INFORMATION PROVIDED IN ACCORDANCE WITH ARTICLES 13 AND 14 OF THE GDPR (GENERAL DATA PROTECTION REGULATION) (REGULATION (EU) NO 2016/679)
According to the legislation indicated, this processing will be based on the principles of fairness, lawfulness, transparency and protection of your confidentiality and your rights.
In accordance with Article 13 of the GDPR (Regulation (EU) No 2016/679), therefore, we hereby provide the following information:
A – Personal data (name, surname, details and copy of identity document, telephone number, email address, etc.) will be provided when joining depending on the type of associated requested.
Realty Advisory S.p.A., Via Carlo Porta 1, 20121 Milan, VAT No and tax code 08117460967, in the capacity of Data Controller for your personal data, hereby provides information about the use of those data and about your rights, so that you can provide your informed consent, where required, and exercise the rights laid down in the General Data Protection Regulation (Regulation (EU) No 679/2016, hereafter the Regulation). Your personal data (provided by you or by third parties or taken, as permitted by law, from public lists) may be processed for the following expressly stated purposes: activities dedicated to consulting and property brokering, such as sale, purchase, rentals, division and disposals of businesses.
We have provided information below on the meaning of the types of purposes, in particular:
1. legal: namely to comply with the obligations laid down by law, by a regulation, by the European Union legislation and by the requirements imposed by authorities empowered to do so by law or by competent supervisory or control bodies (in this case, your consent is not necessary because the processing of the data is related to compliance with those obligations/requirements). The data processed by law include those relating to tax laws or for money laundering registers.
2. contractual and, more generally, administrative and accounting: namely data required to fulfil obligations deriving from contracts to which you are a party or to comply with your specific requests before a contract is concluded, where applicable by means of distance communication techniques, including a dedicated telephone call centre (in this case, your consent is not necessary because the processing of the data is intended to manage the relationship or comply with the request). These processing operations also include the purposes deriving from protection of reciprocal legal interests and for tax requirements or for other legal obligations such as, for example, keeping the money laundering register if applicable.
3. direct commercial and profiling: namely to provide you with information and to send you informative, commercial and advertising material (where applicable using distance communication techniques such as, but not limited to, postal communication, telephone calls (including using automated calling systems), facsimile, email, SMS or MMS messaging or other types) about the company’s products, services or initiatives, to promote those products, services or initiatives, to perform direct sales activities, to perform market research, to verify the quality of the products or services offered to you (where applicable by means of telephone calls or sending of questionnaires), to optimise the offer of products, services or initiatives (where applicable through selected, focused analysis), to provide commercial communications, to undertake statistical research, or to apply one or more profiles to you (in order to make appropriate commercial decisions or to analyse or forecast, still for commercial purposes, your personal preferences, behaviours and attitudes). (In this case, your consent is optional and will not affect your continued relationship with the company).
4. indirect commercial: namely by providing your data to third-party entities so they can perform specific independent commercial activities as indicated in No 3 above. (In this case, your consent is optional and will not affect your continued relationship with the company).
5. commercial post: namely for the purpose of analysing in-depth the underlying reasons following the cessation or termination of the relationship with the company. (In this case, your consent is optional and will not affect your continued relationship with the company).
6. The Data Controller may change the purpose for which your data have been collected. In such a case, the Data Controller will obtain your explicit consent for the new purpose where this is necessary on the basis of the applicable legal requirements.
7. ‘Individual’ data, also referred to as ‘sensitive’ data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Article 9 of the Regulation) or relating to criminal convictions and offences or related security measures (Article 10 of the Regulation). These data may be processed only with your explicit written consent if one of the reasons set out in Article 9(2) and Article 10 of the Regulation applies. Consent is free and optional but a refusal to give consent may affect the performance of one or more activities requested by you from the company specifically concerning situations for which the processing of this type of data is essential.
8. Consent for processing of your data may be binding in order to conclude contracts with the Data Controller or third parties. For the purpose of concluding a contract, only data that must be processed in order to conclude the contract may be binding. You may freely give or refuse your consent for non-essential data, and in particular for the purpose of profiling, commercial communication and marketing.
9. Your personal data may be transferred to third-party entities for the purposes declared by the Data Controller.
10. For technical or organisational reasons or because of the specific nature of the issue being addressed, because of legal obligations or other possible causes, the company may find that it has to manage your data in a way that it cannot be modified.
B – PROCEDURES FOR DATA PROCESSING.
Your data will be processed using manual tools and manual/hard-copy archiving and using electronic and automated systems, using procedures strictly related to the purposes indicated above. Where you have given your consent, processing may also take place by means of data profiling or comparison. The company has put in place technical and organisational measures intended to prevent and limit the risk of loss of, damage to or theft of your data, and to ensure that it can be recovered within a reasonable period in the case of a ‘data breach’.
Processing will be performed in a manner that guarantees the security, protection and confidentiality of your data.
Inside the company, the following people may have access to your personal data, as data controllers and processors:
• employees, managers and directors or shareholders of the company who have taken on or hold, by law or on the basis of the articles of association, administrative, sales or other roles subject to self-employment contracts operating within the company structure. These individuals have been provided by the company with appropriate training and instruction to enable the protection, maintenance, updating, security and confidentiality of your data. Consent for processing by these individuals is not required, as it is implied in the procedures required by law.
Outside the company, your data may be processed by:
• employees subject to non-permanent employment contracts operating outside the company’s structure;
• sales employees subject to non-permanent employment contracts operating outside the company’s structure;
• consultants of all kinds (lawyers, doctors or accountants, engineers, architects, employment consultants or other professionals, whether or not members of professional organisations), who perform technical or support (in particular: legal services, IT services, shipping) and business auditing tasks on behalf of the company.
To achieve the purposes described above, the company may communicate or otherwise send your data to certain entities, including foreign ones, which will use the data received as independent joint data controllers, except in cases where they have been designated by the company as ‘data processors’ for the operations for which they have specific competence. You have the right to request and obtain a list of the third parties to which these data may be transferred. Your consent is required for the data to be sent to these third parties but, if you refuse consent, the company might not be able to provide the services requested or fulfil the obligations it has assumed in relation to you.
It is possible that the data processor may delegate the processing of your data to other sub-processors, which are in turn trained in the procedures for correct processing of those data.
Your personal data may be transferred to a foreign country. In this case, if your data are transferred within the European Union, they will be processed according to the same procedures as in Italy. If they are transferred to countries outside the European Union, they will be processed in accordance with the rights conferred upon you by the European Regulations. If your data are transferred to a country outside the EU, it is possible that they will be processed by entities that guarantee compliance with the rights conferred by the European Regulations by means of voluntary acceptance by those entities of general measures.
Data transfer will take place in any case using tools that guarantee the protection of those data from intrusion by third parties.
Your data have been obtained directly from you and we therefore provide the following information in this form where applicable:
• data about the Data Controller and representative
• data about the data protection processor
• purpose of and legal basis for processing
• recipients of the data
• intention to transfer data abroad
• duration of the storage period or criteria for determination of that duration
• right of access, correction, deletion and objection to processing, portability
• right to withdraw consent for processing if possible except where not permitted by law
• possibility of filing claims with the authority (Supervisor)
• whether the data are mandatory for performance of a contract, or by law and the consequences if consent is withheld
• whether the data are or will be subject to profiling and, if so, the profiling logic
• the existence of automatic decision-making processes and the right of the party concerned to require that decisions be made following human intervention.
Your data will be stored by the Data Controller, for the purposes envisaged, for the time required to manage the relationship existing with you and to guarantee reciprocal legal protection of rights and compliance with the applicable legal obligations, including those relating to tax. Data not required for these latter purposes will be removed by the final deadline laid down in accordance with the right to be forgotten, as indicated below in this document, or, at your request, within a shorter period if this does not conflict with the rights of the Data Controller.
Your data that are not required to be kept on the basis of a specific legal obligation will be deleted within ten years for accounting data, five years following dismissal or resignation for personal data, ten years for client data, and ten years for supplier data.
With regard to profiling systems, the company declares that it does not perform web profiling but rather only profiling for direct market purposes as detailed below.
C – RIGHTS OF THE DATA SUBJECT
You may exercise the following rights expressly recognised by the Regulation, at any time:
• You have the right to file a complaint with the Italian data protection authority (Autorità Garante per la Protezione dei Dati Personali) at any time if you believe your rights have been infringed.
• You have the right to ensure that your data are accurate and up-to-date at all times and you may therefore indicate or request updating of those data at any time.
• You have the right to revoke consent for processing of your data where this is not prohibited by law or by a requirement for protection of the rights of the Data Controller, where applicable through legal action. In any case, a request to revoke consent entails a right to limit processing.
• You have the right to access the data processed by the Data Controller about you by means of a written request, where applicable in electronic form. You must provide proof of your identity, where necessary by access to our database using unique, individual access credentials. You have the right to free access on one occasion, and you may be asked to pay a charge for subsequent accesses. You have the right to obtain a response within thirty days following the request. You have the right to have your data in printable format
• You have the right to have your data corrected and updated and you may request at any time that your data be updated and corrected where it is determined that the data in our possession are not up-to-date or are incorrect. To guarantee that your data are up-to-date, please notify us of any appropriate changes.
• You have the right to have data about you deleted, provided that they are not data that the Data Controller is required to keep because of specific legal obligations, such as, but not limited to, obligations deriving from tax or money laundering requirements or to protect the rights of the Data Controller in the case of a dispute.
• Where you are contesting the accuracy of your data, or the lawfulness of the processing, or the right of the Data Controller to delete your data, or you have objected to the processing of the data and the Data Controller is contesting your objection, you have the right to request that your data be stored but not processed other than as specifically required to resolve the dispute in relation to those data.
• Where the Data Controller modifies or deletes all or some of your data, you have the right to be informed and to object to the modification and deletion.
• You have the right to be able to transfer your data – stored and processed electronically – to another operator, within the limits indicated by the Regulation and provided that this is technically possible, so as to consent to making those data easy to read and acquire by third parties. The data that you have the right to transfer (portability) also include data deriving from the automatic observation of your activities undertaken by means of the Data Controller’s IT services, such as searches and history of activities undertaken.
• You have the right to object to the processing of your data, to profiling, to the use of the data for direct marketing, and to profiling for public interest or for the purposes of scientific or historical or statistical research.
• The company may, in certain circumstances, adopt automated procedures in order to make decisions that relate to you and in particular in order to decide if and under what conditions to conclude contracts with you directly or through third parties. In such a case, you have the right to request that your position be assessed by a human operator performing a substantive assessment before a binding decision is made.
• Under certain circumstances, the Company may process your data in order to communicate with you about commercial or informative or educational initiatives (newsletters).In this case, your consent must be explicit and separate from other forms of consent and you may revoke consent provided for this purpose at any time.
• You have the right to be consulted during assessment of security procedures for the processing and protection of your data.
D – INFORMATION ABOUT THE ENTITIES INVOLVED IN PROCESSING
Your data may be processed by the following entities:
1. Realty Advisory S.p.A., Via Carlo Porta, 1, 20121 Milan, VAT No and tax code: 08117460967
2. Legal Representative: Gian Luca Artizzu, born in Cagliari on 20 March 1967
3. Employee: Emanuela Porzia, born in Rome on 17 July 1988
4. [DPO] Appointment not required
E – PROCEDURES FOR EXERCISING YOUR RIGHTS
Your requests may be exercised by written notification sent to the company’s address: VIA CARLO PORTA, 1, MILAN (MI), or the email address firstname.lastname@example.org, or, if available, posted independently in the personal area made available to you electronically using a unique identifier.