Lexia Avvocati, as the data controller, pursuant to Article 13 of EU Regulation No. 2016/679 (“GDPR”), hereby gives notice that the data provided by users (the “Data Subjects” or the “User”) through the website www.lexia.it (the “Site”), regardless of the mode and tool used, will be processed in the following manner and for the following purposes.
The Personal Data Controller
The Data Controller of the Personal Data is Lexia Avvocati, with a registered office in 20121 Milan (MI), Via del Lauro 9 and P. IVA 10584260961 (hereinafter, the “Data Controller”).
The Data Controller provides the following e-mail address for any communication:
The Data Controller may designate one or more persons responsible for the processing of Personal Data under Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental, or support activities by adopting all those technical and organizational measures appropriate to protect the rights, freedoms and legitimate interests that are recognized by law to the Data Subjects.
Object of processing
The object of the processing will be single processing operations, or a set of such operations (such as, by way of example only: collection, recording, organization, storage, processing, communication, modification, selection, use), on the following personal data provided by the Data Subject when using the services provided by the Data Controller through the Site (the “Personal Data” or the “Data”):
In general, the Data processed are:
(a) Data spontaneously provided by the Data Subject.
The optional, explicit, and voluntary sending of messages (including by electronic mail) to the contact addresses of the Data Controller, the filling in of contact forms and forms, the registration to reserved areas and/or services offered by the Data Controller through the Site (i.e. the requests formulated from time to time by the Data Subject through the Site), entail the acquisition of contact data. Such data (personal details, payment details, interests, and other personal content of the Data Subject) are necessary to fulfill the Data Subject’s requests, as well as any other Personal Data included in correspondence or within the scope of the services accessible through the Site. The following are the Data collected: first name, last name, telephone, email, company, country, address, city, and zip code.
In this case, the Data collected will be processed exclusively to respond to the requests of the Data Subjects, who may be contacted by email, telephone, or through other communication systems, if provided.
The Personal Data spontaneously provided by the Data Subject will be kept for the time needed to satisfy the requests received or for the performance of the services. In any case, Personal Data may be kept for a period not exceeding 10 years after the fulfillment of the requests received from the Data Subject.
(b) Navigation Data
The computer systems and software procedures used to run the Site acquire, in the course of their normal operation, certain Personal Data of the Data Subject whose transmission is implicit in the use of Internet communication protocols, including:
- IP addresses, addresses in URI/URL notation (Uniform Resource Identifier/Locator) of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.);
- other parameters relating to the operating system and computer environment used by the Data Subject.
Although this information is not, by its nature, intended to be associated with identified subjects, it is associated with other Data held by third parties (e.g. internet service providers), which could allow the identification of the Data Subjects (e.g., IP addresses, domain names of the PCs used, URL addresses of the resources requested, time of the request, numeric code indicating the status of the response given by the server).
The Data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning.
Browsing Data will be kept for the time necessary to carry out the activities of analysis and comparative statistical processing, not exceeding 7 (seven) days. Browsing Data are analyzed with Analytics 4, with a retention period of 14 months.
(c) Cookies and other technologies for reading/storing information on the Data Subject’s terminal.
While browsing the Site, Personal Data may also be collected through the use of cookies. In this regard, please refer to the “Cookie Policy,” available below.
Legal Basis of Processing
The Data Controller will process the Personal Data in accordance with the provisions of the GDPR and the applicable personal data processing legislation under the following legal bases:
- as the User’s Personal Data is necessary to perform the general terms and conditions of services agreed between the User and the Data Controller. This includes the transmission of communications that relate to the use of the Site. In some cases, this may also include the processing of the User’s Personal Data to enable the Data Controller to transmit suggestions and/or options for using the Site and/or the services offered by the Data Controller, etc.; and/or
- as the User’s Personal Data is necessary for the performance of pre-contractual measures requested by the User from the Data Controller; and/or
- if the User’s Personal Data is subject to profiling, based on the User’s express written consent; and/or if the User’s Personal Data is subject to processing for direct marketing purposes as described below, based on the User’s express written consent; and/or
- where the User has given consent for one or more specific purposes; and/or
- because the User’s Personal Data is necessary for the performance of a task of public interest or the exercise of public authority vested in the Data Controller; and/or
- the processing is necessary for the pursuit of the legitimate interest of the Data Controller or a third party; and/or
- to fulfill legal obligations to which the Data Controller is subject.
Where the processing of Personal Data takes place based on a legitimate interest, the Data Controller will process Personal Data to:
- identify and correct errors in the Site, or identify functionality of the Site to be improved, through the use of information such as browser type, operating system, local and language settings, and general activity on the Site, along with any specific feedback provided by the User; and/or
- understand and evaluate how, when, and why Users use the Site to provide, evaluate, improve, and optimize it; and/or
- personalize the experience related to the Site to ensure the most useful, efficient, and pertinent environment possible; and/or
- define strategic business decisions through the creation of anonymized aggregated Personal Data sets that enable the generation of useful information about patterns or trends of Users.
The processing of Personal Data based on a legitimate interest will take place only where the processing is relevant, appropriate, and limited to what is necessary for collection and processing and related to the Site and/or the services offered by the Data Controller. In this regard, the Data Controller is committed to ensuring that its legitimate interests do not unduly and disproportionately affect the User’s rights and freedoms.
In any case, it is always possible to request the Data Controller to clarify the legal basis of each processing and in particular, to specify whether the processing (i) takes place based on the provisions of the GDPR and the regulations on the processing of personal data applicable from time to time, (ii) is provided for by a contract or necessary to conclude a contract.
Methods of processing
The processing of Personal Data:
- is carried out by using the operations indicated in Art. 4, para. 1, no. 2 of the GDPR, namely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of Data;
- is also carried out with the aid of electronic or otherwise automated means. In this regard, please note that the Personal Data processed through the use of electronic or automated means are stored in electronic archives on servers located on German territory (Frankfurt);
- is also carried out through the use of electronic mail or other remote communication techniques.
Purposes of processing
The Personal Data collected may be used for the performance of contractual and pre-contractual obligations and legal obligations, as well as for the following purposes:
- External processing of payments by credit card, bank transfer, or other means: to process payments from Data Subjects via external platforms that acquire the Payment Data without the Data Controller having access.
- Personal Data is disclosed to PayPal (Europe) S.r.l., Banca Sella (Banca Sella Holding S.p.A.).
- Sending emails or newsletters and mailing list management: to contact the Data Subject with emails containing commercial and promotional information related to the Site and the services offered.
- Personal Data is disclosed to Mailchimp.
- Storage, hosting, and backend infrastructure management: to handle the technical infrastructure for storing Data of Data Subjects.
- Personal Data is disclosed to Aruba Business.
- Statistics only with anonymized data: to perform statistical analysis based on aggregate data or data that does not identify the Data Subject.
- Personal Data is disclosed to Google LLC, https://policies.google.com/privacy.
- Monitoring, analysis, and tracking of the behavior of the Data Subject: to monitor and analyze how the Data Subject behaves on the Site.
- Personal Data is disclosed to Google LLC https://policies.google.com/privacy;
- LinkedIn Corporation https://www.linkedin.com/legal/privacy-policy;
- Meta Platforms, Inc. https://www.facebook.com/privacy/policy.
- Data Subject Registration and Authentication: to enable the Data Subject to register on the Site to log in and be identified.
- Electronic Invoicing: to generate electronic invoices, communicate to the Interchange System, and store invoices.
Transfer of Personal Data
The management and storage of the Data will take place mainly in Europe, on servers of third-party companies appointed as data processors.
The Data Controller may also provide access to the Site and related services in other countries. In this case, the transfer of Data to such countries is strictly limited to an actual need to know. The Data Controller will take the necessary measures to protect the User’s Personal Data and prevent unauthorized access.
If Personal Data is also transferred outside the European Union, the Data Controller ensures the application of the European Commission’s standard contractual clauses to ensure a secure international transfer of Personal Data, in accordance with Articles 44, 45, and 46 of the GDPR.
Security Measures
The Data Controller has taken a variety of security measures to protect Data against the risk of loss, misuse, or alteration, consistent with the measures expressed in Article 32 GDPR.
Consequences of not providing Personal Data
Without prejudice to the Data Subject’s right to provide Personal Data to the Data Controller, the provision of Personal Data may be:
- mandatory to provide the services accessible through the Site;
- optional for purposes related to the performance of commercial information and/or marketing of the services provided by the Data Controller; and
- mandatory for purposes related to the fulfillment of obligations under applicable laws and/or regulations, as well as provisions issued by the competent supervisory and/or control authorities/bodies.
Any refusal by the Data Subject to provide Personal Data to the Data Controller may result in the Data Controller’s inability to provide the requested services and make access to the Site available.
In addition, please consider that the revocation of one or more permissions and/or consents, or the failure of the Data Subject to give them, may have consequences for the proper functioning of the Site, the possibility to access and/or use it properly, and/or the provision of the services by the Data Controller.
Rights of the Data Subject
The Data Subject may exercise the rights provided for in Chapter III of the GDPR within the limits and under the conditions provided:
- access to the Data (art. 15): the Data Subject has the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning him/her is being processed and, if so, to obtain access to the Personal Data in a commonly used electronic format and certain information about the processing (e.g. purposes, categories of Data processed, recipients, transfers outside the EU, implementation of profiling activities, etc.);
- rectification of Data (Art. 16): the Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning him/her without undue delay and/or the integration of incomplete Personal Data, including by providing a supplementary statement;
- erasure of Data or “right to be forgotten” (Art. 17): the Data Subject has the right to obtain from the Data Controller the erasure of Personal Data concerning him/her without undue delay, and the Data Controller has the obligation to erase the Personal Data without undue delay;
- restriction of processing (Art. 18): the Data Subject has the right to obtain from the Data Controller the restriction of processing;
- portability of Data (Art. 20): the Data Subject has the right to receive in a structured, commonly used and machine-readable format Personal Data concerning him or her that has been provided to a Data Controller and has the right to transmit such Data to another Data Controller without hindrance from the Data Controller to whom he or she has provided it;
- objection to processing (Art. 21): the Data Subject has the right to object at any time, based on his or her particular situation, to the processing of Personal Data concerning him or her pursuant to Article 6(1)(e) or (f) of the GDPR, including profiling based on these provisions.
Retention of Data
The Personal Data, which is processed for the purposes indicated above, will be kept for the period indicated in point 2 and in any case for the time strictly necessary for the aforementioned purposes and in accordance with the terms of the law.
At the end of the retention period, the Personal Data will be deleted. Therefore, at the expiration of this period, the right of access, deletion, rectification, and the right to portability of Personal Data can no longer be exercised by the User.
Personal Data will be stored using paper and computer files, including portable devices, taking appropriate measures to ensure their security and to limit access to them exclusively to personnel authorized by the Data Controller and within the strict scope of the purposes stated above.
Modalities for the exercise of rights
The Data Subject may at any time exercise the rights by sending:
- an e-mail to privacy@lexia.it
- a registered letter with return receipt to Lexia Avvocati, 20121 Milan (MI), Via del Lauro, 9.
The Data Controller undertakes to provide the Data Subject with information regarding the action taken regarding a request to exercise rights without undue delay and, in any case, at the latest within a period of 30 (thirty) days from the receipt of the request itself, extendable up to 3 months only in cases of particular complexity.
Any rectification or deletion or limitation of the processing carried out at the explicit request of the Data Subject (except where this proves impossible or involves a disproportionate effort) will be communicated by the Data Controller to each of the recipients to whom the Personal Data has been transmitted. The Data Controller may inform the Data Subject of the recipient’s contact details if requested.
To exercise the aforementioned rights, as well as for any communication, request, clarification, or report regarding the protection of Personal Data, the Data Subject may send an e-mail to the Data Controller at the following e-mail address: privacy@lexia.it
Right to Lodge a Complaint
Data Subjects who believe that the processing of Personal Data is taking place in violation of the provisions of the GDPR have the right to lodge a complaint with the Privacy Authority for the Protection of Personal Data (Garante Privacy) by e-mail, at garante@gpdp.it or urp@gpdp.it, by fax 06.696773785, or by mail to the Privacy Authority for the Protection of Personal Data located in Rome (Italy), Piazza Venezia n. 11 – Cap 00187, or by recourse to the Judicial Authority.
Managers and appointees
The updated list of data processors and persons in charge of the processing is kept at the Data Controller’s offices.
Changes to this information notice
This policy is subject to change. We, therefore, recommend that you check this policy regularly and refer to the most up-to-date version.