Pursuant to and for the purposes of Article 13 of European Regulation 2016/679 (hereinafter the “GDPR”) concerning the protection of personal data, Barzanò & Zanardo S.p.A., in its capacity as Data Controller (hereinafter referred to as the “Controller”), hereby informs you that the personal data you have provided will be processed in compliance with the aforementioned legislation.
The processing of personal data will be carried out lawfully, fairly, and transparently with respect to the data subject.
For the purposes of this notice, processing means any operation or set of operations performed, with or without the aid of electronic means, concerning the collection, recording, organization, storage, consultation, processing, alteration, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure, or destruction of data, even if not recorded in a database.
This notice is also provided for the purposes of Article 13 of Law 132/2025 “Disposizioni e deleghe al Governo in materia di intelligenza artificiale”, for which reference should be made to the section entitled “Processing methods”.
DATA CONTROLLER
Barzanò & Zanardo S.p.A. (Tax Code: 05051840584 / VAT No. 01347741009), represented by its legal representative pro tempore, with registered office at Via Piemonte, 26 – 00187 Rome, Italy.
Contact details: E-mail: privacy@barzano-zanardo.com – PEC: b-zmilano@pec.barzano-zanardo.com – Tel. +39 06 421771.
DATA PROTECTION OFFICER (DPO)
Lawyer Clementina Baroni (VAT No. 02001880356 – Tax Code BRNCMN73T50L826B), appointed as DPO with ad hoc authorization, with registered office at Via Domenico Francesco Cecati 1/1, 42123 Reggio Emilia (RE), Italy. Contact details: E-mail: dpo@studiolegaleavvbaroni.it – Certified E-mail (PEC): clementina.baroni@ordineavvocatireggioemilia.it – Tel. +39 0522 506307.
CATEGORIES OF DATA PROCESSED
The data subject to processing are as follows:
- For natural persons: identifying personal data (including but not limited to: name, surname, place and date of birth, tax code, ID document, telephone number, e-mail address, IP address, etc.) of the data subject and/or of third parties acting on their behalf.
- For legal persons: company name, e-mail address, certified e-mail (PEC), IBAN, tax code/VAT number, telephone number, company registered address, etc., of the data subject and/or of third parties acting on their behalf.
PURPOSES OF DATA PROCESSING
A. ESTABLISHMENT AND PERFORMANCE OF A CONTRACT, this includes, for example, pre-contractual activities, contract drafting and execution (including the provision of access credentials to dedicated platforms), and management of disputes.
Legal basis: the processing of the collected data is justified by the supply contract of good or services of which you are a party (Art. 6(1)(b) GDPR).
Recipients: the data collected in relation to the specified purpose may be disclosed to professional law firms, accountants, labor consultants, data processors appointed pursuant to Art. 28 GDPR, insurance companies, IT consultants/system administrators, independent or joint controllers.
The updated list of data processors is kept at the Controller’s registered office and may be consulted by you at any time upon request for access to the data.
Retention period: the data collected in relation to the aforementioned purpose will be retained until the termination, for any reason, of the contractual relationship, or for a longer period corresponding to the ordinary limitation period for contractual liability, without prejudice to any specific need for further data retention.
Failure to provide data: providing the data necessary for pursuing the stated purpose is a contractual obligation to which the data subject is bound. Failure by the data subject to provide such data will make it impossible to execute the contract.
B. COMPLIANCE WITH LEGAL OBLIGATIONS, including administrative and accounting obligations, tax obligations.
Legal basis: the processing of the collected data is justified by the need to comply with legal obligations incumbent upon the Controller (Art. 6(1)(c) GDPR).
Data Recipients: the data collected in relation to the specified purpose may be disclosed to banking institutions, the Italian Revenue Agency, other public bodies and/or private entities to whom data communication is required by law, professional law firms, accountants, or labor consultants, data processors appointed pursuant to Art. 28 of EU Regulation 2016/679, insurance companies, IT consultants/system administrators, independent and joint controllers.
The updated list of data processors is kept at the Controller’s registered office and may be consulted by you at any time upon request for access to the data.
Retention: the data collected in relation to the aforementioned purpose will be retained for the period required by the legislation mandating such processing, or for the longer period corresponding to the limitation period of the related rights, without prejudice to specific needs for further data retention due to subsequent legal obligations.
Failure to provide data: providing the data is mandatory and necessary to fulfil the legal obligations. Any refusal to provide such data for this purpose will make it impossible to continue the relationship.
C. COMMERCIAL COMMUNICATIONS (SOFT SPAM): communications about deadlines, legal obligations, invitations to events, conferences, training courses.
Legal basis for processing: the processing of the collected data is justified by the legitimate interest of the Controller (Art. 6(1)(f) GDPR).
Data recipients: the data collected in relation to the specified purpose may be disclosed to: banking institutions, the Italian Revenue Agency, other public bodies and/or private entities to whom data communication is required by law, professional law firms, accountants, or labor consultants, data processors appointed pursuant to Art. 28 of EU Regulation 2016/679, insurance companies, IT consultants/system administrators, and independent controllers.
The updated list of data processors is kept at the Controller’s registered office and may be consulted by you at any time upon request for access to the data.
Retention: the data collected in relation to the aforementioned purpose will be retained for the period required by the legislation mandating such processing, or for the longer period corresponding to the limitation period of the related rights, without prejudice to specific needs for further data retention due to subsequent legal obligations.
With reference to points A, B, and C of this privacy notice, the Data Controller also provides the following information:
Processing methods: the processing of data for the purposes described above is carried out using electronic, IT, or paper-based means, in compliance with the confidentiality and security rules established by the aforementioned legislation and other applicable regulations.
The Data Controller hereby declares, in accordance with Article 13 of Law 132/2025, that it may use artificial intelligence (“AI”) systems to perform activities that are instrumental and/or supportive of its professional activities, without prejudice to the prevalence of the intellectual work that is the subject of the service. AI will be used exclusively for functions supporting professional activities, such as, by way of example, the management of organisational activities, regulatory and case law research, preliminary analysis of documents and the preparation of drafts or summaries. The results obtained, both in terms of output generation and source verification, will be subject to careful and accurate verification (including human supervision) by authorised persons appointed to pursue the above purposes and expressly authorised and instructed by the Data Controller pursuant to Article 29 of the GDPR and 2-quatercedecies of the Privacy Code.
The use of AI, where it involves the processing of personal data, will be employed in full compliance with the provisions of the GDPR and professional duties in order to ensure the protection of the privacy and confidentiality of the data subjects.
Data transfer abroad: the data collected in relation to the aforementioned purposes are not transferred to countries outside the EU. However, the Controller reserves the right to use cloud services; in such cases, the service providers will be selected from those offering adequate safeguards, as provided for in Art. 46 of EU Regulation 2016/679.
Automated decision-making processes: the data collected in relation to the aforementioned purposes are not subject to automated decision-making processes, including profiling.
Rights of the data subject: pursuant to EU Regulation 2016/679, the data subject has the right to:
- access personal data to understand (“reactive transparency”) the purposes of processing, the categories of personal data collected, the recipients of the data, particularly if recipients are located in third countries or international organizations, and the envisaged retention periods (Art. 15);
- obtain rectification of data (Art. 16);
- obtain erasure of personal data where they are no longer necessary for the purposes for which they were collected, and provided there are no further legal obligations to retain them (Art. 17 GDPR);
- request restriction of processing (Art. 18);
- request data portability (Art. 20);
- object to the processing of data for reasons related to their particular situation (Art. 21 GDPR). In such cases, the data will no longer be processed unless compelling legitimate grounds exist for continuing processing (e.g., for the defense of rights in court);
- not be subject to automated decision-making, including profiling (Art. 22).
Finally, the data subject also has the right to lodge a complaint with the Supervisory Authority (Garante per la Protezione dei Dati Personali) pursuant to Art. 13(2)(d) and Art. 77 of the aforementioned Regulation.
Exercise of Rights: the data subject may exercise their rights at any time in accordance with Art. 12 of EU Regulation 2016/679 by contacting the company, sending:
- a registered letter with return receipt to: Barzanò & Zanardo S.p.A., with registered office at Via Piemonte, 26 – 00187 Rome, Italy
- e-mail: privacy@barzano-zanardo.com
- certified e-mail (PEC): b-zmilano@pec.barzano-zanardo.com
Alternatively, the data subject may contact the DPO by sending:
- a registered letter with return receipt to: Lawyer Clementina Baroni, with registered office at Via Domenico Francesco Cecati, 1/1 – 42123 Reggio Emilia (RE), Italy
- certified e-mail (PEC): clementina.baroni@ordineavvocatireggioemilia.it
- e-mail: dpo@studiolegaleavvbaroni.it
Reference clause: for all matters not covered in this privacy notice, reference is made to the applicable laws, in particular Regulation 2016/679, Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018 and subsequent amendments, as well as any other relevant provisions.
Having read and understood the above privacy notice, the undersigned acknowledges and accepts the processing of personal data for the purposes indicated herein.
