Pursuant to art. 13 Reg. UE 679/2016 (hereinafter, for brevity, the “GDPR”) and in relation to personal, common, special categories of personal data pursuant to art. 9 GDPR and personal data relating to criminal convictions and offences pursuant to art. 10 GDPR, which RP Legal & Tax Associazione Professionale will come into possession for carrying out its professional duty (hereinafter, for brevity, the “Data”), we inform you of the following.
- Data controller
1.1 Data controller will be RP Legal & Tax Associazione Professionale, with registered office in in Turin, via Amedeo Avogadro n. 26 (hereinafter, for brevity, the “Controller” or the “Firm”).
1.2 The Data will be processed also by persons authorised by the Controller and by data processors. The complete and updated list of authorised subjects and data processors is available by contacting the Controller, in the person of the Partner who signed the letter of assignment.
- Data processing
2.1 The Data will be processed for purposes of the correct and complete execution of the engagement, both in and out of court, for specific, explicit and legitimate purposes (hereinafter, for brevity, “Engagement”). The legal basis of such processing is the need to carry out the Engagement conferred by Client. The duration of data retention in relation to data processing is equal to the duration of the Engagement.
2.2 The Data will be also processed for the purposes envisaged by the legislation applicable to the Firm’s professional activity, in particular in the field of anti-money laundering applicable to professionals pursuant to Legislative Decree no. 231/2007, as amended by Legislative Decree no. 90/2017. The legal basis of such processing is the need to comply with legal obligations. The duration of data retention in relation to such processing is equal to the period of data retention required by aforesaid legislation.
2.3 The Data may also be processed to prevent or control unlawful conducts or to protect and enforce rights. The legal basis of such processing is the Firm’s legitimate interest to protect its rights and to prevent wrongdoings. The period of data retention of Your Data is equal to the time reasonably necessary for us to enforce our rights from the time we become aware of a threat of a legal action or of a wrongdoing or of its potential commission.
- Purpose of processing and consequences of a possible refusal to consent
3.1 The communication of Data for the purposes referred to in point 2.1. above is mandatory. In the event of Your refusal, therefore, it would not be possible for the Controller to carry out correctively and exhaustively the Engagement conferred hereto.
- Communication of Data
4.1 The Data may be communicated, for the purposes of carrying out the Engagement (purposes referred to in point 2.1) and to comply with obligations imposed by law (purposes referred to in point 2.2) to external collaborators, banking institutions of our confidence, subjects operating in the judicial sector, to counterparties and their defenders, to arbitration boards and, in general, to all those subjects whose communication is necessary for the correct accomplishment of the Engagement.
4.2 Furthermore, the Data may be communicated to police forces, courts or other public bodies, in compliance with the legal obligations connected with the Engagement (purposes referred to in points 2.1 and 2.2) as well as for the purposes referred to in point 2.3.
4.3 Finally, the Data may be communicated to external suppliers for the purposes of carrying out the Engagement (purposes referred to in point 2.1).
4.4 All subjects who process the Data on behalf of the Firm are identified and contractualized in accordance with art. 28 GDPR, by providing them with adequate instructions on the processing to be carried out and by periodically verifying that they comply with these instructions and, in general, that they provide sufficient guarantees to implement appropriate technical and organizational measures so that processing complies with the requirements of the GDPR and ensures protection of data subject’s rights.
4.5 The Firm uses third party service providers (such as cloud, hosting, electronic communication services) which operate as data controllers under agreements in accordance with art. 28 GDPR. These providers shall only process such personal data as is strictly necessary for the performance of their tasks and may use them solely for the purposes of performing such tasks on our behalf or to comply with legal requirements. The updated list of third party suppliers, operating as data processors pursuant to art. 28 GDPR, is now available by contacting the Controller, in the person of the Partner who signed the engagement letter.
- Data processing methods
5.1 The data processing is carried out by means of operations or series of operations indicated in art. 4, no. 2 of the GDPR, namely: collection, registration, storage, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, block, communication, deletion and destruction of Data.
5.2 The Data will be processed on magnetic support, with the help of computing and telematic tools and on paper, in full compliance with the confidentiality and security provisions required by law.
- Data Dissemination
The Data are not subject to dissemination.
- Data transfer overseas
7.1 The Data may be transferred to countries within the European Union and to countries outside the European Union for the purposes referred to in paragraph 2 hereto.
7.2 In particular, the Data may be processed in third countries by suppliers of the Firm to which the Data are transmitted on the basis of agreements entered into in accordance with art. 28 GDPR, along with standard contractual terms approved by the European Commission (“SCC”) or pursuant to an adequacy decision of the European Commission. Where the level of protection of such third countries is not adequate and the SCCs are likely to result insufficient to secure the required protection of personal data as required by GDPR, supplemental measures as required by the EDPB from time to time will be put in place to strengthen the protection provided by the SCCs. The updated list of third party suppliers, operating as data processors pursuant to art. 28 GDPR, is available by contacting the Controller, in the person of the Partner who signed the engagement letter.
- Data subject’s rights
8.1 You may contact the Firm to request access to Your personal data, their rectification and deletion or limitation of processing, to oppose processing and to request their portability; You may also revoke Your consent at any time (this will not affect the lawfulness of processing based on the consent given prior to the revocation).
8.2 You have the right to lodge a complaint to the Data Protection Authority and to ask the Controller, at any time, for information about the data processors and the subjects authorized by the data controllers to process Your Data.
8.3 You can exercise your rights by contacting the Controller, in the person of the Partner who signed the engagement letter or by sending an email to firstname.lastname@example.org.
RP Legal & Tax Associazione Professionale
[28-11-2019 – V 1.0]