Privacy Notice regarding the processing of Clients' personal data

Last Update: November 2022

Pursuant to Section 13 of EU General Data Protection Regulation and UK General Data Protection Regulation (hereinafter, “GDPR”) and to the national law provisions from time to time applicable, the Reply Group’s Company (“Reply”), holder of the contractual relationship in place / to be executed with the Client, in its capacity as data controller (“Controller”), hereby provides certain information about processing of personal data.

The contact details of the Data Protection Officers are:

The personal data (e.g. names, work email addresses, phone contact, etc.) of employees and/or contractors of the Client, involved in activities and services requested or that could be required, and disclosed by the Client to shall be notified to Reply shall be processed by the latter for the following purposes:

a) For the performance of contractual and/or of pre-contractual obligations: for the execution and entire performance of contractual relationships, including in relation to any linked administrative and/or accounting matter; for the collection of information necessary to manage the intercompany relationship; for the performance of the after-sale activities;

b) For the compliance with law obligations: in order to duly fulfil any duty provided by applicable National laws and regulation (including tax);

c) For pursuing a legitimate interest of Reply and/or of the Reply Holding[1], when necessary: for the disclosure of the above indicated personal data to the referring Reply Holding and their respective processing by this latter, in its capacity as joint controller (with Reply); for the performance of organizational and control management activities even in order to improve the services offered by Reply Group to its customers, including Client’s satisfaction surveys (even by phone) on the services rendered and on the activities carried out on the basis of the offer; for defending against potential legal claims or trial before any competent authority, including in order to recover its credit; for analysis and statistic researches based on data, subject to anonymization.

The Client represents and warrants to Reply that it has informed its employees/contractors (and any other person involved in the disclosure of the data to Reply), according to its policies and procedures and/or in any case with the most appropriate form, the content of this privacy notice and to obtain the consent before the disclosure of the personal data to the Controller and to the referring Reply Holding, if so required by applicable law.

Without prejudice to the autonomy of the data subject, the collection of personal data must be understood as necessary for carrying out the activities as referred above; in case of failure to provide this data or objecting their processing, Reply and/or the referring Reply Holding might be unable to lawfully perform the obligations undertaken by the agreement vis-à-vis the Client and therefore might be obliged to refuse the execution of any agreement with the Client.

Further, the Client acknowledges that such personal data might be communicated to all public and/or private subjects, natural persons and/or legal entities (Judicial Offices, Chamber of Commerce, Public Authorities etc.), if this communication is necessary or useful in order to duly comply with contractual obligations under this offer as well as with applicable law. Personal data might also be disclosed to audit companies, advisors and law firms as well as processed by other companies belonging to Reply Group in their capacity as data processors consistently with applicable law.

Personal data will be processed for the entire duration of the contractual relationship and, following its termination, for the maximum period provided by applicable statutory limitation and timelimitation period provided by both legal and tax law and, in general, for defending interests and rights of Reply and/or of Reply S.p.A., Reply SE and Reply Ltd, when necessary, in any dispute raised by public authorities, private and public subjects / entities. Further information with respect to data retention period and respective ratio may be requested to Controller and/or to the Data Protection Officer.

Employee and contractors of the Client, in their quality as data subjects, have the right to ask to the Controller and obtain access to their personal data, their respective deletion, the rectification of inaccurate data, the integration of incomplete data, the limitation of data processing in the cases provided by Section 18 GDPR, as well as to object to personal data processing whether it is based on Controller’s or third parties’ legitimate interest. They are also entitled to file a complaint with the Supervisory Authority. Such rights may be exercised by emailing to client.privacy@reply.com

With reference to personal data of data subjects (other than employees and contractors) disclosed by the Client in order to executed services being the subject matter of the offer and/or that could be required and processed by Reply on behalf of the Client, Reply undertakes that it and its own employees and/or contractors will comply with GDPR and to the obligations arising out of its appointment as data processor according to Section 28 GDPR.

(1) - Reply S.p.A. for Italy, Reply SE for Germany and Reply LTD for UK