INFORMATION NOTICE ON PERSONAL DATA PROCESSING
In accordance with Regulation (EU) 2016/679 (the “GDPR”), “Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”, we, Ichino-Brugnatelli e Associati Law Firm, an association of lawyers with registered office in Milan, at 31, via Lorenzo Mascheroni, whose tax code and VAT number is 04628580153, in our capacity as Data Controller (the “Firm” or the “Controller”), together with the individual Partners of the Firm (whose names are listed on the Firm’s site www.ichinobrugnatelli.it), hereby inform you, pursuant to Articles 13 and 14 of the GDPR, that some of your personal data, including those belonging to the particular categories referred to in Articles 9 or 10 of the GDPR, may be processed after being collected either directly from you (as “Data Subject”), even verbally, or from people authorized by you or from third parties (“Data” and “Processing”).
• Processed Data and their sources
We will process the Data only to the extent necessary to fulfil precise purposes related to the assignment received by you, the conclusion, performance or termination of a contract with you/the entity or organization in whose interest you act, and/or the communication of activities carried out by the Firm. The Data may include, without limitation, biographical, contact, fiscal, social contribution-related, welfare, tax, employment, banking information (“personal data”), as well as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data, data relating to Data Subject’s health, sex life or sexual orientation (“special categories of personal data”), and also data relating to criminal convictions and offences or the related security measures (“judicial data”).
The Data may be collected from a variety of sources: most of the Data are provided – either orally or in writing – directly by you or by persons authorized by you for this purpose (for example: labour consultants, accountants, previously contacted lawyers, etc.); other Data may be obtained by the Firm by accessing sources and/or databases indicated by the Data Subject, or other sources and/or public databases, or sources to which the Firm has independent access; other Data may also be disclosed to the Firm by third parties, such as, for example, consultants and attorneys.
• Processing purposes and legal bases
In any case, the Data will be processed for the following purposes (the “Purposes”):
(i) For the conclusion, performance or termination of a contract with you or the entity or organization in whose interest you act, including invoicing requirements. Data will be processed in compliance with article 6 paragraph 1 letter b) of the GDPR, based on the way the contractual relationship is to be developed, to fulfil obligations under the law pursuant to article 6 paragraph 1 letter c) of the GDPR or based on your consent pursuant to article 6 paragraph 1 letter a) of the GDPR.
In any case, it is agreed that the Firm will be allowed to use your personal Data to achieve an interest of its own under the law, in the ways and within the boundaries referred to by article 6 paragraph 1 letter f) of the GDPR.
Data provision is required to the extent that is necessary under the legal and contractual obligations related to the agreement between us, and therefore any refusal to provide them or opposition to subsequent processing may make it impossible for the Firm to execute the said agreement.
(ii) Furthermore, your Personal Data (and, in particular, your name, surname, home address and e-mail address) may be processed for information, training and promotional purposes of the Firm, such as Firm newsletter subscription or training event invitations. In this sense, the processing is entirely optional and will take place exclusively within the limits of the existence of a legitimate interest of the Firm under Article 6, paragraph 1, letter f) of the GDPR and as long as you provide your consent in accordance with Article 6, paragraph 1, letter a) of the GDPR.
• The subjects involved in Data Processing and Communication
The processing will be performed directly by the Firm or by individual professionals of the Firm, as Controllers or joint controllers: the recipients of your Personal Data may also include other authorized persons, such as collaborators within the Firm, office staff and employees dedicated to specific functions related to the management of the Firm, who are constantly identified, properly trained and made aware of the limits imposed by the GDPR.
In processing your data, the Firm may also avail itself of vendors such as companies specializing in the provision of IT services in the field of electronic communications, including management of personal data and databases, storing, invoicing and accounting, who will be appointed Data Processors for this purpose under Article 28 of the GDPR. The full list of the Data Processors appointed by the Firm pursuant to article 28 of the GDPR is always available and can be requested by sending an e-mail to firstname.lastname@example.org.
Without prejudice to the communications and disclosures made in compliance with strict obligations under the law and EU regulations, the Data may be communicated in Italy to the following categories of subjects:
– banking institutions;
– debt collection companies;
– credit insurance companies;
– computer consultancy firms;
– marketing agencies;
– individuals, companies, associations or firms that provide services or activities of assistance and consultancy to our Firm, with particular reference, without limitation, to accounting, administrative, tax and financial matters.
Where it is necessary to involve a third-party professional in the assignment of consultancy and/or assistance and/or representation given by the Data Subject to the Firm/individual professionals of the Firm, the collaboration between the said third party and the Firm may only be started subject to prior consent given by the Data Subject, and the third party shall act, together with the Firm, as Data Controller or Data Processor pursuant to article 28 of the GDPR.
If a Data Processing Officer (“DPO”) is appointed by the Firm, the identification data of the same will be disclosed and published, supplementing this information notice.
• Data Retention
The Data will be processed in Italy by the Firm or at the places where the individual Processors are located. Processing by Processors established in non-European countries is not foreseen. The Firm will process the Data for the entire duration of the assignment and until it ends.
Subsequently, the data will be stored, in compliance with the law, for a period of 10 years after the end of the assignment, after which the Firm will anonymize and/or delete all personal data of the Data Subject, except in case the Data need to be retained for a longer period where this is necessary for purposes of judicial defense of the Firm and/or individual professionals (judicial exception).
• Data Subject Rights and their exercise
In accordance with articles 13, paragraph 2, letters (b) and (d), 15, 16, 17, 18, 20, and 21 of the GDPR, please be informed that, as Data Subject, you are entitled at any time:
(i) to access the collected Personal Data and request any updating, rectification, integration, cancellation, and to object to or restrict their processing;
(ii) to revoke the consent given under Article 6 paragraph 1 letter a) of the GDPR, if the consent is a legal basis of the processing, without prejudice to the lawfulness of the processing based on the consent given before its revocation;
(iii) to lodge a complaint with the Authority for the protection of personal data, following the procedures and indications published on the official website of the Authority at www.garanteprivacy.it.
The exercise of these rights is not subject to any formal requirement and is free of charge.
To this end, you may contact the Firm and, specifically, our Privacy Contact at the following email address: email@example.com.
In the event of a request for limitation of the processing of the Data provided, opposition to their processing, cancellation of the same, or revocation of consent, the Data Controller may reserve the right to retain certain data of the Data Subject to the extent that such data are necessary for the «execution of the contract», for «fulfilling obligations under the law» or for the protection of «the rights of a natural or legal person» under the law.
Last update – June 2018
Studio legale Ichino Brugnatelli e Associati