INFORMATION
pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)
Serantoni e Associati (hereinafter, “Firm”) is attentive to data protection and to the respect of personal information collected in the exercise of its professional activity.
1. DATA CONTROLLER OF THE PROCESSING
The Data Controller of the processing is the Firm Serantoni e Associati, located in Bologna (BO), Piazza Minghetti, 4/D, fiscal code and V.A.T. 03939290379 (hereinafter “Firm” or “Data Controller”).
You can contact the Data Controller:
- at the telephone number +39 051 239789
- at the fax number +39 051 223913
- or by writing to the registered office
- or by sending an e-mail to the address: privacy@studio-serantoni.com.
For corporate clients, the Firm processes personal data both in its capacity as Data Controller and, where applicable, in its capacity as Data Processor.
In particular, the Firm:
- acts as a Data Controller when it independently determines the purposes and means of processing personal data;
- acts as a Data Processor when it carries out purely executive activities or activities governed by the client’s detailed instructions, which strictly define the scope, tools, and duration of the processing.
Where the Firm acts as a Data Processor, the relationship is governed by an appointment pursuant to Article 28 of the GDPR, agreed with the client or, failing that, by the default appointment available at the following page:
https://www.studio-serantoni.it/responsabile-del-trattamento-dei-dati-personali/
In any case, the corporate client remains responsible for:
- properly informing the data subjects (in particular employees, collaborators, consultants, and other natural persons whose data are processed) regarding the use of their data and the role of the Firm as data processor;
- ensuring the lawfulness of the processing of personal data provided to the Firm, including the correct identification of the legal bases and compliance with the information obligations set out in Articles 13 and 14 of the GDPR.
2. PURPOSES OF THE PROCESSING OF PERSONAL DATA (1)
For the purposes of this statement, the Personal Data of the Data Subject (2) are those relating to:
- clients who are natural persons;
- natural persons who are part of the client’s organization (for example, the legal representative of the client who signs contracts in the name and on behalf of the client, the partners/employees/advisors of the client involved in the activities subject to data processing);
- clients, counterparties and suppliers of clients.
The Data Controller processes the Personal Data of the Data Subject for the following purposes:
- a) provision, management and customization of the offered services, object of the professional duty;
- b) administrative, accounting and tax purposes (including billing management, payment processing, etc.);
- c) fulfillment of obligations provided for by current legislation, as well as by institutions or authorities’ legitimate provisions (these include, e.g. the activities required for the fulfillment of the obligations set forth by anti-money laundering legislation, where applicable; activities aimed at fulfillment of tax and accounting obligations, etc.);
- d) exercise of the Firm’s rights (such as, for example, the exercise of the right of defense in court);
- e) processing of Special Categories of Data (3), in which Criminal Data (4) could also be included, for the provision, management and customization of the services offered, object of the professional duty;
- f) information and training, provided to the Data Subject by the Firm, related to professional matters and services, also by sending updating communications (by telephone, fax, text message, postal service, newsletter or the use of mailing lists);
- g) sending of commercial communications (by telephone, fax, SMS, postal service, newsletter or the use of mailing list) concerning the promotion of the services provided by the Firm, including events, conferences or activities organized by the same, considering that the Data Subject may, at the time of the assignment and at any later time, request not to receive commercial communications;
- h) [with regard to the services providing access to Ago Infinity and Ago My Infinity Portal] (5) the provision to the client of shared cloud-based digital spaces for the storage and sharing of professional documentation;
- i) the processing of Special Categories of Data in connection with the services referred to in letter h).
The client is informed that, when he makes use of his employees or collaborators (including any subcontractors) in the execution of the contractual relationship, their personal data may be processed by the Data Controller, for the purposes mentioned above.
Such processing has the same purposes, methods and times of storage of the data described in this information notice; in relation to such processing, in addition, the interested subjects have the same rights identified in point 12.
The client is responsible for correctly informing any additional Data Subjects (its employees, collaborators, etc.) about the above-mentioned processing, including by delivering this information notice.
3. CATEGORIES OF PERSONAL DATA PROCESSED
The Data Controller processes common Personal Data for the purposes indicated in point 2.
The Firm processes Criminal Judicial Data for the fulfillment of legal obligations in anti-money laundering matters.
In some cases it may be necessary for the Data Controller to process Particular Categories of Data.
4. NATURE OF THE PROVISION OF SUCH DATA
The provision of data for the purposes referred to in point 2, letters a) to e), h) and i), is mandatory for the provision of the services contractually agreed.
The provision of data, for the purposes referred to in point 2, letters f) and g), is optional.
5. CONSEQUENCES OF THE POSSIBLE FAILURE TO PROVIDE DATA
Considering the purposes of the processing as illustrated, if the provision of data is mandatory, failure to provide such data, or the provision of incomplete or inaccurate data, may result in an inability to perform the activities described and may prevent the Data Controller from fulfilling the contractual obligations undertaken.
6. LEGAL BASIS FOR DATA PROCESSING
For the purposes referred to in point 2, letter a), the legal basis of the processing is the execution of a contract to which the Data Subject is party or the execution of pre-contractual measures taken at the request of the Data Subject or the pursuit of the legitimate interests of the client who has granted the mandate. In the latter case, the processing will be carried out provided that no overriding interest or fundamental rights and freedoms of the Data Subject prevail.
For the purposes referred to in point 2, letters from b) to d) the legal basis of the processing is the need to fulfill legal obligations, establish, exercise or defend rights in court, or the pursuit of a legitimate interest of the Data Controller. In the latter case, the processing will be carried out if the interest, right or fundamental freedom of the Data Subject does not prevail.
For the purposes referred to in point 2, letters e) and i), with regard to Special Categories of Data the legal basis is represented by one of the conditions set out in Article 9 of the GDPR, and with regard to Criminal Data the legal basis is represented by fulfillment of a duty or by exercise of a faculty expressly recognized by law or regulation.
For the purposes referred to in point 2, letters f) and g), the legal basis of the indicated purpose is represented by the legitimate interest of the Data Controller, without prejudice to the right of the Data Subject to oppose the processing, at any time, free of charge.
For the purposes referred to in point 2, letter h), the legal basis for the processing is the execution of a contract to which the Data Subject is party or the execution of pre-contractual measures taken at the request of the Data Subject or the pursuit of the legitimate interests of the client who has purchased the service. In the latter case, the processing will be carried out provided that no overriding interest or fundamental rights and freedoms of the Data Subject prevail.
7. DATA PROCESSING DURATION
For the purposes referred to in point 2, letters a) to e), the Personal Data are retained for a period equal to the duration of the professional assignment (including possible renewals) and after its conclusion, termination or withdrawal from the same, for the period of the applicable prescription terms ex lege, except in cases where it is necessary to keep the Personal Data for a subsequent period for any disputes, for the protection of the rights of the Data Controller, for requests by the competent authorities or in accordance with the applicable legislation.
For the purposes indicated in point 2, letters f) and g), the Personal Data are kept for the duration of the contractual relationship and up to 24 months after the last contact with the Firm (understood as the last assignment, job interview, participation in events or initiatives organized by the Firm), without prejudice to the right of the Data Subject to withdraw consent, to object to the processing or cancellation of Personal Data.
For the purposes referred to in point 2(h) and (i), Personal Data are retained for a period corresponding to the duration of the service (including any renewals) and, following its expiry, termination or withdrawal, for the period of limitation provided for by law. This is without prejudice to cases where it is deemed necessary to retain the Personal Data for a longer period in connection with potential disputes, for the protection of the Controller’s rights, in response to requests from competent authorities, or in accordance with applicable laws and regulations.
8. CONSENT WITHDRAWAL
Where the legal basis is consent, it will be possible at any time to exercise the right to withdraw consent, in the cases in which the same was provided under the GDPR, using the contact details indicated in this Information. This will make it impossible for the Data Controller to continue to use the Personal Data for the indicated purposes, without prejudice to the lawfulness of the processing based on consent before revocation.
9. PROCESSING METHOD
Personal Data will be processed using paper, computerized and electronic means, or by means of the operations indicated in art. 4, n. 2), GDPR, with suitable procedures to guarantee security and confidentiality, in compliance with the provisions of article 32 GDPR.
10. SUBJECTS TO WHOM PERSONAL DATA MAY BE COMMUNICATED OR SUBJECTS WHO MAY COME TO KNOWLEDGE AS PROCESSOR OR AUTHORIZED PERSONS, AND THE SCOPE OF DIFFUSION OF DATA
For the pursuit of the purposes described in point 2 above, the Data Controller may need to communicate the Personal Data to third parties belonging to the following categories:
- authorities and supervisory bodies and, in general, public or private entities with public functions, recipients of mandatory communications;
- entities who, for the Data Controller, handle administrative, legal and fiscal obligations, or personnel selection;
- entities who provide services for the management of the information system of the Data Controller;
- banks for collections and payments.
The entities belonging to the categories referred above operate, in some cases, in complete autonomy as separate data controllers, in other cases, as Data Processors specifically appointed by the Data Controller.
Furthermore, for the pursuit of the abovementioned purposes referred to in point 2, Personal Data are processed and known by the Data Controller’s employees and collaborators, specifically designated as authorized persons, according to the different tasks and instructions assigned to each of them.
The list of appointed Data Processors and of the authorized persons is made available by the Data Controller for consultation, upon request to its contact details.
Personal Data, processed by the Data Controller, may be transferred to persons legitimated by virtue of current contractual relationships, according to the relevant regulations.
11. TRANSFER OF DATA ABROAD
The management and storage of personal data will take place on servers, located within the European Union, of the Data Controller and/or Third Party companies in charge and duly appointed as Data Processors. The servers are currently located in Italy.
The individual data may eventually be the subject of future transfer outside the European Union, in accordance with the provisions of Chapter V of the GDPR, after the Data Subject has been expressly informed and after the consent has been expressly given, if it is mandatory.
12. DATA SUBJECT RIGHTS
Using the contact details of the Controller indicated in this information, the Data Subject may exercise rights with respect to the Controller expressly recognized in Article 15 of the GDPR and in particular obtain access to the following data and information: a) purpose of the processing; b) categories of personal data; c) recipients or categories of recipients to whom the personal data have been or will be communicated; d) retention period of personal data or the criteria used to determine it; e) if the data is not collected from the Data Subject, information available on the origin; f) existence of an automated decision-making process, including profiling, and information on the logic used as well as the importance and expected consequences of such processing for the Data Subject.
Where applicable, the Data Subject also has the rights provided for in Articles 16 to 22 of the GDPR (to be exercised in the manner provided for in the previous paragraph) such as:
- to request and obtain – in the event that the legal basis is a contract or consent – that the data are transmitted in a structured and machine-readable format, also in order to communicate such data to a new data controller (so-called right to portability);
- to obtain: a) the updating, adjustment or, when there is interest, the integration of data; b) where there are the conditions set out in Article 17 of the GDPR, cancellation (so-called right to be forgotten), transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disclosed, except in the case where such fulfilment is impossible or involves a use of means that is obviously disproportionate to the protected right;
- to object, in whole or in part, to the processing aimed at the performance of a task of public interest or connected to the exercise of public authority (Article 6, paragraph 1, letter e); to object, in whole or in part, to the processing aimed at pursuing the legitimate interest of the Data Controller or third parties (Article 6, paragraph 1, letter f), provided that the interests or fundamental rights and freedoms of the Data Subject which require the protection of personal data do not prevail, in particular if the Data Subject is a minor; to oppose the processing of personal data for direct marketing purposes. Upon receipt of the objection to the processing at the address indicated in the epigraph, the personal data will no longer be processed, except to the extent permitted by applicable laws and regulations;
- to limit the processing of data, i.e. to allow processing within the limits of retention, for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of relevant public interest of the Union or of a Member State, in the cases provided for by the GDPR (a. the Data Subject disputes the accuracy of personal data for the period necessary for the Controller to verify the accuracy of such personal data; b. the processing is unlawful and the Data Subject opposes the cancellation of personal data and asks instead for its use limitation; c. personal data are necessary for the Data Subject to ascertain, exercise or defend a right in court; d. the Data Subject has opposed the processing, pending verification of the possible prevalence of the legitimate reasons of the Controller with respect to those of the Data Subject);
- only in cases where the legal basis is represented by consent, to exercise, at any time the right to revoke the consent, in the cases in which it was given pursuant to the GDPR. This will make it impossible for the Data Controller to continue to use personal data for the purposes indicated, without however prejudicing the lawfulness of the processing based on consent before revocation.
Finally, the Data Subject has the right to lodge a complaint with the Guarantor Authority, which may be exercised:
- a. by registered letter, with return receipt, addressed to “Garante per la Protezione dei Dati personali”, Piazza Venezia, 11 – 00187 Rome;
- b. by e-mail to: garante@gpdp.it, or protocollo@pec.gpdp.it; fax to the number: 06 / 69677.3785.
1 Data Subject means a natural person whose personal data are processed by the Data Controller.
2 Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3 Special Categories of Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
4 Criminal Data means personal data relating to criminal convictions and offences or related security measures.
5 As part of the services offered, the Firm provides clients, upon request, with access to dedicated digital platforms to facilitate the secure and traceable consultation, transmission, and sharing of accounting and tax documents. For corporate clients (legal persons), the Firm processes personal data both as a Data Controller and, where applicable, as a Data Processor. The platform is managed by the data processor, Zucchetti S.p.A., with registered office in Lodi (LO), Via Solferino 1, in its capacity as service provider.