This General Privacy Notice for Suppliers refers exclusively to the processing of personal data carried out by Be2Net Srl, acting as Data Controller, for the purposes of performing contracts with Suppliers, as well as for commercial development and marketing activities. With reference to any processing of personal data carried out by Suppliers on behalf of Be2Net Srl, acting as Data Processor, please refer to the provisions set out in the contracts signed between the Data Controller and the Data Processor. GENERAL SUPPLIERS PRIVACY NOTICE – REGARDING THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 (“GDPR”)

The Data Controller is BE2NET S.R.L., with registered office at Via Orzinuovi 73, 25125 Brescia, Italy, Tax Code and VAT No. 03559600170. Be2Net Srl has appointed a Data Protection Officer (DPO), who can be contacted for any request at the following email address: dpo@be2net.it. The updated list of Data Processors is kept at the registered office of the Data Controller.

The Data Controller processes personal data relating to you or to your appointed representatives, understood as common identifying and business contact data (such as name, surname, address, telephone number, email address, or, in the case of individual suppliers, also bank details, company name, etc.), provided by you when defining and/or entering into contracts as a Supplier, or during the contractual relationship. The Supplier receiving this notice undertakes to inform any of its representatives whose data are processed by the Data Controller. The Data Controller may also process your personal data or those of your representatives, consisting of common identifying and business contact data (such as name, surname, address, telephone number, email), obtained from third-party Data Controllers (e.g. trade fair organizations) who have lawfully obtained consent for the transfer for commercial contact purposes.

3.1 Contractual and Pre-contractual Purposes:

Legal bases:

3.1.1 The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.

3.1.2 The processing is necessary to comply with legal obligations, regulations, EU legislation, or orders issued by public authorities.

3.1.3 The processing is necessary to pursue the legitimate interest of the Data Controller in exercising or defending legal claims.

3.2 Commercial Development and Marketing Purposes: to send you (via email) commercial or marketing communications relating to products or services of the Data Controller.

Legal basis:

3.2 Your explicit and specific consent.

The processing of your personal data may be carried out through the operations indicated in Article 4(2) GDPR, including: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, restriction, communication, erasure, and destruction of data. Personal data may be processed both in paper and electronic form.

The Data Controller will process personal data for the time necessary to fulfill contractual purposes and in any case for no longer than 10 years after termination of the contractual relationship. For marketing purposes, personal data will be processed only for the time strictly necessary to achieve the purposes for which they were collected, in accordance with applicable laws or authority provisions. Following the withdrawal of consent or an explicit request to unsubscribe from the commercial mailing list, your data will be promptly deactivated from marketing databases. In any case, personal data contained in previous communications will be retained for no longer than 24 months from registration, unless anonymized.

Your data may be accessed for the purposes referred to in Article 3 by:

employees and collaborators of the Data Controller, acting as authorized processors and/or system administrators;

third-party companies or other entities (such as professional firms, consultants, insurance companies, banks, etc.) that perform activities on behalf of the Data Controller, acting as independent Data Controllers or external Data Processors appointed by the Data Controller.

Pursuant to Article 6(b) and (c) GDPR, and without the need for explicit consent, the Data Controller may disclose your data to judicial authorities or to entities for whom disclosure is mandatory by law, for purposes related to the contractual relationship. Such entities will process the data as independent Data Controllers.

Your data will not be subject to dissemination.

Personal data may be transferred, for the purposes described in this notice and for archiving and storage needs, both within the European Union and to non-EU countries. In any case, the Data Controller ensures that transfers outside the EU will take place in compliance with applicable legal provisions.

The provision of data for the contractual purposes referred to in Article 3.1 is mandatory. Failure to provide such data will make it impossible to perform the contractual relationship. The provision of data for marketing purposes referred to in Article 3.2 is optional; you may decide not to provide data or to withdraw consent at a later time. In such case, you will not receive commercial communications or advertising material relating to the Data Controller’s products or services.

By contacting the Data Controller via email at privacy@be2net.it, data subjects may exercise their rights under Article 15 GDPR, including:

obtaining confirmation as to whether personal data concerning them exist and receiving such data in an intelligible form;

obtaining information on: a) the origin of the data; b) the purposes and methods of processing; c) the logic applied in automated processing; d) the identity of the Data Controller, Data Processors, and designated representative; e) recipients or categories of recipients of the data;

obtaining: a) updating, rectification, or integration of data; b) erasure, anonymization, or restriction of unlawfully processed data; c) confirmation that such operations have been communicated to recipients, where applicable;

objecting, in whole or in part, to the processing of personal data for legitimate reasons or for direct marketing purposes, including automated and traditional methods.

Where applicable, data subjects may also exercise rights under Articles 16–21 GDPR, as well as the right to lodge a complaint with the Supervisory Authority. Where conditions are met, data subjects also have the right to compensation for damages suffered pursuant to Article 82 GDPR.