Privacy notice for suppliers

This privacy notice is provided pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of personal data (GDPR) to individuals acting as suppliers (consultants, professionals, technical designers, collaborators, legal representatives of economic operators, etc.).

 

Type and Source of Data

Depending on the category of data subject, the processed data may include:

  • Identification data
  • Identity documents
  • Payment and billing information
  • Educational and professional qualifications (e.g., CVs, certifications, credentials, etc.)
  • Authentication credentials

Data is provided directly by the data subject during registration on the “Supplier Register” platform, accessible from the Data Controller’s website, and throughout the contractual relationship in the event of a service/assignment.

 

Purpose and Legal Basis of Processing

Data is processed for the following purposes:

  • To manage registration in the Supplier Register, including verification of prerequisites and eligibility.
    • Legal basis: performance of pre-contractual, contractual, and post-contractual measures (Art. 6(1)(b) GDPR).
  • To collect pre-contractual information (e.g., assessment of offers, quotes, document preparation, communications relating to the management of the contractual relationship).
    • Legal basis: performance of pre-contractual, contractual, and post-contractual measures (Art. 6(1)(b) GDPR).
  • To prevent and manage potential legal or extrajudicial disputes.
    • Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR); exercise or defense of legal claims.

In case of selection:

  • To manage the contractual relationship related to the supply of goods or services (e.g., payment management, financial flows, organizational management).
    • Legal basis: performance of pre-contractual, contractual, and post-contractual measures (Art. 6(1)(b) GDPR).
  • To fulfill accounting and tax obligations arising from the supplier relationship.
    • Legal basis: compliance with legal obligations (Art. 6(1)(c) GDPR).
  • To comply with legal obligations regarding publicity and transparency, including the publication of data on the Data Controller’s website.
    • Legal basis: compliance with legal obligations (Art. 6(1)(c) GDPR).

 

Nature of Data Provision

Providing the requested data is mandatory. Failure to provide data, or providing incomplete or inaccurate data, may prevent registration in the Supplier Register and the subsequent qualification process.

 

Data Retention

Supplier data is retained in the Supplier Register until removal and, thereafter, for the duration required by administrative and legal limitation periods, especially in connection with any potential legal disputes.

 

Data Recipients

Collected data may be communicated to and processed by:

  • Authorized personnel (employees and collaborators)
  • External parties designated as Data Processors, such as professionals or service providers for accounting, tax, corporate, and legal support; electronic data processing; IT services (e.g., e-invoicing systems, supplier databases)

Data may also be disclosed to:

  • Banks
  • Public authorities (e.g., Revenue Agency)

Finally, data may be disclosed to parties entitled to access them by law, regulation, or EU legislation.

Furthermore, for the purposes specified in section 6, certain data may be published on the Data Controller’s website.

A complete and updated list of Data Processors is available upon request.

 

Data Transfers

The Data Controller does not transfer personal data to third countries or international organizations. However, the Data Controller reserves the right to use cloud services. In such cases, data transfers will occur only to providers operating in countries deemed adequate pursuant to Article 45 GDPR, or that adhere to the EU–U.S. Data Privacy Framework, or that provide appropriate safeguards pursuant to Article 46 GDPR.

Further information and/or a copy of the applicable safeguards can be obtained by contacting the Data Controller.

 

Data Subject Rights

Data subjects may exercise the rights established by Articles 15–22 of the GDPR. In particular, they may request:

  • Confirmation as to whether personal data concerning them is being processed, and if so, access to such data (right of access);
  • Rectification of inaccurate data and completion of incomplete data (right to rectification);
  • Erasure of data (right to erasure), unless retention is required by law or justified by the Data Controller’s legitimate interest;
  • Restriction of processing (right to restriction);
  • Portability of the data to another controller (right to data portability), applicable only to processing based on consent or contract.

The Data Controller particularly reminds data subjects of their right to object under Article 21 of the GDPR. However, the Data Controller may reject the objection where compelling legitimate grounds exist to continue the processing.


To exercise these rights, data subjects may contact the Data Controller at the email address provided above, clearly indicating the subject of the request, the right being exercised, and any identifying information necessary to verify the legitimacy of the request.


In addition, data subjects have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).
