INFORMATION
pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)

The Processing Data Controller is the Firm Serantoni e Associati, site in Bologna (BO), Piazza Minghetti, 4/D, fiscal code and V.A.T. 03939290379 (herinafter “Firm” or “Data Controller“).

You can contact the Data Controller:

• at the telephone number +39 051 239789
• at the fax number +39 051 223913
• or by writing to the registered office
• or by sending an e-mail to the address: privacy@studio-serantoni.com.

For the purposes of this statement, the Personal Data of the Data Subject² are those relating to:

• natural persons clients;
• as well as those relating to natural persons who are part of the client’s organization (for example, the legal representative of the client who signs contracts in the name and on behalf of the client, the partners/employees/advisors of the client involved in the activities subject to data processing);
• clients, counterparties and suppliers of clients.

The Data Controller processes the Personal Data of the Data Subject for the following purposes:

1. provision, management and customization of the offered services, object of the professional duty;
2. administrative, accounting and tax purposes (including billing management, payment processing, etc.);
3. fulfillment of obligations provided for by current legislation, as well as by institutions or authorities’ legitimate provisions (these include, e.g. the activities required for the fulfillment of the obligations set forth by anti-money laundering legislation, where applicable; activities aimed at fulfillment of tax and accounting obligations, etc.);
4. exercise of the Firm’s rights (such as, for example, the exercise of the right of defense in court);
5. processing of Particular Categories of Data ³, in which Criminal Judicial Data ⁴ could also be included, for the provision, management and customization of the services offered, object of the professional duty;
6. information and training, provided to the Data Subject by the Firm, related to professional matters and services, also by sending updating communications (by telephone, fax, text message, postal service, newsletter or the use of mailings lists);
7. g) sending of commercial communications (by telephone, fax, SMS, postal service, newsletteror the use of mailing list) concerning the promotion of the services provided by the Firm, including events, conferences or activities organized by the same, considering that the Data Subject may, at the time of the assignment and at any later time, request not to receive commercial communications.

The customer is informed that, when he makes use of his employees or collaborators (including any subcontractors) in the execution of the contractual relationship, their personal data may be processed by the Data Controller, for the purposes mentioned above.

Such processing has the same purposes, methods and times of storage of the data described in this information notice; in relation to such processing, in addition, the interested subjects have the same rights identified in point 12.

The customer has the responsibility to inform potential additional Data Subject (its employees, collaborators etc.) about the above-mentioned treatments correctly, also by the delivery of this information.

The Data Controller processes common Personal Data for the purposes indicated in point 2.

The Firm processes Criminal Judicial Data for the fulfillment of legal obligations in anti-money laundering matters.

In some cases it may be necessary for the Data Controller to process Particular Categories of Data.

The provision of data for the purposes referred to in point 2, letters from a) to e) must be considered mandatory for the provision of the services contractually agreed.

The provision of data, for the purposes referred to in point 2, letters f) and g), is optional.

Considering the purposes of the processing as illustrated, if the provision of data is to be considered mandatory, their failure provision, partial or incorrect, may determine, as a consequence, the inability to perform the activities described and may preclude the Data Controller to fulfill the contractual obligations assumed.

According to the purposes referred to in point 2, letter a), the legal basis of the processing is the execution of a contract to which the Data Subject is party or the execution of pre-contractual measures taken at request of the Data Subject.

For the purposes referred to in point 2, letters from b) to d) the legal basis of the processing is the need to fulfill legal obligations, establish, exercise or defend rights in court, or the pursuit of a legitimate interest of the Data Controller. In the latter case, the processing will be realized if the interest, right or fundamental freedom of the Data Subject does not prevail.

For the purposes referred to in point 2, letter e), with regard to Particular Categories of Data the legal basis is represented by one of the hypotheses referred to in Article 10 of the GDPR , and with regard to Criminal Judicial Data the legal basis is represented by fulfillment of a duty or by exercise of a faculty expressly recognized by law or regulation.

For the purposes referred to in point 2, letters f) and g), the legal basis of the indicated purpose is represented by the legitimate interest of the Data Controller, without prejudice to the right of the Data Subject to oppose the processing, at any time, free of charge.

For the purposes referred to in point 2, letters a) to e), the Personal Data are preserved for a period equal to the duration of the professional assignment (including possible renewals) and after its conclusion, termination or withdrawal from the same, for the period of the applicable prescription terms ex lege, except in cases where it is necessary to keep the Personal Data for a subsequent period for any disputes, for the protection of the rights of the Data Controller, for requests by the competent authorities or in accordance with the applicable legislation.

For the purposes indicated in point 2, letters f) and g), the Personal Data are kept for the duration of the contractual relationship and up to 24 months after the last contact with the Firm (intended as the last assignment, job interview, participation in events or initiatives organized by the Firm), without prejudice to the right of the Data Subject to withdraw consent, to object to the processing or cancellation of Personal Data.

In cases the legal basis is represented by consent, it will be possible at any time, to exercise the right to withdraw consent, in the hypotheses in which the same was provided under the GDPR, using the data contact indicated in this Information. This will make it impossible for the Data Controller to continue to use the Personal Data for the indicated purposes, without prejudice to the lawfulness of the processing based on consent before revocation.

Personal Data will be processed using paper, computerized and electronic means, or by means of the operations indicated in art. 4, n. 2), GDPR, with suitable procedures to guarantee security and confidentiality, in compliance with the provisions of article 32 GDPR.

For the pursuit of the purposes described in point 2 above, the Data Controller may need to communicate the Personal Data to third parties belonging to the following categories:

1. authorities and supervisory bodies and, in general, public or private subjects with public functions, recipients of mandatory communications;
2. subjects who, for the Data Controller, handle administrative, legal and fiscal obligations, or personnel selection;
3. subjects who provide services for the management of the information system of the Data Controller;
4. banking institutes for collections and payments.

The subjects belonging to the categories referred above operate, in some cases, in complete autonomy as separate data controllers, in other cases, as Data Processors specifically appointed by the Data Controller.

Furthermore, for the pursuit of the abovementioned purposes referred to in point 2, Personal Data are processed and known by Data Controller’s employees and collaborators, specifically designated as authorized persons, due to the different tasks and instruction assigned to each of them.

The list of appointed Data Processors and of the authorized persons is made available by the Data Controller for consultation, upon request to his contact details.

Personal Data, processed by the Data Controller, may be transferred to persons legitimated by virtue of current contractual relationships, according to the relevant regulations.

The management and storage of personal data will be realized on servers, located within the European Union, of the Data Controller and / or Third Party companies in charge and duly appointed as Data Processors. The servers are currently located in Italy.

The individual data may eventually be the subject of future transfer outside the European Union, in accordance with the provisions of Chapter V of the GDPR, after the Data Subject has been expressly informed and after the consent has been expressly given, if it is mandatory.

Using the contact details of the Controller indicated in this information, the Data Subject may exercise rights with respect to the Controller expressly recognized in Article 15 of the GDPR and in particular obtain access to the following data and information: a) purpose of the processing; b) categories of personal data; c) recipients or categories of recipients to whom the personal data have been or will be communicated; d) retention period of personal data or the criteria used to determine it; e) if the data is not collected from the Data Subject, information available on the origin; f) existence of an automated decision-making process, including profiling, and information on the logic used as well as the importance and expected consequences of such processing for the Data Subject.

Where applicable, the Data Subject also has the rights provided for in Articles 16 to 22 of the GDPR (to be exercised in the manner provided for in the previous paragraph) such as:

• to request and obtain – in the event that the legal basis is a contract or consent – that the data are transmitted in a structured and legible format by automatic device, also in order to communicate such data to a new data controller (so-called right to portability);
• to obtain: a) the updating, adjustment or, when there is interest, the integration of data; b) where there are the conditions set out in Article 17 of the GDPR, cancellation (so-called right to be forgotten), transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disclosed, except in the case where such fulfilment is impossible or involves an obvious disproportion relative to the protected right use of means;
• object, in whole or in part, to the processing aimed at the performance of a task of public interest or connected to the exercise of public authority (Article 6, paragraph 1, letter e); object, in whole or in part, to the processing aimed at pursuing the legitimate interest of the Data Controller or third parties (Article 6, paragraph 1, letter f), provided that interests or fundamental rights and freedoms do not prevail of the Data Subject who request the protection of personal data, in particular if the Data Subject is a minor; oppose the processing of personal data for direct marketing purposes. Upon receipt of the objection to the processing at the address indicated in the epigraph, the personal data will no longer be processed, except to the extent permitted by applicable laws and regulations;
• to limit the processing of data, i.e. to allow processing within the limits of retention, for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of relevant public interest of the Union or of a Member State, in the cases provided for by the GDPR (a. the Data Subject disputes the accuracy of personal data for the period necessary for the Controller to verify the accuracy of such personal data; b. the processing is unlawful and the Data Subject opposes the cancellation of personal data and asks instead for its use limitation; c. personal data are necessary for the Data Subject to ascertain, exercise or defend a right in court; d. the Data Subject has opposed the processing, pending verification of the possible prevalence of the legitimate reasons of the Controller with respect to those of the Data Subject);
• only in cases where the legal basis is represented by consent, to exercise, at any time the right to revoke the consent, in the cases in which it was given pursuant to the GDPR. This will make it impossible for the Data Controller to continue to use personal data for the purposes indicated, without however prejudicing the lawfulness of the processing based on consent before revocation.

At last, the Data Subject has the right to complain to the Guarantor Authority, which may be exercised:

• a. by registered letter, with return receipt, addressed to “Garante per la Protezione dei Dati personali”, Piazza Venezia, 11 – 00187 Rome;
• b. by e-mail to: garante@gpdp.it, or protocollo@pec.gpdp.it; fax to the number: 06 / 69677.3785.