Privacy Notice for Suppliers of Bureau Veritas Switzerland AG

PRIVACY NOTICE FOR SUPPLIERS OF BUREAU VERITAS SWITZERLAND AG pursuant to Article 19 of Federal Act on Data Protection (“FADP”)

This privacy notice is provided pursuant to art. 19 of Federal Act on Data Protection (“FADP”) in relation to the processing of personal data of Bureau Veritas Switzerland AG suppliers (the "Suppliers" and/or the "Data Subjects").

1. Data Controller

The Data Controller is Bureau Veritas Switzerland AG, with registered office in Grossächerstrasse 25, CH-8104, Weiningen, Switzerland; VAT no. CHE107701676 (hereinafter “Bureau Veritas” or the “Data Controller”).

2. Data collected

The Data Controller processes the personal data of the Suppliers  –  collected through the contractual documentation relating to the contract stipulated with them – such as identification data (first name, last name, date and place of birth, Tax Code and VAT number), contact data (such as address, e-mail and telephone number) and any other information found in the signed contracts and the bank and tax data necessary for the payment of the services and services provided by the Data Subject (the "Data" and/or "Personal Data").

The Data Subject's data is collected electronically or on paper through the contract, any order forms and, more generally, the contractual documentation signed between the Supplier and the Data Controller. The Data collected is, therefore, limited to data that is necessary for the management and execution of the contractual relationship with the Supplier.

3. Purpose and legal basis of the processing

The Data Controller processes the Data according to the following purposes and legal bases:

3.1 Execution of the contractual relationship
Data will be processed in order to correctly execute the supply contract with the Data Controller and, in particular:

A. to allow effective management of the contractual relationship with the Data Controller:
(i) for the provision of the services offered and payment thereof.

B. to carry out the obligations deriving from the supply contract, such as for example:
(i) for accounting purposes;
(ii) for the purpose of transmitting orders.

Data provision for the above-mentioned purposes is mandatory and necessary for the proper execution of the aforementioned activities. In the event of a total or partial refusal to provide the Data for these purposes, the Data Controller will not be able to establish and execute the contractual relationship.

3.2 Compliance with legal obligations
The Data may also be processed to allow the Data Controller to fulfil the obligations established by law, by a regulation or by an order by Authorities.
The provision of Data for this purpose is necessary to follow up on the legal obligations to which the Data Controller is subject.

3.3 Overriding interest (legal protection)
The Data will be processed to exercise the rights of the Data Controller, such as the right of defence in court. This overriding interest is to be considered prevailing because it corresponds to a constitutionally guaranteed right and, as such, is socially recognized as prevailing over the interests of the individual concerned. Data provision for this purpose is necessary to allow the Data Controller to defend itself in legal and out-of-court proceedings. 

4. Data Recipients

The Data will be processed by the Data Controller’s employees, specifically appointed as authorized processors (such as, but not limited to, those in charge of the purchasing department), where necessary to carry out the activities referred to in article 3 above.

Personal Data may also be notified to third parties if necessary for the establishment, management, execution and/or termination of the contractual relationship with the Data Controller. In this case, the third-party recipients of Personal Data – autonomous data controllers or duly appointed as data processors – belong to the following categories:

A. external subjects operating as autonomous controllers such as, for example, Authorities and supervisory and control bodies and in general to subjects, including private individuals, entitled to request the data (such as accounting consultants, legal consultants), Public Authorities that make an express request for administrative or institutional purposes, in accordance with the provisions of current national legislation;

B. subjects outside the company who provide services to the company and who are useful for its activities (for example: IT service providers for the management of databases, including contacts and e-mails, digital service providers and IT consultants who provide technical assistance to the company, offices that provide payroll services, training institutions, banking and financial intermediaries); these subjects have received a specific assignment as data processors and their names are available upon request to the Data Controller, using the contact details indicated in article 7 below.


5. Data retention period

The Data processed for:

(i) the execution of the contractual relationship to which the Data Subject is a party is retained for the entire duration of the contractual relationship and for the ordinary limitation period of 10 years provided for by the applicable regulations;

(ii) the fulfilment of legal obligations to which the Data Controller is subject is kept for the duration provided for by law (10 years for administrative-accounting obligations);

(iii) the overriding interest of the Data Controller, and specifically in the case of judicial litigation, will be kept for the entire duration of the same, until the exhaustion of the terms of practicability of appeals.

6. Transfer of data to third countries

The Data Controller may disclose the Data to the European Union, accordingly to the European Commission Decision No 2000/518/EC of 26 July 2000 (as confirmed by the Report from the Commission to the European Parliament and the Council of 15 January 2024). The processing of the Data will be carried out at the Data Controller's offices and the Data will be stored in servers and/or archives in Switzerland, the European Union and in third countries. Data may be disclosed abroad only if the Swiss Federal Council has decided that the legislation of the State concerned or the international body guarantees an adequate level of protection, accordingly to art. 16 FADP. In the absence of a decision by the Federal Council, Data may be disclosed abroad only if an adequate level of data protection is guaranteed in accordance with the provisions of art. 16.1 FADP or by the exception of art. 17 FADP.

7. The rights of the Data Subject

The Suppliers, as data subjects (i.e., subjects to whom the Data refers), are holders of rights conferred by the FADP. In particular, pursuant to articles 25, 28, 32 and 49 of FADP, Data Subjects have the right to request and obtain, at any time, access to their personal data, information on the processing carried out, the correction and/or updating of personal data. Additionally, they also have the right to object to the processing and to request data portability (i.e. to receive personal data in a structured, commonly used, machine-readable format). Finally, Data Subjects always have the right to revoke their consent at any time (this, in any case, will not affect the lawfulness of the processing carried out on the basis of the consent given before the revocation) and to lodge a complaint with a supervisory authority (in Switzerland: the Federal Data Protection and Information Commissioner).

The above-mentioned rights may be exercised at any time by simply sending a request to the Data Controller: