Information on the Processing of Personal Data for Customers and Suppliers

(pursuant to Article 13 of EU Regulation 2016/679)



1. Introduction: purpose and scope of application of this information


In accordance with Article 13 of Regulation (EU) 2016/679 (hereinafter "GDPR"), UNIFREDDO S.R.L. provides this notice to describe how it processes the personal data of its customers and suppliers.


It is essential to clarify the scope of this document. The GDPR protects the personal data of "natural persons." Therefore, this notice is specifically addressed to the following categories of individuals (hereinafter "Data Subjects"):

  • natural persons acting as customers or suppliers in the form of sole proprietorships or as self-employed professionals with a VAT number;
  • natural persons acting in the name and on behalf of customers and suppliers established as legal entities (e.g., corporations or partnerships), such as, but not limited to, legal representatives, directors, employees, collaborators, and company contacts whose personal data are communicated to UNIFREDDO S.R.L. in the context of commercial relationships.

Data processing will be based on the principles of lawfulness, fairness, and transparency, to protect the privacy and rights of interested parties.



2. Data Controller


The Data Controller, i.e., the entity that determines the purposes and means of processing personal data, is:


UNIFREDDO S.R.L.



  • Registered Office: Via Muselle 1374, 37050 Isola Rizza - Verona
  • Data Controller's email address: amministrazione@unifreddo.it
  • Certified Email Address (PEC): unifreddo@pec.it

3. Data Protection Officer (DPO)


Please note that, as of the date of publication of this policy, the Data Controller has not designated a Data Protection Officer (also known as a Data Protection Officer or DPO), as the mandatory requirements set forth in Article 37 of the GDPR do not apply.


4. Purposes, legal bases, and categories of data processed


The personal data of the Data Subjects are processed exclusively for the purposes described below and in accordance with the corresponding lawfulness requirements set forth in Article 6 of the GDPR. To ensure maximum clarity and transparency, the information relating to each processing activity is summarized in the following table.


Purpose of the processing Description of the activities Categories of Personal Data Processed legal basis (art. 6 GDPR) Retention period
1. Management of the contractual relationship Pre-contractual activities, stipulation, management, and execution of contracts for the supply of goods or services. This includes order management, invoicing, payments, customer support, and any other activity strictly related to the commercial relationship. Personal and contact details (name, surname, email address, telephone number), professional role, company details, banking and payment details (if relating to natural persons). Art. 6, paragraph 1, letter b): "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject's request prior to entering into a contract." For the entire duration of the contractual relationship and, after its termination, for a period of 10 years to fulfill document retention obligations and for legal protection purposes.
2. Compliance with legal obligations Activities necessary to fulfill obligations under national and EU legislation, particularly accounting, tax, and administrative matters (e.g., recordkeeping, VAT compliance, communications to competent authorities). Data required for invoicing and accounting (name, surname, tax code, VAT number, address), details of financial transactions. Art. 6, paragraph 1, letter c): "Processing is necessary for compliance with a legal obligation to which the data controller is subject." For 10 years from the date of issue of the accounting document or registration, in accordance with art. 2220 of the Italian Civil Code and applicable tax legislation.
3. Exercise and defense of legal claims Data processing to ascertain, exercise, or defend a right of the Data Controller in or out of court (e.g., litigation management, debt collection, actions for breach of contract). All data relating to the contractual relationship, including communications, correspondence, payment history, and contractual documentation. Art. 6, paragraph 1, letter f): "Processing is necessary for the purposes of the legitimate interests pursued by the data controller," consisting in the protection of its economic and legal rights and interests. For the duration of the litigation, until the terms for exercising legal remedies have expired. In the absence of litigation, for 10 years from the termination of the contract, corresponding to the ordinary limitation period for contractual rights.
4. Protection of company assets and organizational needs (Video Surveillance) Processing of images of individuals accessing company premises for the purpose of preventing unlawful acts (theft, damage), protecting company assets, and organizational and production needs. Video images (without audio recording) captured by the closed- circuit television (CCTV) system. Art. 6, paragraph 1, letter f): "Processing is necessary for the purposes of the legitimate interests pursued by the data controller," as specified, balanced, and regulated in the dedicated extended privacy policy. Images are retained for a maximum of 48 hours, unless there are specific and documented needs for further retention (e.g., requests from judicial authorities, holidays, or company closures), as detailed in the extended privacy policy.

For the processing referred to in Purpose 4 (Video Surveillance), express reference is made to the Extended Notice on the Processing of Personal Data through Video Surveillance Systems, which can be requested from our offices. This document, drafted in accordance with Guidelines 3/2019 of the European Data Protection Board (EDPB) and the indications of the Italian Data Protection Authority (Garante Privacy), provides full details on the processing methods, the areas monitored, and the safeguards adopted, also pursuant to the trade union agreement signed on July 22, 2021.



5. Nature of the data provision


The provision of personal data for the purposes referred to in points 1 (Management of the contractual relationship) and 2 (Fulfillment of legal obligations) of the previous table is mandatory. It constitutes a necessary requirement for the establishment and continuation of the business relationship. Failure to provide the requested data would make it impossible for UNIFREDDO S.R.L. to execute the contract and fulfill the related legal obligations.


6. Categories of recipients and international transfers


The personal data of the Data Subjects will not be disseminated, i.e., they will not be disclosed to unspecified parties. However, they may be disclosed, for the purposes described above, to well-defined categories of parties, who will act as independent Data Controllers or Data Processors pursuant to Article 28 of the GDPR, based on specific contractual agreements. These categories include:


  • consultants and freelancers who provide legal, tax, and accounting services.
  • credit institutions and payment processing companies.
  • companies that provide maintenance and support services for IT systems and technological infrastructure.
  • public authorities, supervisory and control bodies, if required by law or regulation.


7. Rights of the Data Subject


In relation to the processing of their personal data, each Data Subject may exercise the rights provided for in Articles 15 to 22 of the GDPR at any time. In particular, the Data Subject has the right to:


  • right of access (Article 15): obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, obtain access to the data and all the information required by law.
  • right to rectification (Article 16): obtain the correction of inaccurate personal data concerning them without undue delay.
  • right to erasure ("right to be forgotten") (Article 17): obtain the erasure of personal data concerning them, subject to limitations arising from legal obligations (for example, the obligation to retain tax and accounting data for ten years) or the need to ascertain, exercise, or defend a right in court.
  • right to restriction of processing (Article 18): obtain restriction of processing where one of the conditions set out in Article 18 of the GDPR applies.
  • right to object (Article 21): the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data carried out for the purposes of the Data Controller's legitimate interests (purpose 3). the Data Controller will refrain from further processing the data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the Data Subject.


The exercise of these rights is free of charge. To exercise their rights, the Data Subject may send a written communication to the Data Controller using the contact details provided in Section 2 of this Privacy Policy. The Data Controller will respond within one month of receiving the request.



8. Right to lodge a complaint


If the data subject believes that the processing of their personal data violates the provisions of the GDPR, they have the right to lodge a complaint with the competent supervisory authority. In Italy, the supervisory authority is the Italian Data Protection Authority (Garante per la protezione dei dati personali). The contact details for the Authority are as follows:


  • Address: Piazza Venezia n. 11, 00187 - Roma, Italia
  • Switchboard: (+39) 06.696771
  • Email: protocollo@gpdp.it
  • Certified email (PEC): protocollo@pec.gpdp.it (abilitata a ricevere solo comunicazioni provenienti da PEC)
  • Institutional website: www.gpdp.it o www.garanteprivacy.it

Further information and the necessary forms for filing a complaint are available on the Authority's website.