Latest update: June 2023
PRIVACY NOTICE
This privacy policy (“Policy”), provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 General Data Protection Regulation (“Regulation” or “GDPR”), describes the processing of your personal data carried out by emlex – Eva Maschietto Massimo Maggiore (“emlex”, the “Law Firm”, “we”, “us”, “our”) as data controller.
- Data controller
For the purposes of this Policy and the processing operations herein described, the data controller (Article 4(7) GDPR) is emlex – Eva Maschietto Massimo Maggiore, represented by each of its Partners shareholders, with registered office in Via Santo Spirito 3, 20121, Milan.
- What personal data we process and legal basis of the processing
In the performance of its professional activities, the Law Firm may process various categories of personal data relating to the data subjects indicated in this paragraph.
- Data related to candidates for job positions within the Law Firm
- Data processed
The Law Firm may process the following personal data relating to persons applying for job positions within the Law Firm, both as professionals and employees (the “Candidates”), by contacting the Law Firm through the appropriate form on the website www.emlex.it (the “Website”) or through other channels (e.g. following advertisements published on the dedicated page of a Bar Association):
- Personal identifiable information (e.g. name, surname, date of birth, residence);
- Contact details (e.g. telephone number, e-mail address, postal address);
- Personal picture/portrait;
- Data relating to the candidate’s qualifications, training and professional career;
- Any information (including income or wealth situation, as well as special categories of data) that Candidates will provide to the Law Firm when submitting their application or during the selection process.
- Purposes of the processing
The Law Firm will process the personal data of the Candidates in order to assess whether their profiles are in line with the Firm’s needs, as well as to make selections in this regard among the various Candidates and to finalize the possible recruitment and/or inclusion within the Law Firm.
- Legal bases of the processing
The legal basis on which the processing of Candidates’ personal data by the Law Firm is based is the need to perform a contract to which the data subject is party as well as to take steps at the request of the data subject prior to entering into a contract. In the event that, at the time of the application or during the subsequent selection process, a Candidate provides the Law Firm with special categories of data pursuant to Article 9 GDPR, the relevant legal basis will be the consent of the data subject.
- Source of data
emlex will receive the personal data of its Candidates directly from the Candidates – either in the context of specific selection procedure or through spontaneous applications – or through third parties such as Universities, Professional Associations, recruitment companies and other similar entities. This data may, among other things, be collected during the ordinary professional activities of the Law Firm or thanks to contacts established during events, seminars, conferences, in particular through the exchange of business cards.
- Storage period
As a general rule, the personal data of each Candidate will not be stored for more than 12 months after the end of the specific selection process for which he/she applied for, except in the case of the establishment of an employment relationship and/or collaboration with the Law Firm. With the specific consent of the Candidate, the Law Firm may extend the above storage period.
The Law Firm may also extend the storage period of Candidates’ personal data where this is necessary to comply with a legal obligation or to defend a right of its own before a judicial, administrative or other authority.
- Data relating to Clients or prospects of the Law Firm
- Data processed
Within its professional activities, the Law Firm may process the following categories of personal data relating both to clients and prospects natural persons, as well as to employees, collaborators, representatives or contact persons of the Firm’s clients or of prospects that qualify as legal persons (hereinafter referred to as “Clients” and “Clients’ Contacts” respectively):
- Personal identifiable information (e.g. name, surname, date of birth, residence);
- Contact details (e.g. telephone number, e-mail address, postal address);
- Data relating to economic situation;
- Data relating tocriminal convictions and offences, to the extent that its processing is necessary for the proper performance of the professional duties conferred to the Law Firm or to comply with legal obligations;
- Special categories of personal data pursuant to Article 9 GDPR;
- Any other personal data provided to the Law Firm by a Client and the processing of which is necessary for the proper performance of the professional duties assigned to the Law Firm or to comply with a legal obligation to which the Law Firm is subject.
- Purposes of the processing
The processing of Clients’ personal data is aimed at the proper performance of the professional duties assigned to the Law Firm and, where necessary, to comply with legal obligations to which the Law Firm is subject, including the know-your-customer obligations provided for by applicable legislation against money laundering and terrorist financing.
- Legal basis of the processing
The legal basis on which the processing of Clients’ personal data by the Law Firm is based is the need to perform a contract to which the data subject is party as well as to take steps at the request of the data subject prior to entering into a contract. For Clients’ Contacts, the legal basis is the legitimate interest of the Law Firm for the performance of the duties assigned by each Client for which the data subject works.
With regard to the processing of personal data relating to criminal convictions and crimes of Clients, the relevant processing is based on the need to comply with legal obligations to which the Law Firm is subject, including the know-your-customer obligations provided for by the applicable legislation against money laundering and terrorist financing.
The processing of special categories of personal data provided by the data subjects may be based either on the consent of the data subjects or on the need to ascertain, exercise or defend a right before a competent court. This is without prejudice to the case in which the data subject has made his or her data manifestly public.
- Source of data
The Law Firm will receive the personal data of its Clients directly from the Clients or through the Clients’ Contacts. This data may, among other things, be collected during the ordinary professional activities of the Law Firm or thanks to contacts established during events, seminars, conferences, in particular through the exchange of business cards.
- Storage period
The Law Firm will store the personal data of its Clients for the period strictly necessary for purposes for which such data has been collected. Namely, the Law Firm will store the data of Clients who contact the Law Firm for extra-judicial consulting activities for a maximum of 10 years after the end of the professional relationship established with the Law Firm.
The Law Firm will retain the personal data of Clients to whom it provides assistance in court for the entire duration of the relevant proceedings and, at the end of the proceedings, for as long as necessary for the performance of ancillary activities (e.g. lodging appeals, starting enforcing proceedings, etc.).
The Law Firm may extend the storage period of Clients’ personal data where this is necessary to comply with a legal obligation or to defend a right of its own before a judicial, administrative or other authority.
- Data relating to Clients’s counterparties or to third parties in judicial and extra-judicial matters
- Data processed
Within its professional activities, the Law Firm may process the following categories of personal data relating both to any counterparties of the Clients and/or third parties in judicial or extra-judicial matters, as natural persons, as well as to employees, collaborators, representatives or contact persons of the counterparty that qualify as legal person (hereinafter referred to as “Counterparties” and “Third Parties”):
- Personal identifiable information (e.g. name, surname, date of birth, residence);
- Contact details (e.g. telephone number, e-mail address, postal address);
- Data relating to the economic situation;
- Data relating tocriminal convictions and offences, to the extent that its processing is necessary for the proper performance of the professional duties conferred to the Law Firm or to comply with legal obligations;
- Special categories of personal data pursuant to Article 9 GDPR;
- Any other personal data provided to the Law Firm by a Client and the processing of which is necessary for the proper performance of the professional duties assigned to the Law Firm or to comply with a legal obligation to which the Law Firm is subject.
- Purposes of the processing
The processing of the Counterparties or Third Parties’ personal data is aimed at the proper performance of the professional duties assigned to the Law Firm.
- Legal basis of the processing
The legal basis on which relies the processing of the Counterparties’ or Third Parties’ personal data is the legitimate interest of the Law Firm to the proper fulfill of its professional activities as well as the legitimate interest of its Clients to protect their rights and interest both before or outside judicial authorities.
The processing of any particular categories of personal data of the Counterparties or the Third Parties will be compliant with the obligation of professional secrecy – as set forth in Article 13 of the Italian Forensic Code of Ethics – and, in any case, may be based on the need to ascertain, exercise or defend a right in court. This is without prejudice to the case in which the interested party has made their data manifestly public.
- Source of data
The Law Firm normally will receive the personal data of Counterparties or Third Parties from its Clients or through the Clients’ Contacts.
- Storage period
The Law Firm will store the personal data of Counterparties or Third Parties for the period strictly necessary for purposes for which such data has been collected.
Namely, the Law Firm will store the data of Clients’ Counterparties or of Third Parties for extra-judicial consulting activities for a maximum of 10 years after the end of the professional relationship established with the Law Firm.
The Law Firm will retain the personal data of Clients’ Counterparties or of Third Parties in judicial defence for the entire duration of the relevant proceedings and, at the end of the proceedings, for as long as necessary for the performance of ancillary activities (e.g. lodging appeals, starting enforcing proceedings, etc.).
The Law Firm may extend the storage period of Counterparties’ or Third Parties’ personal data where this is necessary to comply with a legal obligation or to defend a right of its own before a judicial, administrative or other authority.
- Data relating to suppliers of the Law Firm
- Data processed
In the performance of its professional activities, the Law Firm may process the following categories of personal data referring both to natural persons suppliers and to employees, collaborators, representatives or referents of legal entities of the Firm (hereinafter referred to as “Suppliers” and “Suppliers’ Contacts” respectively):
- Personal identifiable information (e.g. name, surname, date of birth, residence);
- Contact details (e.g. telephone number, e-mail address, postal address);
- Any other personal data provided to the Law Firm by a supplier and the processing of which is necessary for the proper performance of the contract entered into by the Law Firm and the supplier or to comply with a legal obligation to which the Law Firm is subject.
- Purpose of the processing
The processing of the personal data of the Suppliers and the Referents of the Suppliers is carried out to manage the existing contractual relationships between the Law Firm and its suppliers.
- Legal basis of the processing
The legal basis on which the processing of Suppliers’ personal data by the Law Firm is based is the need to perform a contract to which the data subject is party as well as to take steps at the request of the data subject prior to entering into a contract. For the Suppliers’ Contacts, the legal basis is the legitimate interest of the Law Firm for the performance of the contract entered into by the Law Firm with each supplier for which the data subject works.
- Source of data
The Law Firm normally receives the personal data of its Suppliers or of the Referents of the Suppliers directly from them, during the course of its ordinary professional activities or contacts established during events, seminars, conventions, in particular through the exchange of business cards.
- Storage period
The Law Firm will store the personal data of its Suppliers or of the Referents of the Suppliers up to a maximum of 10 years after the end of the contractual relationship with each relevant Supplier. The Law Firm may extend that storage period where this is necessary to comply with a legal obligation or to defend a right of its own before a judicial, administrative or other authority.
- Data collected through the use of the Website
When you visit our Website, we may collect the following navigation data, which will be properly anonymized by the Law Firm:
- technical information including: IP address, information on the device, browser and software you use:
- information on the navigation on the Website including: URL of pages browsed and the activities carried out on these pages, (e.g. products viewed and eventually purchased), date and time of access, duration of access and clickstream.
This information is collected to ensure the best functioning, management, and maintenance of the Website as well as the in order to ensure you a safe experience on the Website and to ascertain the liability in case of any breach of cybersecurity. In addition, we analyse this information –also as aggregated data – in order to obtain statistics on the performance of the Website.
You are completely free to provide your navigation data, e.g.by uninstalling the cookies through the relevant settings of your browser. However, the refusal to provide the information necessary for purpose of navigation may make activities strictly related to navigation, and therefore even access and navigation on our Website, impossible.
We will store these data as long as they are necessary for the purpose for which they are collected.
Navigation data are collected with the use of cookies. In order to understand how cookies work in particular or how to enable or disable them, please see our cookie policy.
- Processing for direct marketing purpose
- Data processed
In addition to process personal data of data subjects for the purposes described in the paragraphs I, II, III and IV above, the Law Firm may process the following categories of personal data to carry out direct marketing activities aimed at promoting its services and professional activities:
- Personal identifiable information (e.g. name, surname, date of birth, residence);
- Contact details (e.g. telephone number, e-mail address, postal address);
- Social networks addresses/pages (e.g. LinkedIN)
- Data relating to the candidate’s qualifications, training and professional career.
- Purpose of the processing
The processing of personal data described in this section is aimed at the performance, by the Law Firm, of direct marketing activities that may be carried out through promotional communications via e-mail or social media sent to contacts held for this purpose by the Law Firm.
- Legal bases of the processing
The processing of personal data for direct marketing purpose activities relies on consent of the data subjects, if they are not Clients of the Law Firm. The circumstance that a data subject deposits, leaves or hands his/her business card to representatives or collaborators of the Law Firm during events (such as conferences, seminars or other networking events) at which the Law Firm is present will be considered by the Law Firm “clear affirmative action” equivalent to a written statement of consent.
For what concerns processing of data of Clients or Clients’ Contacts, the relevant legal basis shall be the legitimate interest of the Law Firm to the promotion of its activities.
- Source of data and consequences of failure to provide data
The Law Firm directly collects the personal data of the contacts it uses for direct marketing activities. The provision of personal data by the data subjects is optional. Refusal to provide personal data, as well as to give consent to the processing, where required, will also make it impossible for the Law Firm to send promotional communications regarding its services and activities.
- Storage period
The personal data processed by the Law Firm for the performance of direct marketing activities will be kept for a maximum period of 60 (sixty) months from the time they are obtained or, if later, from the last interaction. The Law Firm may extend the mentioned storage period where this is necessary to comply with a legal obligation or to defend a right before a judicial, administrative or other authority.
- To whom we disclose personal data of the data subjects
The Law Firm is a law firm and, as such, its professionals and collaborators are subject to professional secrecy from which it follows, therefore, a substantial limitation to the disclosure to third parties of the personal data of its Clients.
Therefore, the personal data of the data subjects may only be disclosed to third parties as judicial or administrative authorities where this is necessary to fulfil a legal obligation to which the Law Firm is subject or to defend a right of the Law Firm before a judicial, administrative or other authority.
To ensure that the processing of the personal data of data subjects is as accurate as possible, the Law Firm has appointed a number of data processors to whom the personal data of data subjects may be disclosed. These persons have been selected among professionals who guarantee the implementation of appropriate technical and organizational measures, so that the processing will always be carried out in compliance with the applicable legislation and guaranteeing the protection of the rights of the data subjects.
- How we protect personal data of the data subjects
Personal data of the data subjects are collected, elaborated, transferred and stored by using appropriate security measures (physical, logical and organisational) to protect them from possible breaches (such as destruction, loss, alteration, unauthorised disclosure or accidental or unlawful access to such personal data) and to ensure that processing is carried out only for the purposes described in this Policy.
- What are the data subjects’ rights and how they can exercise them?
If certain conditions are met, the GDPR grants the data subjects the following rights in relation to their personal data that the Law Firm processes:
- Access: data subjects can obtain information about the processing of their personal data and a copy of that personal data;
- Rectification: if data subjects believe that their personal data is inaccurate or incomplete, they may request that such data be corrected or modified by following their instructions;
- Erasure (so-called “right to be forgotten”): except in cases provided for by applicable law, data subjects have the right to request the erasure of their personal data, when: (i) the data are no longer necessary for the purposes for which they were collected and processed; (ii) the data subjects withdraw their consent where consent is the legal basis of the processing; (iii) data subjects object to the processing carried out to achieve other purposes and there are no overriding legitimate grounds to continue with the processing; (iv) personal data are processed unlawfully; (v) the erasure is required by law;
- Limitation: data subjects may request the limitation of the processing of their personal data pursuant to Article 18 GDPR;
- Object: in pursuant to Article 21 GDPR, data subjects have the right to object to the processing of their personal data at any time in relation to their particular situation. Upon receipt of the object, LAW FIRM will continue with the processing only if there are legitimate and compelling reasons that can be demonstrated to prevail over rights, interests and freedoms of the data subjects. Right to object to the processing of personal data for direct marketing purposes is absolute and can be exercised at any time;
- Withdrawal of consent: if the processing of their personal data is based on consent, data subjects have the right to withdraw their consent at any time;
- Data portability: where the processing is based on consent, data subjects have the right to receive in a structured format, commonly used and readable by automatic device the personal data they have provided us and, where technically feasible, to the secure transmission of their personal data to another data controller.
- How to contact us
To exercise their rights, and for any question or clarification on how their personal data is processed and used in accordance with this Notice, data subjects may contact emlex by mail info@emlex.it.
- Protection of data subjects’ rights
In order to protect their rights and their personal data, data subjects may at any time decide to lodge a complaint with the competent supervisory authority, i.e. the Garante per la protezione dei dati personali (tel. +39 06.696771, e-mail address: garante@gpdp.it or urp@gpdp.it) or to take action before the competent national courts.
- Changes to this notice
We reserve the right to update this Policy at any time. For this purpose, we quote the last update date at the beginning of this Policy.
Any change that substantially affects the processing of data subjects’ personal data will be communicated to the data subjects through the appropriate channels, always in such a way as to ensure that the data subjects have effective knowledge of the modality of processing, with the aim to guarantee the full transparency of the processing itself and full and adequate protection of data subjects’ rights.