This notice is provided pursuant to Article 13 of Regulation (EU) no. 2016/679 (hereinafter “GDPR”) and describes the processing of personal data available to SZA Studio Legale (“SZA”) through the entrustment of the professional engagement (“Engagement”) by the client (“Client”).

Data controller

The Data Controller is SZA with registered office in Milan, Corso Italia 13.

Joint Controller is also the SZA professional to whom the Engagement has been specifically entrusted. If you have any questions about the processing of your personal data, you may contact the Data Controller by writing to

Purposes of personal data processing

The processing of personal data is aimed at the proper and complete execution of the Engagement, both in and out of court. Client data are also processed in order to:

  • fulfill tax and accounting regulations
  • comply with the obligations of the professional, required by current legislation

Personal data may be processed both in hard copy and in digital form (including on portable devices) and will be processed in a manner strictly necessary for the pursuit of the above purposes.

Legal basis of personal data processing

SZA processes personal data lawfully if the processing:

  • is necessary for the performance of the Engagement, or of a contract to which the Client is a party, or the performance of pre-contractual measures
  • is necessary to fulfill a legal obligation of the Controller
  • is necessary for the pursuit of the legitimate interests of the Controller, unless the Client’s interests prevail (e.g., sending newsletters, invitations to conferences and roundtables for regulatory updates, invitations to events organized by SZA, without prejudice to the Client’s right not to receive such information).

Conferral of personal data

With respect to personal data related to the performance of the Engagement or related to the fulfilment of a regulatory obligation (e.g., obligations related to the keeping of accounting and tax records), refusal to provide such data prevents the fulfilment of the Engagement.

Data retention

The Client’s personal data processed for the purposes stated above shall be retained for the duration of the contract, and for as long as they are subject to retention requirements for tax purposes or for other purposes required by law or regulation.

Communication of data

The Client’s personal data may be disclosed to:

  1. consultants and accountants or other lawyers who provide functional services for the above purposes
  2. banking and insurance institutions that provide functional services for the purposes indicated above
  3. entities that process data in execution of specific legal obligations
  4. judicial or administrative authorities for the fulfilment of legal obligations.

Profiling and dissemination of personal data

The Client’s personal data are not subject to dissemination or any fully automated decision-making process, including profiling.

Rights of data subjects

The rights granted to the Client by the GDPR include the right to:

  • request access to personal data, rectification of inaccurate data or supplementation of incomplete data; deletion of personal data concerning him/her (upon the occurrence of one of the conditions indicated in Article 17(1) of the GDPR and subject to the exceptions provided for in paragraph 3 of the same article), restriction of the processing of personal data (upon the occurrence of one of the cases indicated in Article 18(1) of the GDPR)
  • request and obtain – in cases where the legal basis of the processing is a contract or consent, and the processing is carried out by automated means – their personal data in a structured, machine-readable format, also for the purpose of communicating them to another data controller (so-called right to personal data portability)
  • object, at any time, to the processing of personal data in case of particular situations
  • withdraw consent at any time, limited to cases where the processing is based on consent for one or more specific purposes and involves common personal data (e.g., date and place of birth or place of residence), or particular categories of data (e.g., data revealing racial origin, political opinions, religious beliefs, health status, or sex life). Processing based on consent and carried out prior to withdrawal nevertheless retains its lawfulness.
  • file a complaint with a supervisory authority (Data Protection Authority –