PRIVACY INFORMATION – DATA COLLECTED AND TREATED
Agreement pursuant to and for the purposes of art. 13-14, EU Reg 2016/679
(European regulation on the protection of personal data)

Dear Sir / Madam
We wish to inform you that the EU Reg. 2016/679 (“European Regulation on the protection of personal data”) provides for the protection of persons and other subjects and respect for the processing of personal data.
Under the articles 13 and 14, we therefore provide you with the following information:

1. Purpose, legal basis of the processing for which the data are intended
The processing of personal data supplied by you is aimed solely at performing contractual obligations and fulfilling specific requests, as well as fulfilling regulatory obligations, in particular contractual, accounting, and tax obligations.
For the purpose of the indicated processing, the holder will not be aware of data defined as “sensitive” in accordance with the EU Regulation 2016/679, such as those suitable to reveal the racial or ethnic origin, religious beliefs, philosophical or other kinds, political opinions, membership of parties, trade unions, associations of religious, philosophical, political or trade union organizations, health status and sexual life.

2. Source of personal data origin
Personal data come from:
a. Copies of identity, tax, and accounting documents needed for customer identification;
b. Copies of identity, tax, and accounting documents needed for the identification of suppliers;
c. Copies of Visure Camerali (Italian form of Certificate of Incorporation or Business Entity Certificate or similar);
d. Invoices and active and passive correspondence, with indication of the fiscal and statutory data required by law to identify the subjects between whom a legal or economic relationship has occurred;
e. Payment models for taxes, fees, and contributions;
f. Any other documentation or accounting, tax or extra-accounting information that is useful and / or necessary for the accomplishment of the Company’s activities.

3. Methods of processing
In relation to the indicated purposes, your data are processed both electronically and on paper. The processing operations are carried out in such a way as to guarantee the logical, physical security, and confidentiality of your personal data.
Data processing is carried out by the subjects and in the following ways:
a. By the owner and / or processors,
b. By means of the operations or set of operations indicated such as: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and distribution of data.
c. By using procedures – also computerized – in the ways and within the limits necessary to pursue the aforementioned purposes.

4. Legitimate interests pursued by the data controller or third parties
Nest Consulting Company Srl processes personal data, for the conduct of its business.
This report has been prepared, in compliance with EU Regulation 2016/679, to define and describe the security policies adopted by the Studio regarding the processing of personal data and the organizational criteria followed for their implementation and to provide suitable information on this matter also to third parties.
The information provided below is considered useful support to provide information suitable for assessing the security policy pursued by the Company.

5. Nature of personal data
Subjects processed are your personal, judicial, and administrative data – concerning the performance of the service requested by you.
During the provision of the service, it may be necessary to acquire and carry out processing operations of your personal, judicial, and administrative data.
The data processed will be of a purely ordinary nature; they are aimed at maintaining the commercial relationship stipulated previously by contract. You are asked to express your agreement in writing.

6. Aim of communication and dissemination of data
Your data may be communicated to:
• all the subjects to whom the right of access to such data is recognized by virtue of regulatory provisions;
• to our collaborators, employees, as part of their duties;
• to all those natural and / or legal persons, public and / or private, when the communication is necessary or functional for carrying out our activity and in the manner and for the purposes described above.

7. Transfer of personal data to another country
Your personal data will not be transferred to countries outside the EU or to international organizations.

8. Mode and duration of personal data retention
The invoices, the documents relating to collections and payments, and the different documents related to the activity are kept by the Company for the time necessary to fulfill the legal obligations.

9. Extreme identification of the owner, manager, and Privacy Officer
The data controller (DPI) is Massimiliano Cappelli, with registered office in Scandicci (FI) at Via Ernesto Codignola 20, telephone 055254676, mail: info@nestconsulting.it , PEC: nest.consulting@legalmail.it .
The employees and collaborators of the company in the performance of their duties are also appointed as data processors.
Given the organizational size, the Data Privacy Officer (DPO) is not provided.

10. Rights of the interested party
10.1 Article 15 (right of access), 16 (right of rectification) of EU Reg. 2016/679
The interested party has the right to obtain from the data controller confirmation that it is or is not undergoing the processing of personal data concerning them and – in this case – to obtain access to personal data and the following information:
a. the purposes of the processing;
b. the categories of personal data in question;
c. the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations;
d. the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
e. the existence of the right of the interested party to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment;
f. the right to lodge a complaint with a supervisory authority;
g. the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject.

10.2 Right pursuant to art. 17 of EU Reg. 2016/679 – right to cancellation (“right to be forgotten”)
The data subject has the right to obtain from the data controller the deletion of personal data concerning them without undue delay and the data controller is obliged to cancel the personal data without undue delay if one of the following reasons exists:
a. personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
b. the data subject revokes the consent on which the processing is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and whether there is no other legal basis for the processing;
c. (c) the data subject opposes the processing pursuant to Article 21 (1) and there is no legitimate overriding reason to proceed with the processing, or opposes the processing pursuant to Article 21 (2);
d. personal data have been processed unlawfully;
e. personal data must be deleted to fulfill a legal obligation under Union or Member State law to which the controller is subject;
f. personal data have been collected in relation to the information society service offer referred to in Article 8, paragraph 1 of EU Reg. 2016/679

10.3 Right referred to in art. 18 Right of limitation of treatment
The interested party has the right to obtain from the data controller the limitation of processing when one of the following hypotheses occurs:
a. the interested party disputes the accuracy of personal data for the period necessary for the data controller to verify the accuracy of such personal data;
b. the processing is illegal, and the interested party opposes the cancellation of personal data and asks instead that its use is limited;
c. although the data controller no longer needs it for processing purposes, personal data are necessary for the data subject to verify, exercise or defend a right in court;
d. the interested party has opposed the treatment pursuant to article 21, paragraph 1, Reg EU 2016/679 pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested part

10.4 Right referred to in Article 20 Right to data portability
The data subject has the right to receive, in a structured, commonly used and automatically readable form, the personal data concerning them provided to a data controller and has the right to transmit data to another data controller without impediments from part of the data controller.

11. Revocation of consent to treatment
You have the right to withdraw your consent to the processing of your personal data by sending a registered letter to the following address: Via Ernesto Codignola, 20 – 50018 Scandicci (FI), or via PEC to the address nest.consulting@legalmail.it accompanied by a photocopy of your ID, with the following text: << revocation of consent to the processing of all my personal data>>. At the end of this operation, your personal data will be removed from the archives within 60 days, except for data whose conservation is mandatory under current legislation in civil, tax, and administrative matters.
If you would like more information on the processing of your personal data, or exercise the rights referred to in paragraph 10 above, you can send a registered letter to the following address: Via Ernesto Codignola, 20 – 50018 Scandicci (FI), or via PEC at nest.consulting@legalmail.it. Before we can provide you, or change any information, you may need to verify your identity and answer some questions. An answer will be provided within 10 days.