Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and the Privacy Code (Legislative Decree 196/2003) expressly recognise the right of each individual to the protection of their personal data, understood as the right to exercise a power of control over the information concerning them.
The personal data processing that we carry out is explained below.


Personal Data (Data): any information concerning an identified or identifiable natural person (e.g. name, surname, tax identification number, phone number, licence plate, email address, photograph, etc.). They are divided into Special Data, which may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation, and Common Data, i.e. all Data that are not Special.
Data Subject: the natural person to whom the Data refer.
Data Controller (Controller): the natural or legal person, authority, agency or other body that determines the purposes and means of the processing of Data.
Processing: any operation performed on the Data (e.g. collection, recording, organisation, use, disclosure, etc.).
Data Processor (Processor): the natural or legal person, authority, agency or other body that processes Data on behalf of the Controller pursuant to Article 28 of the GDPR.
Person Processing Data: the person who processes Data under the direct authority of the Controller pursuant to Article 29 of the GDPR.
Further definitions can be found in Article 4 of the GDPR.


The regulations require that the Controller process the Data in accordance with the following principles, which the Data Subject should be aware of in order to understand the logic and methods used to carry out Processing:

  • lawfulness, fairness and transparency: each Processing must be lawful (according to the law), fair and transparent in relation to the Data Subject;
  • purpose limitation: Data must be collected for explicit, specified and legitimate purposes and processed only to achieve those purposes, except where permitted by law;
  • data minimisation: Data must be adequate, relevant and limited to what is necessary in relation to the purposes being pursued;
  • accuracy: Data must be accurate and, where necessary, kept up to date;
  • storage limitation: Data must be kept for the time necessary to achieve the intended purpose and then deleted or made anonymous, except where permitted by law;
  • integrity and confidentiality: the Data must be processed in such a way as to ensure appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
  • accountability: the Controller must be able to demonstrate compliance with all legal requirements;
  • privacy by default: the Controller, from the time of determining the means of processing and then, at the moment of Processing, shall implement appropriate technical and organisational measures in order to comply with legal requirements;
  • privacy by design: the Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only the Data which are necessary for each specific purpose are processed.


The Controller is Associazione Professionale Buttignon Zotti Milan & Co. (hereinafter the “Firm”), with office in Largo Europa 12, Padova (Italy), the partners of which are Prof Fabio Buttignon, Antonio Zotti and Giulia Milan.
The Controller can be contacted via the following email address info@bzm-advisory.com and phone number +39 049 650118.


When browsing this website, no data are collected other than those voluntarily entered by the User in the contact forms.


A request can be sent to the Firm using the Contact Form where the User is asked to enter their name, email address and the reason for the request.


A job application can be sent using the Form on the careers page where the User is asked to enter their name, surname, email, phone number and attach their CV.
Each Form contains specific information on the processing of the related Data.
The User may also contact the Firm using the contact details provided on the website (phone number, email, etc.).
With regard to cookies, please read the special section.
Data provided will be processed solely in order to respond to the request sent by the User. In the event a professional relationship is established, further information on this subject will be provided.


Common Data are processed for the purposes listed above. The legal basis for the Processing is Article 6(1)(b) of the GDPR, namely Processing that is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.


With regard to the purposes listed above, Data will be processed for 6 months after the last contact. If, on the other hand, the agreement is ended, the Data will be included in the documents relating to the professional relationship and will be kept in accordance with the policy subsequently provided.


Providing Data is optional. Failure to provide this Data may make it impossible to respond to requests.


The Controller has adopted the technical and organisational security measures required by the regulations in force.
The Data Subject may ask for a copy of the “General outline of the security measures in use” at any time.
An analysis of the risks relating to the Processing operations carried out has also been performed, in which the relevant risks as well as the protection measures adopted to eliminate or reduce them were identified for each processing method.


In addition to the Controller, Data will be processed by:

  • the Persons Processing Data who are employed by the Controller;
  • the independent Processors or Controllers belonging to the following categories: suppliers of IT services.

The Data are not disseminated, i.e. they will not be disclosed to unspecified persons.
The identification data of the system administrator can be obtained by simple request (oral or written) to the Controller via the contact details given above.


Data may also be transferred abroad by the Processors. The transfer will be carried out in compliance with the rules set out in the GDPR and, in particular, with the safeguards set out in Articles 45 (Transfer on the basis of an adequacy decision) and 46(2)(c) (standard protection clauses adopted by the Commission) of the GDPR. The Data Subject may request further information on this point from the Controller.


The Data Subject may exercise their rights by contacting the Controller at any time either by email to info@bzm-advisory.com or by phone +39 049 650118.
The Data Subject has the right to:

  • receive information relating to the Processing of their Data in a concise, intelligible and easily accessible form, in clear and plain language and in written form (Article 12 GDPR);
  • receive the information requested from the Controller without undue delay and in any event within one month of the request, unless otherwise provided for by law, free of charge except in cases where a reasonable fee can be charged (Article 12 GDPR);
  • be informed about the Processing of the Data at the time the Data are obtained (Article 13 GDPR) or within a reasonable period and, in any case, at the latest within one month or at the latest at the time of the first communication (Article 14 GDPR);
  • obtain confirmation from the Controller as to whether or not Processing is taking place and to obtain access to the Data pursuant to Article 15 GDPR and to have a copy of the Data being processed;
  • withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal where the processing is based on Article 6(1)(a) or Article 9(2)(a);
  • obtain from the Controller the rectification of inaccurate Data and the completion of incomplete Data without undue delay (Article 16 GDPR);
  • obtain from the Controller the erasure of Data without undue delay under the conditions and in the cases provided by Article 17 GDPR;
  • obtain from the Controller restriction of Processing pursuant to and for the purposes of Article 18 GDPR;
  • receive the Data provided to the Controller in a structured, commonly used and machine-readable (computer) format and to transmit those Data to another controller in the methods and cases referred to in Article 20 GDPR;
  • not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her, barring the exceptions provided for in Article 22 GDPR;
  • lodge a complaint with the supervisory authority in the Member State of his or her habitual residence, place of work or place where the violation occurred if he or she believes that the Processing violates the law (Article 77 GDPR); the supervisory authority in Italy is the Garante per la Protezione dei Dati Personali (Data Protection Authority) with headquarters in Piazza Venezia 11, 00187 Rome;
  • bring an action before a judicial authority against the Controller or the Processor if he or she considers that his or her rights under the law have been violated (Article 79 GDPR). The action may be brought before the courts of the Member State in which the Controller or the Processor has an establishment or of the State in which the Data Subject is habitually resident.


Under Article 21 GDPR, the Data Subject has the right to object on grounds relating to his or her particular situation at any time to processing of personal data based on the following legal grounds:

  • Article 6(1)(e) of the GDPR: the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Article 6(1)(f) of the GDPR: the Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

This right also covers profiling on the basis of these provisions.
The Controller shall refrain from further processing unless it can demonstrate that legitimate and compelling grounds exist for continuing processing which override the interests, rights and freedoms of the Data Subject, or unless the processing is needed for the establishment, exercise or defence of legal claims.
Where the Data are processed for direct marketing purposes, the Data Subject has the right to object at any time to the processing, including profiling, insofar as it is related to such direct marketing. In this case, the Data are no longer processed for that purpose.