Ifi Advisory s.r.l. statement pursuant to Article 13 of EU Regulation no. 679/2016 (“GDPR”)
IFI Advisory s.r.l. ensures the confidentiality of Personal Data and protects it from any potential breach.
As required by European Union Regulation no. 679/2016 (“GDPR”), and especially Article 13, we provide users (“Data Subject”) with the information below concerning the processing of their Personal Data.
1) Data processing (Article 13, paragraph 1, letter a, and Article 15, letter b of GDPR) and appointment of the DPO (Article 37 of GDPR)
IFI Advisory s.r.l., in the person of its legal representative – with registered office in Via della Fonte Meravigliosa, 88, Roma – acts as Data Controller and can be contacted at [email protected]. Specifically, IFI Advisory s.r.l collects and/or receives information on the Data Subject for the purpose of data processing. The Data Controller will only process Personal Data including, for example, first name and last name, tax code, VAT number, home address, workplace address, email or certified email address, telephone and fax number, employing company, company role and/or position, etc.
IFI Advisory s.r.l. does not require the Data Subject to provide sensitive data, namely – pursuant to the GDPR (Article 9) – any personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, data relating to the health or sexual life or sexual orientation of the Data Subject. If the service IFI Advisory s.r.l. is asked to perform should require the processing of any such data, the Data Subject will receive prior notice and be required to give consent.
The Data Controller has appointed Mr Angelo Russo as Data Protection Officer (DPO). Please use the following contact details to communicate with Mr Russo:
VIA DELLA FONTE MERAVIGLIOSA, 88 RM 00143 ROMA
CERTIFIED EMAIL [email protected]
EMAIL [email protected]
1) The purposes of Personal Data processing (Article 13, paragraph 1 of GDPR)
The data is needed by the Data Controller to act on the data registration request and arrange a contract or the selected service and/or the purchased product, manage and execute the contact requests submitted by the Data Subject, provide assistance, comply with legal and regulatory obligations which the Data Controller is required to fulfil as a result of the business activity carried out. Under no circumstances will IFI Advisory s.r.l. disclose Personal Data to third parties or use it for undeclared purposes.
The Data Controller will process the User’s data if any of the following conditions is met:
- The User has given consent for one or more specific purposes. Note: in some jurisdictions, the Data Controller may be authorised to process Personal Data without the User’s consent or without any of the other legal requirements below being in place, unless the User “opts out” of the processing. However, this is not applicable if the Personal Data processing is regulated by EU Personal Data protection legislation;
- The processing is a requirement to execute a contract with the User and/or put pre-contractual provisions in place;
- The processing is a requirement to fulfill a legal obligation to which the Data Controller is subject;
- The processing is a requirement for the Data Controller to perform a task carried out in the public interest or in the exercise of public authority;
- The processing is a requirement to pursue the legitimate interest of the Data Controller or third parties.
In any case, Users may ask the Data Controller to detail the legal grounds for each data to be processed and specify whether the processing is required by law, provided for by a contract or a requirement to conclude a contract.
Personal Data will be processed:
1) Without the consent of the Data Subject (Article 6, letters b, c, f of GDPR), for the following purposes:
To fulfill the pre-contractual and contractual obligations resulting from a professional assignment, comply with national or EU laws and regulations, or comply with an order issued by a judicial or supervisory body which the Joint Controllers are subject to, and exercise the rights of the Joint Controllers, and especially the right to defend yourself in court. The User’s Personal Data may be used by the Data Controller in court or in the pre-trial stage for defence against any misuse of this Application or related Services by the User.
The User understands that the Data Controller may be obliged to disclose the data by order of public authorities.
- With the consent of the Data Subject (Article 7, GDPR), for the following purposes:
Organisation of events, meetings, conferences and seminars, also for professional training purposes, marketing activities of various kinds, including the promotion of professional services, the dissemination of promotional information and material, the transmission of newsletters and publications, the management of surveys and questionnaires, also for customer satisfaction purposes.
Data unavailability and/or any explicit refusal to give consent to the processing will make it impossible for the Joint Controllers to carry out the assigned task. If the User refuses to give the data, it may be impossible for this Application to provide the Service. In cases where this Application refers to some data as optional, Users are free to refrain from providing such data, without this having any consequence on Service availability or operations.
2) Personal Data recipients
For the purposes listed in the previous section, the Personal Data may be made accessible to:
- Employees and co-workers of the Joint Controllers, in their capacity as authorised data processing personnel;
- Third parties performing outsourcing activities on behalf of the Joint Controllers, in their capacity as data controllers,
- Judicial or supervisory authorities, administrations, national and foreign public bodies and entities.
3) Data retention and transfer
The Data is processed at the offices of the Data Controller and in any other place where the parties involved in the processing are located.
In the event of Data transfer (see point 2 above), the User can refer to the relevant sections of this document or inquire with the Data Controller through the contact details in Part I.
The Personal Data is managed and retained through servers located in the European Union, owned and/or available to the Joint Controllers and/or any duly appointed third-party companies acting as data controllers.
4) Personal Data retention period
The data is processed and retained for the time required by the purposes for which it has been collected. After the date of termination of service/relationship, for any reason whatsoever, the data will be retained under the time limits set by law.
In light of the above:
- The Personal Data collected for purposes related to the execution of a contract between the Data Controller and the User will be retained until contract execution is completed;
- The Personal Data collected for purposes related to the legitimate interest of the Data Controller will be retained until such interest is satisfied. The User can seek further information regarding the legitimate interest pursued by the Data Controller in the relevant sections of this document or by contacting the Data Controller.
Besides, the Data Controller may be required to retain the Personal Data for a longer period, in compliance with a legal obligation or an official order.
The Personal Data will be deleted at the end of the retention period. Therefore, at the end of this period, the right to data access, erasure, rectification, and portability can no longer be exercised.
5) Rights of the Data Subject
In compliance with the provisions of Chapter III, Section I of the GDPR, You may exercise the rights listed below:
- Right of access– To get confirmation of whether or not Personal Data concerning You is being processed and, in this case, to receive information relating, in particular, to: purpose of processing, types of Personal Data processed and retention period, recipients Your data may be made accessible to (Article 15, GDPR);
- Right to rectification– To check the correctness of Your data and request data updating or correction without undue delay, and to have Your partial Personal Data completed (Article 16, GDPR),
- Right to erasure – To have, without undue delay, Your Personal Data deleted, as required by the GDPR (Article 17, GDPR),
- Right to restriction – To have data processing by Joint Controllers restricted, as required by the GDPR (Article 18, GDPR)
- Right to portability– To receive Your Personal Data in a commonly used, well-structured, machine readable format, and to have it transmitted to another controller with no restrictions, as required by the GDPR (Article 20, GDPR)
- Right to object – To oppose the processing of Personal Data concerning You when the legal grounds for processing are different from those of consent, unless there are legitimate reasons for the Joint Controller to continue the processing (Article 21, GDPR).
- Right to file a complaint to the supervisory authority – To file a complaint to the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali, Piazza di Montecitorio 121, 00186, Rome).
- Right to withdraw consent at any time. Data Subjects can withdraw consent to the processing of their Personal Data.
You may exercise the above rights by simply sending a request to the certified email address of the Data Protection Officer (see Part I).
6) Information security
The Controller will take all appropriate security measures to prevent unauthorised access, disclosure, rectification or destruction of Personal Data.
As required by Recital 49 of the GDPR, the Controller will process – also via its suppliers (third parties and/or recipients) – the Data Subject’s Personal Data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted Personal Data.
The Data Controller will promptly inform the Data Subject of any specific risks of data breach without prejudice to the obligations under Article 33 of the GDPR concerning notification of Personal Data breach.
The legal grounds for such processing is compliance with legal obligations and the legitimate interest of the Data Controller to carry out processing for the protection of corporate assets and the security of its offices.