Pursuant to art. 12 et seq. of EU Regulation 2016/679 ("GDPR" or "Regulation"), and in general in compliance with the principle of transparency provided for by the same Regulation, the following information is provided regarding the processing of personal data (i.e. any information relating to an identified or identifiable natural person: "Data Subject") in connection with relations with suppliers.
- DATA CONTROLLER
The Data Controller (i.e. the person who determines the purposes and means of the processing of personal data) is BLM GROUP (BLM S.p.A., with registered office in Cantù (CO), via Selvaregina 30, VAT no. 01653120137 – Adige S.p.A., with registered office in Levico Terme (TN), via per Barco 11, VAT no. 01429670225 – Adige-Sys S.p.A., with registered office in Levico Terme (TN), viale Venezia 84/B, P.IVA nr. 01713040226 – BGS S.r.l., with registered office in Gossolengo (PC), via I Maggio nr. 26, VAT 01356980332). For contacts specifically relating to the protection of personal data, including the exercise of the rights referred to in point 8 below, please indicate in particular the e-mail address: privacy@blmgroup.it to which you are requested to address any requests you may have.
- PURPOSE AND LEGAL BASIS OF THE PROCESSING
The personal data collected will be processed, in compliance with current legislation and pursuant to Art. 6, letter b) – Execution of a contract to which the interested party is a party and pursuant to Art. 6, letter c) – Legal obligation to which the data controller is subject, for the following purposes:
a) fulfilment of contractual obligations and related administrative-accounting and tax purposes, as well as legal obligations related to the establishment (commercial negotiation, stipulation of the contract and related and consequent activities such as, by way of example but not limited to: management of training courses, performance of technical assistance activities also in remote assistance mode, management of legal obligations regarding health and safety, etc.), execution and possible termination of the contractual relationship (contractual purpose);
Pursuant to Article 6, letter f) – pursuit of the legitimate interest of the data controller, for the following purpose:
b) protection of rights: prevention and conduct of potential disputes and defense in the event of a trial;
Pursuant to Art. 6, letter f) – pursuit of the legitimate interest of the data controller and Art. 130 paragraph 4 of Legislative Decree 196/2003, for the following purpose:
c) Marketing via e-mail/"Soft-Spam": the Data Controller will use, for the purpose of direct sale of its products and/or services, the e-mail address provided by the data subject in the context of the sale of a product and/or service, without requesting the consent of the data subject, for the purposes of promotion and direct sales and for the sending of commercial communications via e-mail on products and/or services similar to those subject to the sale provided that the interested party, adequately informed, does not refuse such use, initially or on the occasion of subsequent communications. The data subject, at the time of collection and at the time of sending any communication made for the purposes referred to in this paragraph, shall be informed of the possibility of objecting (opt-out) at any time to the processing, easily and free of charge.
- TYPE OF DATA PROCESSED AND DATA SUBJECTS
The data subject to processing belong to the category of common data, such as:
- surname, first name and date of birth, residence of the customer and/or the customer's employees;
- tax code and/or VAT number and other tax and related data such as the "recipient code" CdI for electronic invoicing;
- telephone number/e-mail address/PEC address (contact details);
- data relating to the supply;
It should be noted that, in addition to those of the supplier, data may be processed, always belonging to the category of common data, of subjects attributable to them who relate to the Data Controller, such as directors, employees and collaborators, with particular reference to their names and contact details, telephone number and e-mail address. These data are provided by the supplier, by the Data Subject or are the result of public registers (such as the Chamber of Commerce or the registry office).
- NATURE OF THE PROVISION AND RETENTION PERIOD
The provision of data for the purposes listed above is necessary. Failure to provide the requested data could make it impossible to enter into and execute the contract. The data will be stored for the entire duration of the contractual relationship, and, after the termination of the relationship – limited to the data necessary at that point – for the extinction of the contractual obligations assumed and for the fulfilment of any legal obligations and for the protection needs, including contractual ones, connected or deriving from it; Ordinarily, therefore, the data will not be kept for more than 10 years from the termination of the contractual relationship. With regard to purpose c) E-mail Marketing/"Soft-Spam", the data will be processed until you object (opt-out).
- PROCESSING AND STORAGE METHODS
The processing of data will be carried out through the use of tools for their recording and storage (manual and automated), by persons authorized to carry out these tasks and with the use of appropriate measures to guarantee the security and confidentiality of the data and avoid access to them by unauthorized third parties. There are no fully automated decision-making processes.
- RECIPIENTS OR CATEGORIES OF RECIPIENTS
Personal data will be collected and processed by authorized personnel of the Data Controller (Art. 29 GDPR) as well as may be processed by recipients who will act as data processors (Art. 28 GDPR) or as independent Data Controllers. More precisely, they may be processed by:
- financial administration and other entities for which mandatory communications are required;
- companies that provide services for the management of telecommunications networks and/or for the management of the BLM GROUP information system;
- external companies that offer assistance and/or consultancy services to the Data Controller.
This list is provided by way of example. The data will not be subject to dissemination.
- PLACE OF DATA PROCESSING
The activity takes place on the territory of the European Union. Should personal data be transferred to countries outside the EEA, the transfer will take place pursuant to Art. 44 et seq. GDPR, i.e. to third countries international organisations for which the Commission has intervened with an adequacy assessment (art. 45) and to entities that have provided adequate guarantees, with standard contractual clauses (SCCs) of the Commission (art. 46).
- RIGHTS OF THE DATA SUBJECT
The GDPR gives the Data Subject the exercise of the following rights with reference to personal data concerning him/her (the brief description is indicative, for the complete statement of the rights, including the limitations of the same, please refer to the Regulation, and in particular to articles 15-22):
- access to personal data (the Data Subject has the right to have free information regarding the personal data concerning him or her held by the Data Controller and its processing, as well as to obtain a copy in an accessible format);
- rectification of personal data (upon notification by the Data Subject, correction or integration of personal data – not the expression of evaluation elements – incorrect or inaccurate, even if they have become such because they are not updated);
- erasure of personal data (right to be forgotten) (e.g. the data is no longer necessary in relation to the purposes for which it was collected or processed; it has been unlawfully processed; it must be erased to comply with a legal obligation; the data subject has withdrawn consent and there is no other legal basis for the processing; the data subject objects, if the conditions are met, processing);
- limitation of processing (in certain cases – contestation of the accuracy of the data, in the time necessary for verification; objection to the lawfulness of the processing with opposition to erasure; necessity of use for the rights of defense of the Data Subject, while they are no longer useful for the purposes of the processing; if there is opposition to the processing, while the necessary checks are carried out – the data will be stored in such a way as to be able to be reinstated, but in the meantime, may not be consulted by the Data Controller except in relation to the verification of the validity of the request for restriction by the Data Subject, or with the consent of the Data Subject or for the establishment, exercise or defence in court of a right in court or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State);
- objection in whole or in part, for reasons related to the particular situation of the Data Subject, to the processing carried out on the basis of legitimate interest;
- data portability (if the processing is based on consent or on a contract and is carried out by automated means, upon request, the Data Subject will receive the personal data concerning him or her in a structured, commonly used and machine-readable format and may transmit them to another Data Controller, without hindrance from the Data Controller to whom he or she has provided them and, if technically feasible, he may obtain that such transmission be carried out directly by the latter).
Furthermore, if the processing takes place on the basis of the consent given by the Data Subject, the Data Subject may withdraw the consent at any time, without prejudice to the lawfulness of the processing provided before the withdrawal. The Data Subject also has the right to lodge a complaint with the Data Protection Authority if he/she believes that the processing of personal data violates the provisions of the legislation on the protection of personal data; the Data Protection Authority can be contacted through the contact details indicated on the Authority's website "www.garanteprivacy.it". In any case, we would like to have the opportunity to address any concerns of the Data Subjects in advance, who may contact the e-mail address privacy@blmgroup.it or other contact details of the Data Controller above for any clarification relating to the processing of personal data concerning them and to exercise the related rights.
Updated: October 2025
The Data Controller may modify or update its content in whole or in part, also taking into account any changes in the legislation on the protection of personal data. Data subjects are therefore invited to consult this page regularly, in order to be aware of what concerns the processing processes.
