pursuant to Article 13 of EU Regulation No. 2016/679 (GDPR)

This document provides a set of information to all individuals who, by engaging in commercial relationships with STUDIO CATANIA S.r.l., provide their personal data. In this regard, we wish to inform users that the “EU Regulation No. 2016/679 concerning the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data” (commonly referred to as GDPR) establishes the protection of natural persons regarding the processing of personal data as a right safeguarded by European law.

The data controller is STUDIO CATANIA S.r.l. (hereinafter also referred to as “Studio Catania” or the “data controller”), with its registered office at Via del Progresso, 18, ZIP Code 20125 Milan (MI), Tax Code and VAT Number 06755800965, Certified Email (PEC): info [at] pec.studiocataniasrl.com, represented by its current Legal Representative. pro tempore.

Pursuant to Article 13 of the GDPR, users are informed that such processing will be carried out in accordance with the principles of fairness, lawfulness, and transparency, safeguarding the confidentiality and rights of the user. The processing of personal data that the data controller intends to carry out has the following purposes:

Purposes of Data Processing

1) Management of commercial activities (contact with potential clients and handling all commercial aspects of relationships with actual clients).

The processing of personal data of potential and actual clients is primarily aimed at populating Studio Catania’s client database by creating profiles for both potential and actual clients. It is also intended to manage communications with users interested in obtaining information through the contact channels provided by the data controller (postal correspondence, email, and phone numbers). Additionally, it is aimed at preparing quotations, drafting contracts, completing orders through the issuance of legal participation titles (tickets), and managing the commercial archive where all documents related to the ongoing commercial relationship with clients are stored. Finally, the processing of personal data of potential and actual clients may also be carried out for marketing and advertising activities to promote the services of the data controller.

2) Management of purchases (contact with potential suppliers and handling all commercial aspects of relationships with actual suppliers).

The processing of personal data of potential and actual suppliers is primarily aimed at populating Studio Catania’s supplier database by creating profiles for both potential and actual suppliers. It is also intended to manage communications with users interested in providing or receiving information through the contact channels made available on the website (postal correspondence, email, and phone numbers). Additionally, the processing is aimed at receiving quotations, issuing purchase orders and order confirmations, drafting supply contracts, and their subsequent execution and fulfillment. Finally, it serves to manage the supplier archive, where all documents related to the ongoing commercial relationship with suppliers are stored.

3) Management of administrative activities related to purchases and sales.

The processing involves the management of invoices and commercial documents related to sales and purchases, relationships with banking and insurance institutions, cash flow accounting, and, in general, assets, insurance, financial statements, vehicles, fuel cards, treasury operations, scheduling of supplier payments, and customer collections.

The transmission of accounting and tax documents to industry specialists, such as accountants, is organized in compliance with the methods prescribed by law.

Legal Basis

In compliance with Article 6.1 of the GDPR, the legal basis for the lawful processing of personal data collected by the Data Controller is represented by:

• the execution of the contractual relationship with clients or suppliers [Article 6.1(b)];
• compliance with legal obligations imposed on the data controller in accounting, tax, and insurance matters [Article 6.1(c)];
• its legitimate interest in promoting its services and activities to actual clients [Article 6.1(f) of the GDPR and Article 130.4 of Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018];
• the free, explicit, and unequivocal consent expressed by the user through a positive action, such as using one of the tools provided by the Data Controller to communicate with the company (e.g., contact forms, corporate email, and phone numbers). This same legal basis authorizes the sending of advertising/promotional communications via email to potential contacts interested in learning about events organized by the Data Controller [Article 6.1(a)].

Methods of Processing

The Data Controller processes the personal data provided using paper-based and electronic tools, employing methods closely related to the stated purposes and, in any case, ensuring the security and confidentiality of the data.

Retention Periods

All personal data processed by the Data Controller within the scope of its activities are retained according to the following periods or criteria:

|

|

|

|

|

|

|

|

|

|

|

|

|

|

|

|

|

Should a dispute arise during these phases, whether in judicial or extrajudicial proceedings, between the Data Controller and the data subject, the latter’s personal data may be retained beyond these limits until the final resolution of the dispute.

At the expiration of these terms, any personal data contained in the aforementioned documents or commercial correspondence will be destroyed or deleted.

Mandatory Nature and Consequences of Refusal to Provide Data

The personal data of clients or suppliers processed by the Data Controller within its activities are necessary for the conclusion of purchase or supply contracts as well as for managing commercial correspondence. The provision of such data is not mandatory; however, without it, it is not possible to manage the commercial relationship with the client or supplier.

Subjects to Whom Personal Data May Be Disclosed

To comply with certain legal obligations in tax, fiscal, insurance, social security, and banking matters, or to protect its rights in judicial or extrajudicial settings, the Data Controller, within the scope of its activities, may disclose the personal data processed to:

• External professionals/consultants in accounting, tax, and legal matters;
• External professionals/consultants in management systems (e.g., Workplace Safety and Privacy);
• Providers of IT services and cybersecurity solutions;
• Supervisory bodies (e.g., Revenue Agency, Guardia di Finanza, etc.);
• Insurance, credit, banking, and postal institutions.

The Data Controller processes the personal data necessary to achieve the stated purposes through individuals within its organization who are formally authorized with a letter of appointment, trained, and committed to maintaining the confidentiality of the information processed. Some of the recipients to whom the Data Controller discloses personal data act on its behalf and are therefore designated as “Data Processors” pursuant to Article 28 of the GDPR through a formal agreement. A list of the main processors is available by contacting the Data Controller at the following email address: press [at] cesarecatania.eu

Transfer Outside the EU (to Non-EU Countries)

The personal data processed as described in this privacy notice are not in any way transferred outside the borders of the EU, either through paper-based or electronic means.

Automated Decision-Making, Including Profiling

Your personal data are not subject to any fully automated decision-making process, including profiling as referred to in Article 22.1 and 4 of the GDPR.

Rights of the Data Subject

In relation to the processing of personal data by Studio Catania Srl for the purposes described above, every data subject always has the right, within the limits and under the conditions set out in Articles 15-22 of the GDPR, to exercise the following rights:

• Right of access;
• Right to rectification and erasure;
• Right to data portability;
• Right to restriction of processing;
• Right to object to processing for direct marketing purposes based on the legitimate interest of the Data Controller;
• Right not to be subject to a decision based solely on automated processing.

The Data Controller informs all recipients to whom the personal data of the data subjects have been disclosed about any rectifications, erasures, or restrictions of processing, unless this proves impossible or involves a disproportionate effort.

To effectively exercise these privacy rights under the conditions provided by the GDPR, every data subject can contact Studio Catania Srl at the email address provided below and request the dedicated form: email: press [at] cesarecatania.eu

• The data subject also has the right to file a complaint with the Data Protection Authority if they believe that their data is being used unlawfully and the processing persists despite having requested the Data Controller to cease such processing. For submitting a complaint, it is possible to consult the dedicated webpage on the Authority’s official website.

PRIVACY RIGHTS

RIGHT OF ACCESS

The right of access means that the data subject can obtain the following information from the data controller:

1) purposes of the processing,

2) categories of personal data concerned,

3) recipients or categories of recipients to whom such personal data have been or will be disclosed, particularly if they are recipients in third countries or international organizations,

4) the existence of the data subject’s right to request from the data controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning them, or to object to their processing,

RIGHT TO RECTIFICATION AND ERASURE

The right to rectification means that the data subject can obtain:

1) the correction of inaccurate personal data concerning them without undue delay,

2) the completion of incomplete personal data, including by providing a supplementary statement.

The right to erasure of personal data can be exercised if:

1) the personal data to be erased are no longer necessary for the purposes for which they were collected or otherwise processed,

2) consent has been withdrawn, and there is no other legal basis for the processing,

3) the right to object to processing has been exercised, and there are no overriding legitimate grounds for continuing the processing,

4) the personal data subject to the erasure request have been processed unlawfully,

5) the personal data subject to the erasure request must be deleted to comply with a legal obligation,

6) the personal data subject to the erasure request were collected in relation to the offer of information society services.

RIGHT TO DATA PORTABILITY

The right to data portability means that, without prejudice to the rights and freedoms of others:

The data subject has the right to receive their personal data in a structured, commonly used, and machine-readable format, and has the right to transmit such data to another data controller without hindrance from this company. This request may also be directed to this company to have the data transmitted directly to another data controller.

This right can be exercised if the legal basis for the processing is:

1a) consent that has been freely, informed, specific, and unequivocally given,

o

1b) a contract concluded with the data subject,

and

2) the processing is carried out by automated means.

RIGHT TO RESTRICTION OF PROCESSING AND RIGHT TO OBJECT

The right to restriction of processing can be exercised by you if:

1) if the data subject contests the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data,

2) when the processing is unlawful; the data subject opposes the erasure of their personal data and instead requests the restriction of its use,

3) when the personal data of the data subject are necessary for the establishment, exercise, or defense of a legal claim, even though the data controller no longer needs them for processing purposes,

4) when the right to object to processing has been exercised,

The right to object to the processing of personal data can be exercised by the data subject at any time for any reason related to their particular situation and for direct marketing purposes.

The data controller shall refrain from further processing such personal data unless they demonstrate the existence of compelling legitimate grounds for processing that override the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defense of a legal claim.

RIGHT NOT TO BE SUBJECT TO A DECISION BASED SOLELY ON AUTOMATED PROCESSING

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them.

Such automated decision-making is permitted if it is necessary for the conclusion or performance of a contract between the data subject and a data controller, or if it is authorized by law, which must specify appropriate safeguards for the rights, freedoms, and legitimate interests of the data subject. Alternatively, it may occur if it is based on the explicit consent of the individual subject to the decision (the data subject).

If the decision is based on a contract or explicit consent, the data controller implements appropriate measures to safeguard the rights, freedoms, and legitimate interests of the data subject, including the following:

at least the right to obtain human intervention from the data controller,

the right to express their opinion and

the right to contest the decision.

Automated decisions cannot be based on special categories of personal data unless the exceptions apply, such as the explicit consent of the data subject or a significant public interest established by national or European law. In such cases, the processing must be proportional to the purpose pursued, respect the essence of the right to data protection, and include appropriate and specific measures to safeguard the fundamental rights and interests of the data subject.