INFORMATION pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)

Version until 31/10/2023

Our Firm, Serantoni e Associati (hereinafter, the “Firm”), is attentive to data protection and to respect for the personal information collected in the exercise of its professional activity.


The Processing Data Controller is the Firm Serantoni e Associati, with registered office in Bologna (BO), Piazza Minghetti, 4/D, fiscal code and V.A.T. 03939290379 (the “Firm” or “Data Controller”).

You can contact the Data Controller:

  • at the telephone number +39 051 239789
  • at the fax number +39 051 223913
  • or by writing to the registered office
  • or by sending an e-mail to the address:


The Data Controller processes the Personal Data of the Data Subject ii, for the following purposes:

  1. provision, management and customization of the offered services, object of the professional duty;
  2. administrative, accounting and tax purposes (including billing management, payment processing, etc.);
  3. fulfillment of obligations provided for by current legislation, as well as by institutions or authorities’ legitimate provisions (these include, e.g. the activities required for the fulfillment of the obligations set forth by anti-money laundering legislation, where applicable; activities aimed at fulfillment of tax and accounting obligations, etc.);
  4. exercise of the Data Controller’s rights (such as, for example, the exercise of the right of defense in court);
  5. processing of Particular Categories of Data iii, in which Judicial Data iv could also be included, for the provision, management and customization of the services offered, object of the professional duty;
  6. information and training, provided to the Data Subject by the Data Controller, related to professional matters and services, also by sending updating communications (by telephone, fax, text message, postal service, newsletter or the use of mailing lists);
  7. sending, to the e-mail address provided by the Data Subject on the occasion of the purchase of the Data Controller’s services, of promotional messages about services similar to those purchased, without prejudice to the right of opposition, in accordance with article 130 of D. Lgs. 30 June 2003 n. 196;
  8. sending of commercial communications (by telephone, fax, SMS, postal service, newsletter or the use of mailing lists) concerning the promotion of the services provided by the Firm, including events, conferences or activities organized by the same, considering that the Data Subject may, at the time of the assignment and at any later time, request not to receive commercial communications;
  9. documentation, drafted by the Data Controller, related to references on provided services.


The Data Controller processes common Personal Data for the purposes indicated in point 2.
In some cases it may be necessary for the Data Controller to process Particular Categories of Data and Judicial Data.


The provision of data for the purposes referred to in point 2, letters from a) to e) must be considered mandatory for the provision of the services contractually agreed.

The provision of data, for the purposes referred to in point 2, letters from f) to i), is optional.


Considering the purposes of the processing as illustrated, if the provision of data is to be considered mandatory, failure to provide them, or their partial or incorrect provision, may result in the inability to perform the activities described and may prevent the Data Controller from fulfilling the contractual obligations assumed.


According to the purposes referred to in point 2, letter a), the legal basis of the processing is the execution of a contract to which the Data Subject is party or the execution of pre-contractual measures taken at request of the Data Subject.

For the purposes referred to in point 2, letters from b) to d), the legal basis of the processing is the need to fulfill legal obligations, establish, exercise or defend rights in court, or the pursuit of a legitimate interest of the Data Controller. In the latter case, the processing will be carried out if the interest, right or fundamental freedom of the Data Subject does not prevail.

For the purposes referred to in point 2, letter e), with regard to Particular Categories of Data the legal basis is represented by the express consent, and with regard to Judicial Data the legal basis is represented by fulfillment of a duty or by exercise of a faculty expressly recognized by law or regulation.

For the purposes referred to in point 2, letters f) and g), the legal basis of the indicated purpose is represented by the legitimate interest of the Data Controller, without prejudice to the right of the Data Subject to oppose the processing, at any time, free of charge.

For the purposes referred to in point 2, letters h) and i), the legal basis of the indicated purpose is represented by the express consent.


For the purposes referred to in point 2, letters a) to e), the Personal Data are preserved for a period equal to the duration of the professional assignment (including possible renewals) and after its conclusion, termination or withdrawal from the same, for the period of the applicable prescription terms ex lege, except in cases where it is necessary to keep the Personal Data for a subsequent period for any disputes, for the protection of the rights of the Data Controller, for requests by the competent authorities or in accordance with the applicable legislation.

For the purposes indicated in point 2, letters from f) to i), the Personal Data are kept for the duration of the contractual relationship and up to 24 months after the last contact with the Firm (understood as the last assignment, job interview, participation in events or initiatives organized by the Firm), without prejudice to the right of the Data Subject to withdraw consent, to object to the processing or cancellation of Personal Data.


For the purposes mentioned above, and in cases where the legal basis is represented by consent, it will be possible at any time to exercise the right to withdraw consent, in the cases in which it was provided under the GDPR, using the contact details indicated in this Information. This will make it impossible for the Data Controller to continue to use the Personal Data for the indicated purposes, without prejudice to the lawfulness of the processing based on consent before revocation.


Personal Data will be processed using paper, computerized and electronic means, or by means of the operations indicated in art. 4, n. 2), GDPR, with suitable procedures to guarantee security and confidentiality, in compliance with the provisions of article 32 GDPR.


For the pursuit of the purposes described in point 2 above, the Data Controller may need to communicate the Personal Data to third parties belonging to the following categories:

  1. authorities and supervisory bodies and, in general, public or private subjects with public functions, recipients of mandatory communications;
  2. subjects who, for the Data Controller, handle administrative, legal and fiscal obligations, or personnel selection;
  3. subjects who provide services for the management of the information system of the Data Controller;
  4. banking institutes for collections and payments.

The subjects belonging to the categories referred to above operate, in some cases, in complete autonomy as separate data controllers and, in other cases, as Data Processors specifically appointed by the Data Controller.

Furthermore, for the pursuit of the abovementioned purposes referred to in point 2, Personal Data are processed and known by the Data Controller’s employees and collaborators, specifically designated as authorized persons, according to the different tasks and instructions assigned to each of them.

The list of appointed Data Processors and of the authorized persons is made available by the Data Controller for consultation, upon request sent to its contact details.

Personal Data, processed by the Data Controller, may be transferred to persons legitimated by virtue of current contractual relationships, according to the relevant regulations.


The management and storage of personal data will take place on servers, located within the European Union, of the Data Controller and / or Third Party companies in charge and duly appointed as Data Processors. Currently the servers are located in Italy.

The individual data may possibly be subject to future transfer outside the European Union, in accordance with the provisions of Chapter V of the GDPR, after the Data Subject has been expressly informed and after the consent has been expressly given, if it is mandatory.


In addition to what has already been indicated in point 8 and in relation to the purposes described in paragraph 2 above, using the contact details of the Data Controller indicated in this information, as Data Subject, you may exercise rights with respect to the Data Controller expressly recognized in Articles 15 et seq. of the GDPR including:

  1. to obtain confirmation of the existence or non-existence of personal data concerning you, even if not registered yet, and their communication in an intelligible form;
  2. to obtain the indication about: a) the origin of personal data; b) the purposes and methods of the processing; c) the logic applied in case of processing carried out with the aid of electronic instruments; d) the identification details of the Data Controller, of the Processors pursuant to art. 3, paragraph 1, GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or can learn about them as processors or authorized persons;
  3. to request and obtain – in the event that the legal basis is a contract or consent – that the data are transmitted in a structured format readable by an automatic device, also in order to communicate such data to a new data controller (so-called right to portability);
  4. to obtain: a) the updating, rectification or, when there is interest, the integration of data; b) cancellation (so-called right to be forgotten), transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disclosed, except in case such fulfillment is impossible or involves the use of means manifestly disproportionate to the protected right;
  5. to proceed to: a) the opposition, in whole or in part, for legitimate reasons to the processing of personal data provided, even if pertinent to the purpose of the collection; b) to the request to be informed about the existence of a decision-making process aimed at sending advertising material or carrying out market research or commercial communication. Once the opposition to the processing data has been received at the address indicated in the epigraph, the personal data will no longer be processed, except to the extent permitted by applicable laws and regulations;
  6. to limit the processing of data, i.e. to allow processing within the limits of retention, for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of relevant public interest of the Union or of a Member State, in the cases provided for by the GDPR (a. the Data Subject disputes the accuracy of personal data for the period necessary for the Data Controller to verify the accuracy of such personal data; b. the processing is unlawful and the Data Subject opposes the cancellation of personal data and asks instead for its use limitation; c. personal data are necessary for the Data Subject to ascertain, exercise or defend a right in court; d. the Data Subject has opposed the processing, pending verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the Data Subject).

Finally, the Data Subject has the right to complain to the Guarantor Authority, which may be exercised:

  1. by registered letter, with return receipt, addressed to “Garante per la Protezione dei Dati personali”, Piazza Venezia 11, 00187 Rome;
  2. by e-mail to:, or; fax to the number: 06 / 69677.3785.

i Data Subject means a natural person whose personal data are processed by the Data Controller.

ii Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

iii Special Categories of Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

iv Judicial Data means personal data relating to criminal convictions and offences or related security measures.