According to art. 13 of European Regulation no. 679/2016

Dear Client/Supplier,

Insight Studio Legale, with registered office in (20122) Milano, Via Pietro Cossa 2, e-mail address privacy@insightlegal.it, as Data Controller of your personal data (hereinafter “Data Controller”), according to article 13 of the European Regulation no. 679/2016 (hereinafter “GDPR”), has to provide you with the information regarding the processing of your personal data related to the management of the contract in place between you and Insight.

Purpose and legal basis
The personal data of customers/suppliers (such as, e.g., contact details, accounting and billing data, etc.) that have business relations with the Data Controller on the basis of agreements and/or contracts, are processed for the following purposes:

1. correct and complete performance of the professional assignment and/or contractual relationship between the Parties;
2. fulfilment of administrative, tax and accounting obligations;
3. fulfilment of specific obligations established by Italian law and regulation or EU legislation;
4. protection of rights in judicial proceedings.

For the purposes mentioned above, the legal bases for processing are:

• performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract, according to art. 6, par. 1, let. b), GDPR. This basis applies in particular for the purposes no. 1. and 2.;
• compliance with a legal obligation to which the Data Controller is subject, according to art. 6, par. 1, let. c), GDPR. This basis applies in particular for the purposes no. 2. and 3.;
• legitimate interests pursued by the Data Controller or by a third party, according to art. 6, par. 1, let. f), GDPR. This basis applies in particular for the purpose no. 4.

The provision of data is a necessary requirement for the establishment and management of the professional assignment and/or contractual relationship; failure to provide such data, when expressly requested, makes it impossible to continue the relationship.

Modalities of processing
The personal data of the Data Subject are processed in compliance with privacy principles, including lawfulness, correctness and transparency according to art. 5, GDPR. The data collected are recorded and stored by the Data Controller in computer and paper files, as well as kept and controlled in order to minimise the risks of destruction or loss, including accidental loss, unauthorised access and processing that is not permitted or does not comply with the purposes of collection.
The personal data of the Data Subject are not subject to disclosure or to any fully automated decision-making process, including profiling, nor are they transferred to third countries or international organisations.
In particular, any possible transfer outside the EU, in compliance with the limits on the dissemination of personal data set out in the previous paragraph, will take place only in the presence of an adequacy decision previously adopted by the European Commission and/or under ‘standard contractual clauses’ approved by the Commission itself.

Retention period
The personal data of the Data Subject will be processed and stored by the Data Controller for the entire duration of the professional assignment and/or contractual relationship between the Data Subject and the Data Controller and/or in compliance with the timeframes provided for by individual legal obligations.

Data Communication
The personal data of the data subject will be disclosed to and processed, in compliance with the current legislation on the subject, only by duly authorised employees.
The data provided may be communicated for the purposes indicated above to subjects identified respectively as Autonomous Data Controllers or as Data Processors such as public and/or private subjects for whom the communication of the data is obligatory or necessary in fulfilment of legal obligations or is in any case functional for the management of the relationship.
This is without prejudice, in any event, to communication, in accordance with the law, to the Public Security Authority, the Judicial Authority or other public entities for purposes of defence, State security and the investigation of offences, as well as communication to the Judicial Authority in compliance with legal obligations, where criminal offences are detected.

Data Subjects rights
The Data Subject may exercise the following rights, according to articles 15-22 of the GDPR, towards the Data Controller: access, deletion, rectification, portability or restriction of the processing of personal data concerning him or her, or objection to the processing (unless there is a legitimate reason of the Data Controller which overrides the interests of the Data Subject, or for the establishment, exercise or defence of a right in court). He/she may also file a complaint with the Data Protection Authority (www.garanteprivacy.it) if he/she deems it necessary (according to art. 77 GDPR).

These rights may be exercised by contacting the Data Controller at privacy@insightlegal.it.