Suppliers Privacy Information

Riva Forni Elettrici S.p.A. with registered office in Milan, Viale Certosa 249, as Data Controller pursuant to EU Regulation 679/2016 applicable from 25 May 2018 - General Regulation on Data Protection (“GDPR”) and pursuant to Legislative Decree no. 196/2003 - Personal Data Protection Code (“Privacy Code”) as amended by Legislative Decree 101/18 (hereinafter the Privacy Code and GDPR are collectively referred to as “Applicable Law”) recognizes the importance of protecting Personal Data and considers their protection one of the main objectives of its activities.

In accordance with the Applicable Law, we provide you with the necessary information regarding the processing of the Personal Data you provide. This information is provided in accordance with art. 13 of the Applicable Law and Riva Forni Elettrici S.p.A. invites you to read it carefully as it contains important information on the protection of Personal Data and on the security measures adopted to guarantee their confidentiality in full compliance with the Applicable Law.

Riva Forni Elettrici S.p.A. informs that the processing of Personal Data will be based on the principles of lawfulness, correctness, transparency, limitation of purposes and storage, adequacy, minimization of data, accuracy, integrity and confidentiality. Personal Data will therefore be processed in accordance with the legal provisions of the Applicable Law and the confidentiality obligations provided for therein.

In view of the above, we inform you in accordance with articles 6, 7, 9 and 13 of the GDPR

Privacy Policy


In the context of the execution of the contractual relationship between the Parties, the Data Controller may process the following categories of data:

- Personal Data such as biographical and identification data of employees working in your organization or natural persons who represent you;

- Personal Data relating to Criminal Convictions and Offences, in the context of the processing of economic data accessible by anyone (publicly accessible registers and documents, such as chamber of commerce registration details and public registers).


The processing to which your Personal Data will be subjected has the following purposes:

- Administrative-accounting. For the purposes of applying the provisions on the protection of Personal Data, the processing operations carried out for administrative-accounting purposes are those related to the performance of activities of an organisational, administrative, financial and accounting nature, regardless of the nature of the data processed. In particular, these purposes are pursued by internal organizational activities, those functional to the fulfilment of contractual and pre-contractual obligations, the management of the employment relationship in all its phases, the keeping of accounts and the application of the rules on tax, trade union, social security and welfare, health, hygiene and safety at work.

The legal basis of the treatment is the execution of the contract and the commercial relations with you, as well as the need for Riva Forni Elettrici S.p.A. to conduct all the various administrative, commercial, accounting and fiscal activities deriving from this relationship and necessary to fulfil the legal obligations.

Concerning the data that we are required to know in order to fulfil the obligations arising from existing contracts, and the obligations under laws, regulations, European legislation, or provisions issued by the authorities entitled to do so by law and by supervisory and control bodies, failure to provide them will make it impossible to establish or continue the relationship, to the extent that such data are necessary for the execution of the same.

The Data Controller also informs that the possible non-communication, or incorrect communication, of one of the obligatory information, leads to the following consequences:


- the impossibility of the Data Controller to guarantee the adequacy of the treatment itself to the contractual agreements for which it is performed;

- the possible mismatch between the results of the treatment itself and the obligations imposed by fiscal, administrative and civil law to which it is addressed.



The processing may be carried out manually or with the aid of electronic or automated systems, will take place at the aforementioned headquarters of the Data Controller, at the operating offices or at third parties identified and will include, in compliance with the limits and conditions set forth in art. 5 and 25 of the GDPR, all the operations provided for in art. 4, paragraph 1, no. 2) of the GDPR (collection, registration, processing, etc..), necessary for the processing in question, including the communication to the parties referred to in the next point.



The data being processed will not be disclosed, unless explicitly authorized by the person concerned after proper information. The data may instead be communicated to companies contractually linked to the Data Controller. The data may be communicated to third parties belonging to the following categories:

- service providers used by the Data Controller for the management of the information system and telecommunications networks, and to take care of the maintenance of IT systems (including e-mail);

- professionals, studios or companies providing assistance and consulting;

- auditors and people checking and certifying the activities carried out by the Data Controller;

- competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request of the same.


The identification data processed in application of the corporate security procedures are not subject to communication, except for explicit and specific requests that may be made by the competent judicial and investigative authorities.

The subjects belonging to the above-mentioned categories act as Data Processors or operate in total autonomy as separate Data Controllers. The list of Data Processors is constantly updated and available on request at the headquarters of the Data Controller.

We also inform you that the processing of Personal Data is carried out in a system of joint control between Riva Forni Elettrici S.p.A. and Riva Acciaio S.p.A. The parties have determined in a transparent way their respective responsibilities regarding the observance of the obligations deriving from the Regulation, through an internal agreement stipulated according to art. 26 of the GDPR. In particular, the parties agree that the respective areas of control concern the processing of customer data in compliance with the purposes set out below, such as:

- Management of ICT systems;

- Management of internal control activities and preparation of financial statements;

- Management of the secretariat and access control;


Any further communication or dissemination will take place only with the express consent of the person concerned.

Moreover, in the course of ordinary processing activities, the subjects expressly designated by the undersigned as being in charge of processing, authorised according to their respective profiles, may have access to personal and identification data and therefore become aware of them.



Due to the configuration of the IT infrastructure your data may be communicated to companies contractually linked to Riva Forni Elettrici S.p.A. with registered offices in third countries outside the EU, in accordance with and within the limits provided for by the Applicable Law. In particular, your Personal Data may be transferred to Switzerland, a country in respect of which the EU Commission has taken a decision of adequacy pursuant to art. 45 of the GDPR.



The processing of the Personal Data in question and their storage will have a duration coinciding with the time necessary for the exhaustion of the purposes indicated in this statement and in any case with the duration of the contractual or commercial relationship in place and up to 10 years from the end of the contractual or commercial relationship with you. Beyond this term, Riva Forni Elettrici S.p.A. reserves the right to store and process your Personal Data for the sole purpose of ascertaining, exercising or defending a right in court.



As a Data Subject, you have the right to request from the Data Controller the access your Personal Data, the rectification or erasure thereof and to limit or object to the processing of your Personal Data.

As a Data Subject, you have the right to lodge a complaint with the competent supervisory authority (Personal Data Protection Authority).



The Data Controller is the company Riva Forni Elettrici S.p.A. with registered office in Milan Viale Certosa 249, tel. 02307001, e-mail address In turn, Riva Forni Elettrici S.p.A. has appointed GetSolution di Paola Generali, with registered office in Via Ippolito Rosellini, 12 20124 Milan, tel. 0239661701 e-mail address, as Data Protection Officer (DPO), available for any information regarding the processing of Personal Data carried out by the Data Controller.