Privacy notice on the processing of Bureau Veritas Hellas suppliers personal data

PRIVACY NOTICE ON THE PROCESSING OF BUREAU VERITAS HELLAS SUPPLIERS PERSONAL DATA pursuant to Article 13 of EU Regulation 2016/679

This policy (the "Policy") is provided pursuant to art. 13 of Regulation (EU) 679/2016 ("GDPR") in relation to the processing of personal data of Bureau Veritas Hellas suppliers (the "Suppliers" and/or the "Data Subjects").

  1. DATA CONTROLLER

    The Data Controller is Bureau Veritas Hellas, with registered office in Etolikou 23, Pireas 185 45, Greece, VAT no. EL999307410 (hereinafter “Bureau Veritas” or the “Data Controller”).
  2. DATA COLLECTED

    The Data Controller processes the personal data of the Suppliers  –  collected through the contractual documentation relating to the contract stipulated with them – such as identification data (name, surname, date and place of birth, Tax Code and VAT number), contact data (such as address, e-mail and telephone number) and any other information found in the signed contracts and the bank and tax data necessary for the payment of the services and services provided by the Data Subject (the "Data" and/or "Personal Data").
    The Data Subject's data is collected electronically or on paper through the contract, any order forms and, more generally, the contractual documentation signed between the Supplier and the Data Controller. The Data collected is, therefore, limited to data that is necessary for the management and execution of the contractual relationship with the Supplier.
  3. PURPOSE AND LEGAL BASIS OF THE PROCESSING

    The Data Controller processes the Data according to the following purposes and legal bases:

    Execution of the contractual relationship
    Data will be processed in order to correctly execute the supply contract with the Data Controller and, in particular:
    A.  To allow effective management of the contractual relationship with the Data Controller:
    (i)  for the provision of the services offered and payment thereof.
    B.  To carry out the obligations deriving from the supply contract, such as for example:
    (i)  for accounting purposes;
    (ii)  for the purpose of transmitting orders.

    Data provision for the above-mentioned purposes is mandatory and necessary for the proper execution of the aforementioned activities. In the event of a total or partial refusal to provide the Data for these purposes, the Data Controller will not be able to establish and execute the contractual relationship.

    Compliance with legal obligations
    The Data may also be processed to allow the Data Controller to fulfil the obligations established by law, by a regulation, by EU legislation or by an order by Authorities;
    The provision of Data for this purpose is necessary to follow up on the legal obligations to which the Data Controller is subject.

    Legitimate interest (legal protection)
    The Data will be processed to exercise the rights of the Data Controller, such as the right of defence in court. This legitimate interest is to be considered prevailing because it corresponds to a constitutionally guaranteed right and, as such, is socially recognized as prevailing over the interests of the individual concerned. Data provision for this purpose is necessary to allow the Data Controller to defend itself in legal and out-of-court proceedings. 
  4. DATA RECIPIENTS

    The Data will be processed by the Data Controller’s employees, specifically appointed as authorised processors (such as, but not limited to, those in charge of the purchasing department), where necessary to carry out the activities referred to in paragraph 3 above.

    Personal Data may also be notified to third parties if necessary for the establishment, management, execution and/or termination of the contractual relationship with the Data Controller. In this case, the third-party recipients of Personal Data – autonomous data controllers or duly appointed as data processors – belong to the following categories:
    A.  External subjects operating as autonomous controllers such as, for example, Authorities and supervisory and control bodies and in general to subjects, including private individuals, entitled to request the data (such as accounting consultants, legal consultants), Public Authorities that make an express request for administrative or institutional purposes, in accordance with the provisions of current national and European legislation;
    B.  Subjects outside the company who provide services to the company and who are useful for its activities (for example: IT service providers for the management of databases, including contacts and e-mails, digital service providers and IT consultants who provide technical assistance to the company, offices that provide payroll services, training institutions, banking and financial intermediaries); these subjects have received a specific assignment as data processors and their names are available upon request to the Data Controller, using the contact details indicated in Paragraph 7 below.
  5. DATA RETENTION PERIOD

    The Data processed for:
    (i)  the execution of the contractual relationship to which the Data Subject is a party is retained for the entire duration of the contractual relationship and for the ordinary limitation period of 10 years provided for by the applicable regulations;
    (ii)  the fulfilment of legal obligations to which the Data Controller is subject is kept for the duration provided for by law (10 years for administrative-accounting obligations);
    (iii)  the legitimate interest of the Data Controller, and specifically in the case of judicial litigation, will be kept for the entire duration of the same, until the exhaustion of the terms of practicability of appeals.
  6. TRANSFER OF DATA TO THIRD COUNTRIES

    The Data Controller will not make transfers outside the European Union. Should this occur, the Data Controller will adopt adequate guarantees in accordance with the applicable legal and regulatory legislation on the protection of personal data, in order to ensure that its Data is adequately protected: in particular, such transfers will take place, on a case-by-case basis, after verification of the Standard Contractual Clauses approved by the European Commission pursuant to article 46, paragraph 2, letters c) and d) of the GDPR or of the binding rules for the company referred to in article 47 of the GDPR or, in the absence thereof, by virtue of one of the derogating measures referred to in article 49 of the GDPR.
  7. THE RIGHTS OF THE DATA SUBJECTS

    The Suppliers, as data subjects (i.e., subjects to whom the Data refers), are holders of rights conferred by the GDPR. In particular, pursuant to Articles 15-22 of the GDPR, Data Subjects have the right to request and obtain, at any time, access to their personal data, information on the processing carried out, the correction and/or updating of personal data, the deletion and limitation of the processing. Additionally, they also have the right to object to the processing and to request data portability (i.e. to receive personal data in a structured, commonly used, machine-readable format). Finally, Data Subjects always have the right to revoke their consent at any time (this, in any case, will not affect the lawfulness of the processing carried out on the basis of the consent given before the revocation) and to lodge a complaint with a supervisory authority.

    The above-mentioned rights may be exercised at any time by simply sending a request to the Data Controller:
    •    by post, Etolikou 23, Pireas 185 45, Greece; 
    •    through the portal for the exercise of rights, available at the link https://personaldataprotection.bureauveritas.com/#/HomePage.
     

READ THE GREEK VERSION