INFORMATION NOTICE ON THE PROTECTION OF PERSONAL DATA
Pursuant to art. 13 and art. 14 of EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data
Madbit Entertainment Srl, single shareholder company with limited liability (hereinafter "Madbit"), in its position as the controller with regard to the processing of personal data, pursuant to art. 13 and art. 14 of the European Regulation 679/2016 concerning the protection of personal data (“GDPR”), wishes to provide you with the following information.
1. Controller and Data Protection Officer
The Controller, who is responsible for making decisions as to the purposes and means of personal data processing, is Madbit Entertainment Srl, single shareholder company with limited liability, having its registered seat in Bergamo (BG), Italy, at the following address: Via Gerolamo Zanchi 22/C, tax code and VAT No. 03881520161. The Data Protection Officer, who is in charge of monitoring internal compliance with the regulations on the protection of personal data, can be contacted by email, at the address firstname.lastname@example.org, or by post, at the address of Madbit.
2. Types of data under processing and categories of data subjects
This information notice is about the processing of personal data relating to the following categories of persons:
a) Suppliers, being the natural persons or sole proprietorships having entered into an agreement (hereinafter the “Agreement”) with Madbit as well as those currently negotiating in view of entering into an agreement with Madbit (hereinafter jointly referred to as the “Suppliers”), or
b) Legal representatives, individual members of corporate bodies (e.g., partners, directors, statutory auditors, etc.), agents, employees, and collaborators, as well as other persons having representative or managing powers within the business structure of the Suppliers
(hereinafter, jointly referred to as the "Data Subjects").
Therefore, Madbit may process personal data that are disclosed during the process for selecting the Supplier, including those provided when the Supplier fills in the qualification questionnaire that is necessary to assess whether the Supplier meets the professional competence and eligibility requirements provided under Madbit’s Supplier Qualification Manual. Furthermore, Madbit may collect further information upon the execution of the Agreement and thereafter, during performance of it. Personal data processed by Madbit may include, without limitation, names, qualifications, telephone numbers, tax codes, information included in ID documents, bank and payment details, business names (if applicable) and email addresses. In addition, MadBit may collect information that is required to comply with the applicable law, including certificates of compliance with social security and wages obligations towards the Supplier’s employees, and other information needed not to incur social security liabilities, as well as information concerning the Supplier’s holding specific authorisations, permits and licenses, which may occasionally include information on individuals.
The personal data collected by Madbit in relation to the management of contractual relationships, and to any pre-contractual negotiations may be provided:
a) directly by the Data Subject, if the Supplier is an individual or a sole proprietorship; or
b) by the Supplier, if the Data Subjects are any Supplier’s internal contacts charged with the management of the Agreement, or if they are persons with specific functions or qualifications, such as those vested with top management roles within the Supplier’s corporate organisation, including its chairman, CEO or sole director, attorney in fact, legal representative.
Some information, for instance, the details concerning the representatives and attorneys, may also be obtained and/or validated through public sources, including books and lists available from the Chamber of Commerce, from a business information service or from public registers.
3. Purposes of the processing
Madbit shall process personal data, in the course of its economic and commercial activity, for purposes generally relating to the establishment, management, and performance of business relationships, including handling negotiations and precontractual relationships. Specifically, Personal Data provided by the Data Subjects shall be processed for the following purposes:
a) Negotiating, carrying our precontractual activities, and performing the Agreement, including invoicing and the administrative and accounting management of the Agreement (“Contractual Purposes”).
b) Selecting the Suppliers, also based on audits concerning their compliance with payment, social security, and tax obligations, in accordance with the Suppliers’ qualification process implemented by Madbit, and with the provisions set forth in the internal policies, procedures, codes, and models adopted by Madbit.
c) Enforcing or defending the rights of MadBit, also in the context of credit recovery proceedings.
d) Analysing data in aggregate form in order to optimize operating efficiency and improve business strategies.
e) Performing activities that are preparatory or incidental to operations such as transfers of business or of a part of it, acquisitions, mergers, split-ups, or other company’s transformations, and carrying out any such operations (the purposes from b) to e) above being collectively referred to as the “Legitimate Interest Purposes”), and
f) Discharging obligations arising from the laws, regulations or the European legislation including, without limitation, with regard to tax, corporate, labour and accounting matters, and complying with the relevant requirements, including reporting to the competent authorities and supervisory bodies, and satisfying any requests made by these latter (“Legal Purposes”).
4. Legal basis for processing
The processing of Data for the Contractual Purposes specified in section 3, letter a) above is mandatory for the proper execution and performance of the Agreement. If a Data Subject does not provide Data as necessary for these Contractual Purposes, the Agreement cannot be entered into and, if entered into already, its performance cannot be continued.
The processing of Data for the Legitimate Interest Purposes specified in section 3, letters from b) to e) above, is allowed based on article 6, letter f) of the GDPR, on grounds of the legitimate interests of Madbit to select Suppliers that are adequate in order not to incur joint liability established in the law, to carry out extraordinary corporate transactions, and to protect Madbit’s financial interests. These legitimate interests, in any case, are fairly balanced against the legitimate interests of the Data Subjects, since the processing of Data is limited to what is strictly necessary to pursue the Legitimate Interest Purposes. The processing of Data for the Legitimate Interest Purposes is not mandatory, and the Data Subjects may always object to it in the manners set out in this information notice. Should the Data Subject object to the processing for such purposes, the Data shall not be used for any Legitimate Interest Purposes, unless there are overriding mandatory reasons, or if the use is necessary for the exercise or the defence of legal claims by Madbit.
The processing of Data for the Legal Purposes specified in section 3, letter f), is mandatory. If a Data Subject does not provide Data as necessary for these Legal Purposes, the Agreement cannot be entered into, nor performed.
The data shall be processed by Madbit with electronic and manual means, based on fairness, integrity, and in a transparent manner, as required by the applicable laws on the protection of personal data, and by protecting at any time the privacy of the Data Subjects by means of technical and organizational measures ensuring an adequate level of security.
6. Data retention
Personal data collected for the purposes contemplated under previous section 3 shall be kept for the duration of the Agreement and for a further period of 10 years following termination of it, unless further retention is necessary in connection with litigations, for compliance with a request by a competent authority, or pursuant to the applicable law.
7. Disclosure of data
The data shall be processed, to the extent strictly necessary, by the authorized, duly instructed, and trained personnel of Madbit, as well as by the personnel of such third parties -to whom the Data will be disclosed- which will provide services to Madbit and which will carry out the processing in their position as external data processors, including, without limitation:
- Persons carrying out monitoring, auditing, and certification activities on Madbit’s operations
- Legal, administrative and tax advisors assisting Madbit in carrying out its operations
- Suppliers of IT services (e.g., hosting providers) and third parties, including companies belonging to the TeamSystem Group
- Banking institutions handling the collection and payment of amounts due in connection with the performance of the Agreement, and
- Outsourcers and/or subcontractors carrying out activities in connection with the performance of the Agreement. Furthermore, the data may be disclosed to public and/or judicial and/or supervisory authorities, in their capacity as independent controllers with regard to data processing, if there is a request by such authorities and in order to comply with legal obligations. A full and updated list of person/entities processing data in their position as external processors is available upon request to be addressed to the Data Protection Officer.
8. Dissemination and transfer of data
As a general rule, the Data shall not be disseminated nor transferred to countries outside the European Union. However, due to specific needs relating to the location of certain third parties with which the Data may be shared, in compliance with the provisions above, certain Data may be transferred outside the European Economic Area to countries ensuring an adequate level of protection, and also to third countries, including the United States of America. With regard to transfers outside the territory of the European Union to countries for which the Commission has not adopted an adequacy decision, Madbit shall implement adequate security measures as appropriate to protect the Data. As a consequence, any transfer of data to countries outside the European Union shall take place only in compliance with appropriate and suitable safeguards for the purposes of such transfer, including use of standard contractual clauses for the protection of data pursuant to the applicable regulations and in particular to art. 45 and art. 46 of the GDPR (copy of the safeguards adopted by third parties by means of such standard clauses may be obtained upon request to be addressed to the Data Protection Officer at the contact details specified below).
9. Rights of data subjects
With regard to the processing of personal data contemplated in the GDPR, the Data Subjects are entitled to exercise the rights set out therein (articles from 15 to 21), including:
- The right to obtain confirmation as to whether or not personal data concerning the Data Subjects are being processed, and to have access to any such data (right of access).
- The right to have the personal data updated, amended and/or rectified (right to rectification).
- The right to obtain the erasure of data or the restriction of data processing where such processing is unlawful, including if the retention of data is not necessary in relation to the purposes for which the data have been collected or otherwise processed (right to be forgotten and right to restriction of processing).
- The right to object to the processing of Data, in particular if the Data Subject deems that the legitimate reasons of MadBit for processing personal data no longer exist (right to object)
- The right to receive a copy in electronic form of the data relating to them as Data Subjects, when such Data have been provided in the framework of the Agreement, and to request that such Data will be communicated to another controller (right to Data portability).
In addition to the provisions above, pursuant to article 2-terdecies of Legislative Decree No. 196/2003 and following amendments, in case of death of a Data Subject, the above-mentioned rights relating to his/her Data may be exercised by any person/entity having an interest in it or acting for the protection of a Data Subject as his/her agent, or for family-related reasons deserving protection. The Data Subject may expressly forbid that any of the rights above is exercised by an assignee, by means of a written statement to be sent to Madbit. This statement may be revoked or amended at any time, according to the same formalities. It is herein reminded, however, that some of the rights mentioned above may only be exercised when certain specific circumstances occur. Should it be impossible to comply with a request for the exercise of any of such rights by a Data Subject, pursuant to the laws on the protection of personal data, Madbit will inform the concerned Data Subject in writing of the reasons for denying such request. Further information concerning the above-mentioned rights and their enforcement may be obtained upon request at the contact details specified below.
In order to exercise the rights above, the Data Subjects may send a request to Madbit at the address: email@example.com, or to the Data Protection Officer at the address: firstname.lastname@example.org. To ensure proper processing of the request, the Data Subjects are kindly invited to make sure that they have included their name, email/postal address and/or telephone number(s).
Should a Data Subject consider that there has been an infringement of the laws on the protection of personal data, such Data Subject shall be entitled to lodge a complaint with the supervisory authority in the member State of his or her habitual residence or place of work, or place of the alleged infringement.
10. Amendments and updates
This information notice is subject to amendments, including those made as a consequence of any amendments and/or supplements (if any) to the applicable law. Any such amendments shall be communicated upon prior notice and the text of this information notice, which shall be kept constantly updated, shall be made available on the website www.fattureincloud.it at any time.
The PDF version of this policy can be downloaded here.