Clients Policy Arts. 13-14 of EU Regulation No. 679/2016 In pursuance of the General Regulation on Protection of Personal Data of the natural persons (GDPR- (EU) Reg. No. 679/ 2016), the undersigned, Data Controller, states the following:
SOURCES AND CATEGORIES OF PERSONAL DATA
The held personal data are collected directly from the interested parties, who directly and freely provided us with the same, and from others such as employment agencies or job experts, or through Public Registers or by downloading from National Social Security Institute, National Institute for Insurance against Accidents at Work, Revenue and Collection Agency, etc. Such information represents personal and property data and likely sensitive and judicial data of the interested parties and others identified and identifiable that have natural relationships stipulated by the civil law with the interested party (such as families, employees, clients, suppliers, etc.). Sensible data mean such information suitable to disclose racial and ethnic origin, religious philosophic beliefs or others, political opinions, membership of religious, philosophic, political or syndicate trade unions, associations or organizations, health status and sexual life. Judicial data mean such information suitable to disclose provisions relating to criminal records, register of administrative sanctions depending on a crime or on related pending charges, or the status of accused or suspected according to the criminal procedural code. Using these applications in the site, we collect the IP addresses or the domain name of the computers utilized by the User and connect with the Application, the addresses having URI (Uniform Resource Identifier), request time, the way used to apply the request to the server, the dimension of the output file, the code referring to the server response status (successful, error, etc..), the country of origin, the characteristics of browser and working system, various temporal connotations of the visit (for example; the time spent on each page), and the related details of the route followed within the application, with special reference to the sequence of browsing pages, to the parameters in connection with the operational system and with IT environment. The User who utilizes the application should work in with the interested party, or authorized by it to communicate the data being processed.
PURPOSES AND LEGAL BASES OF THE PROCESSING
The personal data are processed in the field of the normal activity executed by the data controlling organization (Ateco codes and descriptions: 69.20.11 Services offered by chartered accountants;) and under the following purposes (the legal basis is indicated to between brackets in accordance with GDPR): a) Purposes closely related to the completion and execution of the required services (GDPR Arts. 6 (b) and (9) (a)), especially such compliances in connection with civil, financial, tax, counting, remuneration, social security and security regulations, etc., including dispatching circulars and communications related to the activity of professional mandate and/ or the contract of services provision; including but not limited to: bookkeeping and processing, preparation of financial statements and tax declarations, payments of taxes and duties, preparation of models UNICO, 730, 740, 770, F23, F24, IMP, IMU, TASI, ISEE, RED, DSU, INTRASTAT, etc., including the additional declarations referred to in the statements prepared by the Revenue Agency, auditing, keeping and managing company books, refund assistance, facilities, inspections, disputes, management of arbitrations, preparation of succession practices, establishment of companies, management of liquidations and bankruptcies, assistance and documentation in the field of labour law, payroll processing, etc. b) Purposes tightly related and instrumental to management of the relationships with the interested parties (GDPR Arts. 6 (b) and 9 (a)), such as acquisition of initial information, implementation of operations in accordance with the contractual obligations, registration of data for anti-money laundering, administrative and accounting operations, recovery and assignment of credit, etc. c) Purposes in connection with obligations stipulated by laws, as well as the provisions issued by authorities entitled by the law (GDPR arts. 6 (c) and 9 (b, g and h); d) For assessment, exercise and defence of a right in and out of court (legitimate interest) of the data controller (GDPR Arts. 6 (f) and 9 (f)); e) Main purposes of the activities for which the interested party can or cannot express its consent, such as receiving notifying mails (GDPR Art. 6 (a) and 9 (a)).
RESULTS OF OBJECTION TO GIVE DATA
Giving data is optional, but it is indispensable to process them for the purposes of the letters Nos. (a) and (b). In the event that the interested parties neither communicate the proper indispensable data nor allow processing them, it cannot be proceed with completion and execution of the proposed services and following up the mutual contractual obligations, resulting violation of the correct fulfilment of the regulatory obligations, such as accounting, financial and administrative regulations, etc. Processing data for the purposes above is necessary for the regular fulfilment by the client interested in the above financial and non-financial practices. Therefore, it is believed that charging the data with the data controller (for purposes of compliance with the contractual obligations) refers undoubtedly to the approval of processing the same, including the sensible data (such as the ones related to handicap status, deductible charges, tax deductions, etc.), for purposes for which they were charged. For such data, in case of fully or partly refusal of or misrepresentation, including sensible data, the required fulfilments may be incomplete to the extent that causes damage, sanctions or loss of interests. Failure to provide with the mailing address on which to receive information emails (point (e) of the processing) will have the sole consequence of failing to update on any tax / administrative / … issues at a general level and failure to receive reminders relating to tax deadlines.
METHODS OF PROCESSING DATA AND EXTENDED INFORMATION ON COOKIES
TRANSFERS OUT OF THE EU
The processing shall exclusively occur in Italy and EU. Personal data will be kept, in general, as long as the purposes of the processing persist.
CATEGORIES OF RECEPIENTS
The indispensable data only are sent: · To appointees and responsible parties for the processing, who carrying out specified duties and operations, whether they are into or out of the Controller’s organization. · In case of and to the entities stipulated by law (such as Tax Authority, Customs Agency, INAIL, INPS, CAF, Pensions Funds, etc.) The data shall not be disclosed, except as permitted by law. Specified and proper approvals shall be required, if necessary, and the entities which shall receive the data (different from the aforesaid entities, such as banks, insurance companies, suppliers, etc.), they shall utilize them in their capacity of autonomous owners.
RIGHTS OF INTERESTED PARTY
At any time, it may exercise its rights (access, correction, cancellation, limitation, portability, objection, absence of automated decision-making processes) whenever provided for regarding the data controller, in pursuance of the Arts. from 15 to 22 of GDPR (below mentioned); complain about the Sponsor (www.garanteprivacy.it); in the event that the processing is based on the approval, withdraw such given approval, taking into consideration that the cancellation of approval does not breach the legality of processing based on consent before cancellation.
DELIVERY AND CONTACT DETAILS
Extract from the EU Regulations No. 679/ 2016 Article 15- “Right of access of the Interested Party”
1 The interested party may have confirmation by the data controller as to whether or not personal data concerning it are being processed and, in such a case, get access to personal data and the following information:
2 the purposes of the processing;
3 The categories of these personal data;
4 the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations;
5 where possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
6 the existence of the right of the interested party to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment;
7 the right to lodge a complaint with a supervisory authority;
8 if the data are not collected from the data subject, all information available on their origin;
9 the existence of an automated decision-making process, including the profiling referred to in Article 22 (1) and (4) and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party.
10 Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the existence of adequate safeguards pursuant to Article 46 relating to the transfer.
11 The data controller provides a copy of the personal data being processed. In the event of further copies requested by the data subject, the data controller may charge a reasonable fee contribution based on administrative costs. If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in a commonly used electronic format.
12 The right to obtain a copy referred to in paragraph 3 shall not affect the rights and freedoms of others
Article No. (16)- “Right of Rectification” The data subject has the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, also by providing an additional declaration. Article No. (17) “Right of Cancellation” (“Right to Oblio”)
1 The data subject has the right to obtain from the data controller the deletion of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay if one of the following reasons exists:
1 a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
2 the data subject revokes the consent on which the processing is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and whether there is no other legal basis for the processing ;
3 the data subject opposes the processing pursuant to Article 21 (1) and there is no legitimate overriding reason to proceed with the processing, or opposes the processing pursuant to Article 21 (2);
4 personal data have been processed unlawfully;
5 personal data must be deleted to fulfill a legal obligation under Union or Member State law to which the controller is subject; (26)
6 the personal data have been collected in relation to the information society service offer referred to in Article 8 (1).
7 The controller shall, if he / she has made personal data public and is obliged, pursuant to paragraph 1, to delete it, taking into account the available technology and implementation costs, shall take reasonable steps, including technical measures, to inform the data controllers who are processing personal data of the request of the person concerned to delete any link, copy or reproduction of his personal data.
8 Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
9 for exercising the right to freedom of expression and information;
10 for the fulfilment of a legal obligation requiring treatment under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority of which the data controller is invested; (26)
11 for reasons of public interest in the field of public health in accordance with Article 9 (2) (h) and (i) and Article 9 (3);
12 for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1), insofar as the right referred to in paragraph 1 risks making it impossible or to seriously affect the achievement of the objectives of this treatment; or
13 for the assessment, exercise or defense of a right in court..
Article No. (18)- “Right of Limitation of Treatment”
1 The data subject has the right to obtain from the data controller the limitation of processing when one of the following hypotheses occurs:
2 the interested party disputes the accuracy of personal data for the period necessary for the data controller to verify the accuracy of such personal data;
3 the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that its use is limited;
4 although the data controller no longer needs it for processing purposes, personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
5 the interested party has opposed the treatment pursuant to Article 21 (1), pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party.
6 If the processing is restricted pursuant to paragraph 1, such personal data shall only be processed, except for storage, with the consent of the data subject or for the establishment, exercise or defense of a right in court. or to protect the rights of another natural or legal person or for reasons of significant public interest of the Union or of a Member State
7 The data subject having obtained the processing restriction pursuant to paragraph 1 shall be informed by the controller before the limitation is revoked.
Article 19- Obligation of notification regarding rectification or erasure of personal data or restriction of processing The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it. Article 20- Right to data portability
1 The data subject shall have the right to receive personal data concerning him / her provided to a data controller in a structured, commonly used and readable form by automatic device and has the right to transmit such data to another data controller without impediments on the part of the data controller to whom he has provided them if: (a) the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) or on a contract within the meaning of Article 6 (1) b); is b) the treatment is carried out by automated means.
2 In exercising its rights relating to the portability of data in accordance with paragraph 1, the data subject shall have the right to obtain direct transmission of personal data from one controller to another, if technically feasible.
3 The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right does not apply to the treatment necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority as the data controller is invested.
4 The right referred to in paragraph 1 must not affect the rights and freedoms of others.
Article No. (21) “Right of Opposition”
1 The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. 2The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2 Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3 Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4 At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5 In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
1 Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest
Article 22- Automated individual decision-making related to the natural persons, including profiling
1 The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2 Paragraph 1 shall not apply if the decision:
1 is necessary for entering into, or performance of, a contract between the data subject and a data controller;
2 is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
3 is based on the data subject’s explicit consent.
1 In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
2 Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.