The company Racheli S.r.l. (hereinafter referred to as the ‘Company’ or the ‘Controller’) is particularly attentive to the application of the principles in force regarding the processing of personal data and, in particular, to the principles related to lawfulness, correctness, transparency, purpose limitation and storage, minimisation, accuracy, integrity and confidentiality, as well as to the security measures adopted to protect the same.
That being said, in compliance with the provisions of Articles 13 and 14 of EU Regulation 2016/679 (hereinafter also referred to as the “Regulation”), and, where applicable, of Legislative Decree no. 196 of 30 June 2003 (hereinafter referred to as the “Code”), with this information notice, (hereinafter referred to as the “Information Notice”), describes in the following, the nature of the personal data collected, the purposes and methods of processing adopted, the entities to which the personal data of current and potential clients (hereinafter referred to as “Clients”) involved in the processing are destined, in respect of whom the Company provides – generally after professional assignment – services in the field of IP (Intellectual Property) in Italy and worldwide, better described on the website www.racheli.it.
This Information Notice can be printed by using the print command in the settings of any browser.
The data controller is the company Racheli S.r.l., with registered office at Viale San Michele del Carso No. 4, 20144 Milan (MI), with tax code and VAT no. 09683760962 duly registered with the Milan Register of Companies, which can be reached at the contact e-mail firstname.lastname@example.org.
Type of Data Processed
Considering the type of services provided by the Company, the personal data processed relating to Customers belong to the following categories
- data relating to natural persons who request the provision of IP services or who are holders of IP rights;
- data relating to natural persons who represent – by office or by power of attorney – the legal persons requesting the provision of IP services, or who are holders of IP rights;
- data relating to natural persons who perform activities in favour of the rights holders and who collaborate and interact with the Company in the context of the IP services provided;
- data relating to inventors, authors, designers, etc.
The category of data voluntarily provided by Clients by any means, in the pre-contractual or contractual phase, for the performance of the assignment conferred, may consist of personal contact data such as name, surname, e-mail address, telephone number, date and place of birth, tax code, address of residence or domicile, data in identity documents, accounting, tax, financial, administrative, banking data, as well as any information necessary and/or useful for the performance of the assignment.
Purposes of Data Processing
Clients’ personal data are processed:
- for the fulfilment of contractual obligations relating to the management, completion, and monitoring of the assignment conferred;
- for the fulfilment of legal obligations relating to IP, as provided for by current tax and fiscal legislation applicable to the contractual relationship;
- for the protection of the Controller’s contractual rights;
- for marketing purposes, through the transmission – subject to the explicit consent of the Client – of informative communications on the services and activities provided by the Controller, also in concert with other professionals or service companies, also through newsletters. In particular, the e-mail address(es) provided by the Customers may be used by the Company – with the explicit consent of the interested parties – to send commercial information regarding services similar to those offered and requested by the Customers, without prejudice to the Customers’ right to object to the sending of such communications at the time of data collection and at any time thereafter.
In fact, it is possible to refuse to receive further communications at any time by clicking on the appropriate unsubscribe link at the bottom of all communications.
Legal Basis for Treatment
The legal basis for the processing for the purpose referred to in point a) of the foregoing Article is the granting of the professional assignment, as provided for in Article 6¹ letter b) of the aforementioned Regulation and does not require explicit consent; the legal basis for the processing referred to in point b) is the fulfilment of the legal obligations referred to in point c) of the aforementioned Regulation and does not require explicit consent; the legal basis for the processing referred to in point c) of the above article is represented by Article 6(1)(f) of the Regulation, without the need for explicit consent, in order to promote its services to Customers who have already used them, by sending information and commercial communications by e-mail, without prejudice to the Customers’ right to object to the processing at any time. It is understood that such processing is carried out in compliance with the provisions of Article 130, paragraph 4, of the Code².
Nature of Data Provision
The provision of data for the purposes set forth in points a), b) and c) of the article on “PURPOSES OF DATA PROCESSING” is compulsory; refusal to provide the data or complete opposition to their processing for the aforementioned purposes may make it impossible to perform the assignment conferred. The provision of one’s own data for the processing operations referred to in point e) is not compulsory and failure to provide consent does not determine any consequences with regard to the existing contractual relationship with the Controller, but only results in the impossibility of sending informative and commercial communications in relation to IP services. In any case and as better specified above, Customers may revoke their consent at any time, even partially.
Customer’s data may be communicated to third parties, for contractual, technical, and operational requirements – strictly related to the purposes set out above – in particular to the following categories of subjects:
- aentities, professionals, companies, or other structures, appointed by the Controller to deal with processing connected with the fulfilment of the assignment conferred and with administrative, accounting, and management obligations related to the ordinary performance of the activity carried out, also for debt collection purposes;
- public authorities and administrations, for purposes connected with the fulfilment of contractual and/or legal obligations, or to parties legitimated to access the data by virtue of applicable provisions of law, regulations, including foreign ones;
- banks, financial institutions or other subjects, to which the communication of the aforesaid data is necessary for the performance of the Controller’s activities in relation to the fulfilment of contractual obligations undertaken with Customers
- suppliers of installation, assistance, and maintenance services for computer systems and equipment, as well as telematics and all services functionally connected and necessary for the fulfilment of the professional assignment conferred.
The list of data processors is available upon request.
Method of Treatment
Personal data are processed by staff and/or collaborators specifically appointed by the Controller or by persons formally and specifically designated as data processors pursuant to Article 28 of the Regulation.
The data is processed using computer and/or telematic tools designed to store, manage, and transmit the data, with organisational methods and logic strictly related to the purposes indicated in this Information Notice.
The Controller takes appropriate security measures to prevent unauthorised access, disclosure, modification, or destruction of Customers’ personal data.
The Controller does not transfer personal data to third countries (outside the EEC) or to international organisations, except where such transfer is necessary for the performance of the assignment conferred by the Customers, subject to the adoption of all safeguards to ensure the protection of personal data, transferred in compliance with Articles 45 and 46 of the Regulation.
In any case, the Controller reserves the right to use cloud services; in such case, the service providers will be selected from among those who provide adequate guarantees, as provided for in Article 46 of the Regulation.
Data Retention Period
Personal data processed for the purposes specified in the Policy shall be retained for the period required by the purposes for which such data were collected and in accordance with domestic and foreign laws applicable to the IP services performed.
Once the contractual relationship is terminated, personal data will be kept in the historical archives, without prejudice to the rights referred to in Article 7 of the Regulation and the application of the general principles in force regarding processing, including and above all the principle of minimisation.
Rights of the Interested Parties
The Controller informs the Customers, as Data Subjects, of their rights as provided for by Articles 15, 16, 17, 18, 20, 21 and 22 ³ of the Regulation on the processing of personal data. In particular, Customers have the right to request, at any time, access to their personal data, their rectification or cancellation, the limitation of processing in the cases provided for by Article 18 of the Regulation; to obtain, in a structured, commonly used and machine-readable format, the data concerning them, in the cases provided for by Article 20 of the GDPR; to revoke at any time, pursuant to Article 7 of the GDPR, the consent given (where consent has been requested); to lodge a complaint with the Personal Data Protection Authority, if they consider that the processing of their data is contrary to the legislation in force; the right to object at any time, for reasons related to their particular situation, unless the Controller demonstrates the existence of compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a legal claim; the right not to be subject to automated decision-making, including profiling.
How to Exercise Your Rights
In order to exercise their rights, the Customers identified above may address a request to the contact details of the Controller, indicated in this document. Requests will be dealt with by the Controller as soon as possible, or in any case within one month of their receipt.
Customers Using the Website www. racheli.it
Customers using the Controller’s institutional site are invited to carefully read the specific information notice reserved for USERS, published at www.racheli.it.
1) Article 6 of the Regulation on the ‘Lawfulness of processing’ provides: ‘1. Processing shall be lawful only if and to the extent that at least one of the following conditions is met:
- (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- (b) the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject’s request
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject; […]
- (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data are not overridden, in particular where the data subject is a child’.
2) On this point, Article 130 of the Code, paragraph 4 provides:
“Without prejudice to the provisions of paragraph 1, if the data controller uses, for the purposes of direct sales of its own products or services, the e-mail coordinates provided by the data subject in the context of the sale of a product or service, it may not request the data subject’s consent, provided that the services in question are similar to those being sold and that the data subject, adequately informed, does not refuse such use, either initially or on the occasion of subsequent communications. The data subject shall be informed, at the time of collection and at the time of sending any communication made for the purposes referred to in this paragraph, of the possibility of objecting at any time to the processing, easily and free of charge’.
3) For the sake of completeness, the texts of the following articles are given:
Article 15 – Right of access. The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data relating to him are being processed and, if so, to obtain access to the personal data and information concerning such processing.
Article 16 – Right of rectification. The data subject has the right to obtain from the Controller the rectification of inaccurate personal data concerning him without undue delay. Bearing in mind the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration.
Art. 17 – Right to erasure (right to be forgotten) The data subject has the right to obtain from the Controller the erasure of personal data concerning him without undue delay, and the Controller has the obligation to erase the personal data without undue delay.
Art. 18 – Right to restriction of processing The data subject has the right to obtain from the Controller the restriction of processing when one of the following cases occurs (a) the data subject contests the accuracy of the personal data, for the period necessary for the Controller to verify the accuracy of such personal data; (b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that its use be restricted (c) although the Controller no longer needs them for the purposes of the processing, the personal data are necessary for the establishment, exercise or defence of legal claims by the data subject; (d) the data subject has objected to the processing pursuant to Article 21(1), pending the verification as to whether the legitimate reasons of the Controller prevail over those of the data subject.
Article 20 – Right to data portability. The data subject has the right to receive in a structured, commonly used and machine-readable format the personal data concerning him/her that he/she has provided to a data controller and has the right to transmit those data to another data controller without hindrance from the data controller to whom he/she has provided them. When exercising his or her data portability rights under paragraph 1, the data subject has the right to obtain the direct transmission of personal data from one controller to another, if technically feasible.
Article 21 – Right to object. The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her in accordance with Article 6(1)(e) or (f), including profiling on the basis of these provisions.
Article 22 – Right not to be subject to automated decision-making, including profiling. A data subject shall have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which produces legal effects concerning him or significantly affects him in a similar way.
This notice has been updated as of 21 March 2023.
Customers are kindly requested to visit this section periodically in order to be constantly updated on any changes to the above-mentioned notice.