Privacy Policy Suppliers & Clients




In accordance with article 13 of the UE regulation 2016/679


Devon&Devon S.p.A. (hereinafter defined the “Data Controller”), in its position of data controller, in accordance with art. 13 of the UE Regulation 2016/679 (“Privacy Regulation”) and subsequent amendments and integrations, collects and then processes personal data of its customers and suppliers (hereinafter defined “Data Subject”).


  1. Types of processed data

Personal data subject to processing are:


“Common” personal data. The said information includes, for example, personal data, contact data (e-mail address and telephone number);


  1. Purpose and processing method

The subject’s personal data are processed during the ordinary Data Controller activity, in order to pursue the following objectives:


  1. complete and correct fulfilment of obligations of the contractual relationship established (hereinafter defined “Contract”);
  2. fulfilments of administrative and accounting measures strictly linked to the Contract;
  3. fulfilments of specific obligations required by the Law, by a regulation or by the community’s legislation;
  4. promotional activities related to products and services.


The processing of personal data takes place under the authority of the Data Controller, by personnel specifically entrusted, authorized and trained in processing method, in accordance with art. 30 of the Privacy Code and art. 29 of the Privacy Regulation, through manual, computerized or telematic tools, with logics strictly related to the purposes and in any case in order to guarantee the confidentiality and safety of personal data. The processing of personal data may also take place, on behalf of the Data Controller, by the Data Processors specifically designated in accordance with art. 29 of the Privacy Code and art. 28 of the privacy regulation.


  1. Legal basis of processing and nature of the provision

With reference to the purposes referred to in paragraph 2, points 1, 2, 3 above, the provision of personal data is mandatory and constitutes a necessary requirement for the execution of the Contract and the related tax and administrative obligations. Failure to provide data determines the inability to receive the service covered by the Contract itself. The legal basis of the related processing is the correct execution and management of the Contract.


With reference to point 2.4 - activities towards acquired customers -, the legal basis is the legitimate interest of the Data Controller. The customer may stop receiving these communications by e-mail at any time.


  1. Subjects or categories of subjects to whom personal data can be communicated and scope of communication.

In relation to the purposes of the data process indicated above, and within the strictly relevant limits to the same, personal data of the subject party will be or may be disclosed to the following categories of subjects:


  • Financial Administration and other public authorities, where required by law or upon their request;
  • Credit institutions for payment orders or other financial instrumental for the execution of the Contract;
  • Third parties that exercise control activities, such as independent auditors firms, board of statutory auditors, supervisory body;
  • Companies and organizations for credit management and / or for the protection of interests and right;
  • Parties designated as external data processors pursuant to art. 28 of the Privacy Regulation, for related or consequent activities to the execution of the Contract.


The updated list of the indicated parties and the Data Processors can be provided by the data controller upon request by the interested party (data subject).


  1. Extra-EU data transfer

Personal data will not be transferred to non-EU countries; unless for reasons arising from the execution of the contract, or the fulfilment of legal obligations, if a transfer to non-EU countries and / or organizations is necessary, that transfer will take place in compliance with applicable law. The transfers will be made through adequate guarantees, such as adequacy decisions, standard contractual clauses approved by the European Commission or other legal instruments.


  1. Data retention period or criteria for determining the period

Personal data of the data subject are kept by the Data Controller for the time necessary to fulfil the purposes referred to in paragraph no. 2 (points 1 to 3), as well as for that prescribed by civil, fiscal and regulatory norms and rules and in any case no longer than 10 years from the termination of the Contract.


Regarding the promotional purposes towards customers already acquired (paragraph 2, point 4) the data of the subject will be processed until the exercise of the right of opposition (activated at the beginning, on the occasion of sending the individual communications and / or through direct contact of the controller) and in any case no later than 24 months from collection.


Once the retention periods have elapsed, data will be anonymized or deleted, unless it is necessary to keep them for other purposes foreseen by express provision of the law.


  1. Rights of the data subject.

Article 15 and seq. of the Privacy Regulation give the data subject the right to:


  • access to personal data, (or a copy of such personal data), as well as to further information on current on-going treatments;
  • correct or update of personal data processed by the Data Controller, if they are incomplete or out of date;
  • delete personal data from the controller's databases in the cases provided for by current legislation;
  • limitate processing of personal data by the Data Controller;


  • obtain a structured format, commonly used and readable by an automatic device for personal data concerning him;
  • opposite to the processing of personal data by the Data Controller (e.g. promotional activities)


The data subject can exercise his rights by writing to Devon&Devon S.p.A. at the following email address:


In any case, you always have the right to lodge a complaint with the competent Control Authority (Guarantor of the data Protection).


  1. Changes to the privacy policy

The data controller has the right to modify, update, add or remove parts of this information, by giving notice to the data subjects.


Information updated in November 2021