Privacy center
Cookies policy
Privacy policy
Candidate privacy notice
Privacy notice for suppliers and commercial partners
Data protection certification BS10012

Privacy notice on the processing of personal data of suppliers and commercial partners

Most recent update: 10/06/2025

 

This privacy notice explains how the company Bvlgari manages the personal data of suppliers and commercial partners ("Supplier") and their employees/consultants ("personal data") during the course of the contractual relationship and specifies the information required by EU Regulation 679/2016 on the protection of personal data ("GDPR") and by the applicable data protection legislation.

Personal data means:

  • in the case of a "Supplier” that is a legal entity, the general personal data (including first name, last name, date of birth, place of birth, type and number of identity document, email address and phone number) of natural persons processed by Bvlgari for the establishment and execution of the contract.
  • in the case of a “Supplier” that is a natural person, the general personal data relating to said person (including, but not limited to, first name, last name, date of birth, place of birth, type and number of identity document, email address and phone number).

In this regard, the following should be noted:

 

1. Legal basis, purpose of processing and provision of data

The aforementioned personal data will be processed by Bvlgari:

  1. for purposes related to the establishment and execution of the contractual relationship between the Supplier and Bvlgari, including accounting and treasury management and invoicing (e.g. verification and inputting of invoices), in accordance with the requirements of applicable laws and internal company procedures;
  2. if necessary, to establish, exercise and/or defend the rights of Bvlgari in court;
  3. to manage reports of alleged illegal conduct (“whistleblowing”) for the purpose of carrying out the necessary investigations to verify the validity of the reported incident and the adoption of any resulting measures;
  4. to comply with regulatory obligations to which Bvlgari is subject, including, but not limited to, anti-money laundering regulations, anti-corruption laws, international sanctions screening, sustainability and corporate social responsibility, and health and safety at work legislation;
  5. for physical access control (including video surveillance) to ensure the safety of persons and the protection of company assets.

For the purposes of (a) above, the legal basis for processing is the execution of the contract to which the data subject is a party, pursuant to Art. 6.1(b) of the GDPR.

The legal basis for processing for the purposes referred to in (b) above is the legitimate interest of the Data Controller, pursuant to Art. 6.1(f) of the GDPR.

The legal basis for processing for the purposes referred to in (c) above is:

  • i) the legitimate interest of the Data Controller, pursuant to Art. 6, paragraph 1, sub-section f) of the GDPR, who, having been made aware of the report raised, intends to protect and preserve all company assets;
  • ii) where there is a legal requirement, the processing of personal data is connected to the need to comply with legal obligations to which the Data Controller is subject (see Art. 6, paragraph 2a et seq. of Italian Legislative Decree June 8, 2001, No. 231),
  • iii) the need to ascertain, exercise or defend a right in court, should this need arise.

 

Should the personal data of the parties involved need to be communicated, the legal basis is the consent of the data subject pursuant to Art. 6, paragraph 1, sub-section a) of the GDPR.

The legal basis for processing for the purposes referred to in (d) above is the need to comply with a legal obligation to which Bvlgari is subject, pursuant to Article 6.1(c) of the GDPR.

The legal basis for processing for the purposes referred to in (e) above is the legitimate interest of the Data Controller, pursuant to Article 6.1(f) of the GDPR.

The provision of personal data is necessary for the establishment and/or execution of the contract; failure to provide the data therefore prevents the establishment of the contractual relationship and/or fulfillment of the ensuing obligations.

 

2. Processing method 

The processing of personal data will be based on the principles of fairness, lawfulness and transparency and may also be carried out using automated methods designed to store, manage and transmit the data. Such processing will be carried out using appropriate tools, as far as reasonable and in line with the state of the art, in order to ensure security and confidentiality through the use of appropriate procedures that prevent the risk of loss, unauthorized access, unlawful use and dissemination.

Personal data may be processed using automated, decision-making or monitoring IT systems (including systems using Artificial Intelligence), in order to ensure better management of the relationship or in order to comply with legal requirements.

 

3. Scope of communication, extra-EU transfer and publication of data 

Personal data may be processed by the employees of Bvlgari’s departments responsible for pursuing the aforementioned processes, who have been expressly authorized to process it and who have received appropriate instructions to do so. Personal data may be processed, on behalf of the Data Controller, by external parties designated as data processors pursuant to Art. 28 of the GDPR, who perform specific activities on behalf of the Data Controller such as, by way of example, accounting, tax and insurance obligations, collections and payment management, etc.

A complete list of such third parties can be obtained by writing to privacy@bulgari.com.

Personal data may be processed by any companies in the Bulgari Group, LVMH Hennessy Moet Louis Vuitton SE and their subsidiaries worldwide for specific purposes, such as the use of (i) IT and cybersecurity services and (ii) the centralized internal whistleblowing tool. Such sharing is carried out in accordance with the binding corporate rules (BCR) adopted by LVMH and validated by the French Data Protection Authority (CNIL), which provide an adequate level of protection even in the event of data transfers to LVMH subsidiaries based outside the European Economic Area (EEA).

Bvlgari undertakes to protect the confidentiality of your personal data when it is transferred abroad and to ensure that adequate protection is provided through appropriate contractual agreements or in accordance with the law.

Personal data may be disclosed to third parties acting as data controllers such as, by way of example, supervisory and control authorities and bodies and, more generally, public or private entities entitled to request the data.

 

4. Data retention period 

The personal data collected will be retained for the duration of the contract and for ten (10) years after the contract ends, corresponding to the standard limitation period.

In the event of legal proceedings, personal data will be retained throughout their duration until all appeal time limits have expired.

Data relating to access to company premises will be retained for a maximum of 180 days. Images recorded by the video surveillance system will be retained for the period of time indicated in the specific information notice and internal policy.

Personal data processed for the purpose of whistleblowing management will be retained for five (5) years starting from the notification date of the final outcome of the reporting process.

After the aforementioned retention periods have expired, personal data will be destroyed or rendered anonymous in accordance with technical deletion and backup procedures.

 

5. Data subject rights 

Information may be requested at any time regarding the processing of your personal data and how it is carried out. It is also possible to correct or delete data, limit its processing, object to its processing and/or request that the data be sent to another controller. Bulgari S.p.A. and its subsidiaries must respond to requests within deadlines provided for by applicable regulations; they must also correct incorrect data, ensure that incomplete data is completed, and update data that is no longer correct; and finally, if requested, they must delete personal data and limit and/or stop its processing, or ensure that it is, where technically possible, sent to another controller.

To exercise their statutory rights stated above or to request further information, and/or to report any errors or issues, the data subject may proceed as follows in order to receive a prompt reply: send an email to privacy@bulgari.com ; fill in the online form using the following link; or send a written request to the Data Protection Officer (DPO) at Bulgari S.p.A., Lungotevere Marzio 11, Rome, Italy. If the data subject is not satisfied with the response they receive, they may address the data protection Supervisory Authority.

In relation to processing the personal data outlined in paragraph 2, sub-section c) above, the data subject can exercise all rights provided by current legislation, if the exercising of those rights does not result in any effective and concrete detriment to the confidentiality of the whistleblower's identity.

 

6. Contact details of the Data Protection Officer (DPO)  

The person responsible for data protection is Guido Sandonà at Lungotevere Marzio 11, tel. 0668810211, email privacy@bulgari.com .

 

7. Identity and contact details of the data controller 

The Data Controller of the personal data is the Bvlgari subsidiary of which the Supplier is a contracting party, acting through its duly appointed legal representative, whose details are specified in the applicable contract. In relation to the processing of personal data for the purposes of managing whistleblowing reports, the data controllers will be LVMH and the individual companies of the Bulgari Group, which act as joint controllers on the basis of the joint controller agreement entered into pursuant to Article 26 of the GDPR. A complete list of data processors designated by data controllers may also be requested by sending an email to privacy@bulgari.com.

 

 

Print