Pursuant to Article 13 of EU Regulation 2016/679 – GDPR, as supplemented by Article 13 of Italian Law No. 132 of 23 September 2025 on Artificial Intelligence.
With this notice, provided pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 and, where applicable, pursuant to Article 13 of Italian Law No. 132 of 23 September 2025 on Artificial Intelligence (General Data Protection Regulation – GDPR), the Studio Legale Grompe Redaelli e Associati (hereinafter, the “Firm”) informs the data subject regarding the methods of processing their personal data within the context of the existing professional relationship.
Data ControllerThe Data Controller is the Studio Legale Grompe Redaelli e Associati (the Firm), with registered office at Corso Italia No. 8, 20122 Milan (MI), email address: privacy@studiogra.it.
The Firm has not appointed a Data Protection Officer (DPO), as the conditions set forth in Article 37 of the GDPR do not apply. For any questions regarding the processing of personal data, please contact the Firm at the email address provided above.
Personal Data ProcessedWithin the scope of the professional relationship, the Firm will process, as applicable, the following categories of personal data (Data) relating to the data subject (Data Subject) or, where applicable, to third parties represented by the Data Subject or with whom the Data Subject collaborates, whose data are provided to the Firm (Third Parties Represented by You):
– “general data”: personal details, identification information, contact details, banking information, and tax information;
– data relating to the Data Subject’s employment or collaboration relationship;
– any other personal data related to the performance of the professional mandate and contractual obligations with the Firm.
Where the nature of the professional engagement requires the processing of special categories of data pursuant to Art. 9 of the GDPR (e.g., data relating to health, ethnic origin, religious beliefs, or judicial or criminal proceedings), such data will be processed only to the extent strictly necessary for the exercise or defense of a legal claim in court, pursuant to Art. 9(2)(f) of the GDPR, or upon the explicit request and consent of the Data Subject.
In the event that the Data Subject provides the Firm with personal data of third parties represented by you (e.g., employees, collaborators, or members of corporate bodies), we invite you to provide or communicate this privacy notice to such individuals before transmitting their data.
Purposes of processing and legal basesPurpose I – Performance of the professional relationship and compliance with legal obligations
The Data will be processed for the following purposes:
– fulfillment of contractual, administrative, accounting, and tax obligations arising from the professional relationship with the Firm (legal basis: Art. 6(1)(b) of the GDPR – performance of a contract to which the Data Subject is a party);
– compliance with legal obligations to which the Firm is subject, including anti-money laundering, tax, and professional regulations (legal basis: Article 6(1)(c) of the GDPR – compliance with a legal obligation).
The provision of Data for the purposes set forth in Purpose I is necessary: any refusal or partial objection to the processing does not allow the Firm to establish or fully execute the professional relationship.
Purpose II – Communication and promotion of the Firm’s activities
Subject to the Data Subject’s express consent, the Data will be processed for:
– sending newsletters, updates on regulatory and case law developments, and information on events and seminars organized by the Firm (legal basis: Article 6(1)(a) of the GDPR – consent of the Data Subject).
The provision of Data for Purpose II is optional. Consent may be withdrawn at any time, without prejudice to the lawfulness of the processing carried out prior to withdrawal, by sending a notice to privacy@studiogra.it.
Methods of ProcessingThe Data has been collected, or will be collected, directly from the Data Subject, or has been or will be obtained in the context of professional relationships with the Third Parties you represent.
The processing will be carried out using manual, paper-based, and electronic tools, with or without the aid of automated processes, through systems suitable for securely storing, managing, and transmitting the Data. The processing includes all necessary operations, including the communication of the Data to the parties indicated in point 5.
The Firm excludes any profiling activities and any decision-making processes based exclusively on the automated processing of Data (Art. 22 GDPR). The possible use of artificial intelligence tools as professional support instruments does not constitute automated decision-making within the meaning of the aforementioned Art. 22 GDPR, as the final assessment always remains with the Firm’s legal professionals.
The measures adopted are suitable for ensuring the security and confidentiality of the Data, in compliance with the technical and organizational measures referred to in Art. 32 GDPR.
Use of Artificial Intelligence SystemsIn the course of its professional activities, the Firm may use artificial intelligence systems (hereinafter, “AI Tools”) as support instruments for activities such as legal research, document analysis, and assisted drafting. Pursuant to Article 13 of Italian Law No. 132 of 23 September 2025, the use of AI Tools is exclusively auxiliary in nature: intellectual work, critical assessment, and professional responsibility remain with the Firm’s legal professionals, who review and supervise the outputs produced by AI Tools before using them in the context of the engagement.
Where personal Data is processed through AI Tools, such processing is carried out in compliance with Regulation (EU) 2016/679 (GDPR) and Regulation (EU) 2024/1689 (EU AI Act). The Firm adopts appropriate contractual and technical measures to ensure that personal Data is not used to train or improve providers’ AI models, unless the Data Subject’s explicit consent has been obtained or a specific contractual arrangement provides otherwise.
The Firm verifies that any AI Tools it adopts do not qualify as high-risk AI systems under Annex III of Regulation (EU) 2024/1689. In any event, no individual decision based solely on automated processing that produces legal effects or significantly affects the Data Subject is taken (Art. 22 GDPR). A list of the principal AI Tools in use and their respective providers may be requested by writing to privacy@studiogra.it.
Disclosure of Data and Data ProcessorsThe Data will be processed by the Firm’s professionals and employees authorized to process it pursuant to Art. 29 of the GDPR, who operate in accordance with the instructions provided regarding data protection and confidentiality.
The Data may be disclosed to service providers that the Firm has appointed or will appoint as Data Processors pursuant to Art. 28 of the GDPR and that offer sufficient guarantees of processing in compliance with applicable provisions. The updated list of Data Processors may be requested by writing to privacy@studiogra.it.
The Data will not be disclosed. However, it may be disclosed, within the limits provided by law, to judicial and supervisory authorities, public bodies, and agencies, in compliance with legal obligations or in execution of official orders.
Transfer of Data to Third CountriesData processing generally takes place on servers located at the Firm or, via cloud services, on servers of service providers that may be located both within and outside the European Economic Area (EEA).
In cases where Data is transferred to third countries not covered by an adequacy decision of the European Commission, the transfer is carried out in accordance with the appropriate safeguards provided for in Article 46 of the GDPR, in particular through Standard Contractual Clauses (SCCs) adopted by the European Commission’s decision of June 4, 2021 (2021/914/EU), or through other transfer mechanisms compliant with the GDPR as applicable from time to time. Further information on the safeguards adopted may be requested at privacy@studiogra.it.
Data Retention PeriodData processed for the purposes set forth in Purpose I will be retained for the entire duration of the professional relationship with the Firm and, following its termination, for a period corresponding to the statute of limitations established by applicable law and, in any case, for a period of no less than ten years, in accordance with the record-keeping obligations provided for in Article 2220 of the Italian Civil Code.
Data processed for the purposes set forth in Purpose II will be retained until the Data Subject revokes consent, subject to the retention obligation for any purposes of legal defense.
Rights of the Data SubjectThe Data Subject and, where applicable, the Third Parties you represent may exercise the following rights recognized by the GDPR with respect to the Firm:
|
“right of access”: |
to obtain confirmation at any time as to whether or not Data is being processed and, if so, to receive information regarding such processing (Art. 15 GDPR); |
|
“right to rectification”: |
to obtain, without undue delay, the rectification of inaccurate Data or its completion (Art. 16 GDPR); |
|
“right to erasure”: |
to have the Data erased without undue delay, in the cases provided for in Art. 17 GDPR; |
|
“right to restriction”: |
to have processing restricted to storage only, in the cases provided for in Art. 18 of the GDPR; |
|
“right to data portability”: |
to receive the Data in a structured, commonly used, and machine-readable format, and to have the Data transmitted to another data controller designated by you, where technically feasible (Article 20 of the GDPR); |
|
“right to object”: |
to object at any time to the processing of the Data for reasons related to your particular situation (Article 21 of the GDPR); |
|
“right to withdraw consent”: |
to withdraw at any time any consent given for Purpose II, without this affecting the lawfulness of the processing carried out prior to the withdrawal (Art. 7, para. 3, GDPR). The withdrawal may be sent to privacy@studiogra.it. |
To exercise the rights listed above, the Data Subject may send a written request to the email addressprivacy@studiogra.it .
The Firm will generally respond within thirty days of receiving the request; this period may be extended by an additional two months in the event of complex or numerous requests, provided the Data Subject is notified within the first month (Art. 12, para. 3, GDPR).
The Data Subject also has the right to lodge a complaint with the competent supervisory authority. In Italy, the competent authority is the Italian Data Protection Authority, located at Piazza Venezia n. 11, 00187 Rome – www.garanteprivacy.it.