Privacy Policy

INFORMATION NOTICE pursuant to Articles 13 and 14 of Regulation (EU) 2016/679

With this document (hereinafter also the “Information Notice”), the Data Controller (hereinafter also the “Controller”), as defined below, wishes to inform you about the purposes and methods of processing your personal data, as well as about the rights granted to you by Regulation (EU) 2016/679 (hereinafter also “GDPR”) concerning the protection of natural persons with regard to the processing of personal data and their free movement. This Information Notice may be supplemented by the Controller if any additional services you may request involve further data processing.


Who is the Data Controller

The Data Controller (hereinafter also the “Controller”) is CreativeNet SRL, with registered office at Via Boezio 4/C - 00193 Rome - Italy - VAT number: 12474711004 - email: info@crnetpartners.com.

To exercise your rights, listed in this Information Notice, or for any other request, you may contact the Controller by writing to:

  • CreativeNet SRL, with registered office at Via Boezio 4/C - 00193 Rome - Italy
    To the attention of the Internal Privacy Contact Person;
  • by sending an email to: info@crnetpartners.com
    To the attention of the Internal Privacy Contact Person.

The Controller, also through designated structures, will take charge of your request and provide you with information on the actions taken regarding your request without undue delay and, in any event, no later than one month from receipt of the request. This period may be extended by two months if necessary, taking into account the complexity and number of the requests.

Please note that if the Controller has reasonable doubts concerning the identity of the natural person submitting the request, further information necessary to confirm the data subject’s identity may be requested.


What personal data we process

2.1. Personal data

For the purposes indicated in this Information Notice, the Controller may process common personal data such as personal details (name, surname, address, phone numbers, email addresses and other contact details, an identification number or code, tax code, VAT number), economic and financial data (for example, personal data related to specific engagements acquired during the contractual relationship with the Controller), which may refer to you, your employees/collaborators, or your family members. With regard to data relating to your employees/collaborators or family members, please ensure that they are duly informed of the contents of this Information Notice.

2.2. Special categories of personal data

The Controller may also process special categories of your personal data or your family members’ personal data, for example in the preparation of income tax returns or other statements arising from tax obligations. Such data may include data revealing racial or ethnic origin, religious, philosophical, or other beliefs, political opinions, membership in political parties, trade unions, associations, or organizations of a religious, philosophical, political, or trade-union nature, as well as personal data revealing health status or sex life.

2.3. Source of personal data

Your personal data processed by the Controller are those provided directly by you to the Controller or collected from third parties, such as, for example, the acquisition of corporate registration reports (“visure camerali”), information from public registers, identification and adequate verification of customers carried out under Legislative Decree 231/2007, as amended (the so-called Anti-Money Laundering legislation), or other open sources. This Information Notice also covers the processing of your personal data acquired from third parties.


What are the purposes of the processing

1. Performance of contracts and regulatory compliance
The processing of your personal data is necessary for the collection of information prior to the conclusion of contracts you will enter into with the Controller, for the finalization and performance of the contracts signed with the Controller, and to ensure efficient management of business relations. Furthermore, the processing of your personal data by the Controller may be related to the fulfillment of administrative, accounting, and management obligations required by laws or regulations and/or EU legislation, or by supervisory and control authorities, or other authorities so authorized (for example, tax legislation, anti-money laundering legislation).

  • Purpose of the processing: Pre-contractual activities, contract management, fulfillment of administrative, accounting, and tax obligations, performance of tasks in the public interest.
  • Nature of provision: Mandatory.
  • Consequences of refusal to provide data: Failure to provide the data will make it impossible for the Controller to carry out pre-contractual/contractual activities, to perform the contract, and/or to perform activities that require compliance with legal obligations and/or the performance of a task in the public interest by the Controller.
  • Legal basis of the processing: Performance of pre-contractual/contractual measures (Art. 6(1)(b) GDPR), compliance with a legal obligation (Art. 6(1)(c) GDPR), performance of a task in the public interest (Art. 6(1)(e) GDPR).
  • Retention period of personal data: Your personal data will be processed for the time necessary to achieve the purposes of the processing described above, and for the 10 years following completion thereof, and until any potential claim of contractual liability on the part of the Controller is time-barred. If the contract is not finalized or the contractual relationship is terminated, your personal data will be retained for a further 10 years or, if later, from the date of any binding decision issued by a competent authority (for example, a court judgment), without prejudice to any retention obligations for certain categories of data for longer periods of time prescribed by the legal system. In the case of processing personal data related to accounting records, the retention period is 10 years from the date of the last entry, as provided by Article 2220 of the Italian Civil Code.

How your personal data will be processed

In compliance with the provisions of the GDPR, your personal data will be processed using paper, computerized, and electronic tools, in ways strictly related to the purposes indicated, and in any case in such a way as to ensure the security and confidentiality of the data, in accordance with Article 32 of the GDPR.


To whom your personal data may be disclosed and who may become aware of it

For the pursuit of the purposes described in section 3 above, your personal data will be known by employees, equivalent personnel, and external collaborators who will act as persons authorized to process and/or data processors.

Furthermore, the Controller may need to disclose your personal data to third parties (also having their headquarters outside the European Union, in compliance with the legal requirements that allow it), for example, to the following categories: public institutions and judicial or administrative authorities as required for compliance with legal obligations; credit institutions; insurance companies; other parties providing services in support of the performance of the assignment or contract; entities responsible for mailing, sorting, shipping, and archiving services (including by electronic means or web portals) for documentation relating to client relations; parties providing IT system management services to the Controller; companies offering server farm services; parties handling debt collection; other professionals or organizations providing professional consultancy or tax/legal/judicial/extrajudicial assistance services; parties handling accounting audits and financial statement certifications; authorities and supervisory and control bodies; and generally public or private entities with public functions.

The Controller may transfer the client’s personal data to third countries provided that it is to a third country considered adequate pursuant to Art. 45 of the GDPR.

Your personal data processed by the Controller are not subject to dissemination.


What rights you have as a data subject

With regard to the processing activities described in this Information Notice, as the data subject, you may, under the conditions set out in the GDPR, exercise the rights provided for in Articles 15 to 22 of the GDPR, and in particular the following rights:

  • Right of access (Article 15 GDPR): the right to obtain confirmation as to whether or not personal data concerning you is being processed and, if so, to gain access to your personal data—including a copy of it—and to receive communication of, among others, the following:
    a) the purposes of the processing
    b) the categories of personal data processed
    c) the recipients or categories of recipients to whom they have been or will be disclosed
    d) the envisaged retention period of the data or the criteria used to determine that period
    e) the existence of the data subject’s rights (rectification, erasure of personal data, restriction of processing, and the right to object to processing)
    f) the right to lodge a complaint
    g) the right to obtain information about the source of the personal data if they were not collected from the data subject
    h) the existence of automated decision-making, including profiling
  • Right to rectification (Article 16 GDPR): the right to obtain without undue delay the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data;
  • Right to erasure (right to be forgotten) (Article 17 GDPR): the right to obtain, without undue delay, the erasure of personal data concerning you when:
    a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    b) you have withdrawn your consent and there is no other legal basis for the processing;
    c) you have successfully objected to the processing;
    d) the data have been unlawfully processed;
    e) the data must be erased for compliance with a legal obligation;
    f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
    The right to erasure does not apply to the extent that processing is necessary for compliance with a legal obligation, the performance of a task carried out in the public interest, or for the establishment, exercise, or defense of legal claims.
  • Right to restriction of processing (Article 18 GDPR): the right to obtain restriction of processing where:
    a) the data subject contests the accuracy of the personal data;
    b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    c) the personal data are required by the data subject for the establishment, exercise, or defense of legal claims;
    d) the data subject has objected to the processing pending verification as to whether the legitimate grounds of the Controller override those of the data subject.
  • Right to data portability (Article 20 GDPR): the right to receive in a structured, commonly used, and machine-readable format the personal data concerning you that you have provided to the Controller and the right to transmit those data to another controller without hindrance, where the processing is based on your consent and is carried out by automated means. Furthermore, the right to have your personal data transmitted directly by the Controller to another controller, where technically feasible.
  • Right to object (Article 21 GDPR): the right to object at any time to the processing of personal data concerning you, which is based on the legitimate interest of the Controller, including profiling, unless there are compelling legitimate grounds for the Controller to continue the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
  • Right not to be subject to automated decision-making (Article 22 GDPR): the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her, unless this is necessary for entering into or performing a contract or if you have provided your consent. In any case, no automated decision-making will involve your personal data, and you can, at any time, obtain human intervention from the Controller, express your opinion, and contest the decision.
  • Right to lodge a complaint with the supervisory authority for personal data protection, Piazza di Montecitorio no. 121, 00186, Rome (RM), Italy, or through the procedures published on the authority’s website (www.garanteprivacy.it);
  • Right to withdraw consent given at any time and with the same ease with which it was provided.

The aforementioned rights may be exercised against the Controller by contacting the references indicated in section 1 above.

The exercise of your rights as a data subject is free of charge under Article 12 of the GDPR. However, in the event of manifestly unfounded or excessive requests, including due to their repetitive nature, the Controller may charge you a reasonable fee in view of the administrative costs incurred to handle your request, or refuse to act on your request.