Last Update: December 2023
This Privacy Notice covers the processing(1) of personal data related to all:
current and former suppliers, included individuals consultants, in the context of their contractual relationship with Reply Group Companies (hereinafter, “Supplier/s”);
prospective suppliers interested in opportunities with Reply Group (hereinafter, “Prospective Supplier/s”).
This Privacy Notice also describes legal rights with respect to such activities.
2. Data Controller identity and contact details
Data Controller of the processing activities related to Suppliers is the specific Reply Group’s Company, holder of the contractual relationship with the Supplier, in the person of the legal representative pro tempore (hereinafter “Company”).
Data Controller of the processing activities related to Prospective Suppliers for the preliminary evaluation of their proposed services is Reply S.p.A., with a registered office in Corso Francia n. 110, Turin, Italy, represented by the pro tempore legal representative.
3. DPO contact details
Data Protection Officers (DPO) contacts are:
4. Categories and origin of data processed
Pursuant to Article 4.1) of GDPR, “personal data” means “any information referred to an identified or identifiable individual («subject»)”. Therefore, under the present Privacy Notice, “Data” means the personal details and contact details related to individuals processed for: i) the preliminary evaluation of the Prospective Suppliers proposed services; ii) the conclusion and the execution of the contractual relationship with Suppliers, included the ones relative to Supplier as natural persons, the ones of the legal representative of the Supplier (that signs the contract in the name and on behalf of the Supplier), as well as to employees/consultants of the Supplier involved in the activities referred to in the contract.
Furthermore, personal data inherent to individuals involved in the execution of contract could be processed and related to: i) the same contractual relationship; ii) mobile device used by the Supplier’s employees/consultants to install and use the Reply app enforcing strong authentication mechanism on specific Reply services (e.g. the Reply VPN). In this last case, the origin of Data processed is the Supplier or the Supplier’s employee/consultant installing and using the Reply strong authentication app.
5. Data processing purposes and legal basis
5.1 Data related to Prospective Suppliers can be processed by Reply S.p.A. for a preliminary evaluation of their services proposed via contact forms or by e-mail or via communication tools. When Prospective Suppliers use a Reply contact form, their personal data may be stored in the Reply ticketing system for backup and request management purposes. In this case the legal basis for the processing activities by Reply S.p.A. is the execution of the pre-contractual activities.
5.2 Upon express consent, Data related to EU/UK Prospective Suppliers could be transferred for pre-contractual activities by Reply S.p.A. to non-EU/non-UK Reply Group Companies. In this case the legal basis for the processing activities is the consent given by the Prospective Supplier which may be revoked at any time. For more information about these data transfers refer to the below section 8.
5.3 Data may be also processed by the Company according to the purposes related to the conclusion and execution of the contract between the Supplier and the Company. The legal basis for the processing activities by the Company of Data of Supplier’s legal representative (legal entity) or of the Supplier (natural person) is the execution of the contract; the legal basis for the processing activities of Data of Suppliers’ employees / consultants, involved in the activities referred to in the contract, is the execution of the contract whose activities involve the Supplier’s employees / consultants.
5.4 Data may be also processed for performing administrative-accounting obligations, such as the management of bookkeeping and treasury, as well as invoicing (for example check and registration of invoices), in compliance with the current legislation, or for the execution of other obligations imposed by laws, regulations and applicable legislation. In this case, the legal basis for the processing activities by the Company is the need to fulfil a legal obligation to which the Company is subject.
5.5 Data may be also processed by Company and by Reply S.p.A., Reply Ltd, Reply SE and Reply France Sas, when necessary, as Joint Controllers for enforcing / defending the rights of the Company in court. In this case the legal basis for the processing is the legitimate interest of the Controller.
5.6 Data may be also processed by Company and Reply S.p.A, Reply Ltd, Reply SE and Reply France Sas, when necessary, as Joint Controllers for the management of verification process of suppliers’ requirements with respect to corporate policies. In this case the legal basis for the processing activities is the execution of the pre-contractual activities.
5.7 The Data provision is necessary for the attainment of the abovementioned purposes, except for the purpose 5.2 based on consent; therefore, their missed, partial, or inexact provision could have as consequence the objective impossibility for the Company to enter into or to regularly continue the contractual relationship or to evaluate the Prospective Supplier proposed services
6. Data retention period
6.1 Supplier’s data collected for the contractual purposes will be stored for the entire duration of the contract and no more than 10 years after the termination. In the case of judicial litigation, data will be kept for the entire duration of the latter, until the expiry of the terms of applicability of the appeal.
6.2 Supplier’s employees/consultants data collected and used to enforce strong authentication mechanism to Reply services are stored for 6 months after the strong authentication mobile app and user is disenrolled from the Reply strong authentication service.
6.3 Prospective Suppliers’s personal data are stored for 6 months upon receiving their application, unless in the meanwhile they become Supplier and in this case the retention times referred to in the previous 6.1.and 6.2 apply.
6.4 Once the above storage terms have elapsed, Data will be destroyed or made anonymous, compatibly with the technical erasure procedures and backup.
7. Third parties and data recipients
7.1 Data may be communicated to Third Parties or Data Recipients operating as data controllers or as data processors, as the case may be, such as:
b) Insurance companies;
d) banks and credit institutions;
e) subjects to whom the right to access to Data is recognized by provisions of law or regulatory or applicable legislation;
f) subjects for whom the communication of Data is necessary or in any case functional to the management of the contractual relationship with clients;
g) the referring Reply Holding(2) as Data Processor for purposes referred to in the previous 5.3. and 5.4;
h) suppliers engaged by Reply to support the management and operations of Reply services used by the Supplier’s employees / consultants.
8. Extra-EU/UK Data Transfer
8.1 EU/UK Prospective Suppliers personal data, upon express consent, could be transferred by Reply S.p.A. for pre-contractual activities also outside the EU/UK to countries where Reply Group Companies are based (see “Offices” at www.reply.com).
8.2 In the absence of an adequacy decision by the EU/UK Commission regarding the level of safeguard assigned to data subjects by these countries, pursuant to art. 45 of the GDPR, Reply ensures that the transfer is executed in accordance with applicable requirements by ensuring an adequate level of data protection.
8.3 If the data subjects no longer agree with such data transfers or need more information, at any time they can email at firstname.lastname@example.org
9. Data subjects’ rights
9.1 The data subjects can ask to Data Controller the access to Data concerning them, rectification of inaccurate Data or integration of incomplete Data, erasure of Data, restriction of processing activity in the cases provided by art.18 GDPR; to receive data in a structured, commonly used and machine-readable format, as well as, if technically possible, to transmit Data to other data controller without hindrance, in the cases in which the conditions for the exercise of data portability right are present, according to art. 20 GDPR (processing is based on the consent pursuant to art. 6.1 lett. a) or art. 9.2 lett. a) or on a contract pursuant to point (b) of art 6.1 GDPR or in the case in which processing is carried out by automated means).
Data subjects have the right to object, for reasons connected to their particular situation, the processing activity for pursuing the purposes based on the legitimate interest of the Company.
At any time, data subjects have the right to revoke their consent for the purposes based on the consent referred to in the previous 5.2
9.2 These rights can be exercised by writing to the Company, among the same Controller offices, or via e-mail to email@example.com.
9.3 The Data Subjects have also the right to lodge a complaint to the relevant Supervisory Authority pursuant to art. 77 GDPR (in particular, in the Member State in which he/she has habitual residence or place of work, or in the place where the alleged infringement occurred).
(1) - Pursuant to GDPR Article 4, “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(2) - Reply S.p.A. for Italy, Reply SE for Germany, Reply Ltd for UK and Reply France Sas