DISCLOSURE FOR THE PROCESSING OF PERSONAL DATA FOR THE CLIENTS/CUSTOMERS OF THE FIRM (pursuant to articles 13 e 14 of the EU Reg. n. 2016/679)

Dear Customer, Dear User

in compliance with the 2016/679 European Regulation (GDPR), Studio Marco Broggini would like to inform you that the personal data you provide or that we acquired in the course of our activity, necessary to execute the services offered to you, will be processed in compliance with the law on privacy and the principles of correctness, lawfulness, transparency and protection of your privacy and your rights. We also wish to transmit the following information:

1. DATA CONTROLLER AND CONTACT DATA

The Data Controller is Studio Marco Broggini.

Contact data: Varese 21100 Via Morazzone, 5 – Tel. 0332 285558 – 285859 Fax 0332 233175 – E-mail: studi1@studiobroggini.com

2. DATA PROCESSED, PURPOSES AND LEGAL BASIS OF THE PROCESSING
   • The computer systems and software used to operate the institutional website of the Studio (https://www.studiobroggini.com/it/) acquire some personal data that are implicitly a consequence of the use of information protocols on the Internet (for example domain names and IP addresses). These data are not accompanied by additional personal information and are used to obtain anonymous statistical information on the use of the site, to check how to use it and to ascertain any responsibility in case of cybercrime. The legal basis that legitimizes the processing of such data is the need to make the functionality of the company website usable as a result of User access.
   • The data provided voluntarily by the user of the site (through the information request Form), from possible future clients and existing customers, are instead those necessary for the Data Controller to provide available services and are treated in a lawful and correct manner. They are also collected and registered for specific, explicit and legitimate purposes indicated below and are used in processing operations that are not incompatible with these purposes.

Personal data (personal identification data such as: name and surname, company name, tax code and VAT number, address, telephone / fax, e-mail, bank and payment details, username and password for access to reserved area of the website) are collected and processed:

1. to perform customer relations activities based on pre-contractual and contractual agreements;
2. for administrative, tax or internal accounting purposes related to the customer-supplier relationship and to fulfil the obligations generally envisaged, borne by the Data Controller, by laws or regulations, by community legislation, by requests of the Judicial Authority, or to exercise the rights of the Data Controller (for example the right of defence in court);
3. to allow you to access the reserved area for the Studio’s customers and registered professional Users, as well as the connection to the Zucchetti MIP Portal if required;
4. in the presence of specific distinct consent of the customer, for the following purposes: to send (via e-mail) newsletters, updates, informative material, possibly customized, relating to the services offered by the Studio.

The legal basis that legitimizes the processing of the data referred to points “a” (pre-contractual and contractual agreements), “b” (administrative, accounting or tax purposes) and “c” (access to the reserved area of the website) is the execution of a contract for the supply of services, of which the customer is a part, or the carrying out of pre-contractual activities at the request of the client, also useful for assessing the feasibility of following a possible professional mandate.

In the cases expressly indicated under point “d” (information, marketing), the legal basis is the consent freely given by the customer.

2.3. Pursuant to articles 9 and 10 of the GDPR the user, the web user and the customer can confer to the Data Controller qualifying data as “particular categories of personal data” (i.e. those data revealing the racial or ethnic origin, political opinions, religious or philosophical convictions, or trade union membership, health data, as well as data covered by confidentiality or intellectual property). These categories of data may be processed by the Data Controller only with the prior consent of the data subject and, expressed in writing by signing this statement, for contractual requirements and related fulfilment of legal and tax obligations. As part of some agreed consultancy activities, the processing of data is aimed not only at the personal data of customers but also at their operating partners, workers, family members and interested third parties.

3. METHODS OF TREATMENT, CRITERIA AND TIMES OF CUSTODY

The processing of personal data is carried out by means of: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data. Personal data are collected as a result of direct sending to the Data Controller, through the completion of the form on the website, of forms prepared for the management of pre-mandated consultancy and pre-contractual agreements or for the management of the same. The data are processed either by manual processing in paper format or electronic or automated, computerized or by telematics tools. The collected data are recorded and stored by the Data Controller in computer and paper record, as well as stored and controlled in such a way as to minimize the risks of destruction or loss, even accidental, unauthorized access and treatment not allowed or not in accordance with the purposes of the collection.

Your personal data are subjected to both paper and electronic processing. The Data Controller will process personal data for the time necessary to fulfil the purposes set out in point 2 of this statement. Particularly:

• the preservation of documents relevant for accounting, tax and anti-money laundering purposes will be in compliance with the provisions of the relevant regulations, also in relation to the starting date of the obligation, the duration of the contractual relationship and in any case up to 10 years from the end of the same.
• the retention of data relating to requests received by e-mail or through the internal website form, will take place no later than 12 months if a professional mandate has not been followed.
• for marketing purposes, sending newsletters, up to revocation of consent.

In the event that you should interrupt the service supply relationship, the Firm will preserve only the data expressly requested or required by law and only for the time indicated by the law itself. In case of further use, precautionary data will be delivered to the customer on suitable supports.

4. NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF REFUSAL TO RESPOND

The provision of personal data relating to the processing related to the purposes set out in 2.1, 2.2 a), b), c) is optional, however failure to provide, partial or complete of data, may result in the partial or total inability to establish or to continue the requested relationship, within the limits in which such data are necessary for the execution of the same.

The provision of data for marketing purposes is also optional, the customer can decide not to give any data or subsequently deny the ability to process data already provided: in this case will not receive newsletters, commercial communications and advertising material generally inherent to the services offered by the Data Controller.

5. RECIPIENTS OR ANY CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The data processing of the web user and the customer is carried out by the Data Controller or by third parties appointed as Data Processors (in accordance with article 28 of the GDPR) or “independent” Owners, such as:

• freelancers of the firm who work, mainly at the headquarters of the same;
• subjects identifiable as a partner of the firm;
• professionals, companies, associations or professional firms that lend assistance or advice to the Data Controller for administrative, accounting, tax purposes and legal protection;
• all Public Institutes established by the law and more generally by all the Authorities required by current accounting and tax regulations as recipients of mandatory communications;
• banking institutions for collections and payments.

The updated list of managers is kept at the registered office of the Data Controller.

6. DIFFUSION

Personal data are not subject to distribution.

7. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

As part of the management of the contractual relationship there is no transfer of data of the User / Customer to third countries outside the EU or to international organizations.

8. DATA SUBJECT RIGHTS AND METHODS OF OPERATION

According to the EU Reg. 2016/679: articles 15, 16, 17, 18, 19, 20, 21, 22, – data subject rights.

1. The Data Subject has the right to obtain confirmation of the existence of its personal data, even if not yet registered, and their communication in intelligible form.
2. The Data Subject has the right to obtain the indication: of the origin of the personal data; of the purposes and methods of processing; of the logic applied in case of treatment carried out with the support of electronic instruments; of the identifying details of the Data Controller, of the responsible and of the designated representative according to article 5, paragraph 2; of the subjects or the categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the territory of the State, managers or agents.
3. The Data Subject has the right to obtain:
4. updating, rectification or, when interested, integration of data;
5. the deletion, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
6. the attestation that the operations referred to in letters a) and b) have been brought to the attention, also with regard to their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfilment proves impossible o involves a use of means manifestly disproportionate to the protected right;
7. a copy of the information we hold in a common and interoperable format;
8. e) the limitation of the processing of personal data concerning him / her or of objecting, in whole or in part: for legitimate reasons, to the processing of personal data concerning him / her, even though they are relevant to the purpose of the collection.

Furthermore, the Data Subject has the right to:

1. f) revoke the consent at any time, without prejudice to the lawfulness of the treatment based on consent before revocation;
2. g) propose a complaint to a Supervisory Authority;
3. h) obtain the updating, rectification and integration of data;
4. i) oppose in whole or in part, for legitimate reasons, to the processing of personal data concerning him / her, even if pertinent to the purpose of the collection.

If the request is written, it must be forwarded by registered letter, fax or e-mail at the registered office of the Data Controller to the references indicated in point 1 of this statement.

It is possible to ask the Data Controller for a “declaration of attestation” suitable to certify that the advanced requests have been effectively resolved and brought to the attention of those to whom the data had been previously disclosed and communicated. A Data Subject may also delegate a third person with a copy of the power of attorney or of the proxy signed in the presence of an appointee or signed and presented together with an unauthenticated photocopy of a document of recognition of the person concerned. The Data Controller is required to reply to the request within 15 days from the date of submission or 30 days if the reply is problematic, in any case within the 15th day the Data Subject will be notified in writing about the reasons of the delay.

The exercise of the rights by the interested party (web user, potential client and customer) is free under Article 12 of the GDPR. However, in the case of manifestly unfounded or excessive requests, also due to their repetitiveness, the Data Controller may charge the User a reasonable fee, in light of the administrative costs incurred to manage his/her request, or deny the satisfaction of his/her request.

The last modification to this Privacy Policy was made on 17.10.2018.