Privacy Notice on the Processing of Personal Data
pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018
Data Controller
The Data Controller is Della Vecchia Marrocco Associati Studio Legale, with registered office at Via Vincenzo Bellini 20, Rome, Tax Code/VAT No. 18411071006, represented by Roberto Della Vecchia.
You may contact us by e-mail at info@dvma.it or by certified e-mail (PEC) at dvma@legalmail.it.
In the text below, we will refer to ourselves simply as “the Firm”.
Who This Privacy Notice Applies To
This privacy notice concerns two distinct channels through which the Firm collects personal data.
The first concerns the website and digital contacts: it applies to anyone visiting our website, requesting informational materials, or submitting an application.
The second concerns professional engagements: it applies to all natural persons whose personal data are received by the Firm within the scope of professional relationships established with the Firm. This category includes contact persons, legal representatives, directors, employees, and collaborators of clients — primarily companies — our clients’ counterparties and their advisors to the extent necessary for the management of the proceedings, as well as third parties whose data is communicated to us by the client in the performance of our engagement.
This notice is also provided pursuant to Article 14 GDPR to persons who have not provided their data directly to us, but whose data have been communicated to us by the client within the scope of the engagement.
It should be noted that the GDPR protects natural persons only: even where the client is a legal entity, the Firm processes the personal data of the natural persons acting on its behalf or involved in matters relating to the engagement.
What Data We Process
Data Collected Through the Website
When you visit our website, the IT systems automatically acquire certain browsing data — IP addresses, browser type, operating system, pages visited, duration of the visit — the transmission of which is implicit in the use of Internet protocols.
If you contact us through the website, we collect the data voluntarily provided by you: name, surname, e-mail address, telephone number, and the content of your request. Individuals requesting informational materials provide their e-mail address and communication preferences. Applicants submitting job applications provide their resume and educational and professional information.
Data Collected Within the Scope of Professional Engagements
During the engagement, we process broader categories of data. First of all, identification and contact details of the client’s corporate representatives and counterparties: name, surname, role, e-mail address, telephone number, address, and certified e-mail address (PEC). We also process tax and corporate data such as tax code, VAT number, notarial deeds, and company register extracts, as well as documents relating to the engagement — correspondence, legal and factual information necessary for the professional services — and relevant financial and accounting data such as bank statements, contracts, invoices, and accounting documentation.
Where necessary for legal defense in judicial proceedings, and only in the cases permitted under Article 2-octies of Legislative Decree No. 196/2003, we may also process judicial data. Finally, only where strictly necessary for the provision of the services — for example health data in employment disputes or data relating to criminal proceedings — we may process special categories of personal data (“sensitive data”), in compliance with the enhanced conditions set out in Articles 2-sexies and 2-septies of Legislative Decree No. 196/2003 and the corresponding GDPR provisions.
Data relating to professional engagements may originate directly from the data subject, from the client granting the mandate, from public sources (registers, institutional databases, court filings), from judicial or administrative authorities, or from third parties involved in the proceedings.
Purposes and Legal Bases for Processing Your Data
Processing is lawful only where at least one of the legal bases provided under Article 6 GDPR applies. Below we explain the purposes pursued and the corresponding legal basis.
Processing Related to the Website
Requests for contact and legal advice received through forms or other digital channels are handled on the basis of Article 6(1)(b) GDPR, as they concern pre-contractual measures taken at the request of the data subject. The technical operation of the website, cybersecurity, and prevention of cybercrime are based on the legitimate interest of the Data Controller pursuant to Article 6(1)(f) GDPR. The sending of newsletters, legal updates, and informational communications takes place exclusively on the basis of the data subject’s consent, which may be withdrawn at any time pursuant to Article 6(1)(a) GDPR. The assessment of applications for professional positions is based on the pre-contractual measures referred to in point (b), supplemented, for unsolicited CVs, by Article 111-bis of Legislative Decree No. 196/2003.
Processing Related to Professional Engagements
The performance of the professional engagement — including management of the mandate, drafting of documents, judicial and extrajudicial assistance, legal advice, negotiation, arbitration, and alternative dispute resolution procedures — is based on the performance of a contract pursuant to Article 6(1)(b) GDPR.
In order to comply with legal obligations binding upon us — anti-money laundering laws (Legislative Decree No. 231/2007), tax and accounting obligations, professional obligations towards the National Bar Council (CNF) and the competent Bar Association — processing is based on Article 6(1)(c) GDPR.
Legal defense in judicial proceedings and the protection of rights, including the filing of documents in proceedings where we act in the interest of the client, are based on the legitimate interest of the Data Controller or the client pursuant to Article 6(1)(f) GDPR, together with Article 2-octies of Legislative Decree No. 196/2003 for judicial data. Administrative and accounting management — invoicing, payments, file archiving — is based on points (b) and (c) of the same Article. Operational management and cybersecurity are based on the legitimate interest of the Data Controller pursuant to point (f). Finally, the sending of legal newsletters, circulars, and regulatory updates to clients who have provided consent is based on Article 6(1)(a) GDPR, with the right to withdraw consent at any time.
Where the professional engagement requires the processing of special categories of data — health, genetic, biometric data, data relating to sexual orientation, political opinions, or religious beliefs — the legal basis is Article 9(2)(f) GDPR (processing necessary for the establishment, exercise, or defense of legal claims), supplemented by Articles 2-sexies and 2-septies of Legislative Decree No. 196/2003. In employment law matters, Article 9(2)(b) GDPR may also apply.
Browsing data may be used to ascertain liability in the event of hypothetical cybercrimes against the website, and the relevant processing is based on Article 6(1)(f) GDPR.
Principles Governing Our Processing Activities
All processing carried out by the Firm complies with the six fundamental principles set out in Article 5 GDPR. We process your data lawfully, fairly, and transparently, on the basis of a legitimate legal ground. We collect data for specified purposes and do not use them for purposes incompatible with those originally intended. We collect only strictly necessary data, limiting internal access according to the need-to-know principle. We update data where they prove inaccurate or incomplete. We retain them only for the period strictly necessary and adopt appropriate technical and organizational measures to prevent unauthorized access, loss, or destruction.
The Data Controller is responsible for compliance with all these principles and may prove compliance — pursuant to the accountability principle under Article 5(2) GDPR — through the adoption of internal policies.
With Whom We Share Your Data
Personal data may be disclosed, within the limits strictly necessary for the purposes indicated above, to the following categories of recipients: employees and collaborators of the Firm, authorized to process data within the scope of their duties; external professionals and consultants — co-counsel, technical consultants, notaries, translators, accountants — appointed, where applicable, as data processors pursuant to Article 28 GDPR; counterparties and their legal counsel, solely within the limits imposed by the engagement and the proceedings; judicial and administrative authorities pursuant to legal obligations or in the performance of the mandate; IT and cloud service providers, appointed as data processors under agreements compliant with Article 28 GDPR; professional bodies and the National Bar Council (CNF) where required by professional regulations; banks and insurance companies strictly to the extent necessary for the performance of the engagement.
Data are not disclosed to unspecified persons nor transferred to third parties for commercial purposes.
International Transfers and Cloud Services
Cloud Services with Servers Located in the European Union
The Firm uses cloud services for file management, e-mail, and document archiving. The servers hosting the data are located within the European Union: in this case, no transfer to third countries within the meaning of the GDPR occurs, since EU legislation applies uniformly in all Member States. Cloud providers guarantee the adoption of appropriate security measures pursuant to Article 28 GDPR, compliance with the principles of privacy by design and privacy by default under Article 25 GDPR, and the prohibition on using data for their own purposes, including the training of artificial intelligence systems.
Possible Transfers Outside the European Union
No systematic transfer of data to third countries is currently envisaged. However, within the framework of specific engagements — assistance in international arbitration proceedings, relationships with foreign correspondent law firms, cross-border corporate matters — it may become necessary to transfer data outside the EU. In such cases, transfers shall take place exclusively where an adequacy decision has been adopted by the European Commission for the destination country, or through appropriate safeguards such as the Standard Contractual Clauses adopted by the Commission or Binding Corporate Rules, or on the basis of one of the derogations under Article 49 GDPR — including transfers necessary for the establishment, exercise, or defense of legal claims. Where practicable, the data subject shall be informed in advance of any extra-EU transfer specifically connected with their engagement.
Professional Secrecy
The processing of personal data is carried out in full compliance with legal professional privilege and the ethical obligations binding lawyers under the legal profession framework. Data acquired within the scope of the mandate are processed confidentially and are not disclosed beyond what is strictly necessary for the performance of the engagement. Employees and collaborators of the Firm who become aware of personal data in the course of their duties are likewise bound by confidentiality obligations.
Data Retention Periods
We retain personal data only for the period strictly necessary to achieve the purposes for which they were collected, in accordance with Article 5(1)(e) GDPR.
Data processed for the performance of the engagement and for legal defense in judicial proceedings are retained for the entire duration of the engagement and subsequently for the ordinary statutory limitation period of ten years, unless longer retention periods are required by specific laws or professional obligations. Data subject to anti-money laundering obligations are retained for ten years following termination of the professional relationship pursuant to Legislative Decree No. 231/2007. Data necessary for tax and accounting obligations are retained for ten years from the recording of the relevant transactions. Data processed for the protection of legal rights are retained for the period necessary to conclude the proceedings, including any appeals.
Access logs and data relating to operational management and cybersecurity are retained for no longer than 12 months from their recording, unless required for the management of an ongoing incident or related judicial or administrative proceedings, in which case retention is extended until their conclusion.
Newsletter subscribers’ e-mail addresses are retained until consent is withdrawn.
Upon expiry of each retention period, data are deleted or irreversibly anonymized.
Security Measures We Adopt
We adopt appropriate technical and organizational measures to ensure the security of personal data pursuant to Article 5(1)(f) GDPR. In particular: access to data is limited to authorized personnel through individual credentials; password management policies and multi-factor authentication are applied; regular backups are performed with restoration testing; agreements with cloud providers include verifiable security obligations; we maintain data breach management procedures, including notification to the Italian Data Protection Authority within 72 hours where required under Article 33 GDPR and communication to data subjects in the cases provided for by Article 34 GDPR.
The Firm exclusively adopts document-sharing systems with controlled and traceable access.
Your Rights
Pursuant to Articles 15–21 GDPR, you have a number of rights in relation to the processing of your personal data.
You may access your data and obtain confirmation as to whether processing concerning you is taking place, free of charge and with a response within 30 days (Article 15 GDPR). You may request rectification where data are inaccurate or incomplete (Article 16 GDPR). In the cases provided for by law, you may request deletion — the so-called right to be forgotten — for example where data are no longer necessary in relation to the purposes for which they were collected or where you withdraw consent, subject to balancing against other rights such as legal obligations, defense in judicial proceedings, and professional secrecy (Article 17 GDPR). You may also request restriction of processing in certain circumstances, such as where you contest the accuracy of the data or await verification of an overriding interest (Article 18 GDPR).
Where processing is based on consent or a contract and carried out by automated means, you have the right to data portability: you may receive your data in a structured, commonly used, and machine-readable format — for example a .csv file — and transmit them directly to another controller (Article 20 GDPR). You may object to processing based on legitimate interest unless compelling legitimate grounds prevail on the part of the Data Controller (Article 21 GDPR). Where processing is based on your consent, you may withdraw such consent at any time without affecting the lawfulness of processing carried out before withdrawal (Article 7 GDPR). Finally, you may lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it), without prejudice to any other remedies.
Limitations in the Professional Context
The exercise of certain rights — particularly deletion and portability — may be restricted or deferred to the extent necessary for the defense of legal claims, compliance with legal obligations, or protection of professional secrecy pursuant to Article 2-undecies of Legislative Decree No. 196/2003 and Article 23 GDPR.
To exercise your rights, you may contact us at dvma@legalmail.it. We will respond within 30 days of receipt; where particular complexity arises, we will inform you within the same period of the new deadline.
Data of Third Parties Communicated by the Client
Within the scope of a professional engagement, the client — typically a company — may communicate to us personal data relating to its employees, directors, suppliers, counterparties, or other third parties. In such cases, the client is required to have fulfilled the information obligations towards such persons pursuant to Articles 13 and 14 GDPR and to ensure that the disclosure to the Firm has a lawful legal basis. The Firm shall process such data exclusively within the scope of the engagement received and shall inform the relevant third parties where reasonably practicable and where this does not prejudice the mandate, pursuant to Article 14 GDPR. For data received within judicial or arbitral proceedings, information to third parties may be provided in the forms and within the timeframes established by the applicable procedural rules.
Automated Decision-Making Processes
The Firm does not carry out processing based solely on automated decision-making, including profiling, producing legal effects concerning the data subject or similarly significantly affecting them (Article 22 GDPR).
Updates to This Privacy Notice
This privacy notice may be updated in the event of relevant legal, organizational, or technological changes. The current version is always available on the Firm’s website and, upon request, at its offices.
Version: 1.0 — Date: 20 April 2026
This privacy notice has been drafted in compliance with Articles 13 and 14 GDPR, the principles set out in Article 5 GDPR, and the supplementary provisions of Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018.