Dear Customer/Supplier,
PRIMA s.r.l. (hereinafter, "the Company" or "the Data Controller"), as the Data Controller, wishes to inform you, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 on the protection of personal data (hereinafter, "GDPR"), of the following.

1. Purpose of the processing

The Data Controller will process the data transmitted by you in relation to your personnel responsible for the execution and management of contracts with the Company, including:

  • Name and surname;
  • Contact details;
  • Email addresses;
  • Relevant professional qualifications;
  • Professional suitability certificates;
  • Any data related to salaries and contributions paid and compliance with contributions towards the personnel employed by you for the provision of services at the Company, when such data are necessary to conduct checks on compliance with the rules protecting workers in the contracts.

For individual suppliers, in addition to the above-mentioned data, data related to billing and payments (including VAT and Tax Code), bank data, registration in professional registers, and economic-financial data (e.g., balance sheet) may also be processed.

2. Purpose of the processing and legal basis

The processing of data of the Data Subjects is carried out by the Company in the course of its economic and commercial activities for purposes related to the possible selection, establishment, management, and execution of the contractual relationship (including the management of the pre-contractual relationship). In particular, the data will be processed to fulfill legal obligations (e.g., tax and accounting obligations, obligations arising from the discipline of contracts and hygiene and safety at work); for the opening of the supplier registry; administrative management of contracts, including payment and invoicing management; obligations aimed at the supply of goods or services, as well as the management of any disputes, the performance of internal controls (safety, productivity, quality of services, asset integrity), certification. The data of the Data Subjects may also be processed for periodic activities to assess compliance with the ethical and legal requirements established by the Company in its own Code of Ethics and within the framework of audits, including at your premises, related to quality, process, product, or sustainability.

For the purposes mentioned above, the legal basis for data processing is to be found in compliance with a legal obligation to which the Data Controller is subject (Article 6, paragraph 1, letter c), GDPR) and/or in the performance of a contract of which the data subject is a party or in the performance of pre-contractual measures taken at the request of the data subject (Article 6, paragraph 1, letter b), GDPR).

3. Nature of the provision and processing methods

The provision of the data by the Data Subjects is necessary and, in its absence, it will not be possible to establish any commercial relationship, correctly perform pre-contractual and contractual obligations or, where a contractual relationship already exists, fulfill the obligations and commitments arising from it.

Personal data are subject to computer and paper processing in the ways and within the limits necessary to achieve the purposes outlined in point 2). Personal data will be processed internally by authorized personnel, under the authority of the Data Controller and instructed on the regulatory principles and security procedures (Article 32, paragraph 4, GDPR). All data processing operations are carried out to guarantee the integrity, confidentiality, and availability of personal data.

4. Data retention period

The data will be retained in compliance with applicable legislation on the protection of personal data for the entire period necessary to fulfill the aforementioned purposes. In particular, the data will be retained for the entire duration of the contractual relationship and also after its termination in compliance with civil and tax obligations (e.g., the civil obligation to retain invoices and company documentation for at least 10 years). The data acquired during the supplier selection process, if no subsequent contractual relationship with the Company arises, will be retained for a period of 5 years from their acquisition.

5. Scope of communication and dissemination of data

Without prejudice to communications made to comply with legal and contractual obligations, the data may be communicated to credit institutions, public bodies, and administrations where necessary, as well as to subjects legitimized by law to receive such information, Italian and foreign judicial authorities, and other public authorities, for purposes connected to the fulfillment of legal obligations or for the fulfillment of obligations arising from the contractual relationship, including the need for defense in legal proceedings. These subjects operate as independent data controllers.

Contact data may be communicated for occasional needs to additional suppliers of the Company, for example, if they need to collaborate with these subjects for the execution of contractual obligations. The Company also uses third parties to provide certain services that involve the processing of personal data, including, for example, tax or legal consultants, providers of substitute storage services, companies or freelance professionals in the field of business consulting or quality, process, and product audit services. These subjects operate as data processors (Article 28, GDPR), based on specific instructions and adequate in terms of processing methods and security measures indicated in appropriate contractual documentation. The complete and updated list of subjects who process personal data as data processors is available upon request from the Data Controller at the contacts indicated in point 8) of this information.

Personal data will not be subject to dissemination.

6. Transfer of data to non-EU countries

Personal data will be processed by the Data Controller within the territory of the European Union. In any case, the Data Controller, if necessary, has the right to move the servers also outside the EU, for example, in the case of using Cloud services. In this case, the Data Controller assures from now on that the transfer of data outside the EU will take place in compliance with applicable law, after entering into standard contractual clauses provided by the European Commission.

7. Rights of the data subjects

Data Subjects may exercise, in relation to the processing of the data described here, the rights provided by the GDPR (Articles 15-22), including:

  • Receive confirmation of the existence of their personal data and access their content (right of access);
  • Update, modify, and/or correct their personal data (right to rectification);
  • Request their deletion or the limitation of the processing of data processed in violation of the law, including those for which conservation is not necessary in relation to the purposes for which the data were collected or otherwise processed (right to erasure and right to restriction);
  • Except where processing is required to comply with a legal obligation, object to the processing, in cases provided for by the GDPR (right to object);
  • Withdraw consent, where given, without prejudice to the lawfulness of processing based on consent given before the withdrawal, for all or part of the treatments in question;
  • Receive a copy of the data in electronic format concerning them provided in the context of the contract and request that such data be transmitted to another data controller (right to data portability).

To exercise these rights or to request further information regarding this information, the Data Subject may contact the Data Controller by sending an email to

Pursuant to Article 77 of the GDPR, the data subject also has the right to lodge a complaint with the Guarantor for the Protection of Personal Data, following the procedures and indications published on the official website of the Authority (

8. Identity and contact details of the Data Controller

The Data Controller is PRIMA s.r.l., with registered office in Via Manta, 6 - 12033 Moretta (CN), represented by its Legal Representative. Tax Code and VAT number: 02190470043. Phone: (+39) 0172 94205, e-mail:

The Data Controller for Personal Data Processing invites its Clients and Suppliers to inform the Data Subjects (e.g., administrators, employees, and collaborators whose data the Company comes into possession of for the purpose of executing the contract) about the content of this Information.

The Personal Data Controller