SLS Avvocati (hereinafter also referred to as the “Law Firm”), with registered office in Corso Vittorio Emanuele II 15, 20122 – Milan (MI), Italy, in its capacity as Data Controller under Italian Legislative Decree 196/2003 and pursuant to EU Regulation 679/2016, recognises the importance of personal data confidentiality and protection as fundamental rights of the individual. Therefore, our first objective is to process data according to the strictest principles of lawfulness, fairness, purpose and storage limitation, minimisation, accuracy, integrity and at the same time ensure maximum transparency on the procedures and security measures adopted.
In light of the above, and in fulfillment of legal obligations, we issue the following information, provided pursuant to Art. 13 of EU Regulation 679/2016 (hereinafter the “GDPR”).
INFORMATION PURSUANT TO ART. 13 of the GDPR
The Data Controller is the law firm SLS Avvocati, in the person of Mr Natale Maria Sala (hereinafter also referred to as the “professional”), with registered office in Corso Vittorio Emanuele II 15, 20122 – Milan (MI), Italy. The Data Controller can be contacted via e-mail [email protected] or via certified e-mail [email protected]
- 2. Scope of data processing
This document describes the methods for managing the website www.slsavvocati.com (hereinafter also referred to as “the Website”) and processing the data of the Website’s users, as well as processing the data of those who, in their capacity as Clients or other capacity, have contact with or a relationship with the Law Firm or otherwise provide the Law Firm with their data for the purposes and under the additional terms and conditions of this document, or in relation to which SLS Avvocati performs data processing operations.
- 3. Type of data processed
The Law Firm processes the data of data subjects as well as third party data provided by Clients to the extent that such processing is necessary in order to discharge the professional assignments received.
The IT systems and software procedures responsible for the functioning of this Website acquire, during normal operation, certain data, the transmission of which is implicit in the use of Internet communication protocols. Such information is not collected in order to associate it with identified subjects, but by its very nature it could, with the use of processing and association with other data, including data held by third parties, enable users to be identified.
This data category includes the IP addresses or domain names of the computers used by users who connect to the Website, URI identifiers (Uniform Resource Identifiers) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user’s operating system and computer environment.
Such data are used only in order to obtain anonymous statistical data on use of the Website and to check that it is working properly and are deleted immediately after processing. Data may be used to ascertain responsibility in the case of hypothetical IT crimes against the Website. This category also includes data processed using cookies, in accordance with § 4 of the policy.
Data voluntarily provided by the user or collected by third parties
The optional, explicit and voluntary sending of an e-mail and its message (including the sending of CVs) to the e-mail addresses indicated on the Website, and the sending of messages through the published collection forms, entails the subsequent acquisition of the sender’s address and any other data entered in the message which are necessary in order to respond to requests, as well as any other data included in the message.
Specific summary information may be recorded or viewed from time to time and where strictly necessary in the webpages prepared for particular on-demand services.
In addition to the above, any further personal data (e.g. personal details, data concerning professional activity, position and company role, contact details such as company and/or personal phone number, e-mail address) provided to the Controller or in any case collected by the Controller from third parties, will be processed in compliance with this document and within the limits laid down by the GDPR.
Cookies are small pieces of data that enable statistics to be gathered on Website use and give an understanding of the browsing experience and needs.
Cookies can be broken down into two kinds:
- “first party” cookies are managed directly by the owner and/or editor of the website visited by the user;
- “third party” cookies are managed by entities not involved with the website visited by the user.
First party cookies
This Website uses technical cookies and browsing or session cookies in particular, which are essential so that the user can navigate the Website normally and use the related services correctly. As these are not saved on the user’s computer, they disappear when the browser is closed.
Third party cookies
The anonymous, aggregate information generated by the cookies on Website use by users will be transmitted and stored on the Google servers in the United States. Google will use this information to track and examine Website use, prepare reports on Website activities for the Website administrators and provide other services related to Website activities and Internet use.
- 5. Place and method of the data processing
The Website is hosted on machines managed by an external company located in Falkenstein (Germany), with the provider Hetzner. Moreover, data is backed up on a server located in Roubaix (France), with the provider OVH.
All data are processed in paper form and, predominantly, in electronic form. Such data are stored in a form that enables the user to be identified only for the time strictly necessary in order to achieve the purposes for which the data were originally collected and, in any case, within the limits of the law.
Specific security measures are observed in order to avoid the loss, unlawful or incorrect use of such data and unauthorised access, in compliance with the provisions of the GDPR.
In order to ensure that the data are always accurate, up-to-date, complete and relevant, we ask data subjects to inform us about any changes that may have occurred to such data by sending an e-mail to [email protected]
- 6. Purpose of the data processing
The purpose of the data processing is the full and proper discharge of the professional assignment received, whether judicial or non-judicial. Data subjects’ data will also be processed in order to:
- fulfil tax and accounting obligations;
- comply with the obligations incumbent on the professional under the regulations in force;
- perform marketing activities and professional and/or cultural training, if specific express consent has been issued, except where the data subjects are already Clients. In this latter case, the above communications can be sent even without consent, within the limits laid down by the GDPR;
- provide services that are accessible through the Website, as well as enable users to learn about and get more information on the activities, events and other institutional and training initiatives organised or provided by the Controller;
- manage and process, in relation to the previous point, applications and requests for interaction with SLS Avvocati, its professionals and subjects related to the Controller’s organisation.
Data may be processed using either paper or electronic archives and only using methods that are strictly necessary in order to carry out the above activities.
- 7. Legal basis of data processing
The Law Firm processes data subjects’ data lawfully, where the processing is:
- necessary in order to discharge the mandate, the contract to which the data subject is a party or to discharge the pre-contractual measures adopted upon request;
- necessary in order to fulfil a legal obligation incumbent on the professional;
- based on the express consent of the data subject (e.g. consent to receive the Law Firm’s newsletter or invitations to events or conferences).
- 8. Consequences of the failure to communicate data
Providing data for the purposes described above is optional and failure to provide such data will make it impossible for the Law Firm to follow through on requests from the users themselves.
- 9. Criteria for data storage
Data subjects’ data will be stored for the duration of the contract or mandate for the professional assignment received and, subsequently, for the time that the professional is subject to obligations to store such data for tax or other purposes, as provided by the law. In particular, with regard to marketing purposes and more specifically the sending of newsletters and/or invitations to cultural or training events, data subjects’ data are stored until consent is withdrawn or until the newsletter or conferencing service is discontinued.
- 10. Links to other websites
The Controller does not check and is not able to supervise the content or the data processing policies of the third party websites that may be accessed via links on the Website. Therefore, SLS Avvocati cannot be held liable in any way for processing performed through or in relation to third party websites.
- 11. Scope of communication, profiling and dissemination of data
Data subjects’ data are not, without express consent, subject to dissemination nor to any fully automated decision-making process, including profiling, except for communications that may be necessary and entail the transfer of data to public bodies, consultants or other persons, including in their capacity as external data processors, in order to comply with legal obligations.
- 12. Rights of the Data Subject
Data subjects, to whom the data refer, may at any time, when the legal conditions are met, exercise the following rights recognised by the GDPR:
- ask and obtain confirmation whether data regarding the data subject are being processed or not;
- if processing is in progress, ask the professional for and obtain access to the data and information related to the processing and request a copy of the data;
- ask for and obtain rectification of inaccurate data and supplement incomplete data;
- ask for and obtain, when one of the conditions under Art. 17, paragraph 1 of the GDPR is met, erasure of data concerning the data subject;
- ask for and obtain, when one of the cases referred to in Art. 18, paragraph 1 of the GDPR applies, the restriction of processing of the data subject’s data;
- obtain the portability of data concerning the data subject, i.e. to receive such data from the Controller in a structured, commonly used and machine-readable format and request transmission to another Data Controller without hindrance;
- object at any time to data processing, when particular situations occur concerning such data. In the case of objection, data will no longer be subject to processing provided that no compelling legitimate grounds exist for continuing processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims;
- where consent for data processing is required, withdraw consent previously given, limited to cases where processing is based on data subjects’ consent to one or more specific purposes and concerning common data (e.g. place and date of birth or place of residence) or particular categories of data (e.g. data that reveal racial origin, political opinions, religious beliefs, health status or sex life). Processing based on consent and performed before its withdrawal will not be affected and, therefore, remains lawful. Consent may be withdrawn by sending an e-mail to [email protected];
- lodge a complaint with a supervisory authority (Italian Data Protection Authority) if the data subject believes that their rights under the GDPR have been infringed and in accordance with the methods indicated on the Data Protection Authority’s website garanteprivacy.it.
Data may be communicated to third parties who are properly designated “Data Processors” and equipped with the appropriate safeguards under the law.
- 14. Data Protection Officer (“DPO”)
The Law Firm has not appointed a Data Protection Officer.
Last amended on 25/05/2018