Soource has raised €1.5M to revolutionize procurement
Read the articlepursuant to Articles 13 and 14 GDPR – General Data Protection Regulation
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR"), the Data Controller provides this notice regarding the processing of personal data in the context of the management of its B2B professional contacts database, aimed at procurement and scouting activities between companies.
The Data Controller is Soource S.r.l., with registered office at Via A. Volta 13/A, NOI Techpark – 39100 Bolzano (BZ), Italy.
VAT number: 03237710219
Dedicated Privacy contact: privacy@soource.com
This notice applies exclusively to the processing of personal data relating to natural persons acting in business or professional contexts (B2B contacts), included in the Soource database as potential suppliers or contacts of supplier companies, and specifically concerns the following activities:
− Creation and management of the B2B professional contacts database;
− Making contacts available to platform customers for procurement, scouting and requests for quotation (RFQ/RFI) purposes;
− Handling data subjects’ requests (access, deletion, objection).
This notice does not apply to:
− Already established contractual relationships and the related legal, tax and administrative obligations (for which a separate specific notice will be provided);
− Private users (B2C) not acting in a professional or business capacity.
The Data Controller processes exclusively personal data of a professional or business nature, in particular:
− First name and last name
− Corporate or professional email address
− Corporate or professional telephone number
− Job title, professional role and company department/division
− Name, company name and sector of the company to which the individual belongs
− LinkedIn profile or other professional social networks
No data belonging to special categories under Article 9 GDPR (sensitive data) are collected. Should the data subject spontaneously provide such data, the Data Controller shall proceed with their immediate deletion.
| Purpose of processing | Legal bases | Details |
|---|---|---|
| Inclusion in the database and making data available to customers for B2B procurement and scouting | Art. 6(1)(f) GDPR – Legitimate interest of the Data Controller and the platform customers. Please refer to the summary of the LIA in section 8 of this notice. | Professional contact data are made available to Soource’s client companies for the sole purpose of enabling the establishment of B2B commercial relationships in the context of procurement, sourcing and requests for quotation activities. Use for mass marketing or unrelated purposes is not permitted. |
| Handling data subjects’ requests | Art. 6(1)(c) GDPR – Compliance with legal obligations; Art. 6(1)(f) GDPR – Legitimate interest. | Response to requests for access, rectification, deletion, restriction or objection to processing, as well as handling complaints. |
The personal data processed by the Data Controller come from the following sources:
− Publicly accessible sources: company websites, LinkedIn pages and other professional social networks, public registers and institutional databases (e.g. Companies Register, Chamber of Commerce);
− Databases provided by third-party partners: providers specialised in corporate databases and GDPR-compliant B2B professional contacts (the list of suppliers may be requested by contacting the Data Controller);
− Data enrichment and integration tools: technological platforms for the verification, validation and integration of professional contact data.
For data not collected directly from the data subject, the Data Controller provides this notice in accordance with the methods set out in Article 14 GDPR. Where providing the notice individually would involve a disproportionate effort — due to the plurality of sources, the public and dynamic nature of the data, and the absence of a reliable contact channel at the time of collection — the Data Controller relies on the exemption set out in Article 14(5)(b) GDPR, by publishing this notice on its website (www.soource.com) and making it available at the first useful contact.
Personal data are processed using electronic and IT tools, by adopting appropriate technical and organisational measures to ensure:
− The confidentiality, integrity and availability of the data (Art. 32 GDPR);
− The protection of data against unauthorised or unlawful processing, loss, destruction or accidental access;
− Access to data limited exclusively to authorised and adequately trained personnel.
The Data Controller uses database management systems and cloud storage platforms with encryption measures, periodic backups and multi-factor authentication. All data are stored and processed exclusively on infrastructures located within the European Union. No transfer is made to third countries outside the European Economic Area (EEA).
Personal data are retained in the Soource database for the time strictly necessary to achieve the indicated purposes, and in any case as long as:
− the data remain up to date, relevant and accurate in relation to the data subject’s professional role;
− the Data Controller’s legitimate interest in their availability for B2B procurement purposes continues to exist;
− no request for deletion or objection has been received from the data subject.
The Data Controller undertakes to periodically monitor the accuracy and current relevance of the data in the database and to proceed with their deletion or updating when the above conditions no longer apply. Data subsequently acquired and retained by customers in their own systems are subject to the retention policies independently defined by such customers, who act as independent data controllers.
Personal data may be disclosed or made available to the following categories of recipients:
− Internal personnel of the Data Controller, duly authorised and trained in personal data protection matters;
− External collaborators operating on the basis of specific assignments conferred by the Data Controller;
− Customers of the Soource platform (registered companies), who access the data as independent data controllers, exclusively for B2B procurement, scouting and requests for quotation purposes;
− IT and hosting service providers (cloud providers, IT infrastructure managers), appointed as data processors pursuant to Art. 28 GDPR;
− External consultants and professionals (legal, tax, administrative) assisting the Data Controller;
− Public and judicial authorities, in cases provided for by law or upon request in the exercise of their functions.
The data are not transferred or sold to third parties for their own commercial purposes. The complete and updated list of data processors is available upon request by contacting the Data Controller at privacy@soource.com.
The Data Controller has carried out a formal assessment (Legitimate Interest Assessment – LIA) to verify the existence of legitimate interest as the legal basis for the creation and management of the B2B professional contacts database. The assessment considered the following elements:
The creation and management of a structured B2B professional contacts database is an essential condition for the operation of the Soource platform, as it makes it possible to:
− Make available to customers a qualified set of potential suppliers, identified by product category, role and geographical area;
− Support the procurement and scouting processes of client companies, enabling the launch of requests for quotation (RFQ/RFI) to relevant subjects;
− Ensure the continuity and effectiveness of the service over time, also through the periodic updating of the data contained in the database.
The Data Controller has assessed that the interests of data subjects do not override the legitimate interest of the Data Controller and its customers, taking into account the following factors:
− Professional nature of the data: the data processed are exclusively of a professional nature (corporate emails and telephones, job roles), devoid of any private or personal character, and have been published or made accessible by the data subjects themselves in work-related contexts;
− Reasonable expectation: individuals operating in business contexts, particularly in decision-making or procurement roles, may reasonably expect to be contacted for commercial proposals relevant to their company’s activities;
− Purpose limitation: the data are made available exclusively for B2B procurement and scouting purposes, with an explicit contractual prohibition for customers to use them for mass marketing or unrelated purposes;
− Absence of automated profiling: the Data Controller does not carry out automated decision-making processes or profiling activities pursuant to Articles 22 and 4(4) GDPR;
− Transparency and right to object: this notice is published on the website www.soource.com and is made available at the first useful contact; the data subject may object or request deletion at any time with immediate effect.
In order to ensure a proper balancing of interests, the Data Controller has adopted the following measures:
− Preliminary verification of the sectoral and professional relevance of the contacts included in the database;
− Exclusion of data of a private nature and of special categories pursuant to Art. 9 GDPR;
− Contractual restrictions on customers regarding the use of the data, limited solely to the context of B2B procurement and scouting;
− Immediate opt-out mechanism: upon any request for deletion or objection, the Data Controller removes the data from the database without undue delay;
− Periodic review of the database to ensure the updating and relevance of the retained data.
Data subjects have the right to obtain from Soource, where applicable, access to their personal data and the rectification or erasure thereof, or restriction of processing concerning them, in accordance with the applicable personal data protection legislation. The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her based on the Data Controller’s legitimate interest (Art. 6(1)(f) GDPR).
The Data Controller shall refrain from further processing the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
The data subject also has the right to object at any time, without the need to provide reasons, to the use of his or her data by platform customers for commercial contact purposes. In such a case, the personal data shall no longer be processed for such purposes and the Data Controller shall remove them from the database without undue delay.
The data subject may exercise the rights listed above by sending a written request to the Data Controller at privacy@soource.com.
Furthermore, data subjects who believe that the processing of personal data relating to them is carried out in breach of the applicable legislation have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or to bring proceedings before the competent judicial authorities.
This notice may be updated periodically in order to adapt it to regulatory, organisational or technological changes. Updates shall become effective from the publication date indicated at the bottom of the document.
In the event of substantial changes affecting the rights of data subjects, the Data Controller shall provide appropriate notice through the available contact channels or by publication on the company website www.soource.com.
Version: January 2024 - Soource S.r.l.