Privacy Notice regarding the processing of Suppliers’ and prospective Suppliers’ Personal Data

Last Update: October 2024

1. Introduction

Reply S.p.A. with registered office in Corso Francia n. 110, Turin, Italy, (hereinafter “Reply”) and Reply group companies as identified below (jointly defined as “We”, “Us” or “Our”) respect your privacy and are committed to protecting it through our compliance with this Privacy Notice (“Privacy Notice”), and our Privacy and Cookie Policy available in the footer of the Reply website/platform (“Site”).

This Privacy Notice covers the processing of personal data related to:

  • prospective suppliers (in case of natural persons and self-employed individuals) interested in opportunities with Reply Group companies, including consultants and employees as well as legal representatives, shareholders, directors, delegates, officers and any other persons with representation and/or management and/or control powers (“Prospective Supplier/s”);

  • current and former suppliers (in case of natural persons and self-employed individuals), including consultants and employees as well as legal representatives, shareholders, directors, delegates, officers and any other persons with representation and/or management and/or control powers, in the context of their contractual relationship with the relevant Reply Group company (“Supplier/s”);

Prospective Suppliers and Suppliers are hereinafter jointly referred to as “Data Subjects”.

Depending on the Data Subject's location, additional terms and conditions concerning personal data protection may apply. These additional terms ("Supplementary Notice") are incorporated into Section 13 below and should be read alongside this Privacy Notice by reference to the applicable jurisdiction. These terms prevail over the rest of the document in case of conflict.

2. Data controller identity and contact details

The Data Controller for the processing activities related to Data Subjects is Reply.

The Data Controller for the processing activities related to Suppliers is the specific Reply Group company which holds the contractual relationship with the Supplier (“Company”). The Company name and contact details of the relevant Company acting as Data Controller are specified within the agreement entered into by the Supplier with such Company (“Agreement”).

Reply and each Company act as autonomous data controllers with regard to the processing of Data Subjects’ personal data described in this Privacy Notice.

3. DPO contact details

Data Protection Officers (DPO) for our European Companies depending on the location of their registered office can be contacted at the following addresses:

4. Source of Data Processed

We can collect personal data (“Data”) relating to the Data Subjects directly from the latter, from publicly available sources and from the company/entity which the Data Subject belongs to during the negotiations necessary for the evaluation of their proposed services, their assessment, and the potential conclusion, execution and termination of the Agreement for the supply of services and/or goods or of the different commercial relationship established with the Company.

5. Categories of Data Processed

Reply may process the following Data:

a)   personal details, including name and surname, identity document details and the role held in the company/entity to which the Data Subject belongs;

b)   the contact details, including the address, telephone number and e-mail address;

c)   in the event that the Prospective Supplier is a natural person, the company name, the office’s main and secondary (if any) addresses, the VAT number and/or tax code, the details of the bank account(s) of the Data Subject.

Furthermore, the relevant Company processes – in addition to the data listed under letters a) to c) above - the following additional Data of Suppliers in the context of the execution of the contractual relationship:

d)   information on the mobile device used by the Supplier’s employees/consultants to enforce a strong authentication mechanism on specific Reply services (e.g., the Reply VPN);

e)   any further Data Subject’s personal data that may be collected during the negotiation and potential conclusion, execution and termination of the Agreement with the Company.

Should the Prospective Supplier and/or Supplier provide personal data relating to other individuals (including, without limitation, any of their own employees or other personnel), the Prospective Supplier and/or Supplier acknowledges, represents and warrants that it will provide such third party personal data only after:

  • having informed the persons concerned, with due advance notice, of the communication of their personal data to Us; and

  • having relied on an appropriate and valid legal basis for the communication of their personal data for the purposes of this Privacy Notice.

6. Data Processing Purposes and Legal Basis

6.1. Reply processes Data related to Prospective Suppliers to perform an evaluation of their services/capabilities proposed via contact forms or by e-mail or via other communication channels. In the cases above the legal basis for the processing is the execution of the pre-contractual activities.

(the purposes of Section 6.1 are jointly referred to as "Pre-Contractual Purposes").

6.2. The Company processes the Data for the negotiation, the potential conclusion, execution and termination of the Agreement between the Supplier and the Company. In this case the legal basis for the processing is the performance of the contract entered into between the Company and the Supplier.

(the purposes of Section 6.2 are jointly referred to as "Contractual Purposes").

6.3. We process the Data to comply with the obligations arising from the applicable laws, regulations and legislation (e.g. administrative-accounting obligations) including the communication to competent authorities and supervisory bodies and to comply with requests coming from them. In this case the legal basis for the processing is the need to fulfil a legal obligation to which We are subject.

(the purposes of Section 6.3 are jointly referred to as "Legal Obligation Purposes")

6.4. We process the Data for enforcing / defending our rights in court and to perform activities that are functional to transfers of assets, branch of business, acquisitions, mergers, divisions or other corporate operations. We also process the Data to manage our IT resources, including infrastructure, websites and technological equipment, to ensure service continuity and guarantee IT security (e.g. to prevent cyber-attacks or perform checks in case of attacks) and verify Suppliers’ compliance with the requirements provided by our corporate policies. Furthermore, Reply can transfer the Data to other Companies to enable them to engage Suppliers. In the cases above the legal basis for the processing is the legitimate interest.

(the purposes of Section 6.4 are jointly referred to as "Legitimate Interest Purposes")

6.5. The processing of the Data is necessary with reference to the Contractual, Pre-Contractual and Legal Obligation Purposes in order to perform the evaluation activities and negotiate, stipulate, execute and/or terminate the Agreement between the Company and the Data Subject, as well as in order to comply with the provisions of the applicable legislation. If the Prospective Supplier fails to provide the Data during the evaluation activities, this shall result in the impossibility for Reply to evaluate the Prospective Suppliers. If the Prospective Supplier fails to provide the Data after the evaluation activities have been concluded, this shall result in the impossibility for the Company to enter into an Agreement with them or execute the Agreement in place with the Suppliers.

6.6. Processing for the Legitimate Interest Purposes is carried out in pursuit of our legitimate interests which are adequately balanced with the legitimate interest of the Data Subjects since the Data processing activity is limited to what is strictly necessary for the exercise or defense of our rights and performance of the economic operations described above. The processing for Legitimate Interest Purposes is not mandatory and the Data Subject may object to such processing as indicated in Section 10 of this Privacy Notice. Should the Data Subject object to such processing, their Data may not be used for the aforementioned purpose, unless We have a compelling legitimate ground for the processing that overrides the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of a right in a court of law.

If you have any questions or would like more information about the legal basis for collecting your personal information, please contact Us at supplier.privacy@reply.com.

7. Data Retention Period

7.1 We will store Data Subjects’ Data for the period necessary to fulfil the purposes for which such Data was collected as outlined in this Privacy Notice. In any case We will store the Data for no longer than the retention periods detailed below.

7.2 Prospective Suppliers’ Data collected for the Pre-Contractual purposes are stored for up to 12 months upon receiving their application.

7.3 In the event of a positive outcome of the evaluation and contractual negotiations, Supplier’s Data are retained for the entire duration of the Agreement and for 10 years following the Agreement’s termination; in the event of a negative outcome of contractual negotiations, Personal Data will be deleted at the end of the negotiation phase.

7.4 Data collected for the Legal Obligation Purposes are retained for the duration prescribed for each type of personal data by the applicable laws, and in any case for up to 10 years after the collection.

7.5 Data collected for the Legitimate Interest Purposes are retained for the entire duration of the Agreement and for the following 10 years, in the event the Data was necessary to protect and enforce our rights in any legal disputes.

7.6 Supplier’s employees/consultants Data collected and used to enforce the strong authentication mechanism for Reply services are stored for 6 months after the strong authentication mobile app and user are disenrolled from the Reply strong authentication service.

7.7 Once the above storage terms have elapsed, Data will be destroyed or anonymized, save in cases for which Data shall be further retained to respond or to file legal actions, upon request of the competent authorities or in compliance with the applicable laws.

8. Third parties and Data Recipients

8.1 To pursue the above-mentioned purposes, Data may be communicated to the following third parties or data recipients: 

a) personnel belonging to the relevant Company who have been authorized and instructed to process Data or the subjects indicated below as data processors, within the scope of their respective duties and within the limits established by the applicable law;

b) providers of support services, as well as of assistance or advice, to the relevant Reply Group Company, such as, by way of example but not limited to, legal, administrative and tax consultants, banks for the management of collections and payments arising from the execution of the contract between the relevant Company and the Data Subject or the company/entity to which the latter belongs, auditing companies, suppliers of technological services, as autonomous data controllers or data processors;

c) sub-providers and/or sub-contractors engaged in activities connected to the execution of the Agreement between the relevant Company and the Data Subject or the company/entity to which the latter belongs, in their capacity as data processors;

d) public bodies and/or judicial and/or control authorities, whose right to access the Data is provided for by the applicable legislation, acting as independent data controllers;

e) other companies belonging to the Reply group and/or subjects transferring a company or business, companies resulting from possible mergers or any other transformation involving the relevant Company, acting as autonomous data controllers.

8.2 Data of Prospective Suppliers which have successfully passed the evaluation may be shared by Reply with other Companies which are interested in the service provided by the Prospective Supplier.

9. Extra-EU/UK Data Transfer

9.1 Both EU/UK and non-EU/UK Prospective Suppliers’ Data could be accessed by Reply Group Companies which are based in the EU/UK (see “Offices” at www.reply.com).

9.2 In case of transfers from EU/UK to countries not considered adequate by the European Commission/UK Data Protection Authority (as applicable), We have put in place appropriate and suitable safeguards to protect the Data. Accordingly, Data Subjects’ Data are transferred in compliance with the requirements and the obligations provided by applicable data protection laws, such as an adequacy decision or standard contractual clauses adopted by the European Commission/UK Data Protection Authority (as applicable).

9.3 In particular, in order to transfer the Data outside the EU/UK, We will enter into the appropriate module of the Standard Contractual Clauses issued by the European Commission on 4 June 2021 with the relevant data importer and adopt any supplementary measure required as a consequence of the decision of the European Court of Justice C-311/18.

9.4 If the Data Subjects wish to have more information on such transfers, they may at any time send an email to supplier.privacy@reply.com.

10. Data subjects’ rights

10.1 Notwithstanding the possibility for the Data Subjects not to provide their Data, if the processing of Data Subjects’ personal data is subject to EU data protection laws, they can exercise the following rights free of charge and at any given time:

a) obtain confirmation of the existence of Data relating to them;

b) know the origin of the Data, the purposes of the processing and its methods, as well as the logic applied to the processing carried out by electronic means;

c) verify the accuracy of Data and request its integration, update or amendment;

d) request the erasure, anonymisation or restriction of the processing of Data processed in breach of the applicable laws, and object, on legitimate grounds, to the processing of Data;

e) withdraw previously given consents, if any;

f) request to limit the processing of the Data where (i) Data Subjects contest the accuracy of the personal data until We have taken sufficient steps to correct or verify its accuracy; (ii) the processing is unlawful but the Data Subjects do not want Us to erase the Data; (iii) We no longer need the Data for the purposes of the processing, but the Data Subjects require them for the establishment, exercise or defense of legal claims; or (iv) Data Subjects have objected to processing justified on legitimate interests, pending verification as to whether We have compelling legitimate grounds to continue the processing;

g) object to the processing of the Data for the processing activities based on Our legitimate interest;

h) request the erasure of the Data without undue delay; and

i) obtain Data portability to receive the Data that had been previously supplied to Us in a structured, commonly used and readable format.

10.2 If Legislative Decree No. 196/2003 as subsequently amended and supplemented by Legislative Decree no. 101/2018 (“Italian Privacy Code”) applies to the processing of Data Subject’s Data, in case of Data Subject’s death, the aforesaid rights relating to his/her Data may be exercised by anyone who has a personal interest, or acts to protect the Data Subject as their representative, or for family reasons worthy of protection pursuant to article 2-terdecies of the Italian Privacy Code. Data Subjects may expressly prohibit the exercise by their assignees of some of the rights above by written notice to be sent to Us, without prejudice to their right to withdraw or modify such expressed intention later on according to the same procedure.

10.3 Requests for the exercise of rights may be made in writing to the relevant Company acting as Data Controller at the contact details specified within the Agreement or at the following e-mail address supplier.privacy@reply.com.

10.4 The Data Subjects also have the right to lodge a complaint with the relevant Supervisory Authority, in particular in the Member State in which they have their habitual residence or place of work, or in the place where the alleged infringement occurred.

11. Data Security

We process the Data for the purposes above through adequate paper and electronic means and implement appropriate measures to ensure Data confidentiality and security. In particular, We adopt appropriate organizational and technical measures to protect Data against loss, theft, as well as unauthorized use, disclosure or modification.

12. Changes and Updates

This Privacy Notice is valid from the date of effectiveness provided below. However, the Privacy Notice may subsequently be updated or integrated, from time to time, also as a consequence of possible subsequent amendments and/or integrations of the applicable laws. Changes will be notified in advance and Data Subjects will be able to consult the constantly updated version of this Privacy Notice on the Site.

13. Supplementary notice

13.1 People’s Republic of China

This Section 13.1 applies if the Data Subject is located within the People’s Republic of China (“PRC”).

13.1.1. Data Processing Purposes and Legal Basis

  • We process the Data related to Prospective Suppliers for Pre-Contractual Purposes (as defined above);

  • We process the Data related to Prospective Suppliers for Contractual Purposes (as defined above);

  • We process the Data related to Suppliers and Prospective Suppliers for Legal Obligation Purposes (as defined above);

  • We process the Data related to Suppliers and Prospective Suppliers for Legitimate Interest Purposes (as defined above).

We will only process the Data where We have a legal basis for doing so. In many cases, We will obtain consent from Data Subjects prior to processing their Data, including a separate consent where required by applicable law, as the legal basis for the processing. Other legal bases that We may rely on to process the Data, including where consent may not be required, may include:

a)   the processing is necessary for the conclusion or performance of a contract, or where it is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;

b)   the processing is necessary for us to perform our statutory duties or obligations;

c)   the processing is necessary for us to respond to a public health emergency, or for protecting the life, health or property security of a natural person in the case of an emergency;

The processing is necessary for any other circumstances as provided by law or administrative regulations.

13.1.2 International Data Transfer

The Data are accessed and processed by Reply Group Companies that are based outside of the PRC (see “Offices” at www.reply.com). We have put in place appropriate and suitable safeguards to protect the Data during international transfer. Accordingly, Data Subjects’ Data are transferred in compliance with the requirements and the obligations provided by applicable data protection laws.

13.1.3 Data Subjects’ Rights

Data Subjects that reside in the PRC can exercise the following rights free of charge and at any given time by contacting us via the information set forth above:

a)   obtain confirmation of the existence of Data relating to them;

b)   know, and receive an explanation of, the origin of the Data, the purposes of the processing and its methods, as well as the logic applied to the processing carried out by electronic means;

c)   verify the accuracy of Data and request its integration, update or amendment;

d)   request the erasure, anonymisation or restriction of the processing of Data processed in breach of the applicable laws, and object, on legitimate grounds, to the processing of Data;

e)   withdraw previously given consents, if any;

f) request to limit the processing of the Data where (i) Data Subjects contest the accuracy of the Data until We have taken sufficient steps to correct or verify its accuracy; (ii) the processing is unlawful but the Data Subjects do not want Us to erase the Data; (iii) We no longer need the Data for the purposes of the processing, but the Data Subjects require them for the establishment, exercise or defense of legal claims; or (iv) Data Subjects have objected to processing justified on any applicable legal basis, pending verification as to whether We have the legal basis to continue the processing;

g)   object to the processing of the Data for the processing activities that are based on “consent”;

h)   request the erasure of the Data in prescribed circumstances according to applicable laws; and

i)   obtain Data portability to receive the Data that had been previously supplied to Us in a structured, commonly used and readable format.

We may not always be able to grant your request. If we cannot accept your request, we will explain this clearly, together with the rationale for our decision and what will happen next.

13.2. Switzerland

This Section 13.2 applies if the Swiss Federal Act on Data Protection (“FADP”) applies to the processed Data of Prospective Suppliers and Suppliers. When the Swiss Federal Act on Data Protection applies, the following provisions of the Privacy Notice shall be read as follows:

13.2.1. Section 3:

Please refer to Section 3 above for Reply’s DPO contact details.

13.2.2. Section 9.1:

If the FADP applies to Data transferred to recipients located in a country that does not have an adequate statutory level of data protection (as determined by the Swiss Federal Council), We will contractually require the recipient to comply with the FADP. For this purpose, We use standard contractual clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC). An exception may apply, for example, in the case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if Data Subjects have consented, or if Data Subjects have made the Data generally available and Data Subjects have not objected to the processing.

13.2.3. Section 10.1:

This Section also applies if the processing of Data relating to Data Subject is subject to the FADP.

13.2.4. Section 10.4:

Data Subjects located in Switzerland have the right to lodge a complaint with the competent data protection supervisory authority. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.

13.3. United States

Additional information for California Residents

This subsection provides California residents with additional information regarding our collection, use and disclosure of their personal information, as well as their privacy rights, under the California Consumer Privacy Act (“CCPA”). This section does not address or apply to our handling of publicly available information or other personal information that is exempt under the CCPA. 

Categories of Personal Information Collected and Disclosed.

While our processing of personal information varies based upon our relationship and interactions with you, the table below identifies, generally, the categories of personal information (as defined by the CCPA) that we have collected about California residents, as well as the categories of third parties to whom we may disclose this information for a business or commercial purpose.

Categories of personal information collected

Sources of Personal Information.

We generally collect Personal Information from the following categories of sources: directly and indirectly from you; affiliates and subsidiaries; customers.

Purposes of Collection, Use, and Disclosure.

As described above in Section 6. (Data Processing Purposes and Legal Basis) and Section 8. (Third Parties and Data Recipients), in general, we may collect, use, disclose, and otherwise process personal information for the following business or commercial purposes and as otherwise directed or consented to by you:

  • Pre-contractual Purposes;

  • Contractual Purposes;

  • Legal Obligation Purposes; and

  • Legitimate Interest Purposes.

Sensitive Personal Information.

We do not collect, use, or disclose “sensitive personal information” beyond the purposes authorized by the CCPA. Accordingly, we only use and disclose sensitive personal information as reasonably necessary and proportionate: (i) to perform our services; (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our services; (v) for compliance with our legal obligations; (vi) to our third-party service providers who perform services on our behalf; and (vii) for purposes other than inferring characteristics about you.

Sales and Sharing of Personal Information.

The CCPA defines “sale” as disclosing or making available personal information to a third-party in exchange for monetary or other valuable consideration, and “sharing” includes disclosing or making available personal information to a third-party for purposes of cross-context behavioral advertising.

While we do not disclose Personal Information to third parties in exchange for monetary compensation, we may “sell” or “share” (as defined by the CCPA) Personal Information, such as user information collected using certain third-party targeting/marketing, advertising, and analytics cookies to social network and cookie providers. We do so with the user’s prior consent in order to obtain statistical information and trace a user’s profile in order to display advertisements on the website targeted on the basis of the user’s interests. We do not sell or share information about individuals who we know are under 16 years old.

Retention.

We retain the personal information we collect only as reasonably necessary for the purposes described above or otherwise disclosed to you at the time of collection and as otherwise necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements. In some cases, we may aggregate or de-identify information, such that it is no longer linked or reasonably linkable to you, and we may maintain such non-identifiable information indefinitely.

Privacy Rights for California Residents.

The CCPA provides California residents with specific rights regarding personal information. Subject to certain conditions and exceptions, California residents have the following rights with respect to their personal information:

  • Right to Know. You have the right to request: (i) the categories of personal information we collected about you; (ii) the categories of sources from which the personal information is collected; (iii) our business or commercial purposes for collecting, selling, or sharing personal information; (iv) the categories of third parties to whom we have disclosed personal information; and (v) a copy of the specific pieces of personal information we have collected about you.

  • Right to Delete. You have the right to request we delete personal information we have collected from you.

  • Right to Correct. You have the right to request that we correct inaccuracies in your personal information.

  • Right to Opt-Out of Sales and Sharing. You have the right to opt-out of “sales” and “sharing” of your personal information, as those terms are defined under the CCPA.

  • Right to Limit Use and Disclosure. You have the right to limit use and disclosure of your sensitive personal information. We do not use or disclose sensitive personal information beyond the purposes authorized by the CCPA; thus, this right is not available to California residents.

  • Right to Non-Discrimination. You have the right not to be subjected to discriminatory treatment for exercising any of the rights described in this section.

Submitting Privacy Requests.

California residents may exercise their CCPA privacy rights as set forth below:

  • Right to Know, Delete, Correct. California residents may submit verifiable requests to access/know, delete, and correct their personal information as well as request to limit the use and disclosure of their personal information by emailing us at supplier.privacy@reply.com.

    Verification. If you submit a request to access/know, correct, delete, or limit the use/disclosure of your personal information, we will take steps to verify your request by matching the information provided by you with the information we have in our records. We will process your request based upon the personal information in our records that is linked or reasonably linkable to the information provided in your request. In some cases, we may request additional information in order to verify your request or where necessary to process your request.

    Authorized Agent. You may also designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization in their first communication with us, and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent. 

  • Right to Opt-Out of Sales and Sharing. To exercise your right to opt-out of the “sale” or “sharing” of your personal information, you may do so via our cookie preference manager. We will apply your opt-out based upon the personal information in our records that is linked or reasonably linkable to the information provided in your request. You may also follow the instructions described on the Site.