Privacy policy for Businesses
B2B privacy policy
Version dated 01.October 2022
BULLMANN GmbH in its capacity of data controller, hereby wishes to inform its B2B clients, dealers, retailers and other contractual counterparties of the Controller, as part of a different commercial relationship, of the processing methods of their personal data, in conformity with the European General Data Protection Regulation No. 679/2016 (hereinafter, ?European Regulation?).
1. Controller and data protection officer
BULLMANN GmbH (?Controller?), UID CHE-199.486.646 with registered office in Baar, Switzerland, Rathausstrasse 14, which can be contacted at the email address [email protected], is the data controller in relation to the processing of personal data described in this privacy policy.
As described in this privacy policy, the Controller will collect and process the personal data through an innovative client relationship management system, ?CRM?. The data will be collected directly from the Data Subject ? if the Controller?s contractual counterparty is a natural person or sole proprietorship ? or from the company/entity to which the Data Subject belongs on the occasion of registering for events, to the BULLMANN GmbH interactive digital platform or during events, shows, work meetings and in the phase of negotiation and/or conclusion and/or execution and/or termination of the contract entered into with the Controller. The data collected will be entered into the central database of BULLMANN GmbH, which will process them ? in the capacity of autonomous controller ? for marketing purposes (as described below), both for activities implemented in Switzerland and for activities carried out in the EU. The data may also be collected by the associated and/or subsidiary companies and by the retailers or commercial partners of BULLMANN GmbH that operate in the EU and abroad and in that case they will be appointed by the Controller as data processors.
With reference, on the other hand, solely to the management of sales and after-sales activities at some of our showrooms, the BULLMANN GmbH will collect and process the Data in the capacity of autonomous controllers, in accordance with what is indicated in this privacy policy, insofar as it applies.
The Controller has appointed a data protection officer (?DPO?), who can be contacted using the details indicated in paragraph 11) of this privacy policy.
2. To whom does the Privacy Policy apply?
This privacy policy applies to the processing, by the Controller, of personal data of:
- B2B clients, dealers, retailers and other contractual counterparties of the Controller, in the case of natural persons or sole proprietorships; and
- legal representatives, shareholders (natural persons), directors, attorneys, members of the board of statutory auditors, members of the supervisory body, technical managers, other natural persons vested with powers of representation and/or management and/or control, as well as the employees and contract staff of B2B clients, dealers, retailers and other contractual counterparties;
(hereinafter jointly referred to as the ?Data Subjects?).
3. Which Data are processed?
The Controller collects the personal data relating to the Data Subject directly from the latter ? if the Controller?s contractual counterparty is a natural person or sole proprietorship ? or from the company/entity to which the data subject belongs for registration to the event in which the Data Subject intends to participate, for registration to the BULLMANN GmbH interactive digital platform or during events, shows, work meetings and in the phase of negotiation and/or conclusion and/or execution and/or termination of the contract entered into with the Controller. Furthermore, the Controller may collect the personal data relating to the Data Subject from lists, registers and other publicly accessible sources ? such as, for example, data contained in the chamber of commerce company report of the company to which the Data Subject belongs ? as well as databases of organisations that provide information on the commercial reliability of entrepreneurs and managers.
Depending on the purposes and the time of collection, the Controller processes the following types of personal data relating to the Data Subject:
- personal details, contact data, identity document and role covered at the company/entity to which the Data Subject belongs;
- company name, address of the main office and any secondary offices, VAT number and/or tax code, details bank account or accounts of the Data Subject, if the latter is a natural person or sole proprietorship;
- data relating to the Data Subject?s economic-financial reliability ? in the case of a sole proprietorship or single-member company ? collected using databases of organisations that provide information on the commercial reliability of entrepreneurs and managers and that have adhered to the Code of Conduct for personal data processing in relation to commercial information approved by the EU Data Protection Supervisory Authority. For further information, including with regard to the categories of data collected using those databases, the Data Subject may consult the privacy policy of the organisations that provide the information in question, which may be viewed on the website www.informativaprivacyancic.it;
- other personal data relating to the Data Subject that may be collected by the Controller during the phase of negotiation and/or conclusion and/or execution and/or termination of the contract entered into with the Controller;
(hereinafter, jointly, the ?Data?).
The Data Subjects are advised not to provide to the Controller Data that are not necessary to pursue the purposes indicated in this Privacy Policy.
4. For what purposes are the Data processed?
The Controller processes the Data of Data Subjects to:
- carry out negotiations and perform the contract of which the Data Subject is a party during an online purchase or at the showroom, for registration to one of the events organised by the Controller or for registration to the interactive digital platform of the Controller (hereafter ?Contractual Purposes?);
- comply with obligations deriving from applicable legislation, therein including tax legislation (hereafter ?Legal Purposes?); and
- if the Controller?s contractual counterparty is a company, pursue the legitimate interest of the Controller in holding negotiations and performing the contract of which the company/entity to which the Data Subject belongs is a party;
- pursue the legitimate interest of the Controller in verifying the commercial and financial security and reliability of its B2B clients, dealers, retailers and other contractual counterparties, to prevent fraud, to guarantee management solidity and the correct execution of commercial relationships between the Controller and its B2B clients, dealers, retailers and other contractual counterparties;
- exercise and defend its rights, also as part of credit recovery procedures, in relation to the Data Subject or third parties in any dispute;
- carry out activities functional to sales of businesses and business branches, acquisitions, mergers, demergers or other transformations and for performing those operations;
- send to potential professional purchasers of the Controller?s products and services communications of commercial nature on collections, exhibitions and events relating to the Controller. We will send these communications periodically, indicatively no more than twice a month or on the occasion of particular initiatives (e.g., IMM Fair) by email to the addresses of the Data Subject indicated each time within the contractual relationship between the Controller and the company/entity to which the Data Subject belongs;
- communicate to other companies of the group to which the Controller belongs the contact information of potential professional purchasers of the products and services of the companies of the Controller?s group so that the same can send commercial information on collections, exhibitions and events, even by way of newsletters, in relation to their products and services. The BULLMANN GmbH will send these communications periodically, indicatively no more than once a month or on the occasion of particular initiatives (e.g., IMM Cologne Fair) by email to the addresses of the Data Subject indicated each time within the contractual relationship between the Controller and the company/entity to which the Data Subject belongs. Furthermore, in order to limit those communications to what is strictly necessary, the Data Subject will receive emails only subject to evaluating the commercial opportunity by the group company that has registered the contact. This evaluation will be based upon two criteria:
- the type of clientele to which the Data Subject belongs (therefore, for example, promotional communications will not be sent to suppliers of BULLMANN GmbH, which, by virtue of the commercial relationship in place or for which negotiations are in progress with the latter, are considered unlikely to be interested in purchasing products or participating in events of the Controller, while they will always be sent to potential professional purchasers of the products or services of the companies of the group to which the Controller belongs, so that they are made aware of all commercial opportunities with the Group companies); and
- the sector of activity of the Data Subject. In this way, communications are not sent indiscriminately and in a potentially inappropriate manner, but rather considering the immediate benefit for both the Data Subjects (which receive all and only the communications they are potentially interested in) and for the Controller. Each Data Subject will in any case be free to request directly from each group company the transmission of promotional material; in that case the evaluation of the company with which he/she originally had contact will not be necessary;
(the purposes indicated in letters c) to h) are known jointly as the ?Legitimate Interest Purposes?).
5. On what basis are the Data processed?
The processing of Data is necessary with reference to the Contractual Purposes and the Legal Purposes referred to in paragraph 4, letter a) and b), in order to allow you to participate in the event, to register to the platform, to negotiate, enter into, perform and/or terminate the contract between the Controller and the Data Subject, as well as to adhere to the provisions of applicable legislation. Any failure to provide the Data for those purposes will make it impossible for the Controller to allow you to participate in the event, to register to the platform or to perform the aforementioned contract.
The processing of Data for the Legitimate Interest Purposes is carried out in accordance with Article 6, letter f) of the European Regulation to pursue the legitimate interest of the Controller, which is equally balanced with the legitimate interest of the Data Subjects, as the activity of Personal Data processing is (i) limited to what is strictly necessary to perform the economic operations and other activities specified in letters c) to f) above and is (ii) functional to maintaining commercial relationships with professional clientele for the activities specified in points g) and h). Processing for the Legitimate Interest Purposes is not mandatory and the Data Subject may object immediately or subsequently to each processing activity using the methods stated in paragraph 11) of this Privacy Policy; however, if the Data Subject objects to such processing, his/her data may not be used for the Legitimate Interest Purposes. By way of example, for the activities specified under points g) and h), the Data Subject may object to both the communication of his/her contact details to other Group companies but also in general to receiving any promotional communication from the Controller, without this prejudicing in any way the contractual relationship with the Controller.
6. How are the Data processed?
In relation to the purposes indicated above, the Data will be processed both using IT or automated tools and on paper, and they will be protected by way of appropriate measures to guarantee the confidentiality and security of the personal data. In particular, the Controller adopts appropriate organisational and technical measures to protect the Data in its possession against loss, theft, as well as unauthorised use, disclosure or modification of the Data.
7. To whom are the Data communicated?
For the purposes stated in paragraph 4, the Controller may communicate ? in whole or in part ? the Data of the Data Subjects to the following categories of entities:
- employees of the Controller or of the entities indicated below, as persons in charge of the processing, as part of their respective duties and within the limits established by law;
- providers of services instrumental to or in support of those performed by the Controller and therefore, by way of example but without limitation, legal, administrative and tax consultants, banking institutions for the management of receipts and payments deriving from the execution of the contract between the Controller and the Data Subject or the company/entity to which he/she belongs, auditing companies, events management companies, companies instructed to send marketing newsletters, providers of technological services, in the capacity of autonomous data controllers or processors;
- end customers which may request the name or contact of the Data Subject in order to receive the services provided by the latter or by the company/entity to which the Data Subject belongs;
- sub-suppliers and/or subcontractors engaged in activities connected to the performance of the contract between the Controller and the Data Subject or the company/entity to which he/she belongs, in the capacity of external processors;
- other companies belonging to the group of which the Controller is part, situated in Switzerland or the EU, as data controllers for their own marketing purposes;
- retailers or commercial partners of the Controller or companies of the group to which the Controller belongs which perform services on behalf of the Controller, including the collection of data to be entered in the client relationship management system ?CRM?. Those entities will act in the capacity of processors;
- public entities and/or judicial and/or control authorities whose right of access to the data of the Data Subject is envisaged by applicable legislation, in the capacity of autonomous data controllers; and
- transferees of businesses or business branches, companies resulting from mergers, demergers or other transformations of the Controller, as autonomous controllers.
Some of the entities listed above may be situated in countries outside the European Union or the European Economic Area. More specifically, the Data entered in the CRM database, whose servers are located in the territory of the European Union, will be shared with entities that may, however, be located both inside and outside the EEA, as the Controller offers its products and services to customers and commercial partners in all countries in which it is present.
In that case, the Data will be communicated in accordance with the following paragraph.
8. Are the Data transferred abroad?
In compliance with applicable norms, the Data may be transferred abroad, even to countries not belonging to the European Economic Area and, in particular, to countries in which the companies of the group to which the Controller belongs are based, as well as showrooms and authorised retailers of products and services of the Controller which will have access to them via the CRM system; a full list of those entities is available on the website of the Controller, while the full list of group companies can be requested from the Controller by sending an email to the address stated in paragraph 11) below. Any transfer of Data to countries located outside the European Economic Area will occur, in any case, in respect of the appropriate and adequate guarantees for the purposes of that transfer, in accordance with Articles 44 et seq. of the European Regulation.
In any case, the Data Subject will be made aware of any transfer of Data outside the European Economic Area, through the update of this privacy policy, using the methods described in the paragraphs below.
9. For how long are the Data stored?
The Data will be stored by the Controller:
- For registration to the event, for registration to the interactive digital platform or in the case of a positive outcome of the contractual negotiations, for a period equal to the duration of the contract entered into between the Controller and the Data Subject, or the company/entity to which he/she belongs, and for 10 years after its termination;
- in the case of a negative outcome of the contractual negotiations, the Data will be erased at the end of the negotiation phase;
except, in any case, where the further storage of Data is necessary in order to exercise or defend a claim of the Controller in relation to the Data Subject or third parties in any dispute.
With reference to Data processed for the purposes of sending commercial communications, the Controller will process the data of the Data Subject until the right to object is exercised and, in any case, for no more than 2 years from the end of the contractual relationship between the Controller and the company/entity to which the Data Subject belongs.
At the end of the storage period, the data will be erased, anonymised or aggregated.
10. What are the rights of the Data Subjects?
Without prejudice to the possibility for the Data Subject not to provide his/her Data, the Data Subject may, at any time and free of charge:
- obtain confirmation of the existence or otherwise of Data concerning him/her;
- ask to be informed about the origin of the Data, the purposes of processing and its methods, as well as the logic applied to processing carried out using electronic tools;
- request the update, rectification or ? if appropriate ? supplementation of Data relating to him/her;
- obtain the erasure, transformation into anonymous form or blocking of Data potentially processed in violation of the law, as well as object, for legitimate reasons, to the processing;
- withdraw consent, where previously provided;
- ask the Controller to restrict the processing of the Data relating to him/her if (i) the Data Subject disputes the accuracy of the Data, for the period necessary for the Controller to verify the accuracy of those Data; (ii) the processing is unlawful and the Data Subject objects to the erasure of the Data and instead requests that their use be limited; (iii) although the Controller no longer needs them for the purposes of processing, the Data are required by the Data Subject for establishing, exercising or defending a claim judicially or extra-judicially; (iv) the Data Subject has objected to the processing in accordance with Article 21, paragraph 1 of the European Regulation pending verification with regard to any prevalence of the legitimate reasons of the Controller over those of the Data Subject;
- object at any time to the processing of his/her Data for Legitimate Interest Purposes;
- request the erasure of the Data concerning him/her without undue delay; and
- obtain the portability of the Data concerning him/her.
The Data Subject will also have the right to lodge a complaint with the EU Data Protection Authority, where the conditions apply.
Requests to exercise the rights may be sent in writing to the Controller, which can be contacted at the following email address [email protected].
11. DPO
The Controller has appointed a DPO who is responsible for compliance by the Controller with the fulfilments required by personal data protection legislation.
The Data Subject may contact the DPO securely and confidentially, at any time, if he/she has general questions on the processing of his/her personal data, or for any issue relating to data protection. The Data Protection Officer?s email address is: [email protected]
12. Amendments and updates
This Privacy Policy is valid from the effective date. The Controller may, however, make changes and/or additions to this privacy policy, including as a result of any subsequent regulatory changes and/or additions.