Introduction

Horizon (QA/QC) Limited and its subsidiaries are committed to respecting your privacy and protecting your personal information.

This policy contains important information about what to expect when Horizon (QA/QC) collects personal information about you and how we will use your personal data. Please read this policy carefully to understand our views and practices regarding your personal data.

Privacy Notice

Pursuant to article 13 of Regulation (EU) 2016/679 (hereinafter referred to as “GDPR”) and in relation to the data provided by the Supplier or obtained by the Controller during the contractual relations or, in any case, related thereto, the Supplier is hereby informed that its data will be processed by the following means and for the following purposes:

1. Data Controller

The data controller is Horizon (QA/QC) Limited whose registered office is in 98 Westbury Lane, Buckhurst Hill, Essex, IG9 5PW, United Kingdom (Company Registration Number 6446105), as well as the Company(ies) in the Horizon (QA/QC) Group with which you have and/or may sign a services contract (hereinafter the “Controller”). The Controller can be contacted via the contact details shown on the www.horizon-quality.com website, or via the e-mail address for the Data Protection Officer dpo@horizon-quality.com.

2. Purpose of processing

The Controller processes the personal data (hereinafter referred to as “personal data” or also “data”) provided by you, without needing to obtain your explicit consent, for the following purposes:

- To proceed with the qualification process of the Supplier according to the Controller’s corporate procedures;

- To conclude supply contracts for the Supplier’s services and/or goods;

- To fulfil pre-contractual, contractual, and fiscal obligations arising from relations in force with the Supplier;

- To fulfil the obligations imposed by law or by an order of the competent Authority;

- To exercise the Controller’s rights, such as the right to defence in a lawsuit.

3. Processing method

The Controller will process personal data in accordance with the principles of lawfulness, fairness and transparency.

Your personal data is processed by means of the following operations: collection, recording, organisation, structuring, storage, consultation, adaptation or alteration, use, dissemination, disclosure by transmission, retrieval, alignment or combination, restriction, erasure or destruction of the data. Your personal data are subjected to both hard-copy and electronic processing.

The Controller will process the personal data for the time necessary to carry out the purposes indicated above and, in any case, for not more than 30 years from termination of contractual relations and not more than 2 years from collecting data for marketing purposes.

Once 10 years have passed since the contractual relations have ceased, access to the data will be limited to heads of departments.

Should the Controller have a need to store the data for a period longer than 30 years (e.g. if erasure could compromise its legitimate right to defence or in general, to safeguard its company assets), such further storage shall take place, limiting access to said data to the head of the legal department only, in order to guarantee the legitimate exercising of the right of defence of the Controller.

4. Recipients of the Data

Your data may be made accessible for the purposes indicated in section 2 to the following recipients:

- Affiliate companies or subsidiaries of the Horizon (QA/QC) Group, in the United Kingdom and abroad, to the extent to which this is necessary for processing, in conformity to the binding corporate rules adopted by the Horizon (QA/QC) Group;

- Companies or other third entities (credit institutions, professional firms, consultants, insurance companies for providing insurance services, auditing companies, supervisory institutions, etc.) who carry out activities on an outsourcing basis, on the Controller’s behalf;

- Public or private Controller’s clients, should this be necessary in order to carry out the activities covered by the relevant contract;

- Public entities, for fulfilling legal obligations.

Without requiring your explicit consent, the Controller may communicate your data for the purposes indicated in section 2 to supervisory bodies, judicial authorities, insurance companies for providing insurance services, as well as to entities to which communication is mandatory in terms of the law, for carrying out said purposes.

5. Transfers of Data

Personal data are stored on servers located within the European Union. In any case, it is understood that, should this be necessary, the Controller will have the right to move the servers outside the EU. The Controller hereby guarantees that in case of transfer of data outside the EU for the above purposes, the transfer will be done in accordance with the applicable laws, also by means of including standard contractual clauses provided for by the European Commission, and adopting binding corporate rules for intra-group transfers.

6. Consent

The provision of data and related processing for the purposes indicated in section 2 are necessary in order to enter into and implement the contract and for any pre-contractual obligations. Any refusal will make it impossible for the Controller to provide the services covered by the contract.

7. Rights of the Data Subject

As the data subject, you have the right to:

i. obtain confirmation of whether or not personal data regarding you are processed, as well as to obtain a copy of said data;

ii. obtain an indication of: a) the source of the personal data; b) the purposes and means of processing; c) the logic involved in the case of processing done with the help of electronic instruments; d) the identity and contact details of the controller, controller’s representatives, processors and data protection officer; e) the recipients or categories of recipients to which the personal data can be communicated, or who can come to know the same as the designated representative within the territory of the State, processors, or employees who carry out processing.

iii. obtain: a) updating, rectification, or completion of the data; b) erasure, transformation into an anonymous form or blocking of data processed in violation of laws; c) certification that the operations referred to in letters a) and b) have been made known, also in relation to their content, to those to whom the data have been communicated or disclosed by transmission, unless this is impossible or involves a disproportionate effort; d) a structured format, from the Controller, commonly used and provided in an intelligible and easily accessible form with the personal data related to you, and, where technically feasible, to obtain transmission of said data directly from one controller to another;

iv. object to: a) processing of your personal data, even if pertinent to the purpose for which they were collected; b) processing of your personal data for the purposes of sending advertising or direct sales materials, or for carrying out market research or commercial communication, using automated telephone calling systems without an operator, by e-mail and/or by means of traditional telephone and/or hard copy postal marketing methods. Such right to object may also be exercised only in part, thereby allowing the data subject to choose whether to receive only communications using traditional means or only automated communications, or neither of the two types of communication.

v. Therefore, in your capacity as data subject, you have the rights pursuant to art 7 of the Privacy Code and art 15 – 21 of GDPR, as well as the right to lodge a complaint with the competent Authority pursuant to art 77 of GDPR.

8. Procedure for exercising rights and communications

The Controller has appointed a Data Protection Officer, who can be contacted for all matters related to processing of your personal data and the exercising of related rights. Therefore, you may contact the Data Protection Officer at any time, using the following procedures:

By sending a registered letter with notification of receipt to Horizon (QA/QC) Limited, 98 Westbury Lane, Buckhurst Hill, Essex, IG9 5PW, for the attention of the Data Protection Officer, or by sending an e-mail message to dpo@horizon-quality.com.

We wish to state that you have the right to withdraw the consent given at any time by writing to dpo@horizon-quality.com.