Information notice pursuant to Article 13 of Regulation (EU) 2016/679



  This information is provided pursuant to and for the purposes of Regulation (EU) No 2016/679 (general data protection regulation, hereinafter the "GDPR"), with regard to the processing by Jenny.Avvocati Studio Legale Associato (hereinafter, the "Firm" or "Jenny.Avvocati"), of the personal data of employees/collaborators/directors (the "Data Subjects") of private legal entities or other entities that have a relationship with the Firm as clients (including potential clients), suppliers (including potential suppliers), consultants or otherwise (the "Relationship").   This statement does not refer to the processing of personal data of clients being natural persons.  
  1. Identity and contact details of the data controller
    • The data controller is Jenny.Avvocati Studio Legale Associato, with registered office in via Durini 27, 20122 Milan, Italy, tax code and VAT number 12908840155.
    • The data controller can be contacted also via email at the address mail@jenny.it.
 
  1. Purpose of processing operations and legal bases
    • The purposes for which the personal data of the Data Subject will be processed by the Firm are listed below, specifying the legal basis applicable to each of them.
  • The data of the Data Subject shall be processed for the purpose of communication with the Data Subject within the scope of the negotiation, stipulation, renewal, management, performance and termination of the Relationship, as well as of the management of tax and legal obligations relating to the Relationship, and of the management of any disputes. Such processing is lawful since necessary for the pursuit of Jenny.Avvocati’s legitimate interest in communicating through the Data Subject with the entity which is the counterpart in the Relationship, as well as the latter’s interest in the Firm interacting with the Data Subject within the scope of the Relationship.
  • The Data Subject’s data may be processed for the management and performance of the obligations of adequate verification of the customer and retention of data as provided by Legislative Decree no. 231/07 and other applicable laws and regulations, where the Data Subject holds a position that is relevant for the purposes of such rules and regulations; the processing is lawful since necessary for the compliance with a legal obligation.
  • The Data Subject’s data shall be processed to carry out promotional and/or marketing activities
    1. for the sending of information communications on legislative and/or case law news, and/or news relating to the Firm and its activities and organisation;
    2. which consist of market research conducted by companies or entities that publish printed or electronic publications that promote law firms (e.g. Legal500, Chambers), through interviews with persons indicated by the Firm (e.g. client contact persons and other professionals).
The processing for promotional and/or marketing purposes is lawful to the extent necessary to pursue the legitimate interest of the Firm to obtain new professional retainers and promote its business and its image with clients or potential clients, with modalities consistent with the common practice in the law firm sector, and not being such interest detrimental to the rights and interests of the Data Subject.
  • Lastly, Data Subject’s data (including data and metadata processed in the context of the exchange of electronic correspondence) are processed by the Firm (or by persons specifically appointed who process data on behalf of the Firm, such as for instance providers of maintenance services for hardware and software) in the context of more general operations on the IT systems of Jenny.Avvocati aimed at the secure storage of data, and in particular through back-up operations and storage in data centres and differentiated archives. Such processing is lawful since necessary to pursue the legitimate interest of the Firm in the security of its IT systems and paper archives, and such interest does not breach the fundamental rights and freedoms of the Data Subjects.
  • The provision of personal data by the Data Subject is mandatory for the purposes indicated in points 2.1(a), 2.1(b) and 2.2. A refusal by the Data Subject to provide the data, albeit lawful, may prevent the communication with the Data Subject.
   
  1. Modalities of processing
    • Data are processed with the aid of IT and paper media in the manner necessary to pursue the purposes for which they were collected.
    • The processing of data is carried out using procedures that protect their confidentiality and will consist of its collection, recording, organisation, storage, interrogation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction, including the combination of two or more of the above activities. The data will also be processed with IT and electronic tools and stored with the adoption of appropriate security measures in accordance with the provisions of current laws and regulations, in order to reduce the risk of data destruction or loss, also accidental, unauthorized access, or processing not authorised or not in accordance with the purposes of collection. The security measures will be adapted over time in accordance with the law and with technical developments in the sector.
    • The data processors appointed by the Firm and the employees and collaborators authorised to process data will be given adequate instructions, with particular reference to the adoption of adequate security measures, in order to ensure the confidentiality and security of the data. In any case, only those personal data necessary for the performance of their specific tasks will be disclosed to them.
   
  1. Recipients of personal data
    • The data processing activities may entail the communication of data to third parties (other than employees and collaborators of Jenny.Avvocati in charge of the processing), which where necessary are appointed as data controllers pursuant to Article 28 of the GDPR.
    • The disclosure to third parties of Data Subject’s personal data may take place for all the purposes mentioned point 2. More precisely:
    • for the purposes of communication with the Data Subject and management of tax and legal obligations and the management of any disputes relating to the Relationship, the data may be disclosed to clients, potential clients, counterparts and/or their lawyers or consultants, subjects operating in the judiciary, arbitration panels and judicial bodies, other professionals, consultants, suppliers, contacts of the Firm, companies or associations that provide to Jenny.Avvocati IT, archiving or other services, credit institutions, public bodies and authorities, social security and/or insurance institutions.
    • to fulfil specific obligations under the law and other binding provisions, the data may be disclosed to other professionals, consultants, public bodies and authorities, companies that provide Jenny.Avvocati with IT, archiving or other services;
    • for promotion and/or marketing purposes, data may be disclosed to companies which manage publications (including online) relating to the legal market, associations or bodies promoting the exchange of legal services, networks to which the Firm belongs;
    • in order to ensure the security of the Firm’s IT systems and archives, data may be disclosed to consultants and companies which manage the IT system of Jenny.Avvocati and provide services to Jenny.Avvocati;
and in the abovementioned cases data may be disclosed to companies that manage communication and/or electronic document transmission services and, in general, to all the subjects to whom disclosure is necessary in order to pursue the abovementioned purposes or is in any case requested by the Data Subject.
  • The personal data provided will not be subject to dissemination.
  • The recipients of personal data are all located within the European Economic Area (EEA), except in the cases mentioned in point 5 below.
 
  1. Cross-border data transfers
    • The data of the Data Subject may be transferred to countries outside the European Economic Area, for which there is an adequacy decision of the European Commission pursuant to Article 45 of the GDPR, and within the limits of such adequacy decision.
    • In particular, for the purposes referred to in point 2.2, the Firm uses, in part, backup services provided by Google LLC and document sharing and sending services provided by Dropbox Inc. Google LLC and Dropbox Inc. are based in the United States of America, a country that does not offer an adequate level of protection of personal data. The conformity of the data processing at hand with the laws and regulations in force in Italy is in any case ensured, as such companies have the certification of participation in the EU-US Privacy Shield Framework for their services. As confirmed by Decision 2016/1250 adopted on 12 July 2016 by the European Commission, the United States of America ensures an adequate level of protection for personal data transferred under the “shield” from the European Union to US organisations.
    • Limited to the purpose referred to in points 2.1(a) and 2.1(c), if the Data Subject has to be put in contact with a third party, in the context of the Relationship, and such third party is located in a country that does not belong to the European Economic Area and for which there is no adequacy decision nor appropriate safeguards, the transfer may take place only subject to the Data Subject’s consent.
 
  1. Data retention period
    • The identity and contact data of the Data Subject will be stored in the management database of the Firm for the entire duration of the Relationship and shall be deleted or anonymized at the end of the tenth calendar year following the cessation, for any reason, of the Relationship (or, in the event that there are more Relationships, at the last cessation).
    • The Firm will store in its archives the personal data of the Data Subject contained in correspondence and in paper and electronic documents exchanged with the Data Subject in the context of a Relationship, for a maximum period of 10 years from the end of the calendar year in which the Report ceased. After this period, the paper documents will be destroyed and the electronic documents will be deleted from the archives.
    • The data processed for the purpose referred to in point 2.1(b) will be stored in the anti-money laundering archive of the Firm for the entire duration of the Relationship and shall be erased or anonymized at the end of the tenth calendar year following the cessation, for any reason, of the Relationship (or, in the event that there are more Relationships, at the last cessation).
    • The Firm will keep a copy of the communications referred to in point 2.1(c) for a period of 5 (five) years.
    • In all the above cases, it should be noted that the back-up copies of the archives of the Firm are stored for a maximum period of 10 years.
 
  1. Data Subject’s rights
    • The Data Subject can exercise the following rights vis-à-vis the Firm:
 
  1. right to access:
The Data Subject may ask, at any time, which data concerning him/her are being processed by Jenny.Avvocati, the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom data are disclosed, the period of retention or the criteria used to determine this period and their origin if the data are not collected from the Data Subject.  
  1. right to rectification:
The Data Subject may request the rectification of inaccurate data or, taking into account the purposes of the processing, the completion of incomplete personal data, as provided for by Article 16 of the GDPR.  
  1. right to erasure and right to be forgotten:
The Data Subject may request the erasure of data processed by Jenny.Avvocati in the cases provided for by Article 17 of the GDPR, e.g. when personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Jenny.Avvocati, however, will not proceed with the cancellation of the data if the processing is necessary to comply with a legal obligation to which Jenny.Avvocati is subject (e.g. keeping of accounting records) or if it is necessary for establishing, exercising or defending a right in court.  
  1. right to restriction of processing:
The Data Subject may request that data processing be restricted, in the cases provided for by Article 18 GDPR, for example when the data subject contests the accuracy of personal data, for the period necessary for Jenny.Avvocati to verify the accuracy of such data.  
  1. right to object:
The Data Subject has the right to object, at any time, to the processing of data, including profiling, which takes place on the basis of the legitimate interest; this right is however provided only for reasons related to the particular situation of the data subject, who must declare them. In case of objection, Jenny.Avvocati may continue the processing if it demonstrates the existence of compelling legitimate grounds (i) to proceed with the processing that prevail over the interests, rights and freedoms of the Data Subject or (ii) to establish, exercise or defend a right in court.  
  1. right to lodge a complaint:
The Data Subject who believes that the processing of data carried out by Jenny.Avvocati breaches the applicable legislation on the protection of personal data has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali).   For the exercise of its rights, each Data Subject may contact Jenny.Avvocati at the following address: via Durini 27, 20122 Milano, or via email: mail@jenny.it.