This information is provided pursuant to Section 13 of (EU) Regulation no. 2016/679 (hereinafter “GDPR”).
1. Data Controller
The Data Controller is Nctm Studio Legale (the “Data Controller”), with registered office in Via Agnello 12, 20121 Milan, tel. (+39) 02 725 511, e-mail: firstname.lastname@example.org. The updated list of any data processors is available at the offices of the Data Controller.
Nctm Studio Legale works also abroad through or in collaboration with Nctm LLP, with offices in St. Michael’s House, 1 George Yard, Lombard Street, EC3V 9DF, London (UK), Nctm Association d’Avocats, with offices in Avenue de la Joyeuse Entrée 1, 1040 Bruxelles (BE), Solve Studio Legale, Piazzetta Guastalla 10, 20122 Milan and Nctm Studio Legale – Shanghai branch, Room 40102 Hong Kong New World Tower, no. 300 Middle Huaihai Road (CN). Said entities may act as data processors of Nctm Studio Legale or, as the case may be, as autonomous data controllers for the same purposes and on the same terms and conditions of this information notice. Therefore, any reference to Nctm Studio Legale or to the Data Controller shall be automatically considered as reference to said entities, as the case may be.
2. Where and how data are processed
Data relating to the web services of this Site, as well as data collected by Nctm Studio Legale for any other reason pursuant to this information notice, are processed at the offices of the Data Controller and are handled by internal technical personnel, specifically appointed in writing as Person in charge of the processing, pursuant to the GDPR and/or by personnel outside the Data Controller’s organisation, duly appointed, in writing, as Processor, pursuant to Section 28 of the GDPR.
All personal data are processed both in paper format and, mainly, in electronic format. Data will be stored in a form that allows the identification of the user only for the time strictly necessary to achieve the purposes for which they were originally collected and, in a any case, within the limits provided by law. Specific security measures are observed to prevent the loss of data, their unlawful or improper use and unauthorised accesses to the data, in compliance with the provisions of the GDPR.
In order to assure that personal data are always accurate, updated, complete and pertinent, Data Subjects are kindly requested to report any changes therein to the following e-mail address: email@example.com.
3. Purposes of the processing
Personal data are processed by the Data Controller for the following purposes:
a) within the limits and only for the purposes to provide services accessible via the Site as well as to allow users to be acquainted with and examine in depth the activities, events and other, institutional and training, initiatives organised and carried out by the Data Controller;
b) to manage and develop, with regard to the previous point, questions and requests for interaction with Nctm, its professionals and entities within the organisation of the Data Controller;
c) to offer a platform of scientific insights, through the contributions proposed by Nctm; to manage the registration and authentication of those who are authorised to access the reserved areas of the Site;
d) based on the Data Subject’s consent, to send – also by email via automated systems – communications containing information on the Data Controller and the activity organised by the Data Controller (such as invitations to conventions and events in general, including activities to manage the participation therein), as well as updates and/or legal/professional or promotional information material, such as, by way of example, ongoing training sessions, newsletters, legal alerts, cultural initiatives, presentations, in-depth analyses and updates on subjects concerning the activities carried out by the Data Controller, including profiling of Data Subjects for such purposes, in order to direct, improve or customise the initiatives of Nctm Studio Legale taking into account the specific requirements or specific interests of Data Subjects;
e) even without the Data Subject’s consent within the limits permitted by the GDPR, to send – also by email via automated systems – communications under letter d) above to Data Subjects who are already clients of the Data Controller with regard to professional activities similar to those already provided to them by the Data Controller.
The carrying out of the activities under letters a), b) and c) above does not require the Data Subject’s consent, being the services or performances, in most cases, carried out at the direct request of the parties concerned pursuant to Section 6, paragraph 1.
The processing of Data for the purposes under letter e) above does not require the consent of the client, as Data Subject, being it necessary for the legitimate interest pursued by the Data Controller, pursuant to Section 6, paragraph 1, letter f) of the GDPR.
The processing of personal data for the purposes under letter d) above requires the Data Subject’s consent pursuant to Section 6, paragraph 1, letter a) of the GDPR.
4. Provision of data and consequences in case of failure to provide data
The provision of personal data for the above purposes is optional and the failure to provide said data will have the only consequence to prevent the Data Controller from managing and processing the Data Subject’s requests or from sending the communications mentioned above.
5. Types of data processed
i. Navigation data
IT systems and software procedures set up for the correct functioning of this Site collect, during their normal operation, certain personal data, which are transmitted in the context of the use of Internet communication protocols.
Said data are not collected in order to be associated with identified persons, but may, on account of their nature, allow users to be identified through processing and associations with other data held by third parties.
This category of data includes IP addresses or the domain names of computers used by persons accessing the Site, URIs (Uniform Resource Identifiers), the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the digital code indicating the state of the server’s response (successful, error, etc.) and other parameters relating to the operating system and to the user’s IT environment.
These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to verify its correct operation and are deleted immediately after processing. The data may be used to ascertain responsibility in the event of any IT crimes against the Site.
ii. Data provided voluntarily by users or collected from third parties
The optional, explicit and voluntary submission of an email address as well as of the relevant message to the addresses indicated on this Site, as well as the transmission of messages through the published collection forms, results in the collection of the sender’s address and of other personal data that may be included in the request, which are necessary for responding to requests.
Specific summary reports may be shown or displayed, from time to time and when strictly necessary, on the pages of the Site dedicated to particular on-demand services.
In addition to the foregoing, further personal data (such as personal details, data concerning professional activity, position and/or role within the company, contact details such as business and/or private telephone number, e-mail address) provided to the Data Controller or anyway collected by the Data Controller from third parties, will be processed by the Data Controller in compliance with this information notice and within the limits imposed by the GDPR.
6. Recipients and Categories of Recipients
Data will not be circulated or assigned to third parties unless with the consent of the Data Subject. Should disclosure to third party suppliers or partners of Nctm Studio Legale be necessary for organisational or administrative requirements or to support the services provided, the Data Controller shall appoint said entities as processors pursuant to the GDPR.
It is understood that the personal data of Data Subjects may be freely disclosed to third parties, such as the police, whenever this is permitted by the law or required by an order or decision of a competent authority.
7. Transfer of Data to third countries
Data may be transferred to the People’s Republic of China and in particular, but without limitation, to Shanghai at Nctm Studio Legale branch set up there, by virtue of agreements compliant with Section 46.3 of the GDPR.
8. Retention period
Personal data will be retained only as long as strictly necessary to achieve the purposes for which they had been collected and processed. Upon completion of the processing purpose, or in case of exercise of the right to object to the processing or withdrawal of the consent given, the Data Controller will be anyway entitled to further retain, in whole or in part, personal data for the purposes permitted by the GDPR (such as the need to enforce a right in court proceedings). As a rule, personal data will be stored for 2 years from their recording, or for 12 months for profiling purpose, without prejudice to the legitimate interest of the Data Controller pursuant to the GDPR, or any longer period that may be established in the future with reference to cases regulated from time to time by the applicable laws or by the competent authorities.
9. Link to other Websites
The Data Controller does not control and is unable to supervise either the content or data processing policies of third parties’ websites and services, which may be accessed via links contained in the Site. Therefore, Nctm Studio Legale is in no way responsible for data processing carried out through or in relation to said third party’s websites.
10. Rights of the data subjects
10.1 Right of access, erasure, restriction and data portability
Data Subjects have the rights provided for in Sections from 15 to 20 of the GDPR. By way of example, each Data Subject may:
a) obtain confirmation of the processing or non-processing of personal data concerning him or her;
b) if his or her data are being processed, obtain access to personal data and information relating to the processing as well as request a copy of the personal data;
c) obtain the rectification of inaccurate personal data and have incomplete personal data completed;
d) obtain the erasure of personal data concerning him or her where one of the grounds provided for by Section 17 of the GDPR applies;
e) obtain restriction of processing where one of the cases provided for by Section 18 of the GDPR applies;
f) receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and request their transmission to another controller, if technically feasible.
10.2 Right to object
Each Data Subject shall have the right to object at any time to processing of his or her personal data carried out to pursue a legitimate interest of Data Controllers. In case of objection, his or her personal data will no longer be processed, unless legitimate reasons exist for the processing, which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
10.3 Right to withdraw consent
Where personal data are processed based on consent, each Data Subject has a right to withdraw at any time the consent given, without affecting the lawfulness of any processing based on said consent and carried out before the withdrawal. Consent may be withdrawn by writing an email to the address firstname.lastname@example.org.
With reference to the processing of personal data for the purposes under Section 3, letter e) the Data Controller may not ask for the Data Subject’s consent, provided that the latter has been duly informed and has not refused to allow such use, initially or during subsequent communications. Upon collection and in any communication sent for the purposes under this paragraph, the Data Subject will be informed of the possibility to object to the processing at any time, smoothly and free of charge.
10.5 Right to lodge a complaint with a Supervisory Authority.
Every Data Subject has the right to lodge a complaint with a Supervisory Authority if he or she considers that the processing of personal data relating to him or her infringes his or her rights under the GDPR, according to the methods set out on the website of the Supervisory Authority accessible from the following link: www.garanteprivacy.it.