Annex A – INFORMATion sheet EX ART. 13 AND 14, EU REGULATION No. 2016/679 (GDPR)
With this information sheet, the Data Controller, as defined and identified below, wishes to inform you about the purposes and methods of the processing of your personal data and your rights as an interested party.
DATA CONTROLLER The Data Controller responsible for handling personal data is Maurizio Castelli, enrolled in the Register of Chartered Accountants of Padua at n. 00821 A, with headquarters in Padova – Galleria delle Porte Contarine, 4; e-mail: firstname.lastname@example.org.
PERSONAL DATA PROCESSED
For the purposes indicated in this information sheet, the Data Controller processes the common personal data which are, for example, personal data (name, surname, address, telephone number, e-mail address and other addresses), financial data, income and assets. The Data Controller may also process particular categories of personal data, such as data suitable to detect membership in trade unions, political parties, religious beliefs and of a judicial nature. The personal data processed will be freely communicated by you or by one of your representatives directly to the Data Controller or to another person specifically appointed, on the basis of the requested professional assignment to be carried out.
PURPOSE OF THE DATA HANDLING AND LEGAL BASIS
Personal data are processed for the management of the professional assignment conferred by you to the Data Controller, as well as for the resulting regulatory compliance required by national and European Community laws and/or regulations that the Data Controller is required to observe. In particular, in order to reach these objectives, the Data Controller will process your personal data for the purposes of the professional assignment, such as, for example, preparation of financial plans, business plans, information memorandums, management of bank relationships, M & A transactions, etc.
NATURE OF THE PROVISION AND CONSEQUENCES OF A REFUSAL TO CONFER PERSONAL DATA
Provision of the personal data processed is a necessary and essential requirement for the execution of the requested professional services and any failure to provide the requested data will make it impossible for the Data Controller to fulfill the contractual obligations set out in the letter of engagement.
PERIOD OF RETENTION OF YOUR PERSONAL DATA
Your personal data will be processed by the Data Controller for the entire duration of the professional mandate, as indicated in the professional letter of engagement, and for the fulfillment of the related regulatory obligations. Subsequently, personal data will only be stored, in a manner suitable to guarantee confidentiality, for 10 years from the end of the professional engagement, in compliance with the prescription period provided for by the Civil Code.
METHOD OF HANDLING OF PERSONAL DATA
The processing of your personal data will be carried out using paper, computerized and electronic means, with logic strictly related to the purposes indicated and, in any case, using methods that guarantee security and confidentiality in accordance with the provisions of Art. 32 of EU Reg. 2016/679.
SUBJECTS WHO CAN KNOW ABOUT PERSONAL DATA OR TO WHOM PERSONAL DATA CAN BE DISCLOSED
Subject to communications carried out in compliance with legal and contractual obligations, all data collected and processed may be communicated in Italy and transferred abroad exclusively for the purposes specified above to external companies/professional firms that provide assistance and labor consulting services in accounting, business, tax and financial matters, to Public Administrations and to those subjects provided for by law who fulfill obligations required by law. To carry out the purposes described above, your personal data will be known by the employees, by the assimilated staff and by the collaborators of the Data Controller, who will operate as authorized persons to process personal data. Furthermore, the persons in charge, internally and/or externally, of the management of your data can have access to it after being identified in writing and after being given specific instructions. The subjects belonging to the above categories operate, in some cases, in complete autonomy as separate data controllers, in other cases, as data controllers specifically appointed by the Data Controller in compliance with Art. 28 of EU Reg. N. 2016/679. Your data may be disclosed, as a result of inspections or verifications (if required), to all inspection bodies responsible for verifications and checks relating to the regularity of legal obligations.
THE RIGHTS OF THE INTERESTED PARTY
In relation to the data handling described in this information sheet, as an interested party you can exercise the rights set out in Articles 15 to 21, EU Reg. N. 2016/679 and, in particular, the following rights:
- right of access: the right to obtain confirmation that personal data concerning yourself is being processed and, in this case, obtain access to your personal data, including a copy thereof;
- right to amendment: the right to obtain, without undue delay, the correction of inaccurate personal data concerning yourself and/or the integration of incomplete personal data;
- right to cancellation (right to be forgotten): the right to obtain, without undue delay, the deletion of personal data as provided for by the terms indicated in EU Reg. 679/2016;
- right to limitation of handling: right to obtain data handling limitation;
- right to data portability: the right to receive, in a structured, commonly used format that is readable by an automatic device, your personal data that you provided to the Data Controller and the right to transmit it to another Data Controller without impediments, if the data handling is based on consent and is done by automated means. Furthermore, the right to have your personal data transmitted directly by the Data Controller to another Data Controller if this is technically feasible;
- right to object: the right to object, at any time, to the processing of your personal data based on the condition of legitimate interest, including profiling, unless there are legitimate reasons for the Data Controller to continue the data processing that prevail over the interests, rights and freedom of the interested party or for the assessment, exercise or defense of a right in court;
- to revoke consent previously granted;
- to submit a complaint to the legal Authorities (guarantor) for the protection of personal data, Piazza di Montecitorio n. 121, 00186, Rome (RM).
The above rights may be exercised against the Data Controller, by contacting the references identified above. The Data Controller will take on your request and provide you without undue delay and, in any case, no later than 30 days after receipt of the request, all information relating to the action taken regarding your request.