[email protected]


+39 02 55014101

Sede Italiana

Via G. Donizetti, 4
20122 Milano IT

customers and suppliers

disclosure for processing of personal data

In compliance with the provisions of D.Lgs 196/03 as emended and of the Regulation (EU) 2016/679 of the European Parliament and Council (“General Data Protection Regulation” or “GDPR”), Stefano Boeri Architetti S.r.l., with registered office at Via Donizetti 4 – 20122 Milano, VAT Registration No. 07526210963, acting in its capacity as Controller, informs you of the procedures and purposes of the processing of your personal data.

1. Data which are subject to the Processing 

During commercial negotiations, or the stipulation and performance of contracts or commercial agreements with Stefano Boeri Architetti S.r.l., you will be asked for or you will provide the following data to Stefano Boeri Architetti S.r.l.:

– personal identification information (e.g. name, surname, Taxpayer Identification Number, VAT Registration Number, address, telephone, e-mail address, bank details, etc.) of the owner or legal representative of your company.
– Possibly, but not always, the personal identification information (e.g. name, surname, e-mail address, telephone number) of your employees or contract workers.

2. Legal basis and purpose of processing 

Your personal data, as described hereinabove, shall be processed by Stefano Boeri Architetti S.r.l.:

a) in order to perform activities leading to the stipulation and performance of contracts, and to satisfy legal obligations stemming from existing relationships with you, and possibly allow the Controller to exercise its own rights, e.g. its right to defence in court;
b) the personal identification data of Your employees and/or contract workers may instead be processed by Stefano Boeri Architetti S.r.l. in support of its own legitimate interest in managing communications as necessary to perform the agreement made with You;
c) the personal data of Your Owner, Your Legal Representatives or Your employees and/or collaborators may also be handled by Stefano Boeri Architetti S.R.L. for the transmission of any communications relating to the activities carried out by Stefano Boeri Architetti S.r.l., or invitations to events organized by Stefano Boeri Architetti S.r.l. or to which his staff participates. The legal basis of the treatment for such purposes is the legitimate interest of the Owner, expected that Stefano Boeri Architetti S.r.l. believes that, on the basis of the relationship with You, between Your reasonable expectations is to receive invitations and information about the Owner’s activities. In any way Stefano Boeri Architetti S.r.l. has carefully balanced the above-mentioned interest in relation to the fundamental rights and freedoms of the persons concerned, which are not in any way compromised by the abovementioned treatment.

All other purposes shall be covered by a dedicated disclosure and eventual, specific, separate consent. 

3. Processing procedures 

The personal data shall be processed by means of the operations indicated in Article 4(2) GDPR, and specifically through the collection, recording, organisation, storage, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, block, communication, deletion, and destruction of the data. 

The personal data shall be subject both to paper and electronic and/or automated processing. 

The Controller shall adopt appropriate security measures to prevent the unauthorised access, disclosure, modification, or destruction of the personal data. 

The personal data shall be processed not only by the Controller but also by the Controller’s employees, contract workers, consultants, and professionals. They shall always do so within the framework of the purposes mentioned hereinabove and after their being designated by the Controller as authorised parties, including specific instructions as necessary to comply with personal data protection regulations. 

Your data shall not be distributed and shall be rendered accessible, only for the purposes indicated in Article 2 hereinabove, to the Controller’s employees and contract workers in their capacity as internal persons in charge of the processing and/or internal data processors, to external consultants for the management of tax and social security contribution compliance, and to system administrators as well as eventually transmitted to third parties that will operate as autonomous Data Controllers (Control Authorities, Banking Institutes, Insurance Institutions, etc.).

The personal data shall be managed and stored on servers located within the European Union and managed by the Controller. The servers are currently located in Italy. 

The data treated for the purposes set forth above to chap. a) and b) Art. 2 above, shall not be transferred outside the European Union. Regardless, it is agreed that the Controller may also move the servers to another country in the European Union and/or outside the European Union if necessary. In that case, Stefano Boeri Architetti S.r.l. hereby assures that the data shall be transferred outside the European Union in compliance with the provisions of applicable laws, after stipulating agreements guaranteeing an adequate level of protection and/or by adopting the standard contractual clauses required by the European Commission.

Personal data treated for the purpose set forth to letter c) of art. 2 above, shall be treated also by using the services provided with Mailchimp. 

MailChimp is a Newsletter distribution platform owned by the US provider Rocket Science Group, located in LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.

The email addresses, name and surname of people included in our Newsletter list are stored on the MailChimp servers in the USA to allow MailChimp to spread our Newsletters more quickly and in a more personalized way.

MailChimp uses this information to send and evaluate the Newsletters on our behalf.

Please note that emails sent with Mailchimp contain a “web beacon”, such as a pixel file, which is retrieved by the MailChimp server each time the email is opened. This means that when our email is received, technical information is collected and is used to improve the newsletter distribution services. The information can be give evidence of the specific recipient of the newsletter only in case of technical necessity. The statistical survey allows us to know if the newsletters have been opened, when and what links have been consulted. This type of information helps us adapt the contents of our newsletters and send You emails always of your interest.

In any case, we inform you that, as included in the list for sending the Newsletter, we will send the recipient an e-mail to give notice of it and to allow him, if he does not agree to receive our newsletter, to deactivate the service simply and quickly by clicking a button in our email.

If any further information is required, we suggest you to read the specific Privacy Policy for Newsletter published on our website

4. Duration of the processing

The data will be stored for the entire duration of the contractual relationship. After termination of the relationship, the data shall be stored, in protection of the Controller’s rights and in such a manner as to be accessible only when necessary, for a period of time corresponding to the statute of limitations on any rights that might be claimed against the Controller. That period varies according to the type of information and any occurrence of causes for the interruption or suspension of the statute of limitations.

Once those terms for record retention expire, the collected datatreated for the purposes set forth above to chap. a) and b) Art. 2shall be eliminated from all computer and/or paper media.

The collected data treated for the purposes set forth above to chap. c) Art. 2 shall be treated until the opt out communication from Newsletter service.

5. Nature of the provision of data and consequences of failure to provide them

Provision of the data and issuance of the consent to processing for the processing indicated at Article 2 hereinabove are absolutely necessary to accomplish the purposes described hereinabove. Failure to provide the collected data might render it impossible to pursue the aims mentioned hereinabove.

The opt-out option from Newsletter service in no way compromises the processing of data for the purposes referred to in points a) and b) of art. 2 above.

6. Data subject’s rights

In connection with the purposes of processing, you may exercise the rights envisaged in Articles 15 et seq. GDPR, and in particular the right to:

• access, or to obtain confirmation whether or not information concerning you exists, to know their origin, and the logic and purposes on which the processing is based, the recipients or categories of recipients to whom the data may be transmitted, and determination of the data retention period, if that can be defined;
• correction of inexact data;
• deletion (“right to be forgotten”), when the data are no longer necessary for the purposes of the data collection, or when the data subject has revoked his/her consent to the processing (when that consent is envisaged as optional or when there are no legal grounds for the processing);
• limitation, the right to have the Controller limit access to the personal data by all those parties who have a service agreement or employment agreement with the Controller. In all cases, the Controller guarantees access to his or her special category and judicial personal data to a restricted number of persons to guarantee the security, integrity, and accuracy of those data;
• portability, the right to receive the personal data concerning the data subject in a structured and commonly used format that can be read by an automated device, with the possibility of transmitting them to another Controller. This right shall not apply to non-automated processing (e.g. archives or paper records). Moreover, only the data that are processed with the data subject’s consent may be processed, and only if the data have been provided by the data subject himself/herself;
• opposition, i.e. the right to oppose processing for reasons connected with your own particular situation;
• complaint, to be sent to the personal data protection authority: Garante per la Protezione dei dati personali, Piazza di Monte Citorio n. 121 – 00186 Roma ([email protected]; telephone + 39 06 69677.1; fax + 39 06 69677.3785).

Moreover, pursuant to Article 7, paragraph 3, GDPR, you are granted the right to revoke your consent at any time. The revocation of consent does not prejudice the legality of the processing based on your consent before revocation.

7. Procedure for exercising rights 

The data subject may exercise his/her rights at any time, as provided at clause 8 hereinabove, by sending:  

– a certified letter with return receipt to Stefano Boeri Architetti S.r.l., at its office at Via Donizetti 4 – 20122 Milano, VAT Registration No. 07526210963

– an e-mail to

8. Controller, data processors, and persons in charge of the processing 

The Controller is Stefano Boeri Architetti S.r.l. with office at Via Donizetti 4 – 20122 Milano, VAT Registration No. 07526210963.  

The updated list of categories of data processors and persons in charge of the processing is kept at the registered office of the Controller. 

Confirmation upon having read and promise to share the disclosure

We declare we have read the disclosure and we promise to share the disclosure to employers and collaborators, whose personal data are transmitted to and processed by Stefano Boeri Architetti S.r.l. who processes data for the business.