EU VAT Solutions
+39 02 86912130 [email protected]
Article 13 & 14 GDPR · Italian Privacy Code

Privacy Policy

This notice describes how CiDATax SRL processes personal data of website visitors, prospective clients, clients and other stakeholders, in compliance with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Codice Privacy) as amended by Legislative Decree 101/2018.

Last updated: 30 May 2026 Effective: 30 May 2026 Version: 1.0 Document language: English (Italian version available on request)

01.Data controller

The data controller (titolare del trattamento) is:

CiDATax SRL (società a socio unico)
Sede legale: Via Luigi Russolo 7/9, 20138 Milano (MI), Italia
P.IVA / Codice Fiscale: 14563450965
REA: MI 2791958
PEC: [email protected]
Email: [email protected]
Telephone: +39 02 86912130

CiDATax SRL is subject to the direction and coordination of AVASK Global Compliance Ltd (Kew Road Parkshot 5, Richmond, Surrey, United Kingdom), pursuant to Articles 2497 and following of the Italian Civil Code.

A Data Protection Officer (DPO) has not been formally appointed at the date of this notice, as CiDATax SRL is not required to designate one under Article 37 GDPR. Privacy enquiries should be sent to the contact details above and will be handled by the responsible internal officer.

02.Categories of personal data we process

We process the following categories of personal data, depending on your interaction with us:

  • Identification and contact data: name, surname, business email address, business telephone number, company name, role/title, country.
  • Commercial information: estimated turnover range, products and services of interest, target markets, source of enquiry.
  • Communication content: the content of messages you send us, attachments, meeting notes.
  • Technical data: IP address, browser type and version, operating system, referring URL, pages visited, session duration, time-zone, generic location at city level (via IP).
  • Cookie and analytics data: anonymised behavioural data collected by analytics cookies where you consent. See our Cookie Policy for details.

We do not knowingly collect special categories of personal data (Article 9 GDPR) through this website. If you spontaneously include sensitive information in a message to us, we will process it only to respond and will delete it as soon as the response is completed.

03.Purposes of processing and legal bases

We process your personal data for the following specific purposes, each on a distinct legal basis under Article 6 GDPR:

Purpose Legal basis Retention
Responding to enquiries submitted via our contact form, email or telephone Art. 6(1)(b) GDPR – pre-contractual measures at your request 24 months from last contact
Provision of professional services under engagement letter Art. 6(1)(b) GDPR – performance of contract 10 years from end of engagement (Italian fiscal & civil law requirements)
Compliance with Italian tax, accounting and anti-money-laundering obligations Art. 6(1)(c) GDPR – legal obligation 10 years (Art. 22 DPR 600/1973, Art. 2220 c.c.)
Sending the CiDATax weekly briefing newsletter Art. 6(1)(a) GDPR – your consent, revocable at any time Until consent withdrawn
Strictly necessary technical operation of the website Art. 6(1)(f) GDPR – legitimate interest in operating a functional website Session-based (see Cookie Policy)
Anonymised analytics to improve website performance Art. 6(1)(a) GDPR – your consent via cookie banner 26 months maximum
Defence in legal proceedings, complaint handling Art. 6(1)(f) GDPR – legitimate interest in protecting our rights Term of applicable limitation period

04.Sources of personal data

We collect personal data primarily directly from you, through:

  • The contact form on this website;
  • Emails, telephone calls and meetings you initiate;
  • Information you provide during onboarding for our services;
  • Cookies and similar technologies, where you consent (see Cookie Policy).

In limited circumstances we may collect or verify your personal data from publicly available sources (Camera di Commercio registers, EU VIES VAT verification, official tax administration databases) where this is required to perform our services or comply with legal obligations.

05.Recipients of personal data

Your personal data may be shared with the following categories of recipients, each acting as data processor or autonomous data controller:

  • Group companies: AVASK Global Compliance Ltd and other entities within the AVASK Group, for coordinated service delivery and group reporting.
  • Italian tax authorities: Agenzia delle Entrate, Agenzia delle Dogane, INPS, where required by law in the performance of our services.
  • Foreign tax authorities: where you have engaged us to act before them as your fiscal representative or agent.
  • Professional advisors: external counsel, auditors, accountants engaged on a specific matter on a need-to-know basis.
  • Technology service providers: hosting providers, email service, CRM platform, all bound by written data processing agreements under Article 28 GDPR.
  • Producer Responsibility Organisations and competent authorities, where you have engaged us for EPR registration and reporting.

We do not sell or rent personal data, and we do not share it for marketing purposes with any third party.

06.Transfers outside the European Economic Area

Some of our service providers, and our parent company AVASK Global Compliance Ltd, are established in the United Kingdom. The United Kingdom is currently covered by an adequacy decision of the European Commission (Decision 2021/1772), so transfers to the UK do not require additional safeguards.

For any other transfer outside the EEA where no adequacy decision applies, we rely on the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) supplemented by transfer impact assessments where required by the Schrems II framework.

You may request a copy of the safeguards in place for any specific transfer by contacting us at [email protected].

07.Retention periods

We retain personal data for no longer than necessary to fulfil the purposes for which it was collected, as specified in the table at section 03. After the retention period expires, data is securely deleted or anonymised.

Italian record-keeping requirements Italian fiscal and civil law (Article 22 DPR 600/1973, Article 2220 Codice Civile) requires retention of accounting documents, fiscal records and supporting evidence for ten years from the end of the relevant fiscal period. This legal obligation overrides shorter retention preferences where applicable.

08.Your rights as a data subject

Under Articles 15 to 22 GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15) – obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification (Art. 16) – correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) – request deletion in defined circumstances, subject to legal retention obligations.
  • Right to restriction (Art. 18) – limit our processing in defined circumstances.
  • Right to data portability (Art. 20) – receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) – object to processing based on legitimate interest, and at any time to direct marketing.
  • Right to withdraw consent (Art. 7(3)) – withdraw consent at any time where consent is the legal basis, without affecting the lawfulness of prior processing.

To exercise any of these rights, write to us at [email protected] or via PEC at [email protected]. We will respond within one month of receipt of your request, extendable by two further months for complex cases.

Right to lodge a complaint You also have the right to lodge a complaint with the Italian supervisory authority, the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it), or with the supervisory authority of your country of residence.

09.Automated decision-making and profiling

We do not use your personal data for fully automated decision-making that produces legal effects on you or similarly significantly affects you (Article 22 GDPR). Where AI-augmented tools assist our advisors in document review, classification or initial analysis, the final assessment and any decision is always taken by a qualified human professional.

10.Security measures

We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in line with Article 32 GDPR. These include:

  • Encryption of data in transit (TLS 1.3) and at rest where stored on cloud services;
  • Role-based access control with least-privilege principles;
  • Multi-factor authentication for all staff accessing client data;
  • Written data processing agreements with all service providers;
  • Internal data-breach response procedures with 72-hour notification to the Garante where required by Article 33 GDPR;
  • Regular staff training on data protection and information security;
  • Physical security of premises housing client documentation.

11.Changes to this privacy notice

We may update this privacy notice from time to time to reflect changes in our practices, regulatory requirements or in response to specific events. Material changes will be notified through a prominent banner on this website and, where you are an active client or newsletter subscriber, by email. The "Last updated" date at the top of this notice indicates when it was last revised.

12.Contact us

For any question about this privacy notice or about how we process your personal data:

CiDATax SRL – Privacy & Data Protection
Via Luigi Russolo 7/9, 20138 Milano (MI), Italia

Email: [email protected]
PEC (certified email): [email protected]
Telephone: +39 02 86912130