Information on the processing of personal data for customers and suppliers
(pursuant to art. 13 of EU Regulation 2016/679)
1. Introduction: purpose and scope of application of this information
In accordance with Article 13 of Regulation (EU) 2016/679 (hereinafter “GDPR”), HANTECH MEDICAL ITALY SPA provides this information to describe how it processes the personal data of its customers and suppliers.
It is essential to clarify the scope of this document. The GDPR protects the personal data of "natural persons." Therefore, this notice is specifically addressed to the following categories of individuals (hereinafter "Data Subjects"):
- Individuals operating as customers or suppliers in the form of sole proprietorships or as self-employed professionals with a VAT number.
- Natural persons acting in the name and on behalf of customers and suppliers established as legal entities (for example, corporations or partnerships), such as, by way of example and not limited to, legal representatives, directors, employees, collaborators and company contacts whose personal data are communicated to HANTECH MEDICAL ITALY SPA in the context of commercial relationships.
Data processing will be based on the principles of lawfulness, fairness, and transparency, to protect the privacy and rights of the Data Subjects.
2. The data controller
The Data Controller, or the entity that determines the purposes and means of processing personal data, is:
HANTECH MEDICAL ITALY SPA
- Registered office: Via Giacomo Matteotti 27/A, 45030 Villamarzana (RO), Italy
- Tax Code and VAT Number: 00051170298
- REA number: RO-72721
- Certified Email Address (PEC): hmitaly@legalmail.it
- Email address for privacy matters: HR.Italy@hantechmedical.com
3. Data Protection Officer (DPO)
Please be informed that, as of the date of publication of this notice, the Data Controller has not designated a Data Protection Officer (DPO), as the mandatory requirements set forth in Article 37 of the GDPR do not apply.
4. Purposes, legal bases and categories of data processed
The personal data of the Data Subjects are processed exclusively for the purposes described below and in accordance with the corresponding lawfulness conditions set forth in Article 6 of the GDPR. To ensure maximum clarity and transparency, the information relating to each processing activity is summarized in the following table.
| Purpose of the Processing | Description of Activities | Categories of Personal Data Processed | Legal Basis (Article 6 GDPR) | Retention Period |
|---|---|---|---|---|
| 1. Management of the contractual relationship | Pre-contractual activities, stipulation, management, and execution of contracts for the supply of goods or services. This includes order management, invoicing, payments, shipping, support, and any other activity strictly related to the commercial relationship. | Personal and contact details (name, surname, email address, telephone number), professional role, company details, banking and payment details (if relating to natural persons). | Art. 6, par. 1, letter b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” | For the entire duration of the contractual relationship and, at its end, for a period of 10 years to fulfill document retention obligations and for legal protection purposes. |
| 2. Fulfillment of legal obligations | Activities necessary to fulfill obligations under national and EU legislation, particularly accounting, tax, and administrative matters (e.g., recordkeeping, VAT compliance, communications to the competent authorities). | Data required for invoicing and accounting (name, surname, tax code, VAT number, address), and details of financial transactions. | Art. 6, par. 1, letter c): “processing is necessary for compliance with a legal obligation to which the controller is subject.” | For 10 years from the date of issue of the accounting document or registration, in accordance with Article 2220 of the Italian Civil Code and applicable tax legislation. |
| 3. Exercise and defense of rights in court | Data processing to ascertain, exercise, or defend a right of the Data Controller in or out of court (e.g., litigation management, debt collection, actions for breach of contract). | All data relating to the contractual relationship, including communications, correspondence, payment history, and contractual documentation. | Art. 6, par. 1, letter f): “processing is necessary for the purposes of the legitimate interests pursued by the data controller,” which consist in protecting their economic and legal rights and interests. | For the duration of the dispute, until the time limit for filing appeals has expired. In the absence of disputes, for 10 years from the termination of the contract, corresponding to the ordinary statute of limitations for contractual rights. |
| 4. Security and protection of company assets (Video surveillance) | Processing images of individuals accessing company premises to prevent unlawful acts (theft, damage), ensure staff safety, and protect company assets. | Video images (without audio recording) captured by a closed-circuit television (CCTV) system. | Art. 6, par. 1, letter f): “processing is necessary for the purposes of the legitimate interests pursued by the data controller,” as specified, balanced, and regulated in the dedicated extended privacy notice. | Images are retained for a maximum of 24 hours, unless there are specific and documented needs for further retention (e.g., requests from judicial authorities, holidays, or company closures), as detailed in the extended information. |
For the processing referred to in Purpose 4 (Video Surveillance), express reference is made to the extended Information on the Processing of Personal Data through the Video Surveillance System, which can be requested at the address HR.Italy@hantechmedical.com. This document, drafted in accordance with the European Data Protection Board (EDPB) Guidelines 3/2019 and the indications of the Italian Data Protection Authority (Garante Privacy), provides full details on the processing methods, the areas monitored, and the safeguards adopted, also pursuant to the trade union agreement signed on July 22, 2021.
5. Nature of the data provision
The provision of personal data for the purposes set out in points 1 (Management of the contractual relationship) and 2 (Fulfillment of legal obligations) of the previous table is mandatory. It constitutes a necessary requirement for the establishment and continuation of the business relationship. Failure to provide the requested data would make it impossible for HANTECH MEDICAL ITALY SPA to execute the contract and fulfill the related legal obligations.
Data processing for the purpose referred to in point 3 (Exercising and defending legal claims) does not require specific provision, as it pursues the Data Controller's legitimate interest by using data already collected for other purposes. Processing for the purpose referred to in point 4 (Video surveillance) is intrinsically linked to physical access to company premises.
6. Categories of recipients and international transfers
The personal data of the Data Subjects will not be disseminated, i.e., will not be disclosed to unspecified parties. However, they may be disclosed, for the purposes described above, to specific categories of parties who will act as independent Data Controllers or Data Processors pursuant to Art. 28 of the GDPR, based on specific contractual agreements. These categories include:
- Consultants and freelancers providing legal, tax, and accounting services.
- Credit institutions and payment processing companies.
- Companies that provide maintenance and support services for IT systems and technological infrastructure.
- Public authorities, bodies, and supervisory and control bodies, where required by law or regulation.
Furthermore, please note that aggregated and anonymized data relating to business flows with customers and suppliers, which do not constitute personal data pursuant to Regulation (EU) 2016/679 as they do not allow the identification of natural persons in any way, even indirectly, may be shared with the parent company, HANTECH MEDICAL DEVICE CO. LTD, based in China, for statistical analysis and internal reporting purposes. The processing of personal data outside the European Economic Area is not foreseen.
7. Rights of the Data Subject
In relation to the processing of their personal data, each Data Subject may exercise the rights provided for in Articles 15 to 22 of the GDPR at any time. Specifically, the Data Subject has the right to:
- Right of access (Article 15): Obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, obtain access to the data and all the information required by law.
- Right to rectification (Article 16): Obtain the correction of inaccurate personal data concerning you without undue delay.
- Right to erasure (“right to be forgotten”) (Article 17): Obtain the erasure of your personal data, subject to limitations arising from legal obligations (for example, the obligation to retain tax and accounting data for ten years) or the need to ascertain, exercise, or defend a right in court.
- Right to restriction of processing (Article 18): Obtain restriction of processing where one of the conditions set out in Article 18 of the GDPR applies.
- Right to object (Article 21): Object at any time, for reasons related to your particular situation, to the processing of your personal data carried out for the purposes of the Data Controller's legitimate interests (purpose 3). The Data Controller will refrain from further processing the data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the Data Subject.
The exercise of these rights is free of charge. To exercise their rights, the Data Subject may send a written communication to the Data Controller using the contact details provided in Section 2 of this notice. The Data Controller will respond within one month of receiving the request.
8. Right to lodge a complaint
If the data subject believes that the processing of their personal data violates the provisions of the GDPR, they have the right to lodge a complaint with the competent supervisory authority. In Italy, the supervisory authority is the Italian Data Protection Authority (Garante per la protezione dei dati personali). The contact details for the Authority are as follows:
Address: Piazza Venezia n. 11, 00187 - Rome, Italy
Telephone switchboard: (+39) 06.696771
Email: protocollo@gpdp.it
Certified electronic mail (PEC): protocollo@pec.gpdp.it (enabled to receive only communications from certified email)
Institutional website: www.gpdp.it or www.garanteprivacy.it
Further information and the forms required to submit a complaint are available on the Authority's website.