INFORMATION ON THE PROCESSING OF PERSONAL DATA
pursuant to article 13 of EU Regulation 2016/679
A. Why are we providing you with this document?
Studio Batini Colombo Saottini Chartered Accountants Associates, also due to the peculiar activity performed towards all its customers, has always considered it of fundamental importance to ensure that the processing of personal data, especially if "sensitive", carried out in any manner, both automated and manual, takes place in full compliance with the protections and rights recognized by Regulation (EU) 2016/679 of 27 April 2016, relating to the protection of individuals with regard to the processing and circulation of personal data (the "Regulation") and by the additional applicable rules on the protection of personal data.
The term "Personal data" refers to the definition referred to in Article 4 point 1) of the Regulation, ie "any information concerning an identified or identifiable natural person; the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity is considered identifiable, physiological, genetic, psychological, economic, cultural or social "(the" Personal Data ").
The Regulation provides that, before proceeding with the "Processing" of Personal Data - that is "any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or l 'interconnection, limitation, cancellation or destruction "(the" Treatment ") - it is necessary that the person concerned is informed about the reasons for which such data are requested and how they will be used.
This document is intended to provide you, in a simple and intuitive way as far as possible, with all the useful and necessary information so that you can provide your Personal Data, including sensitive data (particular categories of data), in a conscious and informed way and, in at any time, request and obtain clarifications and / or corrections.
This information is prepared on the basis of the principle of transparency and all the elements required by art. 13 of the Regulations, is divided into sections, each of which deals with a specific topic in order to make reading, as expressly provided, quicker, easier and easier to understand (the "Information").
The same is accompanied by a specific form for the release of consent as required by art. 7 of the Regulation, formulated on the basis of the specific type of use that we will have to make of your Personal Data, all in accordance with the provisions of the mandate you have given us.
B. What data?
The processing will concern, as per the Regulations, any information concerning you as a natural person, useful or necessary for the performance of the assignment entrusted to us or for the use of the tools made available to you such as your name, an identification number, data relating to the location, an online identifier or one or more characteristic elements of its physical, physiological, genetic, psychic, economic, cultural or social identity. For some types of activities, such as, without claiming to be exhaustive, the processing of wages and contributions, tax returns or other obligations commissioned by you, may also concern data considered "sensitive", that is to say suitable for disclosing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data suitable for disclosing the health or sexual status. The processing carried out on sensitive data has the sole purpose of correctly and promptly fulfilling the obligations established by current legislation on information and declarations to be made to the State Administrations or to any other Public or Private Entity involved, regarding taxes, fees , contributions etc.
C. Who will process your data?
The subject who will process your Personal Data for the main purpose referred to in Section D of this Notice and who will play the role of Data Controller according to the definition contained in art. 4 point 7 of the Regulation, "the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data" is:
Studio Batini Colombo Saottini Chartered Accountants Associated with registered office in Via Tornaghi n. 59 Cassano d'Adda - Milan, Tax Code and VAT no. 02956020966 (the "Data Controller")
The Data Controller, for some treatments as identified in the following Section E, will be joined by the following companies that will act as joint data controllers, meaning "two or more companies that jointly determine the purposes and means of the treatment" as well as provided for by article 26 of the Regulation:
Professional Partners Consulting Srl Via Tornaghi 59, Cassano d'Adda (MI), Register of Companies of Milan, CF and VAT no. 03985180961 (the "Joint Data Controllers")
The Joint Data Controllers have entered into a joint ownership agreement, pursuant to Article 26 of the Regulation, with which they have undertaken to:
jointly determine some purposes and methods of processing your personal data;
jointly determine, in a clear and transparent manner, the procedures to provide you with a timely response if you wish to exercise your rights, as provided for by articles 15, 16, 17, 18 and 21 of the Regulation as well as in cases of portability of Personal Data provided for by Article 20 of the Regulations as better described in Section L of this Notice,
jointly define this Information in the parts of common interest indicating all the information required by the Regulation.
D. Who can you contact?
In order to facilitate relations between you, as the interested party, that is the "identified or identifiable natural person" to whom the Personal Data refer pursuant to Article 4 in point 1) of the Regulation (the "Interested") and the Data Controller of the Processing and / or the Joint Controllers of the Processing, the Regulation has provided, in some specific cases, for the appointment of a control and support figure who, among the various tasks entrusted, also acts as a contact point with the interested party.
Studio Batini Colombo Saottini, although not obliged by law to appoint a "Data Protection Officer" or DPO, has, for the purposes of maximum transparency and usability, decided to adopt the figure of a " GDPR contact person ", calling him to carry out, inter alia, the following activities:
inform and advise the Data Controller, the Joint Data Controllers, the Data Controller as well as the employees who carry out the Processing regarding the obligations deriving from the Regulation as well as from other provisions of the Union or of the Member States relating to the protection of Personal Data;
monitor and supervise compliance with the Regulations, the applicable regulations regarding the protection of Personal Data as well as the policies and procedures adopted by the Data Controller and the Joint Data Controllers;
provide support in the feedback to the interested party;
cooperate with the competent Authority for the Protection of Personal Data.
You can freely contact the GDPR Contact for all matters relating to the processing of your personal data and / or if you wish to exercise your rights as provided for in Section L of this information, by sending a written communication to the e-mail address: roberta. firstname.lastname@example.org, by writing to the GDPR Referent of Studio Batini Colombo Saottini Chartered Accountants, Lawyer Roberta Agostino, at the studio of the same name in via Tornaghi 59, 20062 - Cassano d'Adda (MI) or by calling +39 0363.360254 .
E. For what main purpose will your Personal Data be processed?
The Data Controller, in order to carry out its business in all possible areas:
registration on the mailing lists or on the portal of the Firm;
receiving general information;
subscription to the Firm's newsletter service;
professional administration positions;
accounting, tax and declarative management of one's own and customers;
management of own employees and customers;
other specific mandates;
all operational, administrative and / or legal obligations resulting from the above operations summarized in the professional mandate you conferred upon signing the contract.
To allow the Data Controller to carry out the processing activities for the aforementioned purposes, it will be necessary to provide the Personal Data marked as mandatory. In the absence of even one of the marked data, it will not be possible to proceed accordingly and you will not be allowed to complete your registration on the Website and / or benefit from the services provided.
The Personal Data that will be requested for the pursuit of the aforementioned purposes will be those reported in the registration and / or contact form, i.e., by way of example and not limited to: name, surname, company, username, date of birth, address of domicile / residence, e-mail address, telephone numbers of fixed and / or mobile users, tax code.
F. Further purposes
The Data Controller, together with the Joint Data Controllers, subject to your express, free and unequivocal consent pursuant to Article 6, paragraph 1, point a) of the Regulation, may request, in addition to the above data, additional Personal Data such as , by way of example and not limited to, data relating to tastes, preferences, habits, needs and consumption choices, for the following purposes:
Direct marketing purposes: this term means the will of the Joint Controllers to carry out promotional and / or marketing activities for you. This category includes all activities carried out to promote products, services, sold and / or provided by the Joint Controllers on the basis of their legitimate interest in pursuing their corporate purpose.
Purpose of indirect marketing: this term means the will of the Joint Controllers to carry out promotional and / or marketing activities for you on behalf of third parties. This category includes all the activities carried out to promote products, services, sold and / or supplied by third parties with whom the Joint Controllers have legal relationships without any communication of data in this case.
Purpose of profiling: this term means the will of the Joint Controllers to profile you or to evaluate your tastes, preferences and consumption habits also related to market surveys and statistical analyzes. This category includes any form of automated processing of personal data to evaluate certain personal aspects such as those concerning, by way of example and not limited to, professional performance, economic situation, personal preferences, interests, reliability, behavior, location or travel.
The processing of your personal data for the purposes referred to in points (ii) and (iii) cannot disregard the obtaining of your consent which must necessarily comply with the conditions set out in article 7 of the Regulation, thus determining the lawfulness of the processing of your personal data.
With regard to the direct marketing purpose referred to in point (i), it should be noted that, by virtue of Article 6, paragraph 1, point f) of the Regulations, the Joint Controllers may carry out this activity based on their legitimate interest, to regardless of your consent and in any case up to your opposition to this treatment as better explained in Recital 47 of the Regulation in which it is "considered legitimate interest to process personal data for direct marketing purposes". This will also be possible following the evaluations carried out by the Joint Data Controllers regarding the possible and possible prevalence of your interests, fundamental rights and freedoms that require the protection of Personal Data over their legitimate interest in sending direct marketing communications.
The contact methods aimed at direct, indirect and profiling marketing activities as in the previous points (i), (ii) and (iii), may be of an automated type (email, sms, mms, fax, telephone calls without operator) both traditional (telephone calls with operator, postal items). In any case, and as better specified in Section I below, you can revoke your consent, even partially, for example by consenting only to traditional contact methods.
With regard to the contact methods that involve the use of your telephone contacts, we remind you that the direct marketing activities by the Joint Controllers will be carried out after checking your possible registration in the Register of Oppositions as established pursuant to and for the effects of the DPR 7 September 2010, n. 178 and subsequent amendments.
G. To which subjects may your Personal Data be disclosed?
Your personal and sensitive data where necessary, may be disclosed to specific subjects considered "Recipients". Article 4 at point 9) of the Regulation defines as the recipient of a Personal Data "the natural or legal person, public authority, service or other body that receives communication of personal data, whether or not it is a third party "(Hereinafter the" Recipients ").
In order to correctly carry out all the processing activities necessary to pursue the purposes referred to in this Notice, the following Recipients may be in a position to process your Personal Data:
third parties who carry out part of the processing activities and / or activities connected and instrumental to them on behalf of the Data Controller or the Joint Data Controllers. These subjects have been appointed as data processors, having to be understood individually with this term, pursuant to Article 4 at point 8) of the Regulation, "the natural or legal person, public authority, service or other body that processes Personal Data on behalf of the Data Controller "(hereinafter the" Data Processor ");
individuals, employees and / or collaborators of the Data Controller or the Joint Data Controllers, who have been entrusted with specific and / or more processing activities on your Personal Data. These individuals have been given specific instructions regarding the security and correct use of Personal Data and are defined, pursuant to Article 4 at point 10) of the Regulation, "persons authorized to process Personal Data under the direct authority of the Data Controller. or the Data Processor "(hereinafter the" Authorized Persons ").
Where required by law or to prevent or suppress the commission of a crime, your Personal Data may be disclosed to public bodies or judicial authorities without these being defined as Recipients. In fact, pursuant to article 4 at point 9), of the Regulation, "the public authorities that may receive communication of Personal Data in the context of a specific investigation in accordance with Union or Member State law are not considered Recipients".
State administrations or any other public or private body involved in matters of taxes, fees, contributions, etc.
H. How long will your Personal Data be processed?
One of the principles applicable to the Processing of Personal Data concerns the limitation of the retention period, governed by Article 5, paragraph 1, point e) of the Regulation which states "Personal Data are stored in a form that allows the identification of the Data Subjects for a period of time not exceeding the achievement of the purposes for which they are processed; Personal Data may be stored for longer periods provided that they are processed exclusively for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, in accordance with Article 89, paragraph 1, without prejudice to the implementation of technical measures and organizational requirements required by this regulation to protect the rights and freedoms of the interested party ".
In light of this principle, your Personal Data will be processed limited to what is necessary for the pursuit of the purpose referred to in Section E of this Information. In particular, your Personal Data will be processed for a period of time equal to the minimum necessary, as indicated in Recital 39 of the Regulation, that is, until the termination of the contractual relationship between you and the Data Controller, without prejudice to a further retention period. which may be imposed by law as also provided for by Recital 65 of the Regulation. By way of example, in the event that the mandate, as in the majority of cases, concerns the performance of accounting and / or tax management activities or declarative obligations in general, the retention period will comply with the period provided by law for the prescription of the relative controls, usually to be understood as equal to ten years. Within this period there remains the possibility, which has always been provided for in the contract signed with us, to access the complete return of all your documentation, the conservation of which would then become the sole and exclusive responsible.
With regard to the processing carried out for the achievement of the purposes referred to in Section E of this Notice, the Joint Controllers may lawfully process your Personal Data until you communicate, in one of the methods provided for in this Notice, your will to revoke the consent to one or all of the purposes for which it was requested. Any withdrawal of consent will in fact require the Joint Controllers to cease the processing of your Personal Data for these purposes.
I. Is it possible to revoke the consent given and how?
As required by the Regulations, you must give consent to the processing separately for each activity that you will instruct us to carry out and for each resource and / or service managed by the Firm which you will ask us to access. If you have given your consent to the processing of your personal data for one or more purposes for which it was requested, you may, at any time, revoke it totally and / or partially without prejudice to the lawfulness of the processing based on the consent given prior to the revocation.
The methods of withdrawal of consent are simple and intuitive: you just need to contact the Data Controller and / or the Joint Data Controllers and / or the GDPR Manager using the contact channels reported in this Information and respectively in sections C and D.
In addition to the above, if you receive information e-mail messages from the Joint Controllers that are no longer of your interest, simply click on the "unsubscribe" button at the bottom of the same to no longer receive any communication even through other channels. contact details for which your consent was obtained (SMS, MMS, paper mail, fax, telephone calls).
L. What are your rights?
As required by article 15 of the Regulation, you will be able to access your Personal Data, request its correction and updating, if incomplete or incorrect, request its cancellation as well as oppose the processing for legitimate and specific reasons.
In particular, we report below all the rights that you may exercise, at any time, towards the Data Controller and / or the Joint Data Controllers:
Right of access: you will have the right, pursuant to Article 15, paragraph 1 of the Regulations, to obtain from the Data Controller confirmation that your Personal Data is being Processed or not and, in this case, to obtain access to such Personal Data and to the following information: a) the purposes of the Processing; b) the categories of Personal Data in question; c) the Recipients or categories of Recipients to whom your Personal Data have been or will be communicated, in particular if Recipients from third countries or international organizations; d) when possible, the retention period of the Personal Data envisaged or, if not possible, the criteria used to determine this period; e) the existence of the right of the interested party to ask the Data Controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment; f) the right to lodge a complaint with a supervisory authority; g) if the Personal Data are not collected from the Data Subject, all available information on their origin; h) the existence of an automated decision-making process, including the profiling referred to in Article 22, paragraphs 1 and 4, of the Regulation and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of this treatment for the interested party. All this information can be found in this Information which will always be available to you in the Privacy section of the Website.
Right of rectification: you will be able to obtain, pursuant to Article 16 of the Regulation, the rectification of your Personal Data that are inaccurate. Furthermore, taking into account the purposes of the processing, you will be able to obtain the integration of your personal data that are incomplete, also by providing an additional declaration.
Right to cancellation: pursuant to Article 17, paragraph 1 of the Regulation, you may obtain the cancellation of your Personal Data without undue delay and the Data Controller will have the obligation to cancel your Personal Data, if there is even only one of the following reasons: a) the Personal Data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) You have revoked the consent on which the processing of your personal data is based and there is no other legal basis for their processing; c) You have opposed the processing pursuant to article 21, paragraph 1 or 2 of the Regulation and there is no longer any legitimate overriding reason to proceed with the processing of your Personal Data; d) your Personal Data have been unlawfully processed; e) it is necessary to delete your Personal Data to comply with a legal obligation provided for by a community standard or internal law. In some cases, as provided for by article 17, paragraph 3 of the Regulation, the Data Controller is entitled not to delete your Personal Data if their processing is necessary, for example, to exercise the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest, for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, for the assessment, exercise or defense of a right in court.
Right to limit the processing: You may obtain the limitation of the processing, pursuant to Article 18 of the Regulation, in the event that one of the following hypotheses occurs: a) you have contested the accuracy of your Personal Data (the limitation will continue for the period necessary for the Data Controller to verify the accuracy of such Personal Data); b) the processing is unlawful but you have opposed the cancellation of your personal data, requesting, instead, that its use be limited; c) although the Data Controller no longer needs it for the purposes of the Processing, your Personal Data are used to ascertain, exercise or defend a right in court; d) You objected to the processing pursuant to Article 21, paragraph 1, of the Regulation and is awaiting verification of the possible prevalence of the Data Controller's legitimate reasons with respect to yours. In case of limitation of processing, your Personal Data will be processed, except for storage, only with your consent or for the ascertainment, exercise or defense of a right in court or to protect the rights of a 'other natural or legal person or for reasons of significant public interest. We will inform you, in any case, before this limitation is lifted.
Right to data portability: You may, at any time, request and receive, pursuant to Article 20, paragraph 1 of the Regulations, all your Personal Data processed by the Data Controller and / or by the Joint Data Controllers in a structured format , commonly used and legible or request its transmission to another data controller without hindrance. In this case, it will be your responsibility to provide us with all the exact details of the new data controller to whom you intend to transfer your Personal Data by providing us with written authorization.
Right to object: pursuant to article 21, paragraph 2 of the Regulation and as also reiterated by Recital 70, you may object, at any time, to the processing of your personal data if these are processed for direct marketing purposes, including profiling insofar as it is related to such direct marketing.
Right to lodge a complaint with the supervisory authority: without prejudice to your right to appeal to any other administrative or judicial office, if you believe that the processing of your personal data conducted by the Data Controller and / or by the Joint Data Controllers is in violation of the Regulations and / or applicable legislation, you may lodge a complaint with the competent Personal Data Protection Authority.
To exercise all your rights, simply contact the Data Controller alternatively:
Writing to the GDPR Manager at Studio Batini Colombo Saottini, Via Tornaghi 59, 20062 - Cassano d'Adda (Milan);
by sending an e-mail to the e-mail address email@example.com
by calling the telephone number +39 0363 360254 and asking for the lawyer Roberta Agostino
M. Where will your Personal Data be processed?
Your Personal Data will be processed by the Data Controller and / or by the Joint Data Controllers within the territory of the European Union.
If for any reason it is necessary to make use of subjects located outside the European Union, we inform you as of now that these subjects will be appointed as Data Processors pursuant to and for the purposes of Article 28 of the Regulation and the transfer of your Personal Data to these subjects, limited to the performance of specific processing activities, will be regulated in accordance with the provisions of Chapter V of the Regulation. All necessary precautions will therefore be taken in order to guarantee the most complete protection of your Personal Data by basing this transfer: (a) on adequacy decisions of the recipient third countries expressed by the European Commission; (b) on adequate guarantees expressed by the third party recipient pursuant to Article 46 of the Regulation; (c) on the adoption of corporate binding rules.
In any case, you may request more details from the Data Controller and / or the Joint Data Controllers if your Personal Data have been processed outside the European Union, requesting evidence of the specific guarantees adopted.
Cassano d'Adda 24 May 2018.