Information required by EU Reg. 2016/679

The EU Regulation 2016/679 (from now on, ‘GDPR’), as well as other legal provisions (including Legislative Decree 196/2003, from now on, ‘Privacy Code’) and regulations, protect the confidentiality of personal data and impose several obligations on those who process personal information on natural persons, defined as data subjects. Among the essential duties imposed by the GDPR is informing data subjects and acquiring their consent to the processing, where required as a legal basis.

This statement refers to the processing of personal data – provided directly by the company, entity, or professional and acquired from third parties – for the procedures related to the participation of ES+ Srl in a tender or to the submission (and subsequent evaluation) of an offer, but also for the stipulation and execution of a contract (contract/supply or other), the related fulfilments and the related administrative-accounting activities.

For the purposes mentioned above, personal data relating to legal representatives, technical managers, employees/collaborators of the other party and any subcontractors may or shall be collected and processed.

Given that the data processing carried out by ES+ Srl will be based on the principles of lawfulness, correctness and transparency, minimisation and limitation of data retention, accuracy, integrity and confidentiality, the following information is provided:

  1. The Data Controller is ES+ Srl, with a registered office in Milan (MI), Piazza della Repubblica n. 10 CAP 20121, tax code and VAT no. 12651560968, PEC:;
  2. ES+ Srl has not appointed a Data Protection Officer. Still, the Sole Director and Legal Representative, Mr Antonio Lobosco, who has the necessary powers of signature, is the reference person to apply the data processing regulations.
  3. Data provided by or acquired from third parties will be lawfully processed due to the legal basis and solely for the purposes described in the table below:


| Purpose | GDPR Legal Basis |
| --- | --- |
| 1) Carry out preliminary activities, and verify the technical, economic and financial suitability and the existence of all requirements imposed by the applicable regulations, to enable the subsequent conclusion and execution of the contract. Stipulation and execution of the contract. | 6.1.b – Contract; 6.1.c – Legal Obligation |
| 2) Where required by law, judicial data relating to the company’s legal and technical representatives are also processed to verify the absence of grounds for exclusion and the lack of disqualification measures for the company according to Legislative Decree 231/01 or the Anti-Mafia Regulations. | 6.1.c – Legal Obligation |
| 3) In the case of construction sites or works in areas managed by the Controller, data of employees/collaborators with a role in the execution of the contract are also processed to manage accident prevention issues. | 6.1.c – Legal Obligation |
| 4) Accounting, administrative and financial management. | 6.1.c – Legal Obligation |
| 5) Exercise of a right in court to defend the interests of the Controller. | 6.1.f – Legitimate Interest |
| 6) Promotion and disclosure of services. By way of example, sending – by automated or non-automated means of contact (such as e-mail, social media) – newsletters relating to the services offered by ES+ Srl. | The condition that makes the processing lawful is 6.1.a – Consent of the person concerned |

The data will be processed on paper and magnetic media, manually and by electronic or, in any case, automated means, and will be kept for 10 years and, in the event of litigation, until the judgments at all levels have become final.

  1. The provision of data is compulsory for all that is required for legal and contractual fulfilment. The data may be processed to comply with requests by the competent administrative or judicial authorities and, more generally, by public subjects in compliance with legal obligations.
  2. The data may be processed by parties qualified as Data Processors according to Articles 4.8 and 28 of the GDPR (Professionals with internal control roles; Safety Coordinator during the execution phase, in the case of construction sites; Director of Works, if appointed; Accountants; Consultancy and service companies; Hardware and software assistance companies; …) and by parties (employees and collaborators in various capacities) specifically authorised to process the data according to Article 29 of the GDPR, who operate under the direct authority of the Data Controller, who has instructed them to do so.
  3. Bearing in mind that communication to third parties does not exempt the latter from providing the information and from lawfully processing the data only based on a valid legal basis, it is hereby specified that, except for communication to parties whose right to access the data is recognised by provisions of Law or orders of Authorities, the data may be communicated to Banks and Financial Institutions; Leasing/Factoring companies; Insurances and Brokers; Professionals and Service Companies; Authorities responsible for fulfilling obligations of Law and provisions of public bodies; Authority for the supervision of public contracts for works, services and supplies, according to art. 1 paragraph 32, Law no. 190/2012 for tender agreements.
  4. Data dissemination is limited to possible publication in compliance with legal obligations.
  5. Regarding any Cloud services that the Data Controller uses, the data may be transferred to a third country, only to countries with a high standard of personal data protection, subject to adequacy decisions by the Authorities.
  6. By contacting the Sole Administrator, it will be possible at any time to exercise one’s rights under Articles 15 to 22 of the GDPR, i.e. the right to request from the data controller access to, rectification or deletion of personal data or restriction of the processing thereof, as well as to object to the processing. The Sole Administrator may also request a list of the persons appointed as Data Processors.
  7. It is the prerogative of the data subject to address a complaint to a supervisory authority.