Valmet Tissue Converting S.p.A - Complete privacy policy for Suppliers

The company Valmet Tissue Converting S.p.A., with its registered office in 55100 Lucca, Via Giovanni Diodati 50 (hereinafter also the "Data Controller"), as Data Controller will see to the confidentiality of your personal data and guarantee its necessary protection from any event that could put it at a risk of violation. The Data Controller applies policies and practices concerning the collection and use of personal data and the exercise of the rights recognised by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever it becomes necessary and in any case whenever regulatory and organisational changes that may affect the processing of your personal data arise.

The Data Controller has appointed a Data Protection Officer (DPO) that you can contact if you have questions about the policies and practices adopted. The contact details of the Data Protection Officer are as follows: dpo.ti.luc@valmet.com

The Data Controller collects and/or receives information about you, such as:

• name, surname
• fiscal code
• e-mail
• phone number
• address
• VAT number
• Bank account number
• images/videos
• company position
• copy of ID or passport
• health fitness

The personal data will be processed for the following purposes:

• the management of the contractual relationship in all its phases; from the negotiations to its definition, whatever the cause is
•  monitoring and updating the conditions of supply and/or services and assignments
• registration, invoicing and bookkeeping

Execution of pre-contractual and contractual activities

Fulfilment of legal obligations and contractual obligations besides obligation deriving from the relationship established, such as, among others, those arising from:

• Presidential Decree no. 633/1972 and subsequent amendments and integrations
• Presidential Decree no. 600/1972 and subsequent amendments and integrations
• Code of Ethics of the Data Controller

Fulfilment of economic, financial and social reporting obligations

Your personal data is also collected from third parties such as, by way of example:

• other data controllers
• IT service provider

Communication to third parties, such as;

• Companies of the group for administrative purposes
• Financial administration, public supervisory bodies
• External accounting and tax consultants
• Credit institutions for the management of payments
• Legal advisors for the management of litigation and contracts
• IT service provider, HW and SW assistance and maintenance
• Public and private entities
• Couriers -Auditors
• Data Controller Customers (also abroad)

Execution of pre-contractual and contractual activities

Fulfilment of obligations depending on the contract

Fulfilment of legal obligations, such as, among others, depending on:

• Presidential Decree no. 633/1972 and subsequent amendments and integrations
• Presidential Decree no. 600/1972

Observance of transparency and economic and social reporting obligations

The Data Controller may transfer your personal data abroad (non-EU countries) and in particular:

China, Brazil USA (Sister Companies) - Standard contractual clauses aimed at ensuring adequate safeguards, including data subjects' rights with regard to the transfer of personal data outside the EU.

Japan (Sister Company) – Adequacy decision EU-Japan.

The personal data of the interested party could be transferred globally. The Data Controller guarantees the adoption of adequate measures pursuant to the applicable legislation.
The communication and dissemination concern the categories of data whose transmission and/or disclosure are necessary for the performance of the activities and purposes pursued by the Data Controller in the management of the relationship established. The relative data processing does not require the consent of the data subject in the event that it takes place against legal obligations or to fulfil the obligations deriving from the contractual relationship or if other exclusion hypotheses occur (in particular application of the provisions of the Code of Ethics and/or legitimate interest of the Data Controller) expressly provided for or dependent on the legislation and regulations applied by the Data Controller, or even through third parties identified as data processors.

• implementation of the detection and notification of personal data violation (data breach)

Execution of activities depending on the established relationship

Fulfilment of legal obligations (detection and notification of data breach events)

Legitimate interest

How
The data processing is performed through paper supports or IT procedures by specially authorized internal subjects. Such internal subjects are allowed access to your personal data to the extent that it is necessary to carry out the processing activities that concern you.
The Data Controller periodically verifies the tools through which your data is processed and the security measures provided for which it provides for constant updating; verifies, also through the subjects authorized to the treatment, that personal data of which the processing is not necessary or whose purposes are exhausted, is not collected, processed, filed or stored; verifies that the data is stored with the guarantee of integrity and authenticity and their use for the purposes of the treatments actually performed.
The Data Controller guarantees that the data, even after the verifications, are found to be excessive or irrelevant will not be used except for the possible retention, according to the law, of the deed or document that contains them.

Where
The data is stored in paper, computerized and software archives located within the European economic area. and adequate security measures are ensured.

For how long
The personal data processed are kept for the time necessary to carry out the activities related to the management of the contract that you have stipulated with the Data Controller and for the fulfilments, including those required by law. arising therefrom.

In particular:

• identifying data
• accounting data
• data relating to professional and commercial activity
• data relevant to health fitness

Duration of the contractual relationship Without prejudice to:

• termination of the contract (for any reason)
• the purposes that continue beyond the conclusion of the contract (e.g. bookkeeping, art. 2220 of the Italian Civil Code)
• the prescription terms: from five to ten years from the definition of the relationship and in any case from the moment in which the rights that depend on it can be exercised (articles 2935, 2946 and 2947 of the Italian Civil Code)
• for particular after-sales needs related to the average life of the product up to twenty years after the termination of the relationship

Except in the event of litigation if it involves an extension of the aforementioned terms, for the time necessary to pursue the related purpose

Computer data (access log to systems and to the network and / or IP addresses)

The duration of the storage depends on the presumed and / or detected risk and the prejudicial consequences that derive from it, without prejudice to the measures to make the data anonymous or to limit its treatment.
In any case, the data must be kept (with effect from the knowledge / detection of the hazard event or data breach) for the time necessary to notify the authority of the violation of the data detected through the procedures implemented by the Data Controller and in any case take remedial actions.

Once all the purposes that legitimize the retention of your personal data are exhausted, the Data Controller will take care of deleting them or making them anonymous.

The rights that are recognized to you allow you to always have control of your data. Your rights are the following:

• access;
• correction;
• cancellation;
• treatment limitation;
• opposition to treatment;
• portability.

In substance, you, at any time and free of charge and without special charges and formalities for your request, can:

• obtain confirmation of the processing carried out by the Data Controller;
• access your personal data and know the origin (when the data are not obtained from you directly), the purposes and the aims of the processing, the data of the subjects to whom they are communicated, the period of retention of your data or the criteria useful for determining it;
• update or correct your personal data so that they are always exact and accurate;
• delete your personal data from the data banks and / or archives including backups of the Data Controller in the case, among others, where they are no longer necessary for the purposes of the processing or if it is assumed to be illicit, and always if they exist the conditions required by law; and in any case if the treatment is not justified by another equally legitimate reason;
• limit the processing of your personal data in certain circumstances, for example where you have disputed its accuracy, for the period necessary for the Data Controller to verify its accuracy. You must be informed, in due time, even when the suspension period has been completed or the reason for the limitation of the processing has ceased, and therefore the limitation itself revoked
• obtain your personal data, if the processing is based on a contract and with automated tools, in electronic format also for the purpose of transmitting them to another data controller.

The Data Controller must proceed in this way without delay and, in any case, at the latest within one month from receiving your request. The deadline can be extended by two months, if necessary, taking into account the complexity and the number of requests received. In such cases the Data Controller, within a month of receiving your request, must inform you and inform you of the reasons for the extension.
For any further information and in any case to send your request, contact the Data Controller at dpo.ti.luc@valmet.com.

For reasons related to your particular situation, you can oppose the processing of your personal data at any time when this takes place for legitimate prevailing reason or if it concerns the processing of personal data whose disclosure is subject to your consent, sending your request to the Data Controller at the address privacy.ti.luc@valmet.com

You have the right to the deletion of your personal data if there is no legitimate prevailing reason with respect to the one that gave rise to your request, and in case in the event that you are opposed to the processing of data.

Without prejudice to any other administrative or judicial action, you may file a complaint with the control authority, unless you reside or work in another Member State. In the latter case, or where the breach of the data protection legislation occurs in another EU country, the authority to receive and hear the complaint will be the control authority established therein.

Any update of this privacy policy will be communicated to you promptly and by appropriate means and you will also be notified before proceeding and in time to give your consent if necessary.