Information on the Protection of Personal Data of CUSTOMERS / SUPPLIERS


1 Purpose of data processing and related legal basis

The data processing is directed to:
• A. Implementation of contractual and pre-contractual activities and activities they are connected to access the Company’s services / products or to provide services / products to the Company, including supplier tracking
• B. Fulfillment of contractual and tax obligations deriving from existing relationships
• C. Fulfill the obligations established by law, by a regulation, by community legislation or by an order Authority;
• D. Respond to requests made in the context of meetings, events, fairs and / or for the processing of estimates. In this case, the provision is optional but essential for the execution of the contract.

2. Legal basis of the treatment

The legal basis of the processing consists of:
• Fulfillment of contractual obligations (for the treatments referred to in letters A and B of point 1)
• Legal obligations to which the data controller is subject (for the treatment referred to in letter C of point 1)
• Legitimate overriding interest of the owner or third parties whose data are communicated (for the treatment of referred to in letter D of point 1)

3. Processing methods:

Your personal data and those provided by your organization may be processed in the following ways:
• Treatment by means of electronic procedures
• Manual processing by means of paper archives in compliance with the confidentiality and rights of the person, through the systematic application, by our Organization, of specific protection measures and guarantee prepared for both paper and electronic data processing and commensurate with the specificity of the given itself.

4. Categories of recipients of the Data

The data may be disclosed as specified above to:
• Accountant for tax compliance and drafting financial statements
• Banking and Credit Institutions
• Other Customers and Suppliers
• Public and / or Private Bodies for compliance with legal obligations (Customs Agency, Revenue Agencyetc.)
• Social Security institutions
• Public Entities Holders of Tenders for funding requests (eg Tuscany Region)
• Law firms for any disputes• Information Technology company for IT data management (network maintenance,
management, PC, data storage, website)
• Domain companies, hosting, cloud, dedicated servers,
• Freight forwarders and Logistics companies,
• Our Suppliers
• Auditing Firm and Board of Auditors
• Insurance Institutions
• Our Sales Network
• Certification Companies

5. Data Retention

For the treatments referred to in letters A, B and C of point 1, the data will be kept for 10 years from conclusion of the contractual relationship (unless otherwise provided for by current legislation) and for the time necessary for any defense in court of Data Controller;
• For the treatment referred to in letter D of point 1, the data will be kept for the time strictly necessary to achieve the purposes of the processing itself

6. Data Transfer Abroad

The data is stored within the EU. Any transfers outside the EU take place only on specific consent of the interested party or in compliance with articles 45 and 46 of the GDPR.

7. Rights of the interested party

The GDPR establishes the following rights of the interested party:
• be made aware that the Data Controller holds and / or processes your personal data, to be able to access them in full and obtain a copy (Article 15 Right of access),
• enjoy the rectification of inaccurate personal data or the integration of incomplete personal data (Article 16 Right of rectification);
• see their personal data held by the Data Controller deleted if one of the reasons provided for by the GDPR exists (Article 17, Right to Cancellation);
• ask the Data Controller to limit the processing to only some personal data, if one of the reasons exists provided for by the GDPR (Article 18, Right to limitation of processing);
• request and receive the personal data processed by the Data Controller, in a structured, commonly used and legible format by automatic device or request transmission to another holder without impediments (only in the case of automated treatments) (Article 20, Right to Portability);
• object in whole or in part to the processing of data for the purpose of sending advertising material and research market (so-called Consent) (Article 21 Right to object);
• lodge a complaint with a supervisory authority in the event of alleged violations of the GDPR

8. How to exercise the rights of the interested party

The exercise of the data subject’s rights (where applicable) may take place by sending a request by e-mail to the address The request will be handled within the times provided for by the GDPR.

9. How we maintain this document

We last updated this information on May 31, 2019 and it replaces previous versions.
We will update from time to time this privacy policy and we will inform you of any changes by publishing the information updated on our website and informing you before these changes take effect.

10. Holder of the treatment

The Data Controller is IRIS GREEN S.R.L Via Frediani, 34 – 59100 PRATO (Italy)
Rev.1 – 31/05/2019