Vendor policy

INFORMATION ON DATA PROCESSING
Pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)

Data Subjects: Suppliers

Dear Supplier,

ACHILLI S.R.L., as the Data Controller of your personal data, pursuant to and for the purposes of Regulation (EU) 2016/679 (hereinafter "GDPR"), hereby informs you that the legislation in question safeguards data subjects regarding the processing of personal data. Such processing will be conducted in adherence to principles of fairness, lawfulness, transparency, and the protection of your privacy and rights.

To manage our relationship effectively, ACHILLI S.R.L. needs to collect and process certain personal data, including but not limited to your name, surname, company details, telephone and/or mobile number, email address, tax code, and other relevant information.

Your personal data will be processed in accordance with the legislative provisions of the GDPR and the confidentiality obligations it prescribes.

Purposes of Processing and Legal Basis

Your data will be processed specifically for the following purposes related to the fulfilment of legislative or contractual obligations:

• Compliance with legal obligations in tax and accounting matters (Legal basis: legal obligation);
• Supplier management (Legal basis: contractual obligation);
• Supplier invoicing records (Legal basis: legal obligation);
• Fulfillment of obligations prescribed by current laws (Legal basis: legal obligation);
• Administrative management (Legal basis: contractual obligation).

Consequences of non-communication: Providing personal data is essential for the purposes stated above. Failure to provide the necessary information, or providing incorrect information, may prevent the Data Controller from properly managing the relationship.

Methods of Processing

The data processing will be carried out using manual, computerized, and telematic tools designed to ensure the security, integrity, and confidentiality of the data. These measures comply with physical and logical organizational safeguards to minimize risks of destruction, loss, unauthorized access, modification, or unauthorized disclosure, as required by Articles 5 and 32 of the GDPR.

Recipients of the Data

Certain activities or organizational requirements may involve sharing or communicating data to recipients categorized as follows:

Third Parties

(Communication to entities, natural or legal persons, public authorities, or other bodies other than the data subject, the Data Controller, the Data Processor, and authorized persons):

• Banking institutions for the management of collections and payments;
• Postal service providers (traditional or digital), when necessary for the stated purposes;
• Consultants and freelancers (including law firms), acting as independent data controllers;
• Entities legally entitled to access your data due to statutory obligations.

Data Processors

(Natural or legal persons, public authorities, services, or other entities processing personal data on behalf of the Data Controller):

• Companies, consultants, and freelancers responsible for fiscal, administrative, accounting, or legal obligations;
• IT, web, and service providers necessary for relationship management.

Within the organization, your data will only be processed by staff expressly authorized by the Data Controller, specifically those in:

• Administration.

Transfer of Data to Third Countries

The Data Controller does not transfer personal data to non-EU countries. Should such transfers become necessary, data subjects will be notified in advance. Appropriate safeguards will be implemented, including assessing the adequacy of the recipient country's data protection framework, adopting standard contractual clauses, or other measures as recommended by EDPB Recommendation 01/2020. In exceptional cases (e.g., contractual necessity or explicit consent), data transfers may occur under Article 49 of the GDPR.

Data Dissemination

Your personal data will not be disseminated under any circumstances.

Retention Period

In compliance with GDPR principles of lawfulness, purpose limitation, and data minimization (Article 5), your personal data will be retained only as long as necessary to fulfill the purposes for which it was collected. If a contract is signed, retention may continue until contract termination or withdrawal. Data may be further retained to manage potential disputes, relying on the legal bases of contractual obligation or the Data Controller’s legitimate interest. Where applicable, data may also be retained for periods mandated by law, such as a minimum of 10 years for tax-related records.

Data Controller

The Data Controller is ACHILLI S.R.L., with its registered and operational office at Via Montescudo, 148 – 47924 Rimini (RN), VAT number: 02343350407, Tel: +39 0541 387066. For inquiries regarding the provided data, you may contact the company via email at info@achilli.com or fax at +39 0541 389058. For additional information on privacy policies, visit www.achilli.com.

Rights of the Data Subject (Articles 15-23 GDPR)

As a data subject, you are entitled to:

1. Obtain confirmation of the existence of your personal data and receive it in an intelligible format.
2. Access the following information:
   • The origin of personal data;
   • Purposes and methods of processing;
   • Processing logic (if using electronic systems);
   • Identification of the Data Controller, processors, and representatives;
   • Recipients or categories of recipients of the data.
3. Request:
   • Data updates, corrections, or additions;
   • Erasure, anonymization, or restriction of unlawful data processing;
   • Certification that these requests have been communicated to third parties.
4. Object, in whole or in part:
   • To processing based on legitimate grounds;
   • To processing for direct marketing purposes.

Right to Lodge a Complaint

If conditions are met, you also have the right to lodge a complaint with the relevant Supervisory Authority. For further information or to exercise your rights, please contact the Data Controller using the details provided above.