Information pursuant to art. 13 and 14 of the European Regulation 679/2016 (GDPR)
The following information is provided pursuant to Article 13 of the European Regulation (EU) 2016/679 (hereinafter the “GDPR”) and refers to the processing of personal data carried out by LEONELLI & PARTNERS STUDIO LEGALE ASSOCIATO (hereinafter the “Firm”), for the performance of the activities necessary for the execution of the mandates conferred.
1) Data controller and personal data protection officer
The Data Controller is the Firm, in the person of Claudio Marcello Leonelli, Donatella Capizzi Maitan and Claudia Bordin, attorneys at law, domiciled in Milan, Via Besana no. 8.
The Data Controller may be contacted by email at firstname.lastname@example.org.
The Firm has not appointed a personal data protection officer (DPO).
2) Data processed and processing methods
For the purposes described below, the Firm processes the common personal data, belonging to special categories (pursuant to art. 9 GDPR) and judicial data – provided directly or indirectly, including through collaborators or employees, by clients (and their referents) – of the following categories of subjects (hereinafter the “Personal Data“):
(i) customers who are natural persons;
(ii) limited to personal and contact data, natural persons acting as contact persons for customers;
(iii) other persons in contact with the Firm in connection with the performance of the mandate.
(all collectively referred to as the “Data Subjects“).
Personal Data shall be temporarily stored in the Data Controller’s databases and shall be processed by means of both manual and computerized tools exclusively by persons authorized and specifically instructed to do so and shall in any case be processed in the manner strictly necessary to fulfil the purposes indicated below.
3) Purposes of the processing and legal bases
|PURPOSE OF PROCESSING||LEGAL BASES OF PROCESSING|
|1 – To carry out the professional assignment received as well as service communications||Performance of a contract to which the data subject is party, or of pre-contractual measures taken at the request of the data subject or the pursuit of the customer’s legitimate interest in defending his rights *|
|2 – To fulfil obligations under applicable legislation, including tax, accounting and ethical obligations||Fulfilment of a legal obligation to which the Firm is bound|
|3 – To assert and defend the Firm’s rights, including through out-of-court initiatives and third parties||Pursuit of the Firm’s legitimate interest in defending its rights *|
|4 – To keep the Firm’s historical archive||Pursuit of the Firm’s legitimate interest in the preservation and development of its know-how *|
* Data processing activities will be limited to what is strictly necessary for the pursuit of the stated purpose
4) Consequences of non-disclosure of personal data
All the Personal Data requested by the Firm are necessary for the pursuit of purposes 1 and 2. Consequently, failure to provide such data prevents the regular execution of the mandate received or the completion of the contractual relationship itself.
5) Data Retention
The Personal Data strictly necessary for the establishment and management of the professional mandate will be retained for its entire duration and for a period of 10 years and six months after its termination, in order to comply with the retention obligations to which professionals are subject and to ensure the Firm’s right of defence with reference to possible future disputes in judicial or administrative proceedings.
All data whose processing is necessary in connection with legal or tax obligations shall be retained for the duration of the law and, in order to ensure the Law Firm’s right of defence in respect of possible future litigation in judicial or administrative proceedings, for a period equal to the limitation period for the relevant actions, increased by a prudential period of six months.
These periods may be extended in cases where retention for a later period is required in connection with litigation, requests by competent authorities or under applicable law.
At the end of the indicated retention periods, relating to purposes 1), 2) and 3), the documents necessary to maintain the Firm’s historical archive will be filed in electronic format, including only the Personal Data inseparable from the aforementioned documents. This archive is kept separate from the archive in use and is accessible only to the Data Controller.
For the purpose 4), Personal Data shall be kept until the data subject exercises his/her right to object.
6) Communication of Personal Data
For the purposes described above, Personal Data may be communicated to
1) the Data Controller’s authorised processors (employees and collaborators);
2) consultants, accountants or other lawyers who provide functional services for the purposes indicated above;
3) banks and insurance companies that provide functional services for the purposes indicated above;
4) subjects who process the data in execution of specific legal obligations;
5) judicial or administrative authorities, for the fulfilment of legal obligations;
6) suppliers of IT services, who act as data processors for the Firm.
Only the category of recipients is indicated, as the relevant list is subject to updates and revisions. In any case, Data Subjects may obtain an updated list of recipients by contacting the Firm directly at the above-mentioned e-mail address.
Personal Data shall be temporarily stored in the Data Controller’s databases and shall be processed by means of both manual and computerized tools exclusively by authorized and specifically trained persons.
7) Rights of Interested Parties
Each Data Subject has the right:
- to lodge a complaint, pursuant to Article 77 of the GDPR, with the national supervisory authority of the European Union member state in which he or she has his or her habitual residence or place of work or where the alleged violation of his or her right has occurred; in the event that such state is Italy, the person to whom he or she may turn is the Italian Data Protection Authority;
- to object at any time, for reasons related to his/her particular situation, to the processing of his/her data for the purpose indicated in paragraph 3, nos. 3 and 4, as well as no. 1 if applicable.
In addition, each of the Data Subjects may at any time and free of charge exercise the following rights vis-à-vis the Data Controller, if the circumstances apply:
- Right of access: allows to obtain from the Data Controller confirmation as to whether or not personal data concerning the User are being processed and, if so, to obtain access to the Personal Data;
- Right of rectification: allows the User to obtain the rectification/integration of inaccurate/incomplete Personal Data;
- Right to cancellation: allows the User to obtain, in the cases provided for by the legislation, the cancellation of the processed Personal Data;
- Right to restriction of processing: allows the user to obtain, in the cases provided for by the legislation, the restriction (i.e. the marking of personal data stored with the aim of limiting their processing in the future) of the processing of personal data processed;
- Right to data portability: allows to receive in a structured, commonly used and machine-readable format, in the cases provided for by the legislation and limited to the data provided by the Customer to the Controller, the personal data processed and similarly the right to transmit such data to another data controller.