
Data protection

INFORMATION ON THE PROCESSING OF PERSONAL DATA OBLIGATIONS OF COOPERATION OF THE CLIENT WITH REGARD TO COMMUNICATION AND SECURITY OF PERSONAL DATA

ACTIVITIES IN THE CONSULTANCY AND FIDUCIARY FIELD

 

INTRODUCTION

The purpose of this document (hereinafter, the "Disclosure") is to inform Clients, potential Clients, persons interested in the services, users or visitors of the website or other communication channels and other persons who come into contact with the firm (hereinafter, in general, the "Client(s)") about the processing of personal data carried out within the scope of the advisory and fiduciary services covered by the respective mandate and within the website www.cortesiassociati.ch and related contact resources (e.g. e-mail and telephone number, hereinafter referred to collectively as the "Site"), such as (for example) the management and storage of the Client's file, telephone records and e-mail.

Paragraphs A and B specify the data Controller and contact persons and describe the mechanism for accepting and reviewing the Information Notice. Information on personal data processing activities is specified in paragraph C. The rights of data subjects are listed in paragraph D. Paragraph E describes the management of cookies. Finally, paragraph F defines the possibilities for amending this Policy, while paragraph G regulates the substantive law applicable to the legal relationship between the parties and establishes the competent court in the event of a dispute related to that relationship.

A.    DATA CONTROLLER AND COMMUNICATIONS

The data Controller (and of the Site), as the entity that establishes the purpose and means of the processing of personal data, is Cortesi & Associati SA, Via Cantonale 19, 6900 Lugano (Switzerland) (hereinafter, the "Data Controller").

Attention: since filters are used to protect the security of the Owner and the users, a communication by e-mail shall be considered received only in the presence of a reply or confirmation of receipt. Otherwise, the Controller may not consider the communication as delivered.

Contact:

  • Cortesi & Associati SA, Via Cantonale 19, 6900 Lugano (Switzerland)
  • General e-mail: (address hidden by the Site's spam protection)
  • Tel: +41 91 923 27 47

B.    ACKNOWLEDGEMENT OF THE INFORMATION │ ACCEPTANCE │ CHANGES │ COMMUNICATION TO THE PERSONS CONCERNED BY THE CLIENT

The Policy of reference is the official one in force at the time of use of the trust services, respectively access to the Site. The most up-to-date version can be viewed by activating the following link: https://cortesiassociati.ch/it/protezione-dati. Alternatively, it can be requested by e-mail or in hard copy.

It is the Client's responsibility to carefully check the status of the Information Notice during the contractual relationship, respectively prior to the use of the Site, the right of the Controller to update the Information Notice at any time being reserved, in particular according to the evolution of the applicable law, as well as the services provided to Clients.

The parties agree that the Client shall ensure that a hard copy or electronic copy of this Policy (and any amendment thereto) is sent independently and without delay, in the name and on behalf of the Controller, to the persons affected by the processing of personal data under its control during the contractual relationship. The Controller may at any time request documentary evidence of the transmission of the Information Notice or contact the persons concerned directly.

C.    PROCESSING OF PERSONAL DATA

Obligation to protect access credentials and personal devices. The use of the Internet and e-mail is exposed to security risks. The Client has a duty to ensure the security of his devices and passwords (in particular his e-mail passwords) by means of appropriate technical and organisational measures (see Sections 1 to 5 of the DPA). He shall indemnify and hold the Controller harmless from any damage and/or loss in this respect.

Obligation to communicate correct data as well as any changes to personal data. The data subject and the Client are responsible for the correctness of the personal data communicated to the Controller. The Client must communicate spontaneously, promptly and in writing (an e-mail will suffice for this purpose) any changes in his own or mandate-related personal data (including those of third parties) so that the registers/Client dossiers can be kept constantly up-to-date.

General Exclusion of Liability │ Obligations of the Client in respect of Electronic Communications. In view of the nature of the Internet as an "open network", the Controller does not guarantee that data supplied or received by the Client via this channel cannot be falsified, intercepted or acquired by unauthorised third parties.

The Client authorises the Controller to transmit by ordinary (non-secured) e-mail documents and/or information, including those containing personal and/or confidential data (even to the extent that they involve the payment of a sum of money, the execution of instructions or the sending of confidential documents), using the e-mail address provided by the Client (even in response to requests received by telephone, e-mail or other means of communication). The Client, in full awareness of the risks mentioned above, releases the Controller from any liability in the event of unauthorised access by third parties to personal and/or confidential documents and/or information transmitted or received by e-mail from the Controller. In the event of any doubt, the Client is obliged to check all communications received by telephone.

The Client is solely responsible for choosing his or her own e-mail and Internet access service provider for the proper and secure processing of his or her personal data outside the Controller's resources.

Specialised service providers in contact with personal data. The Controller uses external service providers, particularly in the field of information technology, to ensure the provision of its services to Clients. These providers only have access to the data to the extent that is strictly necessary for the performance of their tasks, subject to strict confidentiality and non-use obligations in relation to the personal data. In addition, they must be established in Switzerland or (where strictly necessary) in foreign states with the benefit of an adequacy decision by the Federal Council. For reasons of data security and computer systems, certain information may be anonymised or masked out.

Relationship with European data protection law

The Data Controller does not direct business to the EU, nor does it monitor the behaviour of those in the EU, so the General Data Protection Regulation (EU) 679/2016 (hereinafter "GDPR") is inapplicable. Swiss law offers adequate protection of personal data, as determined by the European Commission on 26 July 2000 (the adequacy decision can be downloaded here).

In the (exceptional) case of being subject to the GDPR, this document is valid as information pursuant to and for the purposes of Articles 13 and 14. In addition to benefiting from all the protections provided for by the GDPR, the Client may assert the rights as expressed in Articles 15, 16, 17, 18, 19, 20, 21, 22 GDPR, by addressing the Controller.

Without prejudice to any other administrative and jurisdictional recourse, if he/she considers that the processing of personal data concerning him/her violates the provisions of the GDPR, the Client has the right to lodge a complaint with the competent Data Protection Supervisory Authority (EU: list of National Authorities).

In no case are references to the GDPR to be understood as voluntary subjection to such legislation, respectively, to the supervision and/or decision-making power of any foreign authority (with respect to Switzerland).

Detailed information on personal data processing activities

   1. identity and contact details of the data Controller: see paragraph A. above

   2. purpose of the processing

  • communication and correspondence (including the right of the Controller to answer requests and also to call back by telephone a person by disclosing his identity / the calling number to the caller) with the Client;
  • start and definition of a mandate, management of the Client and the related dossier in compliance with the mandate contract and applicable law (including the acquisition of information and documents to the dossier) and execution of contractual relations;
  • archiving of the Client file at the end of the mandate and its destruction;
  • invoicing and collection of fees, advances and expenses;
  • management and support in the areas of accounting, payroll, tax declarations, IT, education and training, improvement of internal processes and other administrative tasks (of both the Client and the Controller); fulfilment of legal obligations and prevention and detection of violations. These include the fulfilment of information, communication or notification obligations, e.g. in connection with surveillance obligations, the fulfilment of filing obligations and the support in preventing, discovering and clarifying offences and other violations, but also the acceptance and processing of complaints and other communications, the surveillance of communication, internal or external investigations or the disclosure of documents to an authority, if the Controller has an objective reason or is legally obliged to do so;
  • assert claims of the Controller and defend against claims of others, including the safeguarding of rights, in judicial, preliminary and extrajudicial proceedings as well as before authorities in Switzerland and possibly abroad;
  • allow navigation on the Site;
  • perform anonymous analyses and statistics on the use of the Site for the purpose of optimising the security, usability and quality of services and content, as well as introducing new content, products, services, functions and interfaces.

   3. categories of personal data processed

  • contact/identification data of the Client and the natural persons connected with the mandate (e.g. relatives and beneficiaries, including information on the relationship with the Client), in particular: surname, first name, address, title, function, e-mail address, mobile or landline telephone number, official identification document, age, gender, citizenship, date and place of birth;
  • in the case of specific consultations within a certain scope, further data may also be processed, such as: titles, professional functions, marital status, date of marriage or divorce, inheritance data, age, gender, nationality and place of origin, information from identification data (e.g. from your passport, identity card or other identification document), tax register numbers and other information required to complete tax returns, AHV number, contract, policy and insurance number, information on pension or vested benefits institutions, date of joining and leaving employers, category of personnel, degree of capacity to work, degree of employment, duration of employment, salary data, housing data (real estate and rental relationships), leasing, company functions and organisational charts, contractual data in general, commercial, financial and credit data;
  • other data pertinent to the contractual relationship (in particular: reference consultant, information and documents necessary for the fulfilment of the mandate communicated by the Client or collected from persons, authorities or third parties on the Client's behalf or in the Client's interest, ordinary mail/email, sms/chat/other means of communication used by the Client);
  • technical data in general of those who contact the Controller (under a mandate or as a potential data subject) or use its Site, systems (including wi-fi networks) or other electronic means, such as: identification and content of communications, identity of the sender, e-mail, mobile or landline phone number; time and duration of calls; location of the caller (prefix/roaming); telecommunications data and metadata; IP address of the user's device; settings and features of the browsing program (name, language, plug-ins installed); approximate location based on the IP address (usually corresponding to the location of the Internet access provider); unique identifier of the mobile device (tablet, mobile phone, etc.) used; system usage logging protocols.

   4. categories of recipients of personal data

  • third parties known to the Client in fulfilment of the mandate contract;
  • parties providing IT and telecommunications services to the Controller (data processors), in particular in the areas of administration / maintenance / support and Cloud computing (word and data processing, archiving, backup, IT management and e-mail);
  • provider of hosting / administration / maintenance / design services for the Site;
  • parties providing services to the Data Controller in the marketing, legal, technical, accounting, administrative, tax and auditing fields (data processors);
  • credit institutions;
  • collection companies;
  • authorities, offices, courts and other public services.

   5. transfers abroad and protection guarantees adopted (in compliance with Switzerland)

  • the Controller processes data almost exclusively in Switzerland;
  • in special cases, it is possible for data to be transmitted abroad. In such cases, this takes place to states that are equal to Switzerland by virtue of having been granted an adequacy declaration by the Federal Council (cf. Appendix 1 of the Data Protection Ordinance) or where measures are in place to ensure adequate data protection (e.g. by concluding contracts concerning the transmission of data with recipients of personal data located in third states that provide the necessary data protection. These include contracts that have been approved, drawn up or recognised by the European Commission and the Federal Data Protection and Information Commissioner, known as standard contractual clauses). It should also be noted that such contractual measures partly compensate for weaker or missing protection, but cannot completely exclude all risks (e.g. from state access abroad). Transmission to countries without adequate protection may exceptionally also be permitted in other cases, e.g. on the basis of consent, in connection with judicial or administrative proceedings abroad or when transmission is necessary for the performance of a contract.

   6. rights of the data subject: see paragraph D. below

   7. duration of data retention

  • the Controller processes and retains personal data for as long as is necessary for the purpose for which it was collected.
  • generally, this is for the duration of the mandate contract and thereafter for as long as the Controller has a legitimate interest in retaining the information (e.g. for applicable statute of limitations, document retention, data security and know-how purposes). In addition, there may be a contractual or legal obligation to retain or document the data (e.g. in accordance with the Swiss Code of Obligations, tax legislation, etc.).
  • it is also possible that personal data may be retained for as long as claims can be asserted by or against the Controller (or other data Controllers) or to the extent that the Controller is otherwise obliged by law or its legitimate business interests so require (e.g. for purposes of proof and documentation). If the personal data is no longer needed, it will be deleted or anonymised as far as possible. In the absence of an explicit written agreement, the Controller is not obliged to retain personal data for a specific period of time.

   8. additions regarding data retention

  • as a rule, the originals of documents, including those concerning the Client (and other connected persons), as well as those transmitted to the Controller for the activities requested herein (such as tax declarations and their supporting documents, taxation notifications, bank documents, accounting receipts, payroll documents, etc.) are not kept in paper form by the Controller, but only in electronic form.

D. RIGHTS OF CONCERNED PERSONS

Legitimation and exercise. The data subject may exercise his/her rights in writing by means of a reasoned request to be sent by ordinary mail (for contact details, see section A above) or electronically (by e-mail) to the Data Controller, attaching the necessary proof of identity and legitimation.

Rights. If subject to the provisions of federal data protection law (DPA), under the conditions laid down by law, data subjects have the following rights in particular in relation to their personal data:

  • obtain rectification or erasure of personal data;
  • be informed if personal data concerning you are being processed;
  • request a restriction on the processing of data or object to it in general;
  • obtain delivery of your personal data or demand that they be transmitted to third parties;
  • have it established that the processing of personal data is unlawful.

If the Client has given consent to processing, it may be revoked at any time. This does not affect processing that has already taken place. Once notification of withdrawal of consent has been received, the Controller will cease processing, unless there is another legitimate interest or legal limitation (e.g. in the case of obligations to retain or process certain data, if there is an overriding interest of the Controller (to the extent such interests can be invoked), if required to maintain confidentiality or if the Controller needs the data to enforce its rights). If the exercise of certain rights involves costs for the Client, this will be communicated in advance.

Advice and information request

In order to promote transparency and a relationship of trust with Clients, the Controller may be contacted by e-mail or by telephone on +41 91 923 27 47.

Questions concerning the rights of data subjects in relation to the processing of personal data and their exercise in the private sector may be addressed to the Federal Data Protection and Information Commissioner (FDPIC), who can be contacted via the online form (link).

E. COOKIES

What are cookies?

Cookies are small text files deposited in the user's system by servers during web browsing. Thanks to cookies, the servers are able to recognise the user's navigator (browser) during the current navigation and on subsequent visits.

Types of cookies. Cookies are divided into various types.

  • When the party depositing the cookie on the user's system coincides with the site visited, the cookie is called a "first party" cookie.
  • "Session" cookies are automatically deleted when the user closes the browser, while "persistent" cookies remain stored until their expiry date. "Technical" cookies make it possible to browse the web safely and easily and to provide the services and content requested by the user.
  • "Analytical-statistical" cookies are assimilated to technical cookies when they are used directly by the site to collect information, in aggregate form, on the number of users and how they interact with the site.
  • "Tracking" / "profiling" cookies are cookies, generally third-party cookies, used to detect and analyse the user's online behaviour, in particular in order to serve personalised advertisements.

Which cookies the Site implements:

The Controller may make use of suppliers who may in turn install cookies for the proper functioning of the services it provides. For information about these third party cookies and how to disable them please access the links below:

  • Privacy policy for the use of Google Analytics. This website uses Google Analytics, a web analytics service provided by Google Inc., which generates so-called "cookies", text files that are stored on the user's device and which enable an analysis of the use of the website. The information generated is transmitted to a Google server in the USA and stored there. However, if IP anonymisation is activated on this website, your IP address will be truncated by Google in advance in all member states of the European Union or other parties to the European Economic Agreement. Only in exceptional cases will the full IP address be sent to a Google server and shortened thereafter. Google will use this information for the purpose of evaluating your use of the website, compiling reports and statistics. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. The IP address provided to Google Analytics will not be merged with other Google data or services. You can prevent the installation of cookies via your browser settings. However, if you do so, some features of the site may no longer be available and may not function properly. By using this website, you consent to the processing of data about you by us and Google in the manner and for the purposes set out above.

For privacy assurance purposes, the Controller itself does not track the data of users of the Site and does not implement alternative technologies for tracking users. For this reason, the Site does NOT have a cookie banner.

Use of social media “plug-in” and “widget”:

For privacy assurance purposes, the Site does NOT implement social media plug-ins/widgets or alternative user tracking technologies.

F. AMENDMENT OF THIS POLICY

This Information Notice may be unilaterally adapted by the Data Controller at any time, in particular if data processing methods change or new legal provisions come into force. For data processing, the updated version of the Policy published on the Website applies: www.cortesiassociati.ch (which can also be requested from the Controller). Please consult the Site and our Policy regularly for any updates or changes.

G. APPLICABLE LAW AND PLACE OF JURISDICTION

The legal relationship between the Client and Cortesi & Associati SA, Lugano, also with reference to the access and use of the Site (and connected resources) is governed by Swiss substantive law, excluding the rules of international private law.

The exclusive place of jurisdiction in the event of a dispute arising out of or simply connected with the use of the Site (and related resources) is Lugano, Switzerland.

Version: 25.04.2024

This notice in English has been translated from the binding version in Italian that can be downloaded from our website.