PRIVACY POLICY FOR THE PROCESSING OF PERSONAL DATA
Introduction
This privacy policy for the processing of personal data (hereinafter the “Privacy Policy”) is provided pursuant to Article 13 of EU Regulation 679/2016 (General Data Protection Regulation – hereinafter, “GDPR“).
The Policy is provided to users/visitors who interact with the official website of NPA – law firm with headquarters at Via Larga no. 16, Milan (MI), accessible at www.npassociati.it (hereinafter, the “Website“) and describes in detail how and and for what purposes the personal data of users/visitors will be processed during navigation on the Website and the use of the various features and services available within it.
For the purposes of this Privacy Policy, the user/visitor of the Website and its related features/services, as the data subject to whom the processed personal data refer, is hereinafter identified as the “User.”
1. Data Controller
The Data Controller is NPA – law firm, headquartered at Via Larga no. 16, Milan (MI) (hereinafter, Controller“).
It is possible to contact the Controller for questions, requests, or clarifications regarding this Privacy Policy or in general regarding the processing of personal data, at the following contact details:
- segreteria@npassociati.com (indicating “privacy” in the subject line).
2. Categories of personal data
The Controller processes the following categories of personal data during navigation on the Website and the use of its features/services:
- a) information and data related to navigation on the Website and the devices used by the User to navigate the Website and use its features and services;
- b) information and data provided by filling out the form available under the “Contact Us” section on the Website (for example, but not limited to: name and surname, email for possible responses, as well as the content of the transmitted information or requests);
- c) information and data communicated by the User through sending emails to the addresses of the Controller indicated on the Website (for example, but not limited to, name, surname, email address for possible responses, as well as the content of the transmitted information or requests).
The personal data in category a) are automatically collected by the Controller during navigation on the Website. These data are not collected and processed to be associated with identified physical subjects; however, by their very nature, they could, through processing and integration with other data, allow the identification of physical persons. The personal data in categories b) and c) are provided directly and voluntarily by the User.
3. Consequence of failure to provide personal data
The processing of personal data in category a) is necessary for the Controller to ensure the best possible browsing experience for the User, and to provide all the features and services offered through the Website. It is, however, possible to limit the processing of such personal data through the use of certain functionalities provided by the Website or by the User’s device or browsing application. In such cases, navigation on the Website may be limited, and some of its features/services may be inaccessible.
4. Purposes of the processing of personal data and legal bases
The User’s personal data will be processed for the following purposes and according to the following legal bases.
Purposes | Legal Basis |
1. To allow navigation on the Website, access its pages and sections, and use its functions and services |
Processing necessary for the purposes of the legitimate interests pursued by the Controller (Art. 6(1)(f) GDPR): to enable Users to register on the Website and access the services offered through it |
2. 1. To enable the Controller to respond to requests from administrative, judicial, or public security authorities (e.g., pursuant to Art. 210 of the Civil Procedure Code and Art. 248 of the Criminal Procedure Code) |
Processing is necessary for compliance with a legal obligation to which the controller is subject; (art. 6, par. 1 lett (c) GDPR) |
3. To respond to your contact requests or information transmission via interaction with the Website |
Processing necessary for the purposes of the legitimate interests pursued by the Controller (art. 6(i)(f) GDPR): to address the User’s requests |
4. 1. To allow the Controller to establish, exercise, or defend their rights in judicial or extrajudicial proceedings, or in the context of disputes or controversies |
Processing necessary for the purposes of the legitimate interests pursued by the Controller (art. 6(i)(f) GDPR) |
5. To monitor the proper functioning of the Website for maintenance and updates, and to provide a better browsing experience |
Processing necessary for the purposes of the legitimate interests pursued by the Controlle (art. 6(i)(f) GDPR): to enable Users to register on the Website and access the services offered through it |
6. 1. To analyze User behaviors and preferences to improve the experience on the Website and the commercial information presented, making it more aligned withUser interests, and to offer personalized contents | Processing necessary for the purposes of the legitimate interests pursued by the Controller (art. 6, par. 1 lett. (f) GDPR) |
5. Categories of recipients of the personal data
To fulfill the purposes outlined above, Users’ personal data will also be processed by third parties other than the Controller. These parties will process Users’ personal data either on behalf of the Controller (i.e., as data processors) or as independent data controllers, following specific instructions from the Controller.
Specifically, the following categories of recipients will process personal data:
- a) Service providers necessary for the proper functioning of the Website and its functions/services (e.g., ICT service providers, hosting service providers, software and application providers);
- b) Judicial, administrative, and/or public security authorities, in accordance with legal provisions;
- c) Consultants appointed by the Controller;
- d) Communication and marketing service providers.
6. Transfer of personal data outside the European Economic Area
Personal data are not transferred outside the European Economic Area.
7. 1. Retention period of the personal data
The personal data of Users will be retained for a variable period depending on the type and purposes of the processing. The retention periods for personal data are as follows:
- a) Data related to navigation on the Website and/or the devices used, unless used for the determination of responsibility in the event of crimes affecting the Website or third parties, will be retained for no more than 7 (seven) days;
- b) Data and information related to contacts between the User and the Controller: will be retained for the time necessary to provide the services requested by the User.
8. Rights of the data subject
If, at the end of the period mentioned above, personal data need to be processed for specific purposes (e.g., to protect the Controller’s rights in the context of a dispute), they will be retained until those purposes are fulfilled (e.g., until the dispute is resolved). At the end of the specified retention periods, the User’s personal data will be deleted or otherwise made unintelligible by the Controller.
The following rights are also guaranteed:
- a) The right to withdraw consent given for the transmission of cookies on the device during navigation on the Website, as more specifically described in the Cookie Policy;
- b) The right to obtain from the Controller the rectification of inaccurate personal data, or the completion of incomplete personal data, pursuant to Article 16 GDPR;
- c) The right to obtain from the Controller the erasure of personal data, pursuant to Article 17 GDPR;
- d) The right to obtain from the Controller the restriction of processing, pursuant to Article 18 GDPR;
- e) within the limits provided by the regulations, the right to obtain from the Controller the portability of personal data processed based on consent or contractual basis pursuant to Article 6(1)( a) and ( b) GDPR; in exercising this right, the Controller will provide all data acquired, based on consent or contractual obligation, in a structured and interoperable format; where technically possible, such personal data may also be transferred, in the same manner, to third parties selected by the User and indicated with a specific request;
- f) the right to object to the processing of personal data pursuant to Article 21 GDPR, unless the Controller demonstrates, upon receiving a request in this regard, the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Requests for the above rights should be addressed to the contact details provided.
The Controller will respond to requests without undue delay.
9. Changes and updates to the Privacy Policy
If this Privacy Policy is modified or updated, the Controller will make every reasonable effort to inform the data subjects of such changes (e.g., through specific communications – in the form of banners or similar tools – on the homepage of the Website)