DETAILED NOTICE PURSUANT TO ARTICLES 12, 13 AND, IF REQUIRED, 14 OF GDPR – EUROPEAN REGULATION 2016/679 CONCERNING THE PROTECTION OF NATURAL PERSONS, WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER, GDPR)
Raimondi & Partners
Below, R&P CONSULTING S.r.l. releases the following notice pursuant to articles 12, 13 and, if required, 14 of the GDPR concerning the processing of personal data provided by the Customer/Data subject by filling in and undersigning the Contract in order to purchase products/services offered for sale by R&P CONSULTING S.r.l. and by spontaneously uploading personal data to this website (in particular, by filling in an online form) or simply by browsing the website.
1. PERSONAL DATA AND CONTACT DETAILS CONTROLLER
The data controller of personal data is R&P CONSULTING S.r.l., established in Milan (MI) 20124, Via S. Gregorio n. 53, tax code and VAT number 8635890968, tel. 059 359536, fax 059 340810, e-mail info@rp-cons.com, website www.rp-cons.com (hereinafter, the Site).
2. PRINCIPLES THAT APPLY TO PROCESSING
Pursuant to the provisions of the GDPR, R&P CONSULTING S.r.l. endeavours constantly to ensure that personal data are:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date;
(e) kept for no longer than is necessary for the purposes for which the personal data are processed;
(f) processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures;
(g) processed, if based on consent given by a freely taken decision by the Customer/Data subject, on the basis of a request for consent presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
R&P CONSULTING S.r.l. shall adopt appropriate technical and organisational measures to ensure the protection of the personal data by design and to guarantee that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
R&P CONSULTING S.r.l. shall collect and take utmost account of the instructions, observations and opinions sent by the Customer/Data subject to the aforementioned addresses, in order to implement a dynamic privacy management system which ensures the effective protection of persons with regard to the processing of their data.
This Notice may be amended, in accordance with the evolution of the reference regulations and of the technical and organisational measures that are adopted by R&P CONSULTING S.r.l. at any given time; the Customer/Data subject should, therefore, visit this section of the Site periodically (or another section of similar content published on social or web applications by R&P CONSULTING S.r.l.), in order to read the updates made to the Notice over time.
3. MODALITIES OF PROCESSING OF PERSONAL DATA
Personal data shall be processed manually and with electronic tools, using procedures and logics strictly related to the purposes listed below and in such a way as to guarantee the security and confidentiality of the data.
4. PURPOSES OF PROCESSING OF PERSONAL DATA
4A. PURPOSES REQUIRING DATA PROCESSING
The personal data provided by the Customer/Data subject shall be processed mainly for the performance of the Contract and the management of credit and, more generally, for the management of the relationship arising from the Contract.
The provision of data in the Contract or subsequently, during the contractual relationship, for the purposes of the processing in question is mandatory; therefore, failure to provide such data or their partial or incorrect provision shall render the establishment and/or the performance of the Contract impossible. The Customer/Data subject will not be able to use the products/services offered by R&P CONSULTING S.r.l., potentially exposing the Customer/Data subject to liability for breach of contractual obligation.
Personal data provided by the Customer/Data subject may also be subject to processing if this is necessary for the fulfilment of a legal obligation of R&P CONSULTING S.r.l., in order to safeguard the vital interests of the Customer/Data subject or of another natural person, for the performance of a task of public interest or linked to the exercise of public powers with which R&P CONSULTING S.r.l. is tasked, or to satisfy a legitimate interest of R&P CONSULTING S.r.l. or of third parties, on the condition that the rights and fundamental freedoms of the Customer/Data subject do not prevail; also in those cases, the provision of data is mandatory and, therefore, failure to provide such data or their partial or incorrect disclosure may expose the Customer/Data subject to liabilities and sanctions as foreseen by the Law.
4B. ADDITIONAL PURPOSES OF DATA PROCESSING FOLLOWING THE SPECIFIC AND EXPLICIT CONSENT OF THE CUSTOMER/DATA SUBJECT
Other than the aforementioned purposes of processing, provided personal data may be processed, with the consent of the Customer/Data subject (besides what will be specified below regarding the so-called ‘soft spam’) to be granted by selecting the box “I consent” on the Contract or the Site (or using other social or web applications by R&P CONSULTING S.r.l.), also for market research and for commercial and promotional communications over the telephone (also using the mobile number provided) and by automated contact systems (e-mail, SMS, MMS, fax, etc.) regarding products/services offered by R&P CONSULTING S.r.l., including invitations to events, meetings, etc.
Consent for the purposes of processing under this point (4b) is optional; therefore, following refusal to grant such consent, data will be processed exclusively for the purposes under the previous point (4a), except for the cases mentioned below with reference to the legitimate interests of the data controller or of third parties.
5. CATEGORIES OF PROCESSED PERSONAL DATA
R&P CONSULTING S.r.l. shall process mainly identification/contact data (name, surname, addresses, ID documents type and number, telephone numbers, mobile phone numbers, e-mail addresses, tax/invoicing data, among others) and financial data (related to banking, especially details of current accounts, credit card numbers, and other data related to commercial transactions) and, potentially, Site browsing data, as set forth hereinbelow.
The processing carried out by R&P CONSULTING S.r.l., both for the execution of the Contract and based on the express consent of the Customer/Data subject, shall not concern, in general, particular categories of personal data that are recognised as sensitive (that reveal racial or ethnic origin, political opinions, religious convictions, state of health or sexual orientation, etc.), or genetic and biometric data or so-called judicial data (related to criminal convictions and offences).
However, it cannot be ruled out that R&P CONSULTING S.r.l., in order to fulfil the obligations arising from the Contract and/or arising from the Law, may be obliged to store and/or process sensitive, genetic, biometric or judicial data of the Customer/Data subject or of third parties, which the Customer/Data subject holds in his/her capacity as data controller; in the case in question, (i) the processing by R&P CONSULTING S.r.l. shall be mandatory, under the conditions and within the limits of the appointment of R&P CONSULTING S.r.l. as data controller by the signed Contract or by a separate document; (ii) the Customer/Data subject acts as owner of personal data, assuming all consequent obligations and liability under the Law (with particular reference to, inter alia, the existence of a proper legal basis in order to make data processing legitimate), explicitly and fully relieving R&P CONSULTING S.r.l. from any dispute, claim or compensation request that may be put forward by third parties, when data are processed due to the fact that the Customer/Data subject uses products/services offered by R&P CONSULTING S.r.l. With reference to the Site (or other social or web applications by R&P CONSULTING S.r.l.), R&P CONSULTING S.r.l. shall also process so-called browsing data, normally in the aggregate/statistical form only. Computerised systems and software procedures dedicated to the operation of websites acquire, throughout their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated to identified subjects but which, by its very nature, may allow the identification of the data subject. 
This identification may also occur by cross-referencing data among various functionalities or cookies, or by using different identification techniques (so-called fingerprinting) based on the processing of information or partial information that is not, or not yet, considered personal data; however, in association with other pieces of information, even belonging to third parties, such information may become personal data, allowing the unequivocal identification of a device (so-called singling out) and, through it, the identification of the user profile(s) associated with that specific device. This category of information includes geolocalisation data, IP addresses, the type of browser, the operating system, the domain name and the website addresses from which the site was accessed or exited, information on pages visited by the users inside the site, the time of access, the duration of presence on an individual page, the analysis of internal browsing and other parameters related to the user’s operating system and IT environment. This is, therefore, information that, by its nature, allows, through elaboration and association with data held by third parties, the identification of users.
Further, the Site may use both session cookies (that are not stored on the data subject’s computer and disappear once the browser has been closed) and persistent cookies, for the transmission of personal information, or, in any case, systems to track the data subjects. In this respect, reference should be made to the cookie policy, published on the Site.
6. PERSONAL DATA SOURCE
Personal data processed by R&P CONSULTING S.r.l. are collected directly by R&P CONSULTING S.r.l. from the Customer/Data subject at the time of and during his/her browsing of the Site (or by using other social or web applications by R&P CONSULTING S.r.l.), on the occasion of or following the signature of the Contract, during its performance or from public sources.
7. LEGITIMATE INTERESTS
The legitimate interests of the data controller or of third parties may constitute a valid legal basis for the processing, provided that interests, rights or fundamental freedoms of the data subject do not prevail. In general, such legitimate interests may arise from a pertinent and appropriate relationship between the data controller and the data subject, for example if the data subject is a customer of the data controller. The following, in particular, shall constitute a legitimate interest of R&P CONSULTING S.r.l. for the processing of the personal data of the Customer/Data subject: for the purposes of prevention of fraud, for purposes of direct marketing towards existing customers (by e-mail, for products/services similar to those previously purchased), to ensure the free circulation of such data to and from the Professional Firm RAIMONDI & PARTNERS, established in Modena (MO), Via Martiniana n. 325/B, tax code and VAT number 02689530364, or related to the traffic, in order to guarantee the security of networks and of the information, i.e. the ability of a network or a system to resist unforeseen events or illegal acts that may compromise the availability, authenticity, integrity and confidentiality of data.
8. CIRCULATION OF PERSONAL DATA
8A. PERSONAL DATA DISCLOSURE – CATEGORIES OF RECIPIENTS
Aside from the employees and various partners of R&P CONSULTING S.r.l. (who have been authorised by R&P CONSULTING S.r.l. to process data based on adequate written operational instructions, in order to guarantee the confidentiality and security of data), certain processing operations may also be carried out by third parties, to whom/which R&P CONSULTING S.r.l. entrusts certain activities or part thereof, useful for the purposes under point (4a), i.e. in fulfilment of both contractual and legal obligations, among which the following are worthy of mention, by way of a non-limiting example: the aforementioned Professional Firm RAIMONDI & PARTNERS; commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt recovery companies; auditing and financial statement certification companies; rating companies; persons carrying out professional support and consultancy activities for R&P CONSULTING S.r.l.; companies providing customer care services; factoring companies, companies securitising receivables or credit transfer companies; persons providing commercial information; IT service companies. Persons belonging to the aforementioned categories shall process personal data in question as independent data controllers, or as data processors, with reference to specific processing operations that are included in the contractual performance that said persons carry out in favour/on behalf of R&P CONSULTING S.r.l.; R&P CONSULTING S.r.l. shall provide data processors with adequate written operational instructions, with particular reference to the adoption of the minimum security measures, as to guarantee the security and confidentiality of the data.
Certain processing operations may be carried out by third parties, to whom/which R&P CONSULTING S.r.l. entrusts certain activities or part thereof, useful also for the purposes under point (4b), among which the following are worthy of mention, by way of a non-limiting example: the aforementioned Professional Firm RAIMONDI & PARTNERS; commercial and/or technical partners; companies institutionally providing marketing services; advertising agencies; persons carrying out support and consultancy activities with regard to competitions and sweepstakes. Persons belonging to the aforementioned categories shall process personal data as independent data controllers, or as data processors, with reference to specific processing operations that are included in the contractual performance that said persons carry out in favour/on behalf of R&P CONSULTING S.r.l.; R&P CONSULTING S.r.l. shall provide data processors with adequate written operational instructions, with particular reference to the adoption of the minimum security measures, as to guarantee the security and confidentiality of the data.
The periodically updated list of data processors with whom/which R&P CONSULTING S.r.l. maintains relationships is available on written request addressed to the registered office of R&P CONSULTING S.r.l.
Personal data may also be communicated, on request, to the competent authorities, in fulfilment of obligations arising from binding provisions of the Law.
8B. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The personal data of the Customer/Data subject may also be transferred abroad, both in European Union Countries and Countries outside the European Union and, in the latter case, either based on a decision of adequacy or in the context and with the adequate guarantees provided for by the GDPR (i.e., in particular, in the presence of model contractual clauses for the protection of data approved by the European Commission) or, other than the aforementioned circumstances, under one or more of the derogations provided for by the GDPR (in particular, following the explicit consent of the Customer/Data subject, or for the performance of the Contract concluded by the Customer/Data subject, or for the implementation of a Contract stipulated between R&P CONSULTING S.r.l. and another natural or legal person in favour of the Customer/Data subject, notably for the performance of activities required by R&P CONSULTING S.r.l. for the performance of the Contract concluded with the Customer/Data subject). In the event of transfer of data to Countries outside the European Union, the Customer/Data subject may, on written request addressed to the registered office of R&P CONSULTING S.r.l., get to know the adequate guarantees (and, hypothetically, to receive a copy of the document describing the contractual terms stipulated with data importer in order to provide adequate guarantees for the protection of privacy, rights and fundamental freedoms, in connection with personal data processing), or the derogations that justify the cross-border transfer.
It goes without saying that, in the event of transfer of the data to Countries outside the European Union, for all requests concerning data and for the exercise of the rights granted to the Customer/Data subject by the GDPR, the latter may always address R&P CONSULTING S.r.l.
9. CRITERIA FOR THE DETERMINATION OF THE RETENTION PERIOD OF PERSONAL DATA
For the purposes under point (4a) above, the retention period of personal data provided by the Customer/Data subject and their eventual subsequent processing shall coincide with the statutory limitation period of rights/obligations (legal, tax, etc.) arising from the Contract: i.e. usually 10 years, unless in the case of acts that interrupt the limitation period which could, in fact, prolong it.
For the purposes under point (4b) above, the potential data processing period shall end with the withdrawal of the consent previously issued by the Customer/Data subject or, in the absence of consent, three years after the end of all relationships between R&P CONSULTING S.r.l. and the Customer/Data subject.
10. RIGHTS OF THE CUSTOMER/DATA SUBJECT
R&P CONSULTING S.r.l. recognises – and facilitates the exercise by the Customer/Data subject of – all the rights granted by the GDPR, especially the right to request access to personal data concerning him/her and to obtain a copy thereof (article 15 of the GDPR), the right to rectification (article 16 of the GDPR), and to the erasure of the data (article 17 of the GDPR), the rights of restriction of the processing that concerns him/her (article 18 of the GDPR), the right to the portability of data (article 20 of the GDPR, if the requirements are met) and the right to object to the processing that concerns him/her (articles 21 and 22 of the GDPR, for the cases mentioned above and, in particular, in case of processing for marketing purposes or that is carried out via an automated decision-making process, including profiling, which produces legal effects that concern him/her, if the requirements are met).
R&P CONSULTING S.r.l. also recognises, in cases where the processing is based on consent, the right of the Customer/Data subject to withdraw said consent at any time, without prejudice to the lawfulness of the processing based on the provided consent prior to the withdrawal. In order to do this, the Customer/Data subject may at any time unregister from the Site (or other social or web applications of R&P CONSULTING S.r.l.) either by using the link at the bottom of all commercial communications received, or by contacting R&P CONSULTING S.r.l. at the aforementioned addresses.
R&P CONSULTING S.r.l. shall also inform the Customer/Data subject of the right to lodge a complaint with the Personal Data Protection Authority in its capacity as supervisory authority in Italy and to bring court proceedings both against a decision of the Data Protection Authority and against R&P CONSULTING S.r.l. and/or a data processor.
11. SECURITY OF SYSTEMS AND OF PERSONAL DATA
Bearing in mind the state of the art and the implementation cost, as well as the nature, the object, the scope and the purposes of processing, as well as the risk, in terms of probability and severity, to the rights and freedoms of natural persons, R&P CONSULTING S.r.l. shall adopt the technical and organisational measures that can guarantee a security level appropriate to the risk presented, especially by ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of the processing systems and services (also through the encryption of personal data, where necessary) and the ability to promptly restore the availability of data in case of physical or technical incident, and by adopting internal procedures aiming at regularly testing, verifying and assessing the efficacy of the technical and organisational measures adopted.
In assessing the adequate level of security, R&P CONSULTING S.r.l. shall take into account the risks presented by the processing and which arise, in particular, from the unauthorised destruction, loss, modification, disclosure of or from the accidental or illegal access to the personal data transmitted, stored or in any way processed.
R&P CONSULTING S.r.l. shall endeavour to ensure that anyone acting under its authority and having access to personal data does not process them unless he/she has been authorised and trained by R&P CONSULTING S.r.l.
Having said this, the Customer/Data subject understands and accepts that no security system guarantees certain and absolute security; therefore, R&P CONSULTING S.r.l. shall not be liable for acts or deeds by third parties who may access the systems while not duly authorised, despite the adequate protections that have been adopted.
12. AUTOMATED DECISION-MAKING PROCESSES, INCLUDING PROFILING
R&P CONSULTING S.r.l. shall not carry out any automated processing that produces legal effects which concern the Customer/Data subject or which impinge significantly on his/her person, except where this is necessary for the conclusion or the performance of the Contract, is authorised by the law or is based on the explicit consent of the Customer/Data subject, always recognising the latter’s right to obtain human intervention, to express his/her opinion and to appeal against the decision.
8. CIRCULATION OF PERSONAL DATA
8A. PERSONAL DATA DISCLOSURE – CATEGORIES OF RECIPIENTS
Aside from the employees and various partners of R&P CONSULTING S.r.l. (who have been authorised by R&P CONSULTING S.r.l. to process data based on adequate written operational instructions, in order to guarantee the confidentiality and security of data), certain processing operations may also be carried out by third parties, to whom/which R&P CONSULTING S.r.l. entrusts certain activities or part thereof, useful for the purposes under point (4a), i.e. in fulfilment of both contractual and legal obligations, among which the following are worthy of mention, by way of a non-limiting example: the aforementioned Professional Firm RAIMONDI & PARTNERS; commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt recovery companies; auditing and financial statement certification companies; rating companies; persons carrying out professional support and consultancy activities for R&P CONSULTING S.r.l.; companies providing customer care services; factoring companies, companies securitising receivables or credit transfer companies; persons providing commercial information; IT service companies. Persons belonging to the aforementioned categories shall process the personal data in question as independent data controllers, or as data processors, with reference to specific processing operations that are included in the contractual performance that said persons carry out in favour/on behalf of R&P CONSULTING S.r.l.; R&P CONSULTING S.r.l. shall provide data processors with adequate written operational instructions, with particular reference to the adoption of the minimum security measures, so as to guarantee the security and confidentiality of the data.
Certain processing operations may be carried out by third parties, to whom/which R&P CONSULTING S.r.l. entrusts certain activities or part thereof, useful also for the purposes under point (4b), among which the following are worthy of mention, by way of a non-limiting example: the aforementioned Professional Firm RAIMONDI & PARTNERS; commercial and/or technical partners; companies institutionally providing marketing services; advertising agencies; persons carrying out support and consultancy activities with regard to competitions and sweepstakes. Persons belonging to the aforementioned categories shall process personal data as independent data controllers, or as data processors, with reference to specific processing operations that are included in the contractual performance that said persons carry out in favour/on behalf of R&P CONSULTING S.r.l.; R&P CONSULTING S.r.l. shall provide data processors with adequate written operational instructions, with particular reference to the adoption of the minimum security measures, so as to guarantee the security and confidentiality of the data.
The periodically updated list of data processors with whom/which R&P CONSULTING S.r.l. maintains relationships is available on written request addressed to the registered office of R&P CONSULTING S.r.l.
Personal data may also be communicated, on request, to the competent authorities, in fulfilment of obligations arising from binding provisions of the Law.
8B. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The personal data of the Customer/Data subject may also be transferred abroad, both to European Union Countries and to Countries outside the European Union and, in the latter case, either based on a decision of adequacy or in the context and with the adequate guarantees provided for by the GDPR (i.e., in particular, in the presence of model contractual clauses for the protection of data approved by the European Commission) or, other than the aforementioned circumstances, under one or more of the derogations provided for by the GDPR (in particular, following the explicit consent of the Customer/Data subject, or for the performance of the Contract concluded by the Customer/Data subject, or for the implementation of a Contract stipulated between R&P CONSULTING S.r.l. and another natural or legal person in favour of the Customer/Data subject, notably for the performance of activities required by R&P CONSULTING S.r.l. for the performance of the Contract concluded with the Customer/Data subject). In the event of transfer of data to Countries outside the European Union, the Customer/Data subject may, on written request addressed to the registered office of R&P CONSULTING S.r.l., be informed of the adequate guarantees (and, possibly, receive a copy of the document describing the contractual terms stipulated with the data importer in order to provide adequate guarantees for the protection of privacy, rights and fundamental freedoms, in connection with personal data processing), or of the derogations that justify the cross-border transfer.
It goes without saying that, in the event of transfer of the data to Countries outside the European Union, for all requests concerning data and for the exercise of the rights granted to the Customer/Data subject by the GDPR, the latter may always contact R&P CONSULTING S.r.l.
9. CRITERIA FOR THE DETERMINATION OF THE RETENTION PERIOD OF PERSONAL DATA
For the purposes under point (4a) above, the retention period of personal data provided by the Customer/Data subject and of any subsequent processing thereof shall coincide with the statutory limitation period of rights/obligations (legal, tax, etc.) arising from the Contract: i.e. usually 10 years, except in the case of acts that interrupt the limitation period, which could, in fact, prolong it.
For the purposes under point (4b) above, the potential data processing period shall end with the withdrawal of the consent previously issued by the Customer/Data subject or, in the absence of consent, three years after the end of all relationships between R&P CONSULTING S.r.l. and the Customer/Data subject.
10. RIGHTS OF THE CUSTOMER/DATA SUBJECT
R&P CONSULTING S.r.l. recognises – and facilitates the exercise by the Customer/Data subject of – all the rights granted by the GDPR, especially the right to request access to personal data concerning him/her and to obtain a copy thereof (article 15 of the GDPR), the right to rectification (article 16 of the GDPR) and to the erasure of the data (article 17 of the GDPR), the right to restriction of the processing that concerns him/her (article 18 of the GDPR), the right to the portability of data (article 20 of the GDPR, if the requirements are met) and the right to object to the processing that concerns him/her (articles 21 and 22 of the GDPR, for the cases mentioned above and, in particular, in case of processing for marketing purposes or that is carried out via an automated decision-making process, including profiling, which produces legal effects that concern him/her, if the requirements are met).
R&P CONSULTING S.r.l. also recognises, in cases where the processing is based on consent, the right of the Customer/Data subject to withdraw said consent at any time, without prejudice to the lawfulness of the processing based on the provided consent prior to the withdrawal. In order to do this, the Customer/Data subject may at any time unregister from the Site (or other social or web applications of R&P CONSULTING S.r.l.) either by using the link at the bottom of all commercial communications received, or by contacting R&P CONSULTING S.r.l. at the aforementioned addresses.
R&P CONSULTING S.r.l. shall also inform the Customer/Data subject of the right to lodge a complaint with the Personal Data Protection Authority in its capacity as supervisory authority in Italy and to bring court proceedings both against a decision of the Data Protection Authority and against R&P CONSULTING S.r.l. and/or a data processor.
11. SECURITY OF SYSTEMS AND OF PERSONAL DATA
Bearing in mind the state of the art and the implementation cost, as well as the nature, the object, the scope and the purposes of processing, as well as the risk, in terms of probability and severity, to the rights and freedoms of natural persons, R&P CONSULTING S.r.l. shall adopt the technical and organisational measures that can guarantee a security level appropriate to the risk presented, especially by ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of the processing systems and services (also through the encryption of personal data, where necessary) and the ability to promptly restore the availability of data in case of physical or technical incident, and by adopting internal procedures aiming at regularly testing, verifying and assessing the efficacy of the technical and organisational measures adopted.
In assessing the adequate level of security, R&P CONSULTING S.r.l. shall take into account the risks presented by the processing and which arise, in particular, from the unauthorised destruction, loss, modification, disclosure of or from the accidental or illegal access to the personal data transmitted, stored or in any way processed.
R&P CONSULTING S.r.l. shall endeavour to ensure that anyone acting under its authority and having access to personal data does not process them unless he/she has been authorised and trained by R&P CONSULTING S.r.l.
Having said this, the Customer/Data subject understands and accepts that no security system guarantees certain and absolute security; therefore, R&P CONSULTING S.r.l. shall not be liable for acts or deeds by third parties who may access the systems while not duly authorised, despite the adequate protections that have been adopted.
12. AUTOMATED DECISION-MAKING PROCESSES, INCLUDING PROFILING
R&P CONSULTING S.r.l. shall not carry out any automated processing that produces legal effects which concern the Customer/Data subject or which impinge significantly on his/her person, except where this is necessary for the conclusion or the performance of the Contract, is authorised by the law or is based on the explicit consent of the Customer/Data subject, always recognising the latter’s right to obtain human intervention, to express his/her opinion and to appeal against the decision.