Privacy Policy

This Privacy Policy refers to the website (hereinafter, the ‘Website’) and does not affect any other websites which may be reached through links to other websites/web pages contained therein. This policy has been published under the terms of the EU General Data Protection Regulation (hereinafter, the ‘GDPR’) and the applicable Italian legislation (hereinafter, referred to jointly as the ‘Applicable Legislation’) and is for the benefit of all those who interact with the Website (hereinafter ‘Users’ or, when the singular is appropriate, ‘User’) by browsing its contents.
For specific information about our use of cookies, please see our Cookie Policy, which is to be understood as an integral part of this Privacy Policy.

    The Data Controller is Studio Pasotto & Partners, located at Via Albere 29/A, 37138 – Verona (VR), Italy, social security/VAT no. 03794860233, hereinafter also referred to as ‘Data Controller’ or simply ‘Controller’.
    For any clarification or further information, or to exercise the rights laid down in this Cookie Policy, you may contact the Data Controller in the following ways:  tel +39 045577977, e-mail:, certified email:    

    The personal data processed through the website is as laid down below. 
    1. Browsing data
      As part of their normal functions, the IT systems enabling the Website to function acquire personal data in an aggregate and not immediately identifying form; the transmission of this information is inherent to the use of internet communication protocols. This type of data is not gathered in order to be associated with identified parties, but by their nature could make it possible to identify Users if processed and collated with data held by third parties. This type of technical/computing data is used only for the purposes of gathering anonymous or aggregate statistical data concerning Website use, ensuring that the services offered through the Website are correctly provided and detecting any problems and/or misuse. This data is deleted after being processed. 
    2. Data provided voluntarily by the user
      Through the Website, Users can voluntarily provide personal data, such as:
      • personal data provided by the User (for example: name, surname, email address, telephone number and any other details inserted in the message field) by filling out the form contained in the ‘Contact Us’ section of the Website;
      • personal data provided by the User and gathered through the ‘Work For Us’ section of the Website (for example: name, surname, email address, telephone number, town and postcode, the personal information contained in their CV, any other information provided in the message field). To this end, applicants/data subjects are invited not to provide any details which could reveal their state of health, racial or ethnic origin, religious convictions, political opinions, sex life or any other type of information considered as special under the terms of art. 9 of the GDPR. Any special data provided by the User will be immediately deleted in the absence of express written consent to its being processed. Users are also invited not to provide any information regarding criminal records, as laid down in the Applicable Legislation. If the User provides this type of data, it will also be immediately deleted.
      The Data Controller will handle the User’s data in compliance with the Applicable Legislation, assuming that it refers to the User themself or to third parties who have expressly given their permission to the User to provide it, or whose personal data the User has the right to provide. On this matter, the User undertakes to exempt and exonerate the Data Controller from any and all protests, claims, and requests for compensation for damages regarding the processing of their personal data lodged by such third parties.
    3. Cookies and other tracking tools
      For information on the types of cookies used by the Website, please refer to our Cookie Policy.  

    The data gathered will be handled for the purposes and on the legal bases listed below:

     aProvide responses to any requests for information/clarification made using the form available on the Website.
    Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [art. 6(1)(b) of the GDPR].
    • Provide a response to job applications sent by Users using the email address given in the ‘Work For Us’ section of the Website;
    • Carry out the various stages of the personnel selection process, including but not limited to: receiving and storing CVs on the Controller’s database, evaluating the information contained in a CV in order to decide whether the applicant is suitable for being offered employment or an internship with the Controller, organizing interviews and all other necessary tasks
    Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract [art. 6(1)(b) of the GDPR].

    In the event of the applicant voluntarily adding special data to their CV, the legal basis for the data processing consists of the applicant expressly giving their consent at the same time (for example, inserting their consent at the bottom of the page or in the text of the covering email) [art. 9(2)(a) of the GDPR].  
     cMake marketing communications relating to Studio Pasotto & Partners and/or the services it offers, by email or telephone; these communications include a promotional newsletter.
    The data subject has consented to the processing of his or her personal data [art. 130 of Leg. Act  196/2003, known as the ‘Privacy Code’ – art. 6(1)(a) of the GDPR].
     dFulfil the Controller’s legal obligations, including replying to any requests from Users to exercise their rights as data subjects pursuant to the Applicable Legislation.Processing is necessary for compliance with a legal obligation to which the controller is subject [art. 6(1)(c) of the GDPR].
     eInvestigate the possibility of fraudulent or illicit use of the Website and ensure that it is both secure and functional for Users and the Controller alike.It is in the legitimate interest of the Controller and the Users in order to prevent or detect any fraudulent or otherwise illicit use of the Website [art. 6(1)(f) of the GDPR].
     fCarry out surveys/statistical analyses on aggregate or anonymous data, i.e. without being able to identify the User, as well as measuring site traffic and assessing Website use and the interest shown by Users.It is in the legitimate interest of the Controller to measure the usability and attractiveness of the Website [art. 6(1)(f) of the GDPR].
     gAssess, exercise or defend legal claims in judicial proceedings or any time the judicial authorities interveneIt is in the legitimate interest of the Controller to assess, exercise or defend a right in judicial settings or any time the judicial authorities exercise their functions [art. 6(1)(f) of the GDPR].
    Provision of data by Users is entirely optional. However, failure to provide the requested data, whether completely or in part, could lead to it being impossible for the Website to provide the required service and/or the User to receive responses to any requests for information/clarification or requests to exercise their rights as a data subject.

    Data is processed using manual and/or digital instruments, all of which employ suitable methods to ensure security and confidentiality. For this purpose, the Data Controller has adopted and implemented both technical and organizational security measures of an adequate kind for the level of risk associated with the processing operations performed.
    Specifically, the Website functions are provided through an encrypted HTTPS connection, and the personal data provided is gathered, filed and stored on secure servers protected by firewalls which are physically located within the European Union.

    Data is processed by members of the Controller’s staff who have been expressly authorized to do so as part of their responsibilities, and also by Data Managers specifically identified in writing, according to their individual responsibilities and in compliance with the instructions given to them by the Controller, ensuring that suitable measures for the security of the processed data are employed and guaranteeing that it remains confidential; these subjects may be companies, consultants or professionals engaged to install, perform maintenance on or update the Website and, in more general terms, to manage the hardware and software employed by the Controller, including hosting providers and cloud computing service providers. The complete list of Data Managers is available upon request.
    Data may moreover be forwarded to the following categories of recipients:
    • subjects, organizations or public authorities to which, as independent data controllers, it is mandatory to forward Users’ personal data to comply with legal obligations or orders from the authorities, or to prevent and/or assess any fraudulent activities or misuse of the Website or the services offered by the Controller;
    • legal firms, professional partnerships, consultants or freelance professionals (for example, firms providing legal, administrative and/or financial consultancy) which the Controller has appointed to process data in full compliance with all the legal obligations it is bound by and/or to assist with assessing, exercising or defending a right in court or through out-of-court proceedings, or any time the judicial authorities exercise their functions.

    The servers used by the Controller’s hosting provider are located within the European Economic Area (EEA). This means that Users’ personal data will not be transferred to extra-European countries or international organizations.

    The personal data provided by Users will be stored for a period not exceeding the time necessary to fulfil the previously stated purposes for which it is being processed.
    • data processed for the purpose of responding to requests for information/clarification will be stored for a maximum of six months after receipt of the last request for information/clarification received by the Controller from a given User. In the event that the request for information/clarification leads to the signing of a contract, the retention time for the data will be ten years from the time of the contract being signed, in order to allow the Controller to demonstrate that it has duly fulfilled its contractual obligations;
    • data processed for the purpose of responding to job applications sent by Users, which are necessary in order to proceed with the personnel selection procedure, will be stored for a maximum of 12 months from receipt of the CV, except in the event that the application leads to an employment contract/freelance arrangement, in which case the time will be adjusted accordingly; 
    • data processed for the purpose of sending marketing/advertising materials will be stored for a maximum of 24 months from the time of the User giving their consent to their data being used for this purpose; the User may withdraw their consent at any time without prejudice to the legality of the data-processing activities performed on the basis of the consent given prior to the withdrawal; 
    • data processed in order to comply with legal obligations will be retained for as long as is necessary to complete the procedure and in adherence to the minimum retention times foreseen by the law applicable at the time or, in the event of there being no set period, for as long as is necessary to demonstrate compliance with the obligation; 
    • data processed in order to pursue a legitimate interest of the Controller and/or a third party will be retained until said interest has been satisfied; this period will, however, not exceed the term laid down by the law for the expiry of the period allowed for filing protests or for the further time necessary to enforce or undergo enforcement of orders issued by the judicial or administrative authorities and/or of arbitration awards and/or resolutions taken/agreements reached through out-of-court proceedings.

    Users and/or third parties on whose behalf Users provide data have the right to:
    • Request and obtain confirmation whether there are currently data-processing activities taking place which concern them, and if so, gain access to the data and to certain relevant information, including but not limited to, information concerning: a) the purpose(s) of the data processing; b) the categories of personal data being processed; c) the subjects or categories of subjects to whom the personal data has been or will be forwarded; d) the data retention time or, if there is no set time, the criteria used to establish this period; e) the origin of the personal data, in the event that it was not provided by the User;
    • Request and obtain updates to the data, corrections to any inaccurate data or, when in the User’s interests, supplement any incomplete data;
    • Request and achieve the deletion of the data in the event that: a) the data is no longer necessary for fulfilment of the purpose(s) for which it was gathered or processed originally; b) the User wishes to protest against their data being processed based on the principle of the Controller’s legitimate interest and there is no longer any predominant legitimate reason to continue processing the data; c) the data has been processed illegally; e) the data has to be deleted by the Controller in order to fulfil a legal obligation;
    • Request and obtain restrictions to the data-processing activities in the event of: a) doubts being raised as to the accuracy of the data, for the time needed by the Data Controller to perform the required checks; b) the Controller having processed the data illegally, should the User not wish their data to be deleted but instead prefer to impose a restriction on its use; c) a right of the User being assessed, exercised or defended in judicial proceedings, provided that the Controller no longer needs the data for the stated purpose(s); d) there being a waiting period while a dispute over whether the Controller’s legitimate reasons prevail over the User’s or vice versa is resolved;
    • In the cases where processing of the data is based on a contract and is carried out using electronic devices, the User may request and receive the data pertaining to them in a structured, commonly used format which can be read by an electronic device, and, if technically feasible, request the Controller to forward the data directly to another data controller;
    • For reasons connected with the User’s special situation, protest against their personal data being processed, either in whole or in part, even if it is relevant to the stated purpose(s) of the data collection;
    • When the data is processed following receipt of the User’s express consent, withdraw that consent at any time without prejudice to the legality of the data-processing activities performed on the basis of the consent given prior to the withdrawal;
    • Protest to the Personal Data Protection Authority under the terms of and pursuant to art. 77 of the GDPR and articles 140-bis and subsequent of the Italian Privacy Code, should the User believe their rights as laid down in the Applicable Legislation have been violated.
    The Data Controller will inform each of the recipients to which the personal data was forwarded of any amendments or deletions or restrictions to the processing activities performed, except when this proves impossible or requires unjustifiable effort.

    As data subjects, Users can exercise the above rights at any time by contacting the Data Controller at the addresses and numbers given above.
    To make a protest to the Personal Data Protection Authority, data subjects can use the forms provided on the Authority’s own website.

    This Privacy Policy is subject to amendments and/or supplementation and/or updates, which may occur following changes to the Applicable Legislation. In this case, the Data Controller will inform Users about the amendments and/or supplementation and/or updates concerning the Privacy Policy by publishing the news on the Website.

Last updated: 15.05.2023