Privacy Notice Supplier

Privacy notice on the processing of personal data pursuant to Regulation (EU) 2016/679 on the protection of personal data

Pursuant to Articles 13 and 14 of European Regulation 2016/679, Fondazione “Biotecnopolo di Siena” (hereinafter Fondazione), with head office in Siena, via Fiorentina no. 1, in its capacity as Controller of the processing of personal data, hereby informs its suppliers, including consultants as natural persons (hereinafter “Supplier(s)”) that, with respect to the contractual relationship established with the Supplier existing to date, the personal data concerning the Supplier and collected by the Controller, or the data that shall be requested in the future or communicated by third parties are required and shall be used for the purposes detailed below.


The Controller of the processing of your personal data is Fondazione “Biotecnopolo di Siena”, with registered office in (53100) Siena, via Fiorentina no.1, in the person of its legal representative. You may send any request pertaining to this privacy notice and the exercise of your rights to the Controller by email at

Types of personal data processed

Pursuant to this Privacy Notice, “Data” shall mean the personal details and contact data of natural persons processed by Fondazione to enter into and perform the contract with the Supplier, including the Data of the Supplier as a natural person, of the legal representative of the Supplier as a legal person (who executes the contract for and on behalf of the Supplier), and of the Supplier’s employees/consultants involved in the activities envisaged in the contract. The personal data of natural persons involved in the performance of the contract and concerning the contractual relationship shall also be subject to processing. In the latter case, the source of the Data is the Supplier.

Purposes of and legal grounds for processing

The Data shall be processed by Fondazione for purposes connected with:

  • the entering into and the performance of the contract by and between the Supplier and Fondazione;
  • the creation of the database of coded Suppliers.

The legal ground that legitimizes processing by Fondazione of the Data of the legal representative of the Supplier (legal person) or of the Supplier (natural person) is the performance of the contract; the legal ground that legitimizes processing of the Data concerning the Supplier’s employees/consultants involved in contractual activities is Fondazione’s legitimate interest. The Data shall also be processed to fulfil administrative and accounting obligations, including bookkeeping, treasury and invoicing (e.g., invoice verification and registration), in compliance with the provisions of current regulations, or other obligations under European Community laws, regulations and legislation. In this case, the legal ground that legitimizes the processing of the Data by Fondazione is the need for Fondazione to fulfil a legal obligation.

The provision of the Data is mandatory to achieve the foregoing purposes; therefore, failure in whole or in part to provide such Data, or provision of inaccurate Data, may result in the objective impossibility for Fondazione to establish or regularly conduct the contractual relationship.

Means of processing

Data are processed using IT processes and, in any event, with electronic means and tools suitable for the purpose, and also using other means, including paper. Processing is entrusted to duly authorized internal subjects in compliance with the provisions of the law. The Data are stored in paper-based, computer and telematic filing systems, in line with technical and organizational measures suitable for ensuring a level of security proportional to the risk involved.

Communication and dissemination

During processing the Data may become known to duly authorized internal and external processors identified in writing, where necessary, who have received specific instructions in this regard. Where necessary, the Data may be communicated to authorized external recipients, such as banks and credit unions, insurance agencies, independent professionals (lawyers, notaries and accountants), software support, electronic invoicing and storage service providers, Fondazione partners, supervisory and control authorities and bodies, and public and private entities in general, entitled to request the Data.

Rights of the data subject

You are entitled to contact the Controller at any time to exercise your rights under Art. 15 et seq. of the GDPR. In particular, you have the right to:

  • request information from Fondazione on the processing of your personal data and obtain a copy thereof;
  • request rectification and/or erasure of your personal data;
  • request the restriction of processing or object to the processing of your personal data;
  • withdraw your consent to the processing;
  • lodge a complaint with the Italian Data Protection Authority in case of infringement of your rights or of damage suffered as a result of data processing in noncompliance with the law.

Retention period

The Data collected for the purposes stated in the foregoing shall be stored for the entire duration of the contract and for 10 (ten) years after termination thereof. In the event of judicial litigation, the Data shall be stored for the entire duration thereof, and until the time allowed for appealing has expired. Once the retention periods indicated above have elapsed, where possible the Data shall be destroyed or made anonymous, compatibly with the technical erasure and backup processes.
