Privacy notice for clients of Bureau Veritas Hellas clients

This privacy notice is provided pursuant to art. 13 of Regulation (EU) 679/2016 ("GDPR") in relation to the processing of Bureau Veritas Hellas Clients’ personal data (the “Clients”).

1. DATA PROCESSING CONTROLLER
   
   The Data Controller is Bureau Veritas Hellas, with registered office in Etolikou 23, Pireas 185 45, Greece, VAT no. EL999307410 (hereafter “Bureau Veritas” or the “Controller”), part of the Bureau Veritas Group.
2. DATA COLLECTED
   
   The Data Controller processes your personal data collected through the contractual documentation and relating to the contract stipulated, such as identification data (including fist name, second name, date and place of birth, Tax Code and VAT number, company name) and contact data (such as address, e-mail and telephone number) and any information contained therein (the "Data").
3. PURPOSE AND LEGAL BASIS OF THE PROCESSING
   
   The Data is processed according to the following purposes and legal bases: 
   
   3.1 Execution of the contractual relationship
   The Data will be processed in order to correctly execute the contract with the Data Controller and, in particular:
   (i)  to allow effective management of the contractual relationship with the Data Controller;
   (ii)  to carry out the obligations deriving from the contract, such as, for example, for the purposes of keeping accounts.
   Data provision for the above-mentioned purposes is mandatory and necessary for the proper execution of the aforementioned activities. In the event of a total or partial refusal to provide the Data for these purposes, the Data Controller will not be able to establish and execute the contractual relationship.
   
   3.2 Compliance with legal obligations
   The Data may also be processed to allow the Data Controller to fulfil the obligations established by law, by a regulation, by EU legislation or by an order of Authorities.
   The provision of Data for this purpose is necessary to follow up on the legal obligations to which the Data Controller is subject.
   
   3.3 Overriding interest
   (i)  Legal protection
   The Data will be processed to exercise the rights of the Data Controller, such as the right of defence in court. This overriding interest is to be considered prevailing because it corresponds to a constitutionally guaranteed right and, as such, is socially recognized as prevailing over the interests of the individual concerned. Data provision for this purpose is necessary to allow the Data Controller to defend itself in legal and out-of-court proceedings.
   (ii)  Information and promotional notifications
   The Data will be processed in order to allow the Data Controller to contact Clients in order to send individual notifications, exclusively by e-mail, of an informative and promotional nature, on the basis of the contractual relationship already established with the same, and concerning products and/or services of the same type with respect to those being sold (Soft Spam), in accordance with the provisions of art. 130, par. 4 of Legislative Decree no. 196/2003 and subsequent amendments, unless objected. The legal basis for this processing lies in the overriding interest of the Data Controller to maintain and strengthen the human and professional relationships established with Client. Overriding interest that does not affect the rights and freedoms of the Clients as it finds its respective balance in the interest and reasonable expectation of the Clients to receive information on products similar to those already purchased and on the activity of the Data Controller.
   
   3.4 Consent
   (i)  Marketing activities
   The Data may be processed by the Data Controller to send to Client through the channels authorized by them – such as, for example, mail, telephone or electronic notifications, such as e-mails – marketing notifications, having an advertising, informative and promotional nature of the products and services offered by Bureau Veritas. The legal basis of said processing is the consent given. Consent can always be freely revoked by using the appropriate "unsubscribe" link at the bottom of all notifications sent by e-mail or through the portal for the exercise of rights indicated in article 7 below. The provision of data is optional. Any refusal will result in the impossibility, even partial, of pursuing this purpose.  
   (ii)  Transfer of data to the Bureau Veritas Group companies to allow them to send their own advertising, informative and promotional material notifications.
   Client Data may be transferred to Bureau Veritas Group companies and used for sending advertising, information and promotional material notifications by Bureau Veritas Group companies. The legal basis of said processing is the consent of the Client. Consent may always be revoked freely through the portal for the exercise of rights indicated in article 7 below. The provision of data is optional. Any refusal will result in the impossibility, even partial, of pursuing this purpose.
4. DATA RECIPIENTS
   
   The Data will be processed by the Data Controller’s employees, specifically appointed as authorised data processors (such as, but not limited to, those in charge of the sales, legal and marketing departments), where necessary to carry out the activities referred to in article 3 above.
   Personal Data may also be transferred to third parties where necessary for the establishment, management, execution and/or termination of the contractual relationship with the Data Controller. In this case, the third-party recipients of Personal Data – autonomous data controllers or duly appointed as data processors – belong to the following categories:
   (i)  external subjects operating as autonomous controllers such as, for example, Authorities and supervisory and control bodies and in general to subjects, including private individuals, entitled to request the data (such as accounting consultants, legal consultants), Public Authorities that make an express request for administrative or institutional purposes, in accordance with the provisions of current national and European legislation;
   (ii)  subjects outside the company who provide services to the company and who are useful for its activities (for example: IT service providers for the management of databases, including contacts and e-mails, digital service providers and IT consultants who provide technical assistance to the company, offices that provide payroll services, training institutions, banking and financial intermediaries); these subjects have received a specific assignment as data processors and their names are available upon request to the Data Controller, using the contact details indicated in article 7 below.
5. DATA RETENTION PERIOD
   
   The Data processed for:
   (i)  the execution of the contractual relationship with the interested party and is retained for the entire duration of the contractual relationship and for the ordinary limitation period of 10 years provided for by the applicable regulations;
   (ii)  the fulfilment of legal obligations to which the Data Controller is subject are kept for the duration provided for by law (10 years for administrative-accounting obligations);
   (iii)  the overriding interest of the Data Controller, and specifically in the case of judicial litigation, will be kept for the entire duration of the same, until the expiration of the terms of practicability of appeals and for the purpose of sending commercial notifications until the request for opt-out by the data subject or for a period of 12 months from the last active contact with the data subject.
   (iv)  marketing activities will be retained for a period of time not exceeding 24 months from the granting of consent by the Client to carry out such processing, after which a request will be sent to confirm the wish to continue receiving such processing: in the event of refusal, the Data provided will be deleted; in the event of consent, it will be retained and processed for a further period of 24 months. Clients may, in any case, withdraw their consent as specified in article 3 of this privacy notice.
   (v)  the transfer of data to subsidiaries/parent companies and/or affiliates of the Bureau Veritas Group, will be kept for a period of time necessary to technically allow the correct transfer of data to third parties and subsequently as regulated in the information that will be issued by each owner.
6. TRANSFER OF DATA OF THIRD COUNTRIES
   
   The Data Controller will not make transfers outside the European Union.
   Should this occur, the Data Controller will adopt adequate guarantees in accordance with the applicable legal and regulatory legislation on the protection of personal data, in order to ensure that its Data is adequately protected: in particular, such transfers will take place, on a case-by-case basis, after verification of the Standard Contractual Clauses approved by the European Commission pursuant to article 46, paragraph 2, letters c) and d) of the GDPR or of the binding rules for the company referred to in article 47 of the GDPR or, in the absence thereof, by virtue of one of the derogating measures referred to in article 49 of the GDPR.
7. RIGHTS OF THE DATA SUBJECT
   
   Clients, as data subjects (i.e., subjects to whom the Data refers), are holders of rights conferred by the GDPR. In particular, pursuant to Articles 15-22 of the GDPR, data subjects have the right to request and obtain, at any time, access to their personal data, information on the processing carried out, the correction and/or updating of personal data, the deletion and limitation of the processing. Additionally, they also have the right to object to the processing and to request data portability (i.e. to receive personal data in a structured, commonly used, machine-readable format). Finally, data subjects always have the right to revoke their consent at any time (this, in any case, will not affect the lawfulness of the processing carried out on the basis of the consent given before the revocation) and to lodge a complaint with a supervisory authority.
   
   The above-mentioned rights may be exercised at any time by simply sending a request to the Data Controller:
   •    by post, Bureau Veritas Hellas, Etolikou 23, Pireas 185 45, Greece; 
   •    through the portal for the exercise of rights, available at the link https://personaldataprotection.bureauveritas.com/#/HomePage.