THE PRIVACY POLICY OF TOFFOLETTO DE LUCA TAMAJO AND ASSOCIATES
Toffoletto De Luca Tamajo e Soci (hereinafter, the “Data Controller”) wishes to inform you, as Data Subject, in accordance with the applicable legislation on personal data protection, including EU Regulation 679/2016 relating to the protection of personal data (the “Regulation”), that any personal data provided when entering into a contract and during its life will be processed in compliance with the legislative and contractual provisions in force, for the purposes and with the methods indicated below. In some circumstances, data may also be collected from third parties, where necessary and always in compliance with the applicable legislation.
1. Identity and contact details of the Data Controller
The Data Controller is Studio Toffoletto De Luca Tamajo e Soci, with registered office on Via Rovello n. 12, 20121, Milan, PEC (certified email) toffolettodeluca@legalmail.it.
2. Purpose and legal basis of processing
a. The data provided will be processed, on paper and electronically, with the specific purpose of fulfilling the requirements deriving from the law and pursuant to the mandate conferred upon the Data Controller – including the provisions governing anti-money laundering legislation, pursuant to Ministerial Decree no. 141 of 3 February 2006 – and of providing the requested consultancy and assistance services. The provision of data for such purposes is necessary, and any refusal in this regard makes it impossible to fulfil the statutory requirements under law and the mandate conferred upon the Data Controller. Moreover, even during the implementation of the mandate, the request for deletion of data necessary for the fulfilment of requirements deriving therefrom and from the law, or the refusal to provide data, makes it impossible to provide the services under the mandate.
b. Any data provided may also be used to conduct information and update activities, by the delivery of newsletters and invitations to seminars and conferences, as well as marketing activities, by the delivery of communications on products or services offered by the Data Controller, as well as to allow data subjects to use the app of Studio Toffoletto De Luca Tamajo e soci, and the Law Maps™. The provision of data for these purposes is optional and any refusal to provide them will only make it impossible for the Data Controller to conduct the information, update and marketing activities described above.
c. Any data provided may also be used to carry out telephone surveys in relation to satisfaction with the services provided by the Firm. Clients selected for these activities will be notified in advance by email. The provision of data for these purposes is optional and any refusal to provide them will only make it impossible for the Data Controller to conduct the activities related thereto.
3. Data subject to processing
For the purposes referred to in point 2.a. above, the Data Controller may process:
- the following personal, identification and contact data provided by data subjects: name and surname or company name, Tax ID or VAT number, residence or registered office, email address, and telephone number;
- personal data of judicial nature, relating to court proceedings or, in any case, disputes, including those of an out-of-court nature, to which the data subject is a party;
- data relating to the internal organisation of the data subject and any personal data of company personnel, which are necessary for carrying out the mandate (legal advice and assistance and/or payroll processing) and thus, by way of example only: common data (identification data, tax and administrative data, attendance data, salary data, leave-related data, judicial data relating to court proceedings or, in any case, to disputes of any kind); data belonging to the special categories referred to in Art. 9, paragraph 1, of the GDPR, and namely, by way of example: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to the health or sexual life, or sexual orientation of the person.
Pursuant to Art. 6 (1) (b) and (c) of the GDPR, the processing of data provided is lawful, since it is deemed to be necessary for the implementation of the mandate and to fulfil the legal requirements imposed on the Data Controller.
Pursuant to Art. 9 (2) (f) of the GDPR, the processing of personal data, as set forth in Art. 9 (1) of the GDPR, is lawful, being deemed necessary to ascertain, exercise or defend a right in court or whenever the courts act in their judicial capacity.
For the purposes referred to in point 2.b. above, the Data Controller may process:
- the following personal, identification and contact data provided by data subjects: name and surname or company name, Tax ID or VAT number, residence or registered office, email address, and telephone number.
For the purposes referred to in point 2.c. above, the Data Controller may process:
- the following personal, identification and contact data, provided by the data subject: name and surname or company name, Tax ID or VAT number, residence or registered office, email address, telephone number as well as all data provided when taking a survey and, in particular, information on the degree of satisfaction with the services and products offered by the Firm.
Pursuant to Art. 6 (1) (f) of the GDPR, the processing of data provided for the purposes set forth in b) and c) is lawful, as it constitutes a legitimate interest of the Data Controller.
Processing for statistical purposes: The data in points 2.b. and c. will also be processed for statistical purposes intended to improve the quality of the services offered. Statistical processing will take place only once the personal data have been made definitively and irreversibly anonymous, and exclusively on aggregated data. Therefore, once data have been made anonymous, it will no longer be possible to connect them again in any way to the data subject – not even at the request of the data subject; therefore, any requests in this regard cannot be applied to anonymised data.
4. Recipients of personal data to be processed
The personal data referred to in point 3 above will be processed by the Data Controller and, possibly, the following recipients: employees of the Data Controller, as well as its collaborators, consultants and professionals, always within the scope of the aforementioned purposes and after their designation by the Data Controller, including by way of specific instructions necessary for compliance with personal data protection legislation and, in particular, provisions concerning data security. Any data processed for purposes under 2.a. may also be shared with firms of the international Ius Laboris alliance of which the Firm is a part, and/or with firms serving as domiciliation agents.
The data provided will not be disseminated. However, they may be subject, where necessary, to mandatory sharing, as provided for by the legislation referred to in point 2.a. above, and may also be shared with subjects external to the Data Controller, such as entities that organise conferences, within the scope of the purposes referred to in points 2.b. and 2.c. above.
5. Transfer of personal data to a third country or to an international organisation
Personal data will be managed and stored on servers located within the European Union.
The data will not be transferred outside the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move the location of the servers to another country of the European Union and/or to non-EU countries or, where necessary for the execution of the mandate, to transmit the data to Ius Laboris alliance firms located outside the EU. In this case, the Data Controller pledges that the transfer of data outside the EU will take place in compliance with the applicable statutory provisions by entering into, if necessary, agreements that guarantee an adequate level of protection, and/or adopting the standard contractual clauses provided for by the European Commission.
6. Personal data retention period
Data provided for the purposes referred to in point 2.a. above will be kept for the entire duration of the contractual relationship. Once a contract has expired, in order to protect the rights of the Data Controller, the data will be stored – so as to be accessible only in case of need – for a period of time corresponding to the limitation period inherent in any rights that may be claimed against the Data Controller. This period varies depending on the type of data and on any cause of suspension or interruption of the limitation period.
Data provided for the purposes referred to in point 2.b. above will be kept for 24 months following their registration.
Data provided for the purposes referred to in point 2.c. above will be kept for 12 months following their registration.
Once the retention terms have elapsed, the data collected will be deleted from any computer and/or paper support.
7. Rights of Data Subjects
In relation to the data processing described herein, you can exercise the rights provided for by the applicable personal data protection legislation, including the right to:
- receive confirmation of the existence of your personal data and access their content (right to access);
- update and/or amend your personal data (right to amend);
- request data deletion or limitation of processing concerning data that have been processed in violation of the law, including those that do not need to be kept for the purposes for which they were originally collected or processed (right to be forgotten and right to restriction);
- object to processing based on legitimate interest (right to object);
- revoke the consent, where given, without prejudice to the lawfulness of processing based on the consent given before the revocation;
- file a complaint with the Supervisory Authority in case of violation of personal data protection provisions;
- receive a copy of personal data in electronic format, which may have been provided for purposes related to the employment contract (e.g., data relating to salaries and internal mobility services), and request that such data be transmitted to another data controller (right to data portability).
The data subject may exercise the aforementioned rights at any time by sending a registered letter to the following address: Via Rovello n. 12, 20121, Milano, or a PEC (certified) email to: toffolettodeluca@legalmail.it, or regular email to: privacy@toffolettodeluca.it.
8. Processing of data relating to natural persons other than the data subject, connected with the latter’s organisation and any duties assigned
At the time of processing of any personal data provided, the Data Controller and other persons referred to in clause 4 above may occasionally process data referable to other subjects within your business organisation. In this case, you declare, under your own responsibility, that you have shown this Privacy Policy to all interested parties and that the Policy has been understood and – to the extent necessary – accepted by such parties. Furthermore, you undertake to notify the Data Controller of any updates relating to the data of these parties.
Additional information is available on the Firm website www.toffolettodeluca.it.