Policy pursuant to Article 13 of Regulation (EU) 679/2016 on the processing of the data subject’s personal data Dear Client, Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council dated 27th April 2016 on data protection (hereinafter, the “Regulation” or “GDPR”), in relation to the processing of your personal data, the Studio Legale Musumeci, Altara, Desana e Associati (hereinafter, the “Studio” or the “Data Controller”), whose identity and details are shown below, hereby
informs you
of the following:
1) Identity and Details of the Data Controller.
Pursuant to Articles 4 and 24 of the Regulation, the Data Controller is the Studio Legale Musumeci, Altara, Desana e Associati, in the person of the legal representative pro tempore, with registered office at Via Ettore de Sonnaz 14 – 10121 Turin (TO), having telephone number +39 011.21.70.911 and fax number +39 011.21.70.900. You may contact the Data Controller by writing to the above address or by sending an email to the dedicated email address of segreteria@madlex.it.
2) Purpose and Lawfulness of Data Processing.
The personal data you provide to the undersigned Data Controller shall be processed exclusively for the purposes related to the execution of the professional appointment upon stipulation or already underway with the Studio, in compliance with the provisions indicated by Article 13 of the Regulations and the obligations of confidentiality that in any case inspire the professional activity of the undersigned. The purposes related to the execution of the professional assignment refers to any data processing operation concerning the management, administration and fulfilment of the contractual relationship in question. The legal basis of the processing for the aforementioned purposes is Article 6(1)(b) of the GDPR (“processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract”).
In the context of these purposes, processing is also carried out for the fulfilment of specific legal obligations relating to the management of the contractual relationship and the performance of the appointment (for example, in relations with the Judicial Authority or for the fulfilment of the obligations dictated by Italian legislation on anti-money laundering). The legal basis of the processing for the aforementioned purposes is Article 6(1)(c), cit. (“Processing is necessary for compliance with a legal obligation to which the controller is subject”).
3) Particular Categories of Personal Data.
If in the execution of the professional appointment or to fulfill specific legal obligations inherent to the management of the contractual relationship, the undersigned Data Controller must also acquire data that falls within the scope of the particular categories of personal data pursuant to Article 9 of the Regulation (in particular, personal data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”) such categories of data may be processed only with your free and explicit consent. The legal basis of the processing of the data conferred by you belonging to the aforementioned particular categories of personal data referred to in Article 9 of the Regulation will be represented, in this case, by your specific consent pursuant to Article 9(2)(a) of the Regulation (“the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”).
4) Data Processing Methods.
In relation to the aforementioned purposes, your personal data shall be processed using manual, electronic and telematic tools, exclusively for the stated purposes and, in any case, using methods that guarantee data security and privacy, in compliance with the provisions of Article 32 of the Regulation on security measures and by specifically appointed subjects, in compliance with the provisions of Article 29 of the Regulation.
5) Recipients or Categories of Recipients of Personal Data.
The processing of the personal data you provide will be carried out by means of subjects expressly and specifically designated by the Data Controller who work in the interest of the Studio as Data Processors (Article 28 cit.) or as authorised subjects (Article 29 cit.) or as subjects expressly designated to process the data in the terms provided for by the Regulation and by the national legislation of adaptation to the provisions of the GDPR. The data provided may also be processed by the Data Controller directly and also communicated to third parties if such processing is functional to the legal obligations and execution of the contract. For this purpose of communication, the data may be brought to the attention of companies or external professionals whose collaboration the Data Controller may utilise for the purposes indicated in this Policy.
In order to facilitate the fulfilment of contractual and legal obligations, the data may be communicated to post offices, shippers and couriers for the sending of documentation, as well as to banking institutions for the accounting management deriving from contract execution, as well as to Public Administrations in accordance with the law, along with third parties for the provision of IT or storage services, as well as to correspondent colleagues and domiciliaries.
The Data Subjects’ personal data are not subject to disclosure and the Data Controller will not disclose or make available in any way to indeterminate subjects.
6) Transfer of Personal Data to Third-Party Countries or International Organisations.
As a rule, no personal data of the Data Subject will be transferred to third-party countries outside the European Union nor to international organisations. If this is necessary for the performance of the appointment conferred to the Studio, the latter undertakes to ensure that any transfer takes place in compliance with the provisions of Articles 45 (on the basis of an adequacy decision of the Commission) and 46 (on the basis of the existence of adequate guarantees), if applicable, or in any case pursuant to Article 49 of the Regulation.
7) Data Retention Period.
Personal data being processed will be stored in compliance with the provisions of Article 5(1)(e), in a form that allows for the identification of Data Subjects for a period of time not exceeding the achievement of the purposes indicated above, for which the personal data is collected and processed. Personal data is stored according to the following criteria: (a) for the time strictly necessary to achieve the “purposes inherent in the realisation of the object of the contract” for which it is processed and in any case for a period not exceeding 10 (ten) years; (b) for the time strictly necessary for the fulfilment of legal, regulatory obligations or provisions issued by Supervisory and Control Bodies. At the end of the retention period, your data will be deleted or archived anonymously.
8) Rights of the Data Subject.
In accordance with Article 15 and following Articles of the Regulation, you as Data Subject have the right to request from the Data Controller:
– Access to your personal data;
– Rectification or erasure of your data or the limitation of the purposes for which the data can be processed;
– Objecting to the processing;
– Data portability in accordance with Article 20 cit;
– If the processing is based on Article 6(1)(a) or Article 9(2)(a) of the Regulation, withdrawal of consent at any time, without prejudice to the lawfulness of the processing based on the consent provided before consent was withdrawn.
Without prejudice to any other administrative or judicial remedy, if the Data Subject believes the data processing infringes the GDPR, they have the right to file a complaint with the supervisory authority, in the country in which they habitually reside, work or in which the alleged infringement occurred, in accordance with Article 77 cit. (the Italian Supervisory Authority is the Data Protection Authority).
To exercise the above rights, the Data Subject may contact the Data Controller at the addresses indicated in Point 1 of this Policy.
9) Communication of Personal Data as a Legal or Contractual Obligation or Necessary Requirement for Contract Conclusion and Possible Consequences for Failure to Communicate Such Data.
The communication of your personal data and the consequent processing by the Data Controller are necessary for the establishment, continuation and proper management of the relationship in question, with such communication thus being considered as mandatory.
Any refusal on your part to provide the personal data requested may result, on the part of the Data Controller, in the impossibility of completing and managing the contractual relationship with you.
10) Application of Automated Processing (Including Profiling).
Pursuant to Article 13(2)(f) of the GDPR, we inform you that your personal data will not be subject to automated processing, including profiling, as provided by Article 22(1) and (4) of the Regulation.
11) Processing for Purposes Other Than Those for Which the Data Was Collected.
Should the Data Controller wish to process your personal data for purposes other than those for which the data was collected, before proceeding, they will inform the Data Subject about this additional purpose and provide them with any other pertinent information, in accordance with Article 13(2) of the Regulation.
Data Controller
Studio Legale Musumeci, Altara, Desana e Associati
