Privacy Notice

pursuant to Regulation (EU) 2016/679 (“GDPR”)

1. Data Controller

The Data Controller is Alejandro Santos, with registered office at Milan, email studio@studiosantos.it.

2. Types of Data Processed

The Data Controller processes personal data provided directly by the data subject, including:

• identification and contact details;
• tax and administrative data;
• documents and information necessary for the performance of the professional engagement.

3. Purposes of Processing

Personal data are processed for the following purposes:

• management of the professional relationship and performance of the requested services;
• compliance with legal, tax and accounting obligations;
• operational and administrative communications with the client;
• protection of the Data Controller’s rights in judicial or extrajudicial proceedings.

4. Legal Basis for Processing

The processing of personal data is based on:

• performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR);
• compliance with legal obligations (Art. 6(1)(c) GDPR);
• the legitimate interest of the Data Controller (Art. 6(1)(f) GDPR), where applicable.

5. Processing Methods

Data are processed using paper and electronic tools, in compliance with the principles of lawfulness, fairness, transparency and data minimisation, and by adopting appropriate security measures to protect personal data.

6. Use of Artificial Intelligence Tools

In the course of its professional activity, the Data Controller may use advanced IT tools, including artificial intelligence systems, exclusively as operational support for the services requested by the client (for example, analysis, processing, summarisation or translation of content).

Such tools are used in compliance with confidentiality and security principles. Personal data are not used for the training of artificial intelligence systems nor for purposes other than those related to the performance of the engagement. The use of such tools does not involve automated decision-making processes.

7. Data Recipients

Personal data may be disclosed to:

• tax and accounting advisors;
• IT and cloud service providers;
• public authorities, where required by law.

Such entities process the data as data processors or independent data controllers, as applicable.

8. Transfer of Data to Third Countries

Where the use of services located outside the European Union is required, personal data transfers will take place in compliance with Articles 44 et seq. of the GDPR.

9. Data Retention Period

Personal data are retained for the duration of the professional relationship and thereafter for the period necessary to comply with legal obligations and to protect the rights of the Data Controller.

10. Data Subject’s Rights

Data subjects may exercise at any time the rights provided for in Articles 15–22 of the GDPR, including:

• access to personal data;
• rectification or erasure;
• restriction of processing;
• objection;
• data portability.

Requests may be submitted using the contact details provided in Section 1.

11. Right to Lodge a Complaint

Data subjects have the right to lodge a complaint with the competent supervisory authority.

12. Updates

This Privacy Notice may be subject to updates. The most recent version is always available on this website.