Privacy notice for existing or potential customers and suppliers and other contacts for work-related communications

articles 13-14 of EU Regulation 2016/679

Pursuant to the General Data Protection Regulation relating to the personal details of private persons in art. 13 of Italian Legislative Decree n. 196 30/6/2003 and article 13 of EU Regulation 2016/679, the ILPA GROUP’s companies (I.L.P.A. S.P.A, ILIP S.R.L., MP3 S.R.L., AMP RECYCLING S.R.L.), Data Controller, hereby inform you that your personal details will be processed using the methods and for the purposes described below:

1. Subject of data processing

Any personal details in the possession of the undersigned organisation are collected from the interested parties directly and are provided by them voluntarily and directly, and from third parties (including the Internet, public records, etc.).

Such information includes your name, contact and banking information, address, telephone numbers, postal and email addresses. The interested parties are identified and identifiable third parties who share an interest with the undersigned organisation or an existing or potential party to the contract, such as customers, suppliers, partners, public administrations, and associations, and with whom relations linked to work/interest exist with the undersigned.

2. Purpose of data processing

Personal details are processed to enable communication between the undersigned organisation, including its personnel, and the interested party as part of day-to-day operations.

Your personal details will be processed without your explicit authorisation (art. 24 comma a), b), c) Privacy Code and art. 6 comma b), e) GDPR) for the following Purposes:

  1. purposes strictly linked to the execution and implementation of services required (GDPR articles 6(b) and 9(a)), and in particular the management of existing or potential customers and suppliers, carried out by entering data in company databases in order to comply with regulatory and contractual obligations, for internal organisation of work, statistics and other purposes linked to the business of the undersigned organisation, including obligations linked to civil, fiscal, tax, accounting, remuneration, welfare, insurance regulations, including the sending of circular letters and notices associated with the contracted operations for the delivery of the services required;
  2. purposes linked to legal obligations and the provisions issued by authorities with the legal power to do so (GDPR articles 6(c) and 9(b,g,h)).

3. Effects in case of refusal to provide personal details

You can decide whether to provide your personal details or not, but providing them is essential for them to be processed for the purposes described in commas a) and b). Should you refuse to provide essential personal details, it will not be possible to go ahead with the exchange of communications between the personnel of the undersigned organisation and you, as the interested party. Providing non-essential personal details is optional.

Refusing authorisation or providing incomplete or incorrect personal details, including sensitive details, could result in obligations not being fulfilled, thus resulting in damages in terms of fines or the loss of benefits due to the impossibility to guarantee the adequacy of the data processing with regard to the obligations for which it is carried out, and due to the possible failure of the results of data processing to fulfil obligations, and exonerating the undersigned organisation from any liability in case of fines or punitive action.

4. Methods of processing and security

Data processing refers to the collection, recording, organisation, storage, processing, modification, deletion, and destroying of data, or the combination of two or more of said operations. With regard to the above-mentioned purposes, the processing of personal details is done on paper and using manual, computerised and remote instruments, which may be automated, in order to store and handle the details, using logic closely linked to the purposes themselves and, in any case, so as to safeguard their security and confidentiality. Personal details will be processed using the methods indicated in art. 5 of EU Regulation 2016/679, which also requires data to be handled lawfully and correctly, collected and recorded for purposes that are stated, explicit and legitimate, exact and, if necessary, updated, pertinent, complete and not excessive with respect to the purpose of processing, respecting the rights and fundamental liberties and dignity of the interested party with particular reference to confidentiality and personal identity, making use of measures for its safety and protection. The undersigned organisation has implemented and will continue to improve a security system for access to data and its storage.

No automated decision-making processes are in use (such as profiling).

5. Transfer outside the EU

Data processing will take place primarily in Italy and within the EU, but may be carried out in countries outside the EU and EEA should this be considered useful in order to pursue the purposes more effectively and with safeguards in place in favour of the interested parties.

6. Period of storage

Generally speaking, personal details are stored as long as the purposes of processing continue to exist: they will be stored for the full duration of the contractual relationship and, after this has been terminated, until the end of any legal requirements, unless the relationship is reinstated.

7. Categories of recipients

Personal details (essential details only) are shared with:

  • Persons associated or responsible for data processing, who may be employees of the undersigned organisation or third parties, who carry out specific duties and actions (sales network in-house or sales reps, companies carrying out market research, commercial partners, third parties working with the company to safeguard its compliance with all or part of its obligations as specified in the contract or associated with them, banks and similar institutes in general, risk agencies and/or companies providing business information services, business associations and the like).
  • In the cases and to the persons as specified by law
  • Personal details will not be shared unless this is required by law.

Furthermore, without the prior general authorisation of the interested party with regard to notification to third parties, it will only be possible to provide services that do not require such notification. In case of need, specific and prompt authorisation will be sought and the persons receiving personal details will make use of them as independent data controllers.

8. Rights of the interested party

You may, at any time: exercise your rights (access, rectify, delete, limit, portability, oppose, lack of automated decision making processes) when envisaged with respect to the controller of data processing, pursuant to articles 15 to 22 in GDPR (provided below); file a complaint with the Italian Data Protection Authority; should the processing require your authorisation, withdraw said authorisation, bearing in mind that withdrawing your authorisation does not affect the legitimacy of any processing based on your authorisation given prior to withdrawal.

9. Exercising your rights

You may exercise your rights at any time by sending written notice to:

I.L.P.A. S.P.A.
Via Castelfranco 52
40053 Valsamoggia (BO)

The full list of data processors is available on request.