Clients’ Privacy Notice


CARAVATI PAGANI – Dottori Commercialisti Associati (hereinafter only “CARAVATI PAGANI”), with Taxpayer’s Code and VAT No. 01186760037, with registered offices at Piazza De Filippi No. 7 in Arona (NO), at Via Giosué Carducci No. 31 in Milan (MI), and at Via Beltrami No. 47 in Gozzano (NO), acting as Data Controller of the personal data you voluntarily disclosed under Regulation (EU) No. 679/2016, General Data Protection Regulation (GDPR), henceforth also referred to as only the “GDPR”, recognises the importance of protecting personal data and considers their protection one of the main objectives of its activity.

We hereby provide, in accordance with Article 13 of the GDPR, the necessary information regarding the processing of personal data relating to an identified or identifiable natural person (data subjects, e.g. clients and other natural persons, also acting in the name and on behalf of clients that are legal persons, associations and organisations). Therefore, before you provide any personal data, CARAVATI PAGANI asks you to carefully read this notice because it contains important information regarding the protection of personal data and the security measures taken to ensure their confidentiality in full compliance with the legislation in force.

CARAVATI PAGANI informs you that your personal data will be processed using manual, computerised and/or electronic means and will be processed lawfully, fairly and in a transparent manner; they will be collected for specified, explicit and legitimate purposes, and will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation); they will be accurate and processed in a manner that ensures appropriate security of the personal data, in order to safeguard the rights and freedoms of the data subject. Your personal data will therefore be processed with logic strictly related to the purposes mentioned below, in accordance with the provisions of the GDPR and, otherwise, to ensure the security and confidentiality of the same data.


“GDPR” (i.e. General Data Protection Regulation) means Regulation (EU) No. 679/2016 of the European Parliament and of the Council and it is applicable from May 2018 on the protection of natural persons with regard to the processing of personal data.

“Personal data” means any information relating to an identified or identifiable natural person (the “Data Subject”) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Special categories of personal data” means personal data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic data, data concerning health or data concerning sex life or sexual orientation of the data subject.

“Judicial data” means personal data relating to criminal convictions and related offences or security measures.

“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  1. Purpose of the Processing

The Data Controller processes the personal data you voluntarily disclosed (orally, with business cards, e-mail, delivery of documents through the Data Controller’s website, etc.), for example: name, surname, place and date of birth, residential address and domicile, registered office of the workplace, business name, VAT number, taxpayer’s code, landline or mobile telephone number, fax number, e-mail address, certified PEC e-mail address, employer company, role and/or corporate salary scheme, bank details, etc.

CARAVATI PAGANI will process such data in accordance with the GDPR, assuming that they refer to you, your company or to third parties, including family members who have expressly authorised you to provide them, according to a suitable legal basis which legitimises the data processing in question. With respect to the foregoing assumptions, you are positioned as an independent data controller, thereby undertaking all legal obligations and responsibilities. In this respect, you accordingly provide the broadest indemnity for any dispute, claim, request for damages from processing, etc. that CARAVATI PAGANI may receive from third parties whose personal data have been processed at your request and/or in execution of the granted mandate.

  2. Purpose and legal basis of the processing, obligatory or voluntary nature of the provision, consequences of refusal, consent

Your personal data will be processed:

  I. without your express consent (Article 6, letters b, c, f, of the GDPR) for the following purposes:
    a) to fulfil the pre-contractual and contractual obligations arising from a potential professional job position; more specifically, to execute the mandate with which the Data Controller is vested as the tax, accounting, corporate and legal consultant. This task requires drafting all acts, documents and declarations required to fulfil the obligations under civil and tax legislation, in relation to the characteristics of the person and of the activity carried out (for example: preparing and filing personal income tax declarations, preparation and filing with the Chamber of Commerce for Industry, Agriculture and Craft, all kinds of agreements, Chamber of Commerce company registration reports, land registry documents, accounting books or records, etc.), and to meet any other request made by the client;
    b) for administrative and management purposes and to fulfil the obligations provided by law (such as accounting and tax or anti-money laundering obligations), by a regulation, by EC legislation or by an order of the Authority, to which the Data Controller is subject;
    c) for the purposes necessary to establish, exercise or defend a right in court or whenever the judicial bodies exercise their judicial powers.
  II. with your consent (Article 7 of the GDPR) for the following purposes:
    a) to send the newsletter containing information and communication material, articles and publications, also regarding the professional business of the Data Controller.

The legal basis of the processing of the personal data for the purposes laid down in paragraph I, sub-paragraph a) above is to execute an agreement to which you are a party or to execute pre-contractual measures adopted at your request, therefore to execute the pre-contractual and contractual obligations as regards the privities established and/or to be established with you.

The legal basis of the processing of the personal data for the purposes laid down in paragraph I) b) is to fulfil a legal obligation to which the Data Controller is subject, while the purpose of paragraph I) c) is the pursuit of the legitimate interests of the Data Controller. Please be informed that, taking into account the purposes of the processing as illustrated above, the provision of your personal data for the purposes set forth in paragraph I) is mandatory. Any failure on your part to provide [your data], whether partial or incorrect, and/or any expressed refusal to the processing will make it impossible for the Data Controller to respond to your requests, to fulfil the contractual obligations arising from the mandate or a legal obligation to which the Data Controller is subject or the requests of the competent authorities.

The provision of data for the purposes set out in paragraph II) above is optional, with the consequence that you may decide not to provide your consent or to withdraw it at any time.

When processing your data for the purposes illustrated in paragraph I) above, we might also become aware of special categories of personal data, as defined above in the introduction. For these reasons, we ask you to provide your consent in writing to the processing of such data, stating that you will have the right to withdraw consent at any time, without affecting the lawfulness of the processing based on the consent given before its withdrawal.

  3. Data processing procedures and storage period

Your personal data are collected and processed by the Data Controller in accordance with the principles of lawfulness, fairness and transparency, in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The data collected will be processed using electronic or automated means, information technology and computerised systems, or through hard copies, with logic strictly related to the purposes for which the personal data were collected and, in any event, in a manner that ensures the security of the same and for the time strictly necessary to achieve the purposes for which they were collected, except when necessary to store the data to comply with the obligations under the laws in force, also after terminating the processing or until the time allowed by Italian law to protect the interests of the Data Controller.

More information on the storage period for personal data and on the criteria used to determine this period may be obtained by writing to the Data Controller.

  4. Categories of recipients of personal data

Notwithstanding communications made to fulfil legal and contractual obligations, all your personal data collected and processed may be shared, exclusively for the purposes specified above, with the following categories of recipients:

  • employees and independent contractors of the Data Controller, in their capacity as persons tasked with processing personal data, which have undertaken an obligation of confidentiality, or have an appropriate legal obligation to do so;
  • persons, companies, firms or other third parties with which the Data Controller maintains the relations required to conduct their tasks for the abovementioned purposes or required by law, which have received a specific mandate and for the time necessary to achieve the purposes for which the data was collected, which typically act as Data Processors of CARAVATI PAGANI;
  • courts or supervisory bodies, administrations, agencies and public bodies, in the performance of their duties.

The Data Controller ensures that the abovementioned recipients process your personal data in accordance with the laws in force.

  5. Communication of personal data

Without the need for your express consent (Article 6, letters b, c, f, of the GDPR), the Data Controller may disclose your personal data for the purposes listed above to supervisory bodies, courts, insurance companies for the provision of insurance services, banks and credit institutions, professionals and consultants, third parties in general, including platforms that offer storage services and to exchange data you specifically indicated, etc., as well as to those persons to whom the communication is a legal or contractual obligation or is to fulfil your specific request, with the clarification that these persons will process data in their capacity as independent data controllers.

In any case, your personal data will not be disclosed.

  6. Storage and transfers of personal data

Your personal data are stored on servers located at the registered offices of the Data Controller, inside the European Union. It is in any event understood that the Data Controller, where necessary, shall have the right to move servers also outside of the EU. In this case, the Data Controller henceforth ensures that the transfer of data to non-EU countries will be in accordance with the provisions of applicable law, after entering into the standard contractual terms provided for by the European Commission.

  7. Rights of the Data Subject

In accordance with the provisions of the GDPR, you are entitled to exercise the following rights:

  1. right of access – to obtain confirmation as to whether or not personal data concerning you are being processed, and where that is the case, access to the personal data and the following information regarding, more specifically: the purpose of the processing, the categories of personal data concerned and the envisaged period for which the personal data will be stored, the recipients or categories of recipient to whom the personal data have been or will be disclosed (Article 15 of the GDPR);
  2. right to rectification – to obtain without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed, including by means of providing a supplementary statement (Article 16 of the GDPR);
  3. right to erasure – to obtain the erasure of personal data concerning you without undue delay, in the cases provided for by the GDPR (Article 17 of the GDPR);
  4. right to restriction of processing – to obtain from the Data Controller restriction of processing, in the cases provided for by the GDPR (Article 18 of the GDPR);
  5. right to data portability – to receive the personal data concerning you, which you provided to the Data Controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, in the cases provided for by the GDPR (Article 20 of the GDPR);
  6. right to object – to object to the processing of personal data concerning you, unless the Data Controller demonstrates compelling legitimate grounds to continue the processing (Article 21 of the GDPR);
  7. right to withdraw your consent at any time without affecting the lawfulness of processing based on the consent given before its withdrawal;
  8. right to lodge a complaint with the supervisory authority – to lodge a complaint with the Italian Data Protection Authority, with registered office at Piazza di Montecitorio No. 121, 00186 Rome (RM).

  8. How to exercise your rights

You may exercise your rights at any time by sending:

  • a registered letter to: CARAVATI PAGANI, Piazza De Filippi No. 7 – 28041 Arona (NO)
  • an e-mail to the following address:

  9. Data Controller

Under the GDPR, the Data Controller of the data processing is CARAVATI PAGANI – Dottori Commercialisti Associati, as defined above. For any information related to the processing of personal data of CARAVATI PAGANI, including the list of the Data Processors processing data, please write to the following e-mail address:

  10. Amendments

This notice has been in force since 25 May 2018. CARAVATI PAGANI reserves the right to modify it or to merely update its contents, in part or completely, also when resulting from variations of the laws in force, and we suggest that you regularly visit the specific section of our website to become aware of the latest version of the same.