Privacy and Cookie policy
(Articles 13–14 of Regulation (EU) 2016/679 – GDPR)
1. Introduction
Pursuant to Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”), the undersigned, acting as Data Controller, provides this notice describing the purposes and methods of processing the personal data provided by data subjects.
2. Sources and categories of personal data
The personal data processed are collected:
- directly from the data subject, who provides them voluntarily;
- from third parties, such as employment consultants, professional firms, or public bodies;
- from public registers or institutional databases, such as the Italian Social Security Institute (INPS), the National Institute for Insurance against Accidents at Work (INAIL), the Revenue Agency, or the Tax Collection Agency.
The categories of data processed may include:
- personal and identification data;
- financial and economic data;
- data belonging to special categories (so-called sensitive data) and, where applicable, judicial data, referring to the data subject or related third parties (family members, employees, collaborators, clients, suppliers, etc.).
For the purposes of this notice, “sensitive data” means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health, sex life, or sexual orientation. “Judicial data” means data disclosing criminal convictions, offenses, or related security measures, as well as information indicating a person’s status as a suspect or defendant pursuant to the Italian Code of Criminal Procedure.
When using the web applications available on the website, certain navigation data may be automatically collected, such as: IP address, domain names, URI (Uniform Resource Identifier), time of the request, request method, response size, HTTP status code, country of origin, browser and operating system characteristics, navigation times and paths, and other parameters related to the user’s IT environment.
The user of any web application must coincide with the data subject or be duly authorized by the data subject to provide their data.
3. Purposes and legal bases of processing
Personal data are processed within the professional activities of the Controller (ATECO code 69.20.11 – Services provided by chartered accountants) for the following purposes:
a) Provision of requested services. To perform and manage professional and contractual services in compliance with civil, fiscal, accounting, tax, social security, and insurance obligations (Articles 6(1)(b) and 9(2)(a) GDPR). Examples include bookkeeping, financial statements and tax filings, payroll processing, tax management, corporate and labor consultancy, succession matters, arbitration, liquidation, and bankruptcy procedures.
b) Management of relationships with the data subject. Activities related to the establishment, execution, and management of the professional relationship, including anti-money-laundering registration, administrative and accounting procedures, and potential credit recovery or assignment (Articles 6(1)(b) and 9(2)(a) GDPR).
c) Compliance with legal obligations and orders from authorities. Processing required to comply with legal obligations or orders from competent authorities (Articles 6(1)(c) and 9(2)(b)(g)(h) GDPR).
d) Protection of the Controller’s rights. Processing carried out for the establishment, exercise, or defense of legal claims, whether judicial or extrajudicial (Articles 6(1)(f) and 9(2)(f) GDPR).
4. Consequences of failure to provide data
Providing personal data is optional, yet necessary for the purposes set out under points (a) and (b). Failure to provide the essential data may make it impossible to perform the requested services and fulfill contractual or legal obligations (accounting, fiscal, social security, etc.).
Consent to processing shall be considered implicitly given when the data are voluntarily provided for the execution of the professional relationship.
5. Methods of processing and data security
Data are processed manually and/or by electronic and telematic means, according to principles of lawfulness, fairness, transparency, and proportionality, as set out in Article 5 of the GDPR.
Appropriate technical and organizational measures are adopted to ensure the confidentiality, integrity, and availability of data. All registered professionals are bound by professional secrecy (Presidential Decree no. 1068 of 27 October 1953, art. 4). Employees and collaborators of the Controller are bound by a confidentiality obligation. No automated decision-making or profiling is carried out.
6. Extended information on cookies
The website uses technical and aggregated statistical cookies necessary for proper operation and to improve the browsing experience. Third-party cookies may also be used, which are subject to their respective privacy policies.
Users can manage their cookie preferences directly through their browser settings, blocking or deleting installed cookies. For further details, please refer to the Extended Cookie Policy available on the website.
7. Data transfer abroad
Data processing is carried out exclusively within the territory of the European Union. No transfer of data to third countries or international organizations is envisaged.
8. Data retention period
Personal data are stored for as long as necessary to achieve the purposes for which they were collected and, in any case, in compliance with the applicable civil, fiscal, and professional retention periods.
9. Data recipients
Personal data may be communicated, within the limits strictly necessary, to:
- internal and external data processors and authorized persons;
- public and private entities as required by law (e.g., Revenue Agency, INPS, INAIL, CAF, professional funds, etc.);
- banks, insurance companies, and other third parties, subject to specific consent, acting as independent data controllers.
Under no circumstances will the data be made publicly available.
10. Data subject rights
At any time, the data subject may exercise the rights provided by Articles 15–22 of the GDPR, including:
- right of access to personal data;
- right to rectification and updating;
- right to erasure (“right to be forgotten”);
- right to restriction of processing;
- right to data portability;
- right to object to processing;
- right not to be subject to a decision based solely on automated processing.
The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it). Where processing is based on consent, such consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.
11. Data Controller and contact details
Data Controller: Dr. Barbara Antonini
Registered Office: Via Carlo Goldoni 33, 21100 Varese (VA), Italy
Tel.: +39 0332 319899
E-mail: barbara@studio-antonini.com
PEC: barbara.antonini@odcec.legalmail.it
The full list of appointed data processors is available upon request.
12. Final clause
Given the complexity of technologies used for cookies and other third-party tracking systems, any inquiries regarding their use may be addressed to the Controller using the contact details provided above.