Information Notice pursuant to Section 13, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“General Data Protection Regulation” – “GDPR”)
Giovanardi Pototschnig & Associati – Studio Legale (“GPA” or the “Controller”), having its seat in (20121) Milan, Piazza del Liberty n. 8, in person of its pro-tempore legal representative, as Controller of your personal data spontaneously communicated (verbally, by means of your visit card, by e.mail, or by means of giovanardilex.it website, or by other similar ways), provides you the following information pursuant to Section 13, GDPR.
(a) Identity and contact details of the Controller
Giovanardi Pototschnig & Associati – Studio Legale
Piazza del Liberty, 8 – 20121 Milano
VAT number: 10527000151
Tel: 0039 (02) 776721
Certified email address: firstname.lastname@example.org
(b) Processed categories of personal data
Within the purposes of processes mentioned under par. (d) below, the Controller shall exclusively process personal data concerning, by way of example: your name and family name, date and place of birth, residence, domicile, work address, tax code, VAT number, email, certified email address, phone number (landline and mobile), fax number, numbers and codes, messaging, chat and audio-video communication codes, employer company and group, business role and/or position, etc.
(c) Processing operations
Your personal data are processed by automated means, limited to the following operations: collection, recording, organisation, structuring, update, storage, adaption and alteration, retrieval and analysis, consultation, use, disclosure by transmission to the recipients under par. (e) above, alignment or combination, restriction, erasure or destruction.
(d) Purposes and legal basis of the processing of personal data
(d.1) Your personal data will be processed by the Controller, even without your consent, limited to the following purposes:
(i) performance of contractual obligations arising from the execution of a professional service or taking steps at your request prior to entering into a contract, pursuant to Section 6, item (b), GDPR;
(ii) compliance with legal obligations, as provided for by a law (national or EU) or perform an order of any authority and/or any entity to which the Controller is subject, pursuant to Section 6, item (c), GDPR;
(iii) exercise the rights of the Controller, with particular reference to the rights arising from professional services assigned or about to be assigned to the Controller, including judicial defence rights, pursuant to Section 6, item (f), GDPR.
(d.2) Your personal data will be processed by the Controller with your consent for the following purposes, pursuant to Section 7, GDPR:
(i) invitations to events, conferences and workshops on legal and/or professional subjects;
(ii) sending information notes, studies and publications on legal and/or professional subjects;
(iii) submitting questionnaires, surveys, customers’ satisfaction requests, etc.
For the purposes under par. (d.1) above, processing your personal data is necessary and your consent is not expressly required. Any lack of the data or any express refusal of consent to process the data may cause the impossibility to the Controller to perform the professional services contract or the violation of legal obligations and /or the competent authorities requests to which the Controller is subject.
For the purposes under par. (d.2) above, your personal data are processed on a voluntary basis; consequently, you may decide non to provide us with any consent, or withdraw it at any time, without affecting the lawfulness of processing based on consent before withdrawal.
(e) Categories of recipients
For the purposes under par. (d.1) above, your personal data could be transferred to:
(i) employees and collaborators of the Controller, in their capacity of person duly authorised to data processing;
(ii) any third parties, performing outsourced activities on behalf of the Controller, in their capacity of data processors;
(iii) any judicial authorities, public administrations, public entities, whether national or foreign ones.
Upon your express consent to processing the personal data for the purposes under par. (d.2) above, data may be transferred to those subjects indicated under items (i), (ii) and (iii) above.
(f) Place of personal data storage and transfer of personal data to third countries
Personal data are processed and stored on servers allocated within EU, belonging to or in the full possession of the Controller and/or third party processors, duly appointed.
The transfer of personal data to non-EU countries, if any, is performed under standard data protection clauses, expressly approved by the third parties authorized, pursuant to Section 46, GDPR.
(g) Personal data storage period
Personal data collected for the purposes under par. (d.1.) above are processed and stored by the Controller for the entire duration of the professional services contract and, even after termination, as long as legal limitation periods be elapsed.
Personal data collected for the purposes under par. (d.2) above are processed and stored by the Controlled for the time necessary for the perfomance of the same purposes and, anyhow, not later than two years form the date of the consent.
(h) Data subject’s rights
Pursuant to Chapter III, Section I, GDPR, you may exercise the right herein, even by certified email to the Controller:
– right of access: obtain from the Controller confirmation as to whether or not your personal data are being processed, and, where that is the case, access the personal data and the following information: the purposes of the processing, the categories of personal data concerned, the recipient or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries, the envisaged period for which the personal data will be stored (Section 15, GDPR);
– right of rectification: obtain from the Controller without undue delay the rectification of inaccurate personal data concerning you or have incomplete personal data completed (Section 16, GDPR);
– right to erasure (or “right to be forgotten”): obtain from the Controller without undue delay the erasure of personal data concerning you, if no longer necessary in relation to the purposes for which they were collected or otherwise processed, and in the other cases provide for by GDPR (Section 17, GDPR);
– right to restriction: obtain from the Controller restriction of the processing in the cases provided for by GDPR (Section 18, GDPR);
– right to data portability: receive the personal data concerning you in a structured, commonly used and machine-readable format and obtain the transmission of such data to another controller without hindrance (Section 20, GDPR);
– fight to object: object at any time to processing of personal data concerning you, unless the Controller have compelling legitimate grounds for the processing, including the exercise or the defence of legal claims (Section 21, GDPR);
– right to file a complaint with the Supervisory Authority: file a complaint to Autorità Garante per la protezione dei dati personali, Palazzo di Montecitorio n. 121, 00186 Roma (RM).