Pursuant to the legislation applicable to protection of personal data (“Privacy Legislation”), including EU Regulation 2016/679 (“GDPR”), Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (“Privacy Code”), Morri Rossetti e Associati – Studio Legale e Tributario (hereinafter, the “Law Firm”, or the “Data Controller”), as data controller, informs users (hereinafter the “Users” or, in the singular, the “User”) of the website www.morrirossetti.it (the “Website”) that it will process their personal data collected through the Website in the manner and for the purposes described in this privacy notice (the “Notice”).
The User, by browsing the Website, acknowledges that he/she has read and understood the contents of this Notice.
1. Data Controller and Data Protection Officer
The Data Controller is Morri Rossetti e Associati – Studio Legale e Tributario with registered office in Milan, Piazza Eleonora Duse no. 2, 20122, fiscal code no. 04110250968 to be contacted at the following number +39 02 760 7971 or at the following e-mail address: email@example.com.
The Data Protection Officer, domiciled at the Law Firm, can be contacted at the following e-mail address: firstname.lastname@example.org.
2. Processed personal data through the Website
The Law Firm will process exclusively the following types of personal data of Users who browse and interact with the web services of the Website and, in particular:
- Personal data collected implicitly while a User is browsing the Website
The computer systems, cookie technology and software procedures that are used to run the Website collect, during their normal functioning, certain data whose transmission is implicit when using the Internet. This kind of information is not acquired for purposes directly linked to identifiable data subjects but could, due to its nature, be processed and aggregated with the data held by third parties, in such a way as to make User identification possible.
This category of data includes, for example, the IP addresses or the domain names of the computers used by the Users who connect to the Website, the pages visited by the Users within the Website, the domain names and addresses of the websites from which the User accessed the Website (through referrals), the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used in submitting the request to the web server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server, and other settings relating to the type of browser (e.g. Internet Explorer, Google Chrome, Firefox), operating system (e.g. Windows) and computer environment of the User.
- Personal data directly provided by the User in the context of the communication with the Law Firm
These data are provided directly by the User to the Law Firm (such as, but not limited to: name, last name, e-mail address, any personal data of the sender contained in e-mail communications or attachments thereto, etc.), following the sending of an e-mail or other communication to the Law Firm's contacts as indicated on the Website as well as following the subscription to the newsletter service and/or to the mailing lists of specific industries.
3. Purposes and legal basis of the processing
Personal data provided (indirectly or directly) by the User will be processed by the Data Controller for the following purposes (the “Purposes”):
(a) to fulfil legal, accounting and tax obligations to which the Law Firm is subject. In this case, the legal basis for the processing is the legal obligation to which the Data Controller is subject, pursuant to Article 6(1)(c) of the GDPR;
(b) to allow Users to browse the Website. In this case, the legal basis for the processing is the Data Controller’s legitimate interest, pursuant to Article 6(1)(f) of the GDPR, to: (i) inform the User, through the contents of the Website, and promote to them the Law Firm's professional context, the activities carried out, the services offered by the Law Firm and the Law Firm's publications; (ii) improve the quality and the structure of the Website, as well as to create new services, functionalities and/or features thereof; and (iii) interact with the User who is interested in the Law Firm’s services, through the contact details published on the Website;
(c) to carry out the maintenance and technical assistance necessary to ensure the proper functioning of the Website and the services connected to it. In this case, the legal basis for the processing is the Data Controller’s legitimate interest, pursuant to Article 6(1)(f) of the GDPR, to: (i) prevent the occurrence of fraud or other crimes through the use of the Website; (ii) improve the quality and the structure of the Website, as well as to create new services, functionalities and/or features of the Website; (iii) manage and process statistical surveys on the use of the Website (after personal data anonymization);
(d) to enable the Law Firm to exercise its rights in court and suppress unlawful conduct. In this case, the legal basis for the processing is the Data Controller’s legitimate interest, pursuant to Article 6(1)(f) of the GDPR, to: (i) prevent the occurrence of fraud or other crimes through the use of the Website; (ii) manage litigation in court involving the Data Controller or a third party;
(e) to enable the Law Firm, following the User's subscription to the Law Firm’s newsletter service and/or to the mailing lists of specific industries, to send to the User purely informative and/or informational communications by e-mail regarding the Law Firm's activities and professional services, publications by the Law Firm's professionals and, in general, legal news of public interest, as well as regarding any event invitations and/or conferences organized and/or otherwise supported by the Law Firm, also in collaboration with third parties, or where the Law Firm's professionals are appointed as speakers. In this case, the legal basis for the processing is the performance of a contract and any pre-contractual measures taken at the request of the User, pursuant to Article 6(1)(b) of the GDPR, as well as the Data Controller’s legitimate interest in providing constant updates regarding relevant news in the field of interest of its clients or potential clients, pursuant to Article 6(1)(f) of the GDPR;
(f) to enable the Law Firm to send to the User any communications by e-mail regarding activities, initiatives and/or services proposed by the Law Firm for marketing purposes and/or other advertising or promotional material, other than the communications of a purely informative and informational nature referred to in letter (e) above. In this case, the legal basis for the processing is the consent of the data subject, pursuant to Article 6(1)(a) of the GDPR.
If the legal basis for the processing is the legitimate interest of the Data Controller, the Law Firm ensures that it has first carried out an assessment to ensure that its legitimate interest does not override the interests or the fundamental rights and freedoms of the Users, taking into account the reasonable expectations of the Users in relation to the specific processing activity carried out.
Users may request further information on the above assessment by sending an email to: email@example.com.
The Data Controller also informs the User that he/she has the possibility to: (i) withdraw, at any time, any consent given, it being understood that the withdrawal of consent does not affect the lawfulness of the processing based on consent given prior to withdrawal; (ii) object, at any time, to the processing of his/her personal data on the basis of the Law Firm’s legitimate interests.
In particular, in the event that the User, in the future, wishes to stop receiving any communications sent by the Law Firm for informative and informational purposes and/or for marketing purposes, he/she can unsubscribe from the mailing list by selecting the "Unsubscribe" link at the bottom of the email communications.
In the event that the Law Firm decides to process the personal data collected for any other purposes inconsistent with the purposes for which the personal data were originally collected or authorized, the Law Firm will inform the User in advance and, where required, the Data Controller will gather his/her consent for such processing activity, if needed.
4. Nature of the provision of personal data
The provision of the personal data implicitly provided by the User occurs automatically by browsing the Website. Therefore, if the User does not intend to provide any personal data by browsing the Website, please do not visit this Website, do not otherwise use this Website, do not send any request or communication through the Website, or do not provide your consent when such option is offered to you pursuant to the Privacy Legislation.
The provision of the personal data directly provided by the User is optional. However, failure to provide such personal data could lead to the impossibility for the User to receive replies to communications sent by the User to the Law Firm.
The provision of the personal data directly provided by the User in order to receive the newsletters is necessary to finalize the subscription to, and take advantage of, the newsletter service or the mailing list of the specific industries. However, failure to provide such personal data, in whole or in part, could lead to the impossibility for the User to receive the Law Firm’s newsletter or communications regarding the specific industries.
The provision of personal data directly provided by the User for the receipt of marketing communications is necessary to receive such communications. However, failure to provide such personal data, in whole or in part, could lead to the impossibility for the User to receive marketing communications from the Law Firm.
5. Means of the processing
In relation to the mentioned Data Controller’s Purposes, the processing of personal data may consist in the activities indicated in Article 4(1)(2) of the GDPR, namely: collection, recording, organization, storage, consultation, processing, disclosure by transmission or otherwise making available, restriction, erasure and destruction of personal data.
The processing may be carried out using automated tools, with logic strictly related to the Purposes and, in any case, with means that ensure compliance with the requirements and prescriptions of confidentiality and security, and with the specific obligations provided in the law, applicable from time to time.
6. Access and communication of personal data
Users’ personal data will be processed by the Law Firm’s staff, specifically designated as authorized persons for the processing.
Even without the explicit consent of the User, the Law Firm may disclose the User's personal data for the Purposes indicated in Section 3 above to the Law Firm’s supervisory and/or control bodies, judicial authorities and any other entities to which disclosure is required by law for the fulfillment of the said Purposes, acting as autonomous data controllers.
Furthermore, the Law Firm may assign certain personal data processing operations carried out for the Purposes referred to in Section 3 above to categories of recipients, expressly appointed by the Law Firm, if necessary, as data processors, including but not limited to:
- the Website’s technical service providers;
- the hosting providers offering services for hosting the Website.
The complete and updated list of data processors and persons authorized to process the User’s personal data is kept at the registered office of the Law Firm and can be consulted in the manner set forth in the following Section.
Users’ personal data will not be disclosed to the public or to undefined persons.
7. Extra-EU data transfer
The processing and storage of Users’ personal data will take place on servers of the Law Firm located within the European Union and/or third-party companies duly appointed as data processors.
Any transfer of Users’ personal data outside the European Union may take place only under the terms and with the guarantees provided for by the Privacy Legislation and, in particular, in accordance with Articles 44 - 49 of the GDPR.
8. Data retention period
The personal data collected for the Purposes referred to in Section 3, letters (b) and (c) will be processed and retained for the duration of browsing and, once the browser is closed, in any case for no longer than 24 months after their collection.
The personal data collected for the Purposes referred to in Section 3, letters (a) and (d) will be stored only for as long as is strictly necessary to achieve the Purposes for which they were collected and, in any case, no longer than 10 years after their collection.
The personal data collected for the Purposes referred to in Section 3, letters (e) and (f) will be stored only for as long as is strictly necessary to achieve the Purpose for which they were collected and, in any case, no longer than 24 months after their collection.
At the end of the retention periods, the personal data will be erased, unless there are further legitimate interests of the Law Firm and/or further legal obligations that make it necessary, after minimization, to retain them.
9. Users’ Rights
The User, as data subject, in accordance with the law, will always have the right to withdraw at any time his/her consent, where given, as well as to exercise, at any time, the following rights:
- the “right of access” i.e. the right to obtain confirmation as to whether or not personal data concerning the User are being processed and the communication of such data in an intelligible form;
- the “right to rectification” i.e. the right to request the rectification or, if interested, the integration of personal data;
- the “right to erasure” i.e. the right to request the erasure or the anonymization of personal data that have been processed unlawfully, including data whose storage is unnecessary for the Purposes for which they were collected or further processed;
- the “right to restriction of processing” i.e. the right to obtain from the Data Controller the limitation of the processing in certain cases provided for under the Privacy Legislation;
- the right to request the Data Controller to indicate the recipients to whom it has notified any rectification or erasure or restriction of processing (carried out in accordance with Articles 16, 17 and 18 GDPR, in fulfillment of the notification obligation unless this proves impossible or involves disproportionate effort);
- the “right to data portability” i.e. the right to receive (or transmit directly to another data controller) personal data in a structured, commonly used and machine-readable format;
- the “right to object”, i.e. the right to object, in whole or in part, to:
  - the processing of personal data carried out by the Data Controller for its own legitimate interest;
  - the processing of personal data carried out by the Data Controller for direct marketing or profiling purposes.
In the above cases, where necessary, the Data Controller will inform the third parties to whom the User’s personal data have been disclosed of his/her exercise of rights, unless it is not possible or is too onerous and, in any case, in accordance with the provisions of the Privacy Legislation.
If the legal basis for the processing is consent, the User has the possibility to withdraw, at any time, the consent given, it being understood that the withdrawal of consent does not affect the lawfulness of the processing based on consent given prior to withdrawal.
10. Exercise of rights and complaints to the Italian Data Protection Authority
The User is entitled to exercise his/her rights at any time in the following manner:
- by e-mail, to the address: firstname.lastname@example.org;
- by sending a letter to the address of the registered office of Morri Rossetti e Associati: Piazza Eleonora Duse 2, 2011, Milan.
The Data Controller hereby informs the User that, pursuant to the Privacy Legislation, he/she has the right to lodge a complaint with the competent supervisory authority (in particular in the Member State of User’s habitual residence, place of work or place of the alleged breach), if he/she is of the opinion that his/her personal data are being processed in a way that would lead to breaches of the GDPR.
In order to facilitate the exercise of the right to lodge a complaint, the name and contact details of the European Union Supervisory Authority are available at the following link: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
Lastly, should the User wish to lodge a complaint with the Supervisory Authority having competence for the Italian territory (i.e. “Autorità Garante per la protezione dei dati personali”), the same can use the complaint form available at the following link: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/4535524.
Updated on October 27, 2022