Toffoletto De Luca Tamajo e Soci (hereinafter, also, the «Data Controller»), as data controller, wishes to inform you, as a Data Subject, pursuant to the applicable law on personal data protection, including European Regulation 679/2016 on the protection of personal data (the «Regulation»), that the personal data you provided during the establishmentof the contractual relationship and during its execution, will be processed in compliance with the legislative and contractual provisions in force for the purposes and in the ways indicated here below. Some data may also be collected from third parties in some circumstances, where necessary and always in compliance with the applicable legislation.
- Identity and contact details of the Data Controller and of the Data Protection Officer
The Data Controller is Studio Toffoletto De Luca Tamajo e Soci, with registered office in Via Rovello 12, 20121, Milan, certified e-mail address: .
The Data Protection Officer is Ms Paola Pucci, domiciled at the Data Controller’s registered office, email address: (hereinafter, the «DPO»).
- Purposes and legal grounds for data processing
a) The personal data will be processed in digital and hard copy format, with the specific purpose of fulfilling the obligations deriving from the law and from the firm’s engagement - including anti-money laundering regulations pursuant to Legislative Decree February 3, 2006, No. 141 – as well as providing the advice and the assistance requested from the Data Controller.
Data processing for these purposes is necessary and any refusal to provide such data will make it impossible for the firm to fulfil the obligations deriving from law and from the firm’s engagement, with the further consequence that it will be impossible to proceed with the engagement. Moreover, even during the performance of the engagement, any request to delete data necessary for the performance of the obligations deriving from the engagement and the law, or the refusal to provide the same, will render it impossible for the firm to provide the requested assistance.
b) The provided data may also be used to provide you with information or updates, by sending you newsletters and invitations to seminars and conferences, as well as to carry out marketing activities, by sending you news on the products and services offered by the Data Controller, and finally, to allow the Data Subject to use the app of Studio Toffoletto De Luca Tamajo e Soci and the Law Maps™.
The provision of your personal data for these purposes is optional and the refusal to provide them will only result in it being impossible to process the data for the above-mentioned activities providing information, updates and marketing communications.
- Data collected and processed
For the purposes set out under point 2.a), the Data Controller may process:
- the following identification and contact data communicated by the Data Subject: name and surname or business name, fiscal code or VAT registration number, residence or registered office, email address and telephone number;
- personal data of a judicial nature, relating to judicial proceedings or, in any case, to disputes, even out of court disputes, in which the Data Subject is involved;
- data relating to the business organization of the Data Subject;
- special categories of personal data pursuant to Article 9, Paragraph 1 of the GDPR, which are, by way of example: personal data revealing racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, genetic data, biometric data intended to unambiguously identify an individual, data relating to the health or sexual life or sexual orientation of a person.
According to Article 6, Paragraph 1, letters b) and c) of the GDPR, the processing of the provided data is lawful insofar as it is necessary for the execution of the existing engagement and for the fulfilment of the legal obligations to which the Data Controller is subject.
Pursuant to Article 9, Paragraph 2, letter f) of the GDPR, the processing of personal data pursuant to Article 9, Paragraph 1, of the GDPR is lawful insofar as it is necessary to establish, exercise or defend a right before the court or whenever the jurisdictional authorities exercise their jurisdictional duties.
For the purposes referred to under point 2.b) above, the Data Controller may process:
- identification and contact data communicated by the Data Subject: name and surname or business name, fiscal code or VAT registration number, residence or registered office, email address, and telephone number.
- Communication of the data processed
The personal data referred to in Paragraph 3 above will be processed not only by the Data Controller and the DPO, but also by the following recipients: the Data Controller's employees, workers, consultants and professionals, always within the scope of points 2.a) and 2.b) as set out above and with the prior appointment of the same by the Data Controller, including specific instructions necessary for complying with the legislation on the protection of personal data with particular reference to security aspects.
The data provided will not be circulated. However, they may be subject, where necessary, to the mandatory disclosures required by the Regulation referred to in paragraph 2.a) above and may also be disclosed to parties other than the Data Controller, such as organizations that organize conferences, within the scope of the purposes mentioned under point 2.b) above.
- Data transfer
The management and storage of personal data will be done on servers located within the European Union and managed by the Data Controller. The servers are currently located in Italy.
The data will not be transferred to outside the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move the server location to another country of the European Union and/or to non-EU countries. In this case, the Data Controller hereby ensures that the transfer of non-EU data will take place in accordance with the applicable legal provisions, stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the European Commission.
- Data retention period
The data provided for the purposes referred to in paragraph 2.a) above will be retained for the entire duration of the contractual relationship. After the termination of the contractual relationship, in order to safeguard the Data Controllers’ rights, the data will be retained – so as to be available only if necessary - for a period of time equal to the statute of limitation period of any rights you may claim against the Company. This period varies depending on the kind of data and on any action or event interrupting or suspending such period.
Should you give your consent to the data processing for the purposes set out under point 2.b), such data will be retained for a maximum period of 24 months from the data collection.
Once these retention periods have expired, the data collected will be deleted, in both digital and hard copy format.
- Rights of the Data Subject
With reference to the data processing above, the Data Subject may exercise the rights provided for by the applicable law concerning personal data protection, including the rights to:
- obtain confirmation as to whether or not personal data concerning him/her is being processed, and, if so, access to the contents of the personal data (right of access);
- update, amend and/or correct his/her personal data (right to rectification);
- request the erasure of or the limitation of the processing of data being processed in breach of the law, including those for which storage is not required for the purposes for which data was collected or otherwise processed (right to erasure and right to restriction of processing);
- object to the processing of data based on a legitimate interest (right to object);
- revoke the consent, if provided, without prejudice to the lawfulness of the data processed on the basis of the consent given before the revocation;
- file a claim before the Watchdog authority in case of violation of the rules concerning personal data protection;
- receive an electronic copy of the data relating to him/her, which was provided during an employment contract (e.g., data relating to salary and internal mobility services) and request that such data be transferred to another data controller (right to data portability).
In order to exercise the rights above, the Data Subject can contact the Data Controller at any time, sending his/her request via registered post to the following address: Via Rovello 12, 20121, Milan, or via registered mail to the following address: , or sending an e-mail to the following address: .
- Processing of data relating to individuals other than the Data Subject, which is connected with the business organization and the existing contract
When processing the personal data you communicated to us, the Data Controller and the other subjects as per clause 4 above, may occasionally also process data, mainly identification data and contact details, relating to other individuals who are part of your business organization. If so, you declare, under your own responsibility, that you showed the content of this notice to such individuals and that they fully understand and accepted it, where necessary. Also, you undertake to inform the Data Controller of any update relating to such data.