This policy is made pursuant to Article 13 of the Regulation (EU) 2016/679 – GDPR for the processing of personal data and in accordance with the Italian provisions contained in the Code regarding the processing of personal data (Legislative Decree 30 June 2003, no. 196 and subsequent amendments) and is aimed at providing the clients of Stigi Stiefel Trulli Studio Legale with full information regarding how their personal data is processed.
1. The Controller
The Controller is the Professional Association Stigi Stiefel Trulli Studio Legale, VAT no. and Tax Code no. 09381781005, represented by its members and legal representatives Michael Louis Stiefel, Andrea Stigi and Tommaso Trulli, based in Rome, Via Fasana No. 21, tel. 0664520925, e-mail email@example.com.
The Controller has not appointed a Data Protection Officer (DPO).
2. Types of personal data processed
The Controller processes personal data acquired in the exercise of its activities for the pursuit of the following purposes and, in particular, for example, it processes:
– common data (such as personal data, telephone contacts, email addresses, tax code);
– highly personal data (such as insurance, banking, tax, income data);
– judicial data (data relating to criminal convictions and offences or related security measures);
– special data referred to in Article 9, par. 1 GDPR (such as trade union membership, religious or philosophical beliefs, political views, racial or ethnic origin, health, life/sexual orientation).
3. Purpose and legal basis of the processing of personal data
The processing of personal data is required for the acquisition of information prior to the conclusion of contracts with the Controller, and for the perfection and the implementation of contracts that foresee the provision of legal services. The legal basis for the processing carried out for this purpose is the performance of the contract to which the person is a party or the implementation of pre-contractual measures (Art. 6, par. 1, letter b) – GDPR).
Personal data will also be processed for the carrying out of administrative and accounting obligations, such as the management of accounting and treasury, as well as billing (e.g. verification and registration of invoices), payments, in accordance with current law, or for the implementation of other obligations under laws, regulations and EU legislation. The processing carried out for this purpose is necessary to fulfil a legal obligation to which the Controller is subject (art. 6, par. 1, letter c) – GDPR).
Personal data of representatives or employees may also be processed for these purposes and, in particular, personal, identification and contact data such as tax code, VAT number, home address, addresses for sending correspondence, e-mail address, telephone number and/or mobile phone.
If, for the purposes mentioned above, it is necessary to process particular data referred to in art. 9, par. 1 – GDPR, the legal basis, unless it is the need to ascertain, exercise or defend a right of the Controller in the courts (art. 9, par. 2, letter f)), or for the exercise of a specific right of the Person in relation to labour law, social security and social protection (article 9, par. 2, letter b)), will always be represented by the data subject’s consent (Article 9, par. 2, letter a) – GDPR).
In this case, the data subject will always have the right to revoke consent at any time without compromising the lawfulness of the processing carried out based on consent provided prior to revocation.
The legal basis for the processing of judicial data (data relating to criminal convictions and offences or related security measures) referred to in Article 10 – GDPR is represented, under art. 2-octies of Legislative Decree 196/2003, by the rules governing the exercise of professional activity and, in particular, by Law 247/2012.
Personal data processed for the above purposes may also be processed by the Controller for the purpose of pursuing its own legitimate interest consisting in the protection of its own rights. In this case, the legal basis for the processing is the need to pursue a legitimate interest of the Controller (Art. 6, par. 1, letter f) – GDPR).
Consequences of refusal to provide personal data: Failure to provide data for the above purposes will make it impossible for the law firm to comply with pre-contract/contractual requests and implement the contract. Failure to provide consent, if requested, or its revocation by the data subject with reference to the processing of the particular data referred to in Article 9, par. 1 – GDPR, will result in the law firm not accepting or continuing the performance of the mandate, resulting in the right to waive the mandate.
3.1 Continued: Processing of personal data in relation to the conduct of defensive investigations and exercise and defence of a right in court – Ethics rules: Annex 1 to Legislative Decree 196/2003.
In accordance with the provisions of the Deontological Rules under Annex 1 to Legislative Decree 196/2003, the processing of personal data for the purpose of conducting defensive investigations and enforcing and defending a right in court, both in the course of proceedings, or in administrative, arbitration or conciliation proceedings, including the preparatory phase for the establishment of a judgment, up to its definition, is carried out, even with non-automated systems, respecting rights, freedoms and dignity of those concerned, according to the principles of purpose, legality, proportionality and minimization, on the basis of a careful substantial and non-formal assessment of the guarantees provided and on the analysis of the quantity and quality of the information used and the possible risks.
4. Dissemination of personal data
No data will be in any way disseminated to third parties or to the press, unless it is deemed appropriate, in order to protect the data subject, even without the consent of the data subject, in accordance with the principles of legality, transparency, fairness and minimization of the data, as well as with the rights and dignity of data subject and third parties, and with any prohibitions of law and the forensic code of ethics.
5. Recipients or categories of recipients of personal data
If necessary, the data provided will be processed only by persons authorized for processing and properly instructed, as well as by Co-Controllers and processors who are linked to the Controller by specific agreements and provide support to the Controller. The data may also be disclosed to third parties (Public Bodies, Police Forces or other Public and Private Entities), but only for the purpose of fulfilling contractual, legal, or EU regulation or regulatory obligations.
6. Transfer to Third Countries
The data are processed in countries belonging to the European Union. If transferred to countries outside the European Union, the data will only be transferred to countries deemed capable of providing an adequate level of protection of personal data, subject to the European Commission’s adequacy assessment, or in the presence of adequate guarantees and provided that the concerned parties have effective rights and means of redress, as required by the current legislation.
7. Retention times
The data provided for the above purposes will be retained for the duration of the contractual relationship and, even once the judicial process or related mandate report is extinguished, acts and documents relating to the subject of defence or defensive investigations may be retained, in original or in copy and also in electronic format, if it is necessary in relation to possible other defensive needs of the assisted party or for the investigation, exercise and defence of a right of the Controller for no longer than the time of the possible lapsing of such rights, without prejudice to their use in anonymous form for scientific purposes.
The data can also be kept even after the legal process or its mandate has been completed to fulfil a regulatory obligation, including in tax and crime-fighting matters; in this instance, only the personal data effectively needed to fulfil the same obligation will be retained.
After this term, the Controller takes technical and organizational measures to ensure that the data is no longer available.
8. Rights of the Concerned Parties
In relation to the processing described in this Notice, the concerned party, as required by European Regulation 679/2016, may exercise the rights enshrined in Articles 15 to 21 and, in particular, the right to ask the Controller for access to personal data, the correction or deletion of the personal data, as well as the limitation of the processing that concerns her or him. The concerned party may also object to the processing for legitimate reasons, as well as exercise the right to data portability.
For the exercise of any of these rights, the concerned party may make his or her requests to the Controller by any means deemed appropriate and, in any case, by contacting the Controller as follows: Telephone: 39 06 6452 0925; e-mail: firstname.lastname@example.org; Via Fasana No. 21 – 00195 – Rome, Italy.
The concerned party also has the right to complain to an oversight authority, particularly in the Member State where he or she usually resides or works, or in the place where the alleged breach occurred, which in Italy corresponds to the Guarantee Authority for the Protection of Personal Data, Piazza Venezia No. 11 – 00187, Rome (RM) – mail: email@example.com – mail pec: firstname.lastname@example.org, whose references are also found on the website: www.garanteprivacy.it, or to bring the matter before the appropriate Court (art. 79 of the Regulation).
Last update, Rome, 12.04.2020
Stigi Stiefel Trulli Studio Legale