This Privacy Notice is provided, in compliance with articles. 13 and 14 of the EU Regulation n.  679/2016, to the users (hereinafter: “Users” or “User”) of the website www.mrla.it (hereinafter: “Site”) – owned by the Associate Law Firm Marcheselli e Roberto (which is the owner of the Processing of personal data, hereinafter: “Data Controller”) – or to those who purchase the products offered on the Site itself (hereinafter: “Customers” or “Customer”), giving their consent for a specific purpose. This information is intended to describe how the Site is managed with reference to the processing of personal data and to allow Site Users to know the purposes and methods of use of personal data by the Data Controller in the event of their provision. 

The Information is provided only for this Site and not for other websites owned by third parties, which can be accessed via links on the web pages of the Site and / or in the newsletters. Please read the privacy and cookie information of these third-party sites in relation to the processing of personal data carried out by them.

1. HOLDER OF THE PROCESSING OF PERSONAL DATA

The Data Controller of Users ‘and / or Customers’ personal data pursuant to this Privacy Policy is the Marcheselli & Roberto Legali Associati Firm based in via Tiziano 21 in Milan.

2. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The Data Controller specifies that, pursuant to and for the purposes of the Regulation, the processing of personal data of individuals takes place in compliance with the law and is based on principles of correctness, lawfulness, transparency and protection of confidentiality and fundamental rights.

3. CATEGORIES OF DATA COLLECTED AND USED BY THE DATA CONTROLLER

If you consult the Site, use the search services or register for one of the services offered by the Site, the Data Controller collects the following categories of personal data:

3.1. Personal data provided by the User and / or by the Customer

Personal data are those shared with the Data Controller, including those sent through the “Contacts – Request advice” section of the Site as well as those provided to the Firm while using the services, including the information entered by the Client on the platform during the Product purchase procedure.

Specifically, the Data Controller may acquire the following personal data:

– In the event of contact with the User and / or the Customer by e-mail, also through the “Contacts – Request a consultation” section of the Site: personal data such as name and surname, date of birth, tax code, number telephone number (where necessary), e-mail address provided by the User and / or Customer and also possibly information relating to school education or professional information, such as profession.

– In the event that the User and / or the Customer signs up for personalized marketing services (“Newsletter”): personal data (including name, surname and e-mail address), the way in which the site is accessed web, including IP address, online identifiers and browser details. Browsing behaviors or personal interests may also be provided. 

Please note that some of this information may be collected automatically in accordance with the provisions of paragraph 3.2.

The aforementioned personal data, when requested, are necessary for an adequate execution of the contract between the Data Controller and the User and / or the Customer and to allow the Data Controller to fulfill its legal obligations, except in the case in to which the consent of the interested party is the legal basis for the processing and for the legitimate interest of the Data Controller. Without these personal data,   the Data Controller may not be able to provide all the requested services

3.2. Personal data collected automatically by the Site, communications sent by the Data Controller and / or by third parties

The Data Controller collects information relating to visits to the Site and use of the Site, including the device and browser used, the IP address or domain names of the computers connected to the Site, the URI (Uniform Resource Identifier) ​​addresses of the requests made, the time of the request, the date and time of the visit, the duration of the visit, the referral site and the navigation path on the Site relating to the visit and interactions on the Site itself, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the IT environment of the User and / or of the Customer.

For more information on the purposes for which the Data Controller collects and uses this information, see paragraph 10 on Cookies of this Privacy Policy.                                   “Information relating to Cookies”. Note that personal information can also be linked to cookies, eg. to collect information on how to use the Site and the services offered therein.

The Data Controller could proceed to the automatic collection of some personal data of the User and / or the Customer, also to understand how the User and / or the Customer interacts with the communication material sent to him by the same Data Controller, for example e-mail, including the actions it performs in relation to the communications themselves, for example clicks on the links in the text of the e-mail, the duration and frequency of interactions with the e-mail itself.

To the extent permitted by applicable law, the automatic collection of the User’s and / or Customer’s personal data may also take place in the event that the Data Controller receives additional information relating to the User and / or the Customer, such as tracking information. of fraud and warnings from third party service providers and / or partners for their fraud prevention activities.

4.PURPOSE AND LEGAL BASES FOR COLLECTING PERSONAL DATA 

The Data Controller uses personal data to provide the services requested by the User and / or the Customer, send communications, report important changes to the Site and present content, promotions and offers that the Data Controller deems may be of interest to the User and / or for the Customer.

The personal data provided by Users through the use of the Site will be processed with their consent, for the purposes described below:

4.1 Provision of services accessible through the Site or the request or purchase of the services offered through the website www.mrla.it and also to allow the User / Customer to request information through the “Contact – Request a consultation” section of the site and at Data Controller to respond to related requests. 

Specifically to allow the Data Controller to   maintain  the contractual relationship established with the User and / or Customer for the supply of the requested Product and / or Service, if necessary also through any possible integration and / or modification requested by the User and / or the Customer and also for further information of the activities, events and other initiatives organized or carried out by the Data Controller or for the management and processing of questions and requests for interaction  by the User and / or Customer with the Data Controller and the subjects related to the latter’s organization. 

For the achievement of this purpose, the legal basis that justifies the corresponding data processing is the pursuit of the Data Controller’s interest in fulfilling a contract and for the execution of a service or measures connected to a contract and / or to a service.

4.2 Provision of the newsletter service. To achieve this purpose, the provision of data is not mandatory, and the legal basis that legitimizes the corresponding data processing is the express consent of the User and / or Customer. It is noted that any consent given by the User and / or Customer may always be revoked in the manner referred to in paragraph 8 below. If the User and / or Customer has not given consent or has subsequently revoked it, they will not receive the aforementioned newsletter;

4.3 Carrying out activities for marketing purposes, including the segmentation of Users, the promotion of the services provided, initiatives and activities, including by sending advertising material, commercial communications, carrying out market research, both through traditional communication tools (such as traditional mail) or remote communication tools (such as e-mail, chat, telephone, SMS and other remote communication tools). To achieve this purpose, the provision of data is not mandatory, and the legal basis that legitimizes the corresponding data processing is the consent expressed by the User and / or Customer, which can always be revoked in the manner referred to in the following paragraph. 8. The Data Controller, if the User and / or Customer has not given consent or has subsequently revoked it, will not be able to carry out the aforementioned marketing purpose.

4.4 Carrying out profiling activities in order to make promotional activities focused on the needs, habits and interests of the User and / or Customer as well as for carrying out preparatory and / or functional activities for the correct execution of such promotional initiatives, also by analyzing the types of services purchased on the Site. To achieve this purpose, the provision of data is not mandatory and the legal basis that legitimizes the corresponding data processing is the consent expressed by the User and / or Customer, which can always be revoked in the manner referred to in paragraph 8 below. The Data Controller, if the User and / or Customer has not given consent or has subsequently revoked it, will not be able to carry out the aforementioned profiling purpose towards the User / Customer;

4.5 Carrying out additional statistical analyzes and aggregative behavior on anonymous groups or to analyze the behavior of identifiable subjects, in order to analyze how the Site, the services provided therein are used and verify the performance of the related activity. The legal basis that justifies the corresponding processing of User and / or Customer data is the pursuit of the legitimate interest of the Data Controller or to improve the Site, its features and the services offered there.

4.6 Security of the Site and the systems used by the Data Controller to maintain the security of the Site and the systems used by the Data Controller for the provision of services and to prevent and identify any fraud, security incidents and / or other crimes. The legal basis that justifies the corresponding processing of User and / or Customer data is the pursuit of the legitimate interest of the Data Controller or to ensure the security of the Site and systems.

4.7 Compliance with legal obligations or orders from public authorities, in relation to the data provided by the User and / or  Customer.

 The legal basis that justifies this purpose is the fulfillment of a legal obligation. Consequently, the processing of the aforementioned data is mandatory, it being understood that it is data provided by the User / Customer for the fulfillment of one of the previous purposes.

4.8 Verification of compliance and legal actions necessary to ascertain compliance with the General Conditions of Sale and for the assessment, exercise or defense of a right in court.

5. COMMUNICATION OF PROCESSED DATA

The Data Controller shares personal data, for the purposes described in this Privacy Notice, with the following categories of recipients:

– its employees and / or authorized collaborators who provide assistance and consultancy services in the areas of administration, legal consultancy, IT systems, as well as to the personnel in charge of maintenance of the network and hardware and software equipment of the Data Controller;

– the competent authorities, if required by the legislation in force;

– the competent authorities and third-party authorities in charge of law enforcement, if this is necessary in order to apply the General Conditions of Sale as well as protect and defend the rights or property of the Data Controller or the rights and property of third parties;

– third parties who receive the data (eg business consultants, professionals in the provision of tax verification services, “due diligence” or qualified to estimate the value and capabilities of the business), if necessary in relation to sales of the activities or assets of the Data Controller (eventuality in which the data will be communicated to the consultants of the Data Controller and to the consultants of any potential buyer and will be transferred to the new owners);

It should be noted that the personal data collected may also be processed by subjects or categories of subjects acting as Data Processors pursuant to art. 28 of the EU Regulation no. 679/2016 or who are authorized to process data pursuant to art. 29 of the EU Regulation no. 679/2016 679/2016.

Lastly, it should be noted that the Data Controller for some services may communicate the data to companies that collaborate or use the services of the Data Controller with the sole intention of providing the services requested by the User and / or Customer. In these cases, the companies are autonomous owners of the processing of personal data, therefore the Data Controller is not responsible for their processing by them. Furthermore, the Data Controller is not responsible for the contents and compliance with the legislation on the protection of personal data by sites not managed by the same.

The complete list of subjects to whom personal data may be disclosed is available at the registered office of the Data Controller and can be requested by writing to: info@mrla.it

6. DATA TRANSFER

The Data are processed at the operational headquarters of the Data Controller. For further information, you can contact the Data Controller at the addresses indicated in paragraph 9. The Data may be processed by natural persons and / or legal entities operating on behalf of the Data Controller and by virtue of specific contractual obligations and based in EU or non-EU member countries. In the event that the Data is transferred outside the European Economic Area (EEA), the Data Controller will take all appropriate contractual measures to ensure adequate data protection. 

If the User wishes further details relating to the safeguard measures put in place, it is possible to contact the Data Controller by writing to: info@mrla.it

7. METHOD OF TREATMENT AND STORAGE OF PERSONAL DATA

The Data Controller ensures that personal data will be processed in full compliance with EU Regulation no. 679/2016, through manual, computerized or telematic systems and, where necessary, in paper format and will be stored in the database of the Data Controller, protecting the privacy and rights of the User and / or the Customer through the adoption of appropriate technical measures and organizational to ensure a level of security appropriate to the risk. The processing can also be carried out through automated tools designed to store, manage and transmit the data.

The data collected and processed will be protected with physical and logical methods such as to minimize the risks of unauthorized access, dissemination, loss and destruction of data, pursuant to art. 25 and 32 of EU Regulation no. 679/2016.

It is noted that pursuant to art. 7 paragraph 3 of the EU Regulation no. 679/2016, the interested party has the right to obtain the revocation of consent to the processing of personal data at any time.

If a request for cancellation is not received by the Data Controller, the personal data will be kept by the latter for as long as necessary to achieve the purposes and perform the activities described in this Privacy Policy, or as otherwise communicated to the User and / or to the Customer, or for the time allowed by the applicable legislation.

The information relating to the retention period of personal data by the Data Controller is specified below:

– Data relating to purchases made on the Site (name and surname, address, contact information, etc.): Retention terms 10 years from the date of purchase.

– Contractual documents: Retention terms 10 years from the date of purchase.

– Credit card data in clear text: Retention terms not kept.

– Financial / transaction information: Retention terms 10 years from the completion of the financial transaction.

– Data relating to verifications for the detection of fraudulent transactions (anti-fraud): Retention terms 5 years from the rejection of the transaction.

– Data used for marketing purposes (data subject to the consent of the User and / or the Customer and used for marketing activities towards them): Retention period 5 years starting from the granting or renewal of consent by the User and / or Customer through interaction with marketing communications.

The following retention terms apply to personal data collected through tags:

– Technical cookies: Maximum storage term of 3 years, starting from the date of navigation on the Site.

– Non-technical cookies: Maximum storage term of 1 year, starting from the date of consent of the interested party.

8.  RIGHTS TO DATA PROTECTION AND METHOD OF EXERCISING THE SAME 

The User and / or Customer has the possibility to exercise at any time the rights guaranteed by articles 15 to 22 of EU Regulation no. 679/2016 by contacting the Data Controller by e-mail at the address: info@mrla.it.

In particular, the User and / or Customer may exercise the following rights:

– Right of access: receive confirmation of the existence of personal data, access their content and obtain a copy.

– Right of rectification: to update, rectify and / or correct personal data.

– Right to cancellation / right to be forgotten and right to limitation: request the deletion of data or the limitation of data that have been processed in violation of the law, including those that do not need to be archived for the purposes for which the data are been collected or processed; if the personal data have been made public, the User also has the right to request the deletion of personal data and the adoption of reasonable measures, including technical ones, to inform the other data controllers who are processing the personal data of the request for delete any link, copy or reproduction of such personal data.

– Right to data portability: to receive in a simple and machine-readable format a copy of the personal data provided to the Data Controller for the purposes of a contract or with the User’s consent and to ask to transfer such personal data to another data controller.

– Right to withdraw consent: in the event that the Data Controller depends on the User’s consent, the latter will always have the possibility to withdraw this consent, although the Data Controller may have other legal bases for the processing of the aforementioned data for other purposes.

– Right to object, exercisable at any time: right to object at any time to the processing of personal data in certain circumstances (in particular in cases where it is not necessary to process the data to meet contractual or legal requirements), or if the Law Firm you use this data for direct marketing activities.

– Right not to be subjected to a decision based solely on automated processing, including profiling: it is always possible to request that a manual decision-making process be carried out, express one’s opinion or contest decisions based solely on automated processing, including profiling, if such decisions produce legal or other similar effects.

– Right to lodge a complaint with the Privacy Guarantor as supervisory authority for the protection of personal data, if you believe that your personal information has been handled incorrectly.

9. CONTACT DETAILS OF THE DATA CONTROLLER

The contact details of the Data Controller referred to above are:

Marcheselli & Roberto Legali Associati Firm based in via Tiziano 21 in Milan.

10. INFORMATION RELATING TO COOKIES

For any information relating to cookies, please refer to the appropriate Cookie Policy.

11. UPDATE AND PREVIOUS VERSIONS OF THIS PRIVACY NOTICE

The Data Controller reserves the right to make changes to this Policy Information at any time by giving notice to Users and / or Customers on this page. Therefore, the Data Controller reserves the right to modify this Privacy Notice at any time in accordance with this paragraph. If the Data Controller makes changes to this Privacy Notice, it will publish the revised Privacy Notice on the Site and insert the “last updated” date at the bottom of this Privacy Notice.

Privacy Notice updated to October 2022