PRIVACY INFORMATION UNDER REGULATION (EU) 2016/679

Regulation EU 679/2016 (“GDPR”) and other Italian legislation (i.e. Legislative Decree 196/2003, known as the “Personal Data Protection Code”) and regulatory measures are there to protect the confidentiality of personal data, imposing a series of obligations on those who process the personal data of natural persons (“data subjects”). One of the most important legal requirements set out in the GDPR is the duty to ensure that natural persons have been informed on this subject and, when there are legal bases, to obtain their consent to process their personal data.

This information document refers to the handling of personal data – supplied directly by the company or professional and/or acquired from third parties – for purposes related to participation in a supply, to the presentation (and subsequent evaluation) of an offer, and to the signing and fulfilment of a contract, the associated obligations and administrative and accounting operations.

In order to carry out the above purposes, it is or may be necessary to acquire and handle the personal data of the company’s legal representatives, its technical managers and its employees, collaborators and potential subcontractors.

It being understood that all personal data processing operations are based on the principles of lawfulness, correctness and transparency, of minimising and limiting the data stored and their correctness, integrity and confidentiality, we provide the following information:

a) The Data Controller is MIP Politecnico di Milano – Graduate School of Business Consortium Company with Share Capital, Via Lambruschini 4C – Building 26/A, 20156 Milan, Italy, Tel.: +39 02 23992820, Fax: +39 02 23992844.

b) MIP has appointed a Data Protection Officer (DPO), domiciled at the Data Controller’s address in compliance with the regulation on the handling of personal data, whose contact details are: Telephone: +39.02.23992820 – email: dpo@mip.polimi.it

c) Data supplied or acquired from third parties are handled lawfully according to the relevant legal basis and for the sole purposes set out in the table below:

 

| Purpose | Legal basis GDPR |
| --- | --- |
| Initiate preliminary operations, verify the technical, economic and financial suitability and that the Company satisfies all requirements set out in the applicable law, with a view to the definitive allocation of the contract. Signing and execution of the contract. | 6.1.b – Contract; 6.1.c – Legal requirement |
| The data handled could include, only if there is a legal obligation, judicial data for the legal and technical representatives of the company, in order to verify that there are no grounds for exclusion, or suspensions or bans against the company under Legislative Decree no. 231/2001 or anti-mafia legislation. | 6.1.c, 10 – Legal requirement |
| In the case of works in areas managed by the Customer, data of employees / collaborators with a role in the execution of the contract are also treated, for the purpose of managing accident prevention issues. | 6.1.c – Legal requirement |
| Accounting, administration and financial management. | 6.1.c – Legal requirement |
| MIP’s right to defend its interests in court. | 6.1.f – Legitimate interest |

The data supplied will be kept in paper and/or electronic format and be processed manually and/or electronically or by automated means in general, and will be stored for ten years. In the event of litigation, data will be kept until all legal proceedings and orders at every stage are definitive.

d) Data must be provided for all purposes connected to legal and contractual obligations. Data can be handled to address requests made by the competent administrative or judicial authorities and, more generally, to public bodies in compliance with legal obligations.

e) Personal data may be handled by persons qualified as Data Processors or in charge of handling such data under GDPR, Articles 4.8 and 28 (professionals with internal control functions; safety coordinator during execution phase, in the event of building sites; site manager, if appointed; accountants, consultancy firms and service companies, hardware and software support companies…) and by persons in charge of processing the data under Article 29 of the GDPR, who operate under the direct authority of the Data Controller (employees or collaborators under whatever circumstances), where the latter has provided the relevant instructions.

f) Whereas communicating personal data to third parties does not exempt the latter from supplying this privacy information or from lawfully handling the data exclusively when there is a valid legal basis, we nevertheless specify that, apart from the communications to persons whose right to access such information is recognised in law or by an order from the authorities, personal data may be communicated to: banks and similar institutions; leasing and factoring companies; insurance companies and brokers; professional and service companies; competent authorities for the fulfilment of legal obligations and/or provisions of public bodies; authorities overseeing public contracts for building work, services and supplies on tender contracts.

g) The dissemination of data is confined to their publication, in compliance with the law.

h) With reference to potential cloud-based services used by the Data Controller, data can be transferred to a third country only in the event that the Personal Data Protection Authorities have established that the country satisfies a high standard of protection of personal data.

i) By making a request through the DPO, natural persons can exercise their rights under Articles 15 to 22 of the GDPR at any moment, that is, the right to ask the Data Controller for access to personal data and to rectify or cancel them, to limit the processing that concerns them, or to oppose their processing. The DPO can also be asked to supply the list of persons appointed as Data Processors.

Natural persons can lodge a complaint with the Personal Data Protection Authorities.