Privacy notice pursuant to Article 13 of EU Regulation No. 679/2016

Dear User,
Bios Group is an international organization comprised of multiple national companies interconnected at the corporate level.
Within this structure, the Italian company Bios Management S.r.l., located at Strada Statale 231, 80/D, Santa Vittoria d'Alba (12069 – CN – Italy), VAT number IT03029760042, has been designated as the Data Controller (hereinafter referred to as "Controller" or "Bios"). This designation includes a commitment, on behalf of the entire group, to fulfill all legal obligations related to data processing.
In accordance with Article 13 of EU Regulation No. 679/2016 (commonly known as the "GDPR"), the Controller informs you that it is necessary to process the personal data you provided when signing the contract or purchase order for goods, services, or requested performances. This processing will be conducted in full compliance with applicable laws, as outlined below.
1. Subject of the Processing and Categories of Data Processed
The Data Controller processes the following personal data (hereinafter "Data") collected during your visits to our website:
1 Navigation Data
The computer systems and software used to operate this website automatically acquire certain personal data during normal operation. This data transmission is implicit in the use of Internet communication protocols. Although not collected to identify users, this information could, through processing and association with data held by third parties, potentially identify individuals.
This category of data includes IP addresses or domain names of the devices used to access the site, URI (Uniform Resource Identifier) addresses of requested resources, time of the request, method used to submit the request to the server, size of the file obtained in response, numerical codes indicating the server's response status (e.g., successful, error), and other parameters related to the user's operating system and IT environment.
2 Data voluntarily provided by the user
When you voluntarily send emails to the addresses listed on this website, complete forms to request information, or send messages via the WhatsApp chat, the sender's email address and/or phone number are acquired to respond to your requests. Any additional personal data provided will also be processed.
Data processing will adhere to principles of fairness, lawfulness, transparency, and privacy protection. The data will be processed and stored using IT tools for the time strictly necessary to fulfill the purposes for which they were collected. Specific security measures are in place to prevent data loss, unauthorized access, and unlawful use.
3 Cookies
Cookies are small text files sent by websites to your device, stored locally, and retransmitted to the websites upon subsequent visits.
The website uses the following types of cookies:
- Session Cookies: Used to transmit session identification data generated by the server. These cookies are not stored persistently on your device and are automatically deleted when you close your browser.
- Technical Cookie: Enables saving of user preferences (e.g., vehicle search preferences). This cookie is stored locally on your device, not transmitted externally, and solely enhances the browsing experience.
- Third-Party Cookies: Used to display Google Maps. The Data Controller does not access or process data collected by third parties. For information on how Google Maps handles data, please refer to the respective privacy policies.
- Note: Technical cookies are not used for profiling purposes, and the website does not employ any profiling cookies.
Managing Cookies
Users can enable or disable cookies by modifying browser settings. For guidance on managing cookie preferences, consult the instructions provided by your browser vendor.
On the website biosmanagement.com, there is a banner that allows users to individually enable or disable cookies.
4 Newsletter
The website allows users to subscribe to the Data Controller's newsletter through a dedicated form. The email address provided is entered into the Data Controller's CRM system and is used to send institutional and/or commercial communications.
5 Join our team
The website provides the option for users to submit their application to join the Data Controller's staff. This function involves the collection of personal and contact information, as well as details related to the candidate's professional and educational background, with the additional possibility of attaching an externally produced CV.
The Data Controller does not knowingly collect data from individuals under the age of 18.
2. Purposes, Legal Basis of Processing, and Consequences of Failing to Provide the Data
Your data is processed lawfully and fairly for the purposes outlined below:
A. Performance of Contractual and Pre-Contractual Obligations
This purpose is the legal basis for processing your data, as it is essential for the Data Controller to:
- Conduct preliminary activities and fulfill contractual obligations.
- Address any issues related to managing the services you have requested.
- Fulfill administrative and accounting duties, such as invoicing, historical archiving, credit recovery (including factoring, credit insurance, debt assignment, etc.), and measures to mitigate credit risk (e.g., assessing financial reliability).
Providing this data is, depending on the context, either a contractual obligation or a prerequisite for concluding the contract. Failure to provide the necessary data may prevent the Data Controller from establishing or executing the contractual relationship.
B. Compliance with Legal Obligations
This legal basis justifies processing when the Data Controller is required to:
- Fulfill legal, accounting, fiscal, administrative, and contractual obligations related to the services provided.
- Manage relationships with authorities, regulatory bodies, and third-party public entities for compliance with specific requests, legal obligations, or procedures.
Providing data for these purposes is mandatory under the law. If you do not provide this data, the Data Controller may be unable to establish the contractual relationship and may be legally obligated to make reports.
C. Legitimate Interests of the Data Controller
This legal basis applies when processing is necessary for the Data Controller to share certain personal data with other companies in the Bios Group for internal administrative purposes.
D. Promotional and Institutional Communications
This purpose requires your explicit consent, such as when you subscribe to a newsletter. Consent must be clearly provided when sharing the requested data.
E. Staff Recruitment
This purpose is governed by the need to execute contractual obligations (per Article 6, paragraph 1, letter b of the GDPR). Specific consent is required for:
- Retaining your information beyond the duration of the selection process.
- Processing special categories of data that you may voluntarily share with the Data Controller.
3. Methods of Processing
The processing of your data is carried out through the operations indicated in Article 4, paragraph 2) of the GDPR, specifically: collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication through transmission, comparison or interconnection, restriction, deletion, or destruction of the data.
Your data is processed both in paper and electronic and/or automated formats.
The acquired data is subject to processing in full compliance with legal regulations, as well as the principles of lawfulness, fairness, transparency, data minimization, and the protection of your privacy and rights.
4. Data Retention Period
The Data Controller retains the data in compliance with local laws and internal company policies and procedures for the time necessary to fulfill the purposes outlined above and to satisfy its legitimate commercial interests, legal obligations, or to establish, exercise, or defend legal rights. Once the need to retain the data for these purposes has expired, the data will be securely deleted. For more information on the document retention policy, you can consult the excerpt of the data retention policy available in the privacy section on the Data Controller’s website.
5. Categories of recipients of personal data
Your data may be made accessible for the purposes described above to the following:
1. Internal Personnel and Collaborators
Employees and collaborators of the Data Controller, both in Italy and abroad, in their capacity as:
- Authorized personnel under Article 29 of the GDPR.
- Individuals assigned specific roles and responsibilities under Article 2-quaterdecies of Legislative Decree No. 196/2003.
- Data processors or sub-processors under Article 28 of the GDPR.
2. Sub-Processors
Sub-processors appointed by the Data Controller under Article 28 of the GDPR. This includes companies within the Bios Group that may act as data processors for your data, for example:
- Marketing and profiling activities using client databases.
- System administrator tasks for the client.
- Provision of funded services on behalf of the client.
3. Affiliates and Group Companies
Companies related to the Data Controller (parent, subsidiary, or affiliated), both in Italy and abroad (Bios Group), including their employees and collaborators, for purposes such as administrative and accounting activities.
4. Third-Party Entities
Third-party companies or organizations performing outsourced activities on behalf of the Data Controller, in their capacity as data processors. Examples include:
- Credit institutions and financial intermediaries.
- Credit insurance providers.
- Professional firms, consultants, and auditors.
- Travel agencies organizing business trips (e.g., booking flights, trains, accommodations).
- Suppliers of services ancillary to the outlined purposes.
5. Specific Third Parties
The Data Controller may also make data accessible to:
- IT providers for system development and technical support.
- Auditors and consultants ensuring compliance with internal and external requirements.
- Legal entities, law enforcement agencies, and involved parties, in accordance with legal obligations or claims.
- Potential successors or business partners in the event of a sale, transfer, or other extraordinary operations involving the Data Controller or affiliated companies.
- Public authorities, police, and armed forces to fulfill legal, regulatory, or EU obligations.
6. Non-EU Data Transfers
If data is transferred to entities based in non-EU countries, the Data Controller guarantees that such transfers will comply with applicable legal provisions, ensuring the protection of your personal data.
6. Data Transfer
The data is stored on servers and storage devices located within the European Union. However, the Data Controller may transfer data to countries outside the European Union or the European Economic Area if necessary. Transfers will only occur to countries recognized by the European Commission as providing an adequate level of personal data protection. For countries that do not meet this standard, data transfers will only proceed under contractual agreements that ensure a level of protection equivalent to EU standards and uphold the rights of data subjects. In all cases, the Data Controller ensures compliance with applicable legal requirements and implements all necessary safeguards to protect personal data during transfers outside the EU.
7. Rights of the data subject
As a data subject, you have the rights provided under Articles 13(2)(b), (c), (d), 15, 16, 17, 18, 19, and 21 of the GDPR, where applicable to the specific data processing activities. These rights include the following:
- Right to Access: Obtain confirmation of whether your personal data is being processed, even if not yet recorded, and receive such data in an intelligible form.
- Right to Information: Receive details about:
  - The origin of the data (if not directly provided by you).
  - The purposes, methods, and legal basis for processing.
  - The logic applied when processing is conducted electronically.
  - The identity of the Data Controller, data processors, Data Protection Officer, and any designated representative under Article 13(1) GDPR.
  - The entities or categories of entities to whom the data may be disclosed or who may process it within the State's territory.
- Right to Rectification and Erasure:
  - Request the updating, correction, or supplementation of your personal data.
  - Demand the deletion, anonymization, or blocking of data processed unlawfully or retained unnecessarily for the original purposes of processing.
  - Be informed that these actions have been communicated to those to whom the data was disclosed, unless this is impossible or requires disproportionate effort.
- Right to Object: Object, fully or partially, to the processing of your data for legitimate reasons, even if it relates to the purpose of its collection.
- Additional Rights Under Articles 16-21 GDPR:
  - Right to rectification, erasure, restriction of processing, data portability, and objection.
  - Right to lodge a complaint with the Supervisory Authority (contact details available on www.garanteprivacy.it).
- Right to Withdraw Consent: Withdraw consent at any time. Note that withdrawal may limit the availability of certain data, potentially impacting the Company's ability to manage contractual obligations effectively.
8. Methods of exercising rights
You can exercise your rights with Bios Group at any time by submitting a request through one of the following methods:
By Mail: Send a registered letter to Bios Management S.r.l., located at Strada Statale 231, 80/D, Santa Vittoria d'Alba (12069 – CN – Italy), VAT number IT03029760042.
By Email: Write to privacy@biosmanagement.it.
The response will typically be provided within one month. For particularly complex requests, this period may be extended by up to two additional months. If an extension is necessary, you will be notified within one month, along with an explanation for the delay.
The Data Controller may request additional information to verify your identity. In most cases, exercising your rights is free of charge. However, for requests that are manifestly unfounded or excessive, the Data Controller reserves the right to charge a reasonable fee to cover administrative costs.
9. Data Controller, Data Protection Officer and categories of Data Processors
The Data Controller for all companies within the Bios Group is Bios Management S.r.l., located at Strada Statale 231, 80/D, Santa Vittoria d'Alba (12069 – CN – Italy), VAT number IT03029760042.
You can contact the Data Protection Officer by sending an email to privacy@biosmanagement.it.
A detailed list of the categories of Data Processors is maintained at the registered office of the Data Controller and is available upon request.
Bios Group