The information regarding the processing of Personal Data is provided below, in compliance with the requirements set out under art. 13 of the General Data Protection Regulation 2016/679 (hereafter, the “GDPR”).
DATA CONTROLLER’S IDENTITY AND CONTACT DETAILS
The Data Controller is Ditrag S.r.l. (the “Firm” or “Ditrag”), with registered office at Largo Donegani, No. 2 – 20121 Milan, tel. 0229005386; e-mail: firstname.lastname@example.org. Our internal privacy contact person is Mr. Luigi Filippini.
DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA
The Firm may process the Personal Data (that is, information relating to identified or identifiable natural persons) of:
- clients (or prospective clients), if natural persons; if the client is a legal entity: persons who act on its behalf or in the framework of an employment or other relationship with the legal entity (hereafter, for the sake of simplicity, referred to as “Clients”);
- Client’s shareholders, directors or attorneys;
- Client’s relatives (including minors);
- individuals other than the ones listed above, whose situation or relation with the Client is relevant for the sake of our assistance (or who act on behalf of those individuals);
- individuals mentioned as “Beneficial Owner” under the anti-money-laundering laws.
The personal data processed by the Firm shall consist, as the case may be, of:
- personal details (name, family name, date of birth, address, VAT code);
- contact details (phone number, fax, e-mail address, addresses);
- company’s position and professional info;
- content of communications;
- content of ID, photos;
- audio-video contents;
- opinions, memos and other written documents;
- bank details (e.g.: account number);
- in exceptional cases: special categories of personal data as defined by Art. 9 of the GDPR, namely: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
- for the sake of carrying out the Client due diligence: quality of / relation with the politically exposed person; further information on the Client (if necessary);
- in exceptional cases, judicial data as defined by Art. 10 of the GDPR;
- in exceptional cases: personal data related to minors.
PURPOSE AND LEGAL BASIS FOR DATA PROCESSING
The Personal Data which you communicate to us, or of which we otherwise become aware during the contractual relationship, will be processed exclusively for the purpose of performing the task received (as the case may be, in order to analyse the issues within the scope of our professional assistance, to prepare opinions and communications to the Client or to third parties, or briefs and memos) and for the related accounting and administrative purposes (managing the client database and the paper-based and electronic files relating to the individual cases).
Therefore, the processing of such data is necessary to perform the contract and/or the related preparatory measures.
As far as the anti-money laundering legislation is concerned, we shall also identify our Client and carry out the risk assessment. In this context, the processing of Personal Data is required by law and is aimed at pursuing a public interest.
The mandate conferred on the Firm’s professionals includes the informal requests for consultancy services and is not necessarily formalised in a written document.
If the Client has given their consent, the e-mail address will be used to send the periodic newsletters regarding issues of importance for our Clients, or regarding initiatives which we have organized. The consent that may have been given can be revoked at any time, by simply sending a request to the e-mail address email@example.com.
SPECIAL CATEGORIES OF DATA AND JUDICIAL DATA
In the exceptional cases in which we ask for, or you disclose, Personal Data belonging to the special categories indicated in art. 9 of the GDPR, on a need-to-know basis, we will base our processing on your consent.
The consent may be revoked at any time. However, revoking the consent may prevent us from performing the professional services and may therefore imply the waiver of the mandate by the Firm.
In the case of a politically exposed person, the processing of the related information is required by law and is aimed at pursuing a public interest.
The Judicial Data pursuant to Art. 10 of the GDPR shall only be processed on a need-to-know basis and only if the necessary legal requirements are met.
MANDATORY OR NON-MANDATORY REQUIREMENT TO PROVIDE PERSONAL DATA
Some Personal Data, in particular the personal and contact details, the bank details and the information required in the context of client identification (as required by the anti-money laundering law), are necessary to establish the contract. Without such data we will not be able to provide our services, or we will be prevented from doing so.
Any further Personal Data required in the course of our services are provided voluntarily; however, as they relate to the subject of our assistance, they are fundamental to carrying out the required services.
HOW PERSONAL DATA ARE PROCESSED AND RETAINED
The Personal Data are processed and stored on servers and/or cloud storage provided by third parties and located in the EU, and shall be retained for 10 years from the date on which performance of the contract is completed or the case in the context of which the Personal Data were collected or provided is closed.
The personal data used for the newsletter shall be retained for 5 years, unless the Client requests their deletion earlier.
PERSONS OR ENTITIES WHO OR WHICH MAY HAVE ACCESS TO PERSONAL DATA ON BEHALF OF THE FIRM OR TO WHOM THE DATA ARE COMMUNICATED
The Personal Data we collect will be processed exclusively by our persons in charge of data processing.
Furthermore, the Personal Data will be accessible to the providers of the IT infrastructure, as well as the hardware and software assistance providers.
Each external person or entity who has access to Personal Data is appointed as Data Processor, pursuant to art. 28 of the GDPR, subject to strict constraints regarding confidentiality and security.
Some of the Personal Data, namely the personal and bank details, may also be communicated to payment and delivery service providers.
The Personal Data shall also be communicated to public authorities (e.g.: judicial or supervisory authorities) and administrations (e.g.: Tax Agency and business register), on a need-to-know basis.
The Personal Data shall also be communicated to the competent bodies in the event of a suspicious transaction. In such a case, the communication is required by law and is justified by the public interest in preventing money laundering.
Under no circumstance will your Personal Data be transferred outside the European Economic Area, unless the country of destination is the subject of an adequacy decision by the European Commission, pursuant to art. 45 of the GDPR (as is the case, for instance, for Switzerland and the UK) or another legal basis for transfer pursuant to Art. 45, 46 and 47 of the GDPR applies.
DATA SUBJECT’S RIGHTS
We take this opportunity to remind you that the GDPR gives data subjects the following rights: (i) the right of access to the personal data and information, for example: the purpose of data processing and the types of data held by us (art. 15 of the GDPR); (ii) the right to obtain the rectification of incorrect personal data which concern you, or to have incomplete personal data completed (art. 16 of the GDPR); (iii) the right to erasure (“right to be forgotten”) of the personal data which concern you, if one of the grounds envisaged under art. 17 of the GDPR applies; (iv) the right to restriction of processing, i.e. to obtain that the personal data which may be subject to dispute are flagged and not deleted, for the period necessary to exercise a given right regarding such data (art. 18 of the GDPR); (v) the right to data portability (art. 20 of the GDPR); (vi) the right to revoke the consent given to the processing of Personal Data.
Lastly, the GDPR confers on all data subjects the right to submit a complaint to the Supervisory Authority, if the Authority’s provisions have been violated.
You may use the following e-mail address: firstname.lastname@example.org for any request or observation.