The information regarding the processing of Personal Data is provided below, in compliance with the requirements set out under art. 13 of the General Data Protection Regulation 2016/679 regarding Natural Persons and the free circulation of said data (hereafter, the “GDPR”).
DATA CONTROLLER’S IDENTITY AND CONTACT DETAILS
The Data Controller is B&C Legal – Avvocati e Commercialisti associati (hereinafter the “Firm” or “B&C Legal”), with registered office at Largo Donegani, No. 2 – 20121 Milan, tel. 0229005476; fax 0229005470; e-mail: firstname.lastname@example.org. Our internal privacy contact person is Ms. Federica Brevetti.
DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA
The following information refers to our processing of the Personal Data (therefore, referred to identified or identifiable natural persons) of:
- clients (or prospect clients), if natural persons; if the client (or prospects) is a company or a legal entity: data of the persons who act on behalf of clients, (hereafter, for the sake of simplicity, referred to as “Client/Clients”);
- Client’s attorneys;
- Client’s relatives (even minors);
- individuals other than the ones listed above, whose situation or relation with the Client is relevant for the sake of our legal assistance (or who act on behalf of those individuals);
- the individuals mentioned as “beneficial owner” under the anti-money-laundering laws (if applicable).
The personal data processed by the Firm shall consist, as the case may be, of:
- personal details (name, family name, date and place of birth, tax code);
- contact data (phone number, fax, email address, PEC);
- company role and professional info;
- content of communications;
- content of IDs, photo;
- audio-video contents;
- opinions, memo and other written documents;
- in exceptional cases: special categories of personal data as defined by Art. 9 of the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
- for sake of carrying out the due diligence required by the anti-money-laundering laws: quality of / relation with the politically exposed person; patrimonial information on the politically exposed person; patrimonial information on the Client (if a natural person);
- In exceptional cases, judicial data as defined by Art. 10 of the GDPR.
PURPOSE AND LEGAL BASIS FOR DATA PROCESSING
The Personal Data which you will communicate to us, or however, of which we will become aware during the contractual relationship will be processed exclusively for the purpose of performing the task received (as the case may be, in order to analyse the issues within the scope of the assignment, to prepare opinions and communications to the Client or to third parties) and for the related administrative purposes (managing the client database and the paper-based and electronic files relating to the individual cases), as well as – if required – to comply with the anti-money laundering legislation, where necessary.
Therefore, the processing of such data is necessary to perform the contract and/or the related preparatory measures. As far as the personal data processed for sake of the anti-money laundering legislation is concerned, process is required by law and is aimed at pursuing a public interest.
The assignment conferred on the Firm’s professionals includes the informal requests for consultancy services and is not necessarily formalised in a written document.
If you have given your consent, only the e-mail addresses will be used to send the periodic newsletters regarding legal issues, or regarding initiatives which we have organised. The process at hand is based on the data subject’s consent, which can be revoked at any time, by simply sending a request to the following e-mail address: email@example.com.
SENSITIVE AND JUDICAL DATA
In most cases, the Personal Data we process do not pertain to the special categories indicated in art. 9 of the GDPR (“Sensitive Data”), nor do they refer to criminal convictions and crimes, pursuant to art. 10 of the GDPR (“Judicial Data”).
In those exceptional cases that we will ask or you will disclose the above mentioned categories of data, we will ask your consent to such data being processed, that will be restricted to the data strictly necessary for the fulfilment of the services (consultancy or judicial assistance).
The consent shall be revoked at any time. However, the waiver of the consent to processing may imply the waiver to the assignment by our Firm, as their lack may prevent its correct execution.
In the case of politically exposed person, the processing of the information thereof is required by law and by the public interest to crime prevention.
Judicial Data shall be processed only to the extent they are necessary, based on the data subject’s consent and on the further (if any) legal requirements.
MANDATORY OR NON-MANDATORY REQUIREMENT TO PROVIDE PERSONAL DATA
Some Personal Data, in particular, the personal and contact details (if referred to a Client who is a natural person), are necessary to establish the assignment, and without such data we will be unable to open the file (unless such details are already in our archives) or provide the essential services related thereto.
As far as the assignment implies the obligation to B&C Legal to carry out the due diligence and risk evaluation required by the anti-money-laundering laws, personal data referred to the identification of the Client and of the Beneficial Owner must be disclosed mandatorily as, in their absence, the Firm shall not be allowed to provide the legal assistance required.
The further Personal Data required during our services shall be voluntarily given, but as they refer to the subject of our legal assistance they are fundamental in order to carry out the required services.
STORAGE AND RETENTION
The Personal Data will be stored on a server used by the Firm and located within the EU and/or on cloud solutions provided by third parties.
Personal Data shall be retained for a period of 10 years from the date the file referred to assignment is closed, which normally occurs in the six-month period after the collection of the last proforma note or invoice (if issued prior to payment) referred to that assignment.
As for the Personal Data processed for sending the newsletters, they will be kept for a period of five years or until the request for cancellation by the data subject.
PERSONS OR ENTITIES WHO OR WHICH MAY HAVE ACCESS TO PERSONAL DATA ON BEHALF OF THE FIRM OR TO WHOM THE DATA ARE COMMUNICATED
The Personal Data we collect will be processed exclusively by our persons in charge of data processing, and where necessary, may be made accessible to external consultants, or to professionals appointed by us for domiciliation of a judicial assignment (where this is functional for a more efficient management of the assignment) who are directly appointed by us. Furthermore, the Personal Data will be accessible by the IT providers.
Each of the external entities which has access to Personal Data has been appointed as Data Processor, pursuant to art. 28 of the GDPR, subject to strict obligations regarding confidentiality and secrecy.
Data may be also communicated to third providers of logistics or payment services, or otherwise appointed for carrying out services related to the assignment.
At the same time, Personal Data may also be communicated to Authorities before which the Firm’s professionals represent the Client, f.i. judicial authority, as well as to other parties involved in the same proceeding.
If an external professional (also a non-legal professional) co-operates with one of the Firm’s professionals in the assignment, based on a direct trust relationship with the Client, said professional will act as an independent data controller, subject to the obligations set out in the privacy laws.
In these cases, the exchange of Personal Data between the Firm and said professionals will be limited to only the necessary information and shall be considered as a communication from a data controller to another data controller, functional to the performance of the assignment.
The Personal Data shall also be communicated to the courts and tribunals in the framework of a lawsuit, or to the Tax Agency or other agencies and public entities and bodies on a need-to-know basis.
Again, the Personal Data may also be communicated to deputed Authorities in case of suspicious transaction, in compliance with the professionals’ obligations pursuant to the anti-money-laundering laws.
Under no circumstance will your Personal Data be transferred outside the European Economic Area, unless the country of destination (where, for example, the professional who we may need to contact to perform the assignment is based) is the subject of an adequacy decision by the European Commission, pursuant to art. 45 of the GDPR, or however another condition for the transfer occurs pursuant to artt. 45, 46 and 47 of GDPR.
DATA SUBJECT’S RIGHTS
We remind you that, in relation to your Personal Data, you will be entitled to exercise the rights acknowledged by the GDPR, namely: (i) the right of access the Personal Data and information, for example: the purpose of data processing and the types of data stored by our Firm (art. 15 of the GDPR); (ii) the right to obtain the rectification of incorrect Personal Data which concern you, or to integrate incomplete personal data (art. 16 of the GDPR); (iii) the right to erasure (“right to be forgotten”) of the Personal Data which concern you, if one of the grounds envisaged under art. 17 of the GDPR applies; (iv) the right to limitation of processing, i.e. to obtain that the Personal Data which may be subject to dispute are flagged and not deleted, for the period necessary to exercise a given right regarding such data (art. 18 of the GDPR); (v) the right to data portability (art. 20 of the GDPR); (vi) the right to revoke the consent given to the Personal Data processing.
Lastly, we inform you that the GDPR grants all the data subjects the right to submit a complaint to the Supervisory Authority (Garante per la privacy, with legal office at Piazza Venezia, n. 11 – 00187 Roma – email: firstname.lastname@example.org – CEM: email@example.com), if any of the provisions thereof has been violated.
You may use the following e-mail address: firstname.lastname@example.org for any request or observation.