Privacy Policy


Toffoletto De Luca Tamajo e Soci (hereinafter, also, the «Data Controller»), as data controller wishes to inform you, as Data Subject, pursuant to the applicable law on personal data protection, including the European Regulation 679/2016 concerning the protection of personal data (the «Regulation»), that the personal data provided by you during the establishment of the contractual relationship and during its execution, will be processed in compliance with the legislative and contractual provisions in force for the purposes and with the modalities indicated here below. In some circumstances, some data may also be collected from third parties, where necessary and always in compliance with applicable legislation.

1.     Identity and contacts of the Data Controller 

The Data Controller is Studio Toffoletto De Luca Tamajo e Soci, with registered office in Via Rovello 12, 20121, Milan, certified e-mail address:

2.     Purposes and legal grounds for processing

a)   Personal data will be processed, through IT and paper systems, with the specific purpose of fulfilling the obligations deriving from law and from the engagement - including anti-money laundering regulations pursuant to Legislative Decree February 3, 2006, No. 141 - and to provide the advice and the legal assistance requested to the Data Controller. The data processing for these purposes is needed and any refusal to provide such data implies the impossibility of fulfilling the obligations deriving from law and from the engagement, with the further consequence that it will not be possible to proceed with the engagement. Moreover, even during the performance of the engagement, the request to delete the data needed for the performance of the obligations deriving from the engagement and the law, or the refusal to provide them, determines the impossibility of providing the assistance required.

b)   The data provided may also be used to carry out information and updating activities, by sending newsletters and invitations to seminars and conferences and to carry out marketing activities, by sending communications on products or services offered by the Data Controller and to allow the Data Subject to use the app of Studio Toffoletto De Luca Tamajo and Partners and Law Maps™. The communication of your personal data for these purposes is facultative and not providing them will result only in the impossibility of processing the data for the above mentioned information, updating and marketing purposes.

3.     Data collected and processed 

For the purposes set out in point 2.a., the Data Controller may process:

  •  identification data and contacts communicated by the Data Subject: name and surname or business name, fiscal code or VAT registration, residence or registered office, email address, telephone number;
  • personal data of a judicial nature, relating to judicial proceedings or, in any case to disputes, even of out-of-court nature, in which the Data Subject is involved;
  • data relating to the business organization of the Data Subject and personal data of the Company’s staff, which are necessary for fulfilling the obligations arising from the engagement (advice and legal assistance and/or payroll processing) and thus, by way of mere example: common data (identification data, tax and administrative data referred to the registration of the working time, remuneration data, data related to permits and leaves, judicial data, data relating to judicial proceedings or, in any case, to disputes of any nature); special categories of personal data pursuant to Article 9, Paragraph 1 of the GDPR, which are, by way of example: personal data revealing racial or ethnic origin, political opinions, religious or philosophical convictions, or union membership, genetic data, biometric data intended to identify unambiguously an individual, data relating to the health or sexual life or sexual orientation of a person.

According to Article 6, Paragraph 1, letters b) and c) of the GDPR, the processing of the data provided is lawful as it is necessary for the execution of the existing engagement and to fulfil the legal obligations to which the Data Controller is subject.

Pursuant to Article 9, Paragraph 2, letter f) of the GDPR, the processing of personal data pursuant to Article 9, Paragraph 1, of the GDPR is lawful as necessary to ascertain, exercise or defend a right before the court or whenever the jurisdictional authorities exercise their jurisdictional duties.

For the purposes referred to in point 2.b. above, the Data Controller may process:

  • identification data and contact communicated by the Data Subject: name and surname or business name, fiscal code or VAT registration, residence or registered office, email address, telephone number.

4.     Communication of the data processed

The personal data referred to in Paragraph 3 above will be processed not only by the Data Controller, but also by the following recipients: the Data Controller's employees, collaborators, consultants and professionals, always within the scope of the points 2.a. and 2.b. as set out above and prior designation of the same by the Data Controller, including specific instructions required to comply with the legislation on the protection of personal data with particular reference to safeguard aspects.

The data provided will not be disclosed. However, they may be subject, where necessary, to the mandatory communications required by the Regulation referred to in paragraph 2.a. above and may also be disclosed to parties external to the Data Controller, such as organizations organizing conferences, within the purposes mentioned in point 2.b. above.

5.     Data transfer

The management and storage of personal data will take place on servers located within the European Union and managed by the Data Controller. Currently the servers are located in Italy.

The data will not be transferred to outside the European Union. In any case it is understood that the Data Controller, if necessary, will have the right to move the server location to another country of the European Union and/or to non-EU countries. In this case, the Data Controller hereby ensures that the transfer of non-EU data will take place in accordance with the applicable legal provisions, stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided for European Commission.

6.     Data retention period

The data provided for the purposes referred to in paragraph 2.a. above will be retained for the entire duration of the contractual relationship. After the termination of the contractual relationship, in order to safeguard the Data Controllers’ rights, the data will be retained - in a manner in which they will be available only if necessary - for a period of time equal to the statute of limitation period of any rights you may claim against the Data Controller. This period changes depending on the kind of data and on any act interrupting or suspending such period.

In case you give your consent to the data processing for the purposes set out at point 2.b. such data will be retained for a maximum period of 24 months from the data collection.

Once these terms of retention have expired, the data collected will be deleted from any IT and/or paper support.

7.     Rights of the Data Subject

With reference to the data processing above, the Data Subject may exercise the rights provided by the applicable law concerning personal data protection, including the rights to:

  • obtain confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and the following information (right of access);
  • update, modify and/or correct his/her personal data (right to rectification);
  • ask for the erasure or the limitation of the processing of the data processed against the law, including those for which storage is not required by the purposes for which data were collected or otherwise processed (right to erasure and right to restriction of processing);
  • object to the processing of data based on legitimate interest (right of object);
  • revoke the consent, if provided, without prejudice to the lawfulness of the data processed on the basis of the consent given before the revocation;
  • raise a claim in front of the Supervisory authority in case of violation of the rules concerning personal data protection;
  • receive an electronic copy of the data related to him/her that the Employee provided during the employment contract (e.g., data related to salary and internal mobility services) and ask that such data are transferred to another data controller (right to data portability).

In order to exercise the rights above the Data Subject can contact the Data Controller at any time, sending his/her request via registered post to the following address: Via Rovello 12, 20121, Milan, or via registered mail to the following address:, or sending an e-mail to the following address:

8.     Processing of the data relating to individuals other than the Data Subject connected with its organization and the existing contract

When processing the personal data you communicated to us, the Data Controller and the other subjects as per clause 4 above, may occasionally also process data, mainly identification data and contact details, relating to other individuals who are part of your business organization. If so, you declare, under your own responsibility, that you showed the content of this notice to such individuals and that they fully understand and accepted it, if needed. Also, you undertake to inform the Data Controller on any update relating to such data.