Pursuant to article 13 of the General Data Protection Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 (hereinafter referred to as “GDPR”).

Dear Supplier,
While we would like to remind you that the GDPR applies only to personal data of natural persons, we would also like to follow up on our previous oral communication to inform you, this time in writing, that your personal data will be processed in compliance with the aforementioned law and with the confidentiality obligations by which the business activities of our company are guided.

Purposes and methods of data processing for which data are intended (art. 13, paragraph 1, letter c) and art. 13, paragraph 2, letter a) of the GDPR).
Your personal data will be used for administrative purposes, connected with or instrumental to the activities of SIRTON PHARMACEUTICALS S.P.A. (hereinafter referred to as “Sirton” or as “the Company”), concerning the selection of the supplier as well as the conclusion and execution of the contract entered into, namely:
- Fulfilment of any obligations provided by law as well as any EU laws and regulations;
- Fulfilment of tax and/or accounting obligations;
- Acquisition of preliminary information upon conclusion of the contract with the supplier;
- Fulfilment, before the conclusion of the contract, of specific supplier requests;
- Fulfilment of obligations deriving from the contract that has been concluded;
- Supplier administration (personal data, negotiation of contract terms and conditions, contract work management);
- Management of orders, incoming shipments, services, contracts and invoices;
- Dispute management.
The processing of your personal data will be based on principles of correctness, lawfulness and transparency, protecting your privacy and your rights and will take place through appropriate tools to ensure security and confidentiality. The methods of data processing relating to you will include the use of manual, computerized and electronic tools, governed by rules strictly related to the purposes indicated above. Your personal data will be kept for the limitation period required by law.

Categories of processed data.
For the pursuit of the aforementioned purposes, Sirton shall process your personally identifiable information (name, surname, address, VAT number, tax code, fax, email) for which it is not necessary to acquire your permission to process your data (art. 6, paragraph 1, letter b) of the GDPR).

Compulsory or optional nature of the provision of data and consequences if you refuse to respond (art. 13, paragraph 2, letter c) of the GDPR).
The provision of your personal data is necessary for entering into, executing and properly managing the contractual relationship and it is also mandatory for the fulfilment of the law. Therefore, failure to provide data makes it impossible to enter into and execute the contract.

Categories of subjects to whom personal data may be communicated (and possible consequences of non-disclosure of data) or subjects who may become aware of them as managers or persons in charge of processing and scope of dissemination of the same (art. 13, paragraph 1, letter e) and art. 13, paragraph 2, letter e) of the GDPR).
Insofar as the obligations, tasks or purposes indicated above must be fulfilled and in order to comply with the law, your personally identifiable information may be communicated only to service companies, consultants, self-employed professionals as well as to competent authorities and public and/or private bodies.
Your personal data will be processed exclusively by Sirton employees and/or collaborators appointed as Data Processors or Appointed Persons, in compliance with legal provisions, including with regard to security measures aimed at protecting and safeguarding your data.
The communication of your personally identifiable information, as specified above, is necessary for the execution and correct management of the contract and is also mandatory for the fulfilment of the law. Therefore, failure to communicate data makes it impossible to execute the contract.
Your personal data (name and surname and invoice data) will be transmitted to Excel Partners-3 SBIO in China in order to obtain the bank authorization necessary to pay any amounts due to you.
This communication is thus necessary to enable Sirton to fulfil the agreement entered into and to remit the payment to you, in compliance with art. 49, letter b) of the GDPR.
Our parent company Excel Partners-3SBIO has adopted the necessary measures to provide your personal data with adequate protection.
Your data will not be divulged in any way.
Your personal data are stored electronically on servers located in Lugano, Switzerland, at Synthesis Services GmbH, the company that has been appointed as External Data Processor for data storage and maintenance and server maintenance.

Rights pursuant to art. 13, paragraph 2, letter b) of the GDPR.
We would like to remind you that you may ask the Data Controller for access and correction of data concerning you at any time.
Furthermore, if the conditions are met, you may request the deletion of data concerning you (art. 17 of the GDPR), a restriction of the extent to which your data may be processed (art. 18 of the GDPR) and their portability (art. 20 of the GDPR), and you may also object to the processing of your data (art. 21 of the GDPR).

Identification details of the Data Controller and information on how to access the updated list of Data Processors (art. 13, paragraph 1, letter a) and letter b) of the GDPR).
The Data Controller is SIRTON PHARMACEUTICALS S.P.A., headquartered in Villa Guardia at Località Civello, Piazza XX Settembre 2, Italy.
Should you deem it necessary, you may contact the Data Controller for any further information or to request an updated list of appointed Data Processors.

Villa Guardia, Italy, January 9, 2019

Data Controller
(Matteo Bartalena – CEO)

SIRTON PHARMACEUTICALS SPA - Registro Imprese CO – CCIAA 07223270963 - REA CO 306979 - c.f e p.iva 07223270963 - Cap.Soc. €300.000 iv - Società con Socio unico