Information regarding circularization processes
Consistent with the values of transparency and diligence that we share, AUDIT4FIRM provides the following information regarding the processing of personal data.
Disclosure pursuant to Articles 13 and 14 of the GDPR as part of the external confirmation procedures required for the performance of audit assignments
Pursuant to Article 26 of European Regulation No. 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data (in short, "GDPR"), the auditing firm AUDIT4FIRM S.r.l. (hereinafter, "FORFIRM AUDIT") provides this notice, pursuant to Articles 13 and 14 of the GDPR (in short, "Notice") regarding the processing of personal data acquired for the purpose of the performance of audit engagements conferred by client companies.
a) Identity and contact details of AUDIT4FIRM
AUDIT4FIRM S.r.l.
Corso Sempione, 15/A, 20145, Milano MI, Italy
Tax code and VAT number: 03742420122
PEC: forfirmauditsrl@legalmail.it
b) Purpose of the processing for which the personal data is intended and legal basis
Personal data is processed for the following purposes:
(i) fulfill the pre-contractual and contractual obligations regarding audit assignments as governed by European Union law and national legislation, as well as by the applicable Auditing Standards;
(ii) fulfill the obligations established by national and community laws and regulations (e.g. anti-money laundering and anti-terrorism legislation) or, as applicable, by regulations in force in third countries;
(iii) comply with an order from judicial authorities or from bodies or entities to whose supervisory power AUDIT4FIRM is subject;
(iv) carry out the provisions of the AUDIT4FIRM procedures regarding organisational, managerial and operational processes and aspects relating to the assignment and execution of tasks as well as relationships with customers (e.g. checks on independence and potential conflicts of interest, risk management and quality control);
(v) exercise the rights of AUDIT4FIRM, in particular, the right of defense in court.
The processing of personal data carried out for the purposes indicated above is necessary to implement the regulatory provisions in force and to carry out the audit assignments conferred by AUDIT4FIRM's clients, in application of the relevant obligations established by national and European Union law and by contractual agreements, as well as, more generally, for the pursuit of the legitimate interest (including that of third parties with whom AUDIT4FIRM's client companies have commercial relationships) in the regular execution of this activity and the consequent expression of the opinion on the financial statements.
The processing therefore does not require the consent of the interested parties.
c) Categories of personal data processed
In accordance with Article 4, no. 1, GDPR, "personal data" (hereinafter also "Data") means any information relating to a natural person who is identified or identifiable, directly or indirectly, by means of any identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of that person's physical, physiological, genetic, mental, economic, cultural or social identity, and which has been acquired by AUDIT4FIRM through client companies or from private databases and/or public registers.
For the purposes of carrying out audit assignments, taking into account the characteristics of the audit activity, in some cases it may also be necessary to process particular categories of Data such as, by way of example but not limited to, those referred to in article 9, GDPR (for example, Data suitable for revealing the state of health), or Data relating to criminal convictions and crimes or connected to security measures, as defined by article 10, GDPR.
d) Categories of recipients of personal data
As part of the execution of audit assignments, the Data may be made accessible to:
(i) corporate bodies and other bodies existing within the client companies that have assigned the task, according to the governance model adopted,
(ii) external bodies (including private ones), Italian or foreign, which carry out supervisory activities on client companies, on the group to which the company belongs and/or on AUDIT4FIRM (for example, Consob, Bank of Italy, Ivass), public administrations, as well as judicial authorities in the context of civil, criminal or administrative proceedings,
(iii) employees and collaborators of AUDIT4FIRM, in their capacity as authorized data processing staff (or so-called "Data Processors"),
(iv) external companies and bodies and trusted professionals of AUDIT4FIRM who carry out activities functional to the execution of audit tasks or other tasks assigned to AUDIT4FIRM,
(v) other auditors, in the cases provided for and regulated by the law and the applicable auditing standards, as well as upon specific request of the client companies,
(vi) other third parties who carry out outsourced activities on behalf of AUDIT4FIRM, also for the purposes of data storage, in their capacity as data controllers,
(vii) professionals appointed by client companies for the execution of other assignments or by third-party companies for the execution of assignments in which the client companies have an interest (e.g. due diligence assignments in which the client company is involved).
The updated list of managers and authorized data controllers is kept at the AUDIT4FIRM headquarters.
e) Transfer of personal data abroad
The Data may also be transferred and stored outside the European Union, including countries that do not guarantee an adequate level of protection. In any case, such transfers will always take place in compliance with the conditions set out in articles 45 and 46, GDPR.
The management and storage of personal data takes place in the cloud and on servers located inside and outside the European Union, owned by and/or available to AUDIT4FIRM and/or third-party companies duly appointed as data controllers.
Any transfer abroad of data to non-EU countries takes place in compliance with current regulatory provisions, as well as in compliance with the provisions adopted by the European Court of Justice and by national and foreign authorities regarding the protection of personal data.
The Data will not be disclosed.
f) Data retention period
The Data will be kept for the entire duration of the professional relationship with the client company that conferred the assignment. Starting from the date of termination of this relationship for any reason or cause, the Data will be retained for the time established by the applicable Auditing Standards regarding the conservation of the documentation of the audit work, as well as for the limitation periods applicable ex lege, increased by twelve months.
In any case, the Data will be kept for the time necessary for the fulfillment of specific regulatory obligations (e.g. anti-money laundering legislation), as well as for any need to ascertain, exercise or defend AUDIT4FIRM's rights also deriving from the need to demonstrate the regular execution of the Audit Engagement.
g) Rights of the interested party
In compliance with the provisions of Chapter III, Section I, GDPR, the interested party may exercise the rights contained therein and in particular:
Right of access - Obtain confirmation as to whether or not data relating to the interested party is being processed and, in this case, receive information relating to, among others: purposes of the processing, categories of data processed and retention period, recipients to whom these can be communicated (Article 15, GDPR),
Right of rectification - Obtain, without unjustified delay, the rectification of inaccurate data concerning the interested party and the integration of incomplete personal data (Article 16, GDPR),
Right to cancellation - Obtain, without unjustified delay, the cancellation of the Data concerning the interested party, in the cases provided for by the GDPR (Article 17, GDPR),
Right of limitation - Obtain from AUDIT4FIRM the limitation of processing, in the cases provided for by the GDPR (Article 18, GDPR),
Right to portability - Receive the Data provided to AUDIT4FIRM in a structured, commonly used and machine-readable format, and obtain that the same are transmitted to another controller without impediments, in the cases provided for by the GDPR (Article 20, GDPR),
Right to object - Object to the processing of Data concerning the interested party, unless there are legitimate reasons for AUDIT4FIRM to continue processing (Article 21, GDPR),
Right to lodge a complaint with the supervisory authority - Lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali; information and contact details on the website www.garanteprivacy.it).
The interested party may send a request to exercise these rights by means of a communication to be sent to the office of the Data Protection Officer via the PEC address indicated above.
h) Methods of processing
The processing of Data by AUDIT4FIRM is carried out by means of the operations indicated in Article 4, no. 2, GDPR, performed with or without the aid of IT systems, namely: collection, recording, organisation, structuring, updating, conservation, adaptation or modification, extraction and analysis, consultation, use, communication by transmission, comparison, interconnection, limitation, deletion or destruction of Data.
AUDIT4FIRM undertakes, from now on, to keep confidential the Data and information received for the purpose of carrying out the Services and to adopt measures to ensure adequate protection of the same, guaranteeing the necessary confidentiality regarding their content. The confidentiality obligations indicated above will also remain effective beyond the date on which the performance of the tasks conferred by AUDIT4FIRM's clients is completed.
In compliance with the provisions of Article 32, GDPR, taking into account the nature, scope, context and purposes of the processing, AUDIT4FIRM declares that it has implemented adequate technical and organizational measures, also with regard to the particular categories of Data referred to in Articles 9 and 10, GDPR, to guarantee a level of security appropriate to the risk, which include, by way of example and not exhaustively: (i) the encryption of Personal Data; (ii) the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to promptly restore availability and access to Data in the event of a physical or technical incident; (iv) a procedure to regularly test, verify and evaluate the effectiveness of the technical and organizational measures in order to guarantee the security of the processing.
This page has been self-translated; for more precise information, please contact us.