Privacy Policy for the Processing of Personal Data on the Website www.privacylegalnetwork.com
LEXIA, as the data controller, informs you pursuant to Article 13 of EU Regulation No. 2016/679 (“GDPR“) and applicable data protection laws represented by Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018 and subsequent amendments (hereinafter, “Privacy Code“), as well as any further regulations issued by the Data Protection Authority (e.g., decisions, guidelines, general authorizations, etc.) (hereinafter, “Privacy Regulations“), that the data provided through the website www.privacylegalnetwork.com (the “Site“), regardless of the method and tool used, will be processed in the manner and for the purposes outlined below.
This policy applies to the personal data that LEXIA collects from you as a user of the Site (the “Site User” or “Data Subject“).
This policy applies to the Site as a whole and not to other sites, pages, or online services accessible through hyperlinks that may be published or present on the Site but refer to resources external to the domain of the Data Controller that may be accessed by the Data Subject.
1. Data controller
The data controller is LEXIA (Fiscal Code and VAT no. 12511320967), with its registered office via del Lauro no. 9, 20121 Milan (Italy) (hereinafter, the “Data Controller” or the “Company“).
The Data Controller provides the following email address for all communications: privacy@lexia.it.
The Data Controller may designate one or more data processors under Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental, or supporting activities, adopting all appropriate technical and organizational measures to protect the rights, freedoms, and legitimate interests recognized by law to the Data Subjects.
2. Description of processing
The processing will involve individual operations or a complex of operations of the following personal data provided by the Data Subject while using the services provided by the Data Controller through the Site
Data provided by the Site User through the “Contact Us” form on the Site:
Full name, phone number, email address, and additional data voluntarily provided by the Site User through the contact form.-Respond to Site User’s requests, who may be contacted via the provided email address or phone number.-Execution of pre-contractual measures adopted at the request of the Site User (Article 6, paragraph 1, letter b of the GDPR).-For as long as necessary to fulfil the Site User’s requests. In any case, this data may not be kept for a period longer than ten (10) years from the fulfilment of the Site User’s requests.
In case of litigation, the Data may be retained until the expiry of the time limit for ordinary appeal.
-Exercising the rights of the Data Controller, e.g. to exercise a right in court.-Legitimate interest of the Data Controller (Article 6, paragraph 1, letter f of the GDPR).-
Site Users’ browsing data:
● information on the device used (e.g. mobile network system, unique device identifiers), hardware and browser settings, Google Analytics, IP address;
● web pages visited, duration of visit, interactions with the page (e.g. scrolling, clicks, etc.), date and time of visits;
other parameters relating to the operating system and computer environment used by the data subject.-Monitoring of the Site’s functionality, also for the improvement of the user experience and security.-Legitimate interest of the Data Controller (Article 6, paragraph 1, letter f of the GDPR).-For two (2) years.
-Providing the services available on the Site.-Execution of a contract to which the Site User is a party or execution of pre-contractual measures adopted at the request of the Site User (Article 6, paragraph 1, letter b of the GDPR).-For the time necessary to manage the Site User’s request, no more than five (5) years, except for any need for verification by the competent authorities.
Cookies and other technologies for reading/storing information on the User’s terminal Site.-Please refer to the ‘Cookie Policy’ for the Site, available at link: [●].
Please note that, with reference to browsing data, the information collected, while not intended to be associated with identified individuals, by its nature, if associated with other Data held by third parties (e.g. internet service providers), could allow the identification of the Data Subjects (e.g. IP addresses, domain names of the PCs used, URL addresses of the resources requested, the time of the request, numeric code relating to the status of the response given by the server).
3. Processing Methods
The processing of Personal Data:
(a) Is carried out through the operations listed in Article 4, paragraph 1, point 2 of the GDPR, specifically: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion, and destruction of Data;
(b) Is also performed with the assistance of electronic or otherwise automated means;
(c) Is carried out also by means of email or other remote communication techniques.
4. Transfer of Personal Data
The management and storage of the Data will be carried out on servers of third-party companies duly appointed as data processors located in the United Kingdom, a third country that ensures an adequate level of protection of personal data transferred within the scope of the GDPR, in accordance with the adequacy decision (EU) 2021/1772 of June 28, 2021, adopted under Article 45 of the GDPR by EU Commission, extended by the subsequent implementing decision (EU) 2025/1226 of June 24, 2025.
The Data Controller may provide access to the Site and the services described therein in other countries, in which case the transfer of Data to these countries is strictly limited to the actual need to be aware of it. The Data Controller will adopt the necessary measures to protect the Personal Data of Data Subjects and prevent unauthorized access.
If Personal Data is transferred to other systems used by the Data Controller and/or third-party companies duly appointed as data processors, even outside the European Economic Area, the Data Controller guarantees the application of the standard contractual clauses of the European Commission to ensure the secure international transfer of personal data, in accordance with Articles 44, 45, and 46 of the GDPR.
In any case, the Data Subject may request further information regarding the transfer of Personal Data by writing to the email address: privacy@lexia.it.
5. Security Measures
The Data Controller has adopted various security measures to protect the Data against the risk of loss, misuse, or alteration, in accordance with the measures specified in Article 32 of the GDPR. Processing is carried out using computer and/or telematic tools, with organizational methods and logics strictly related to the purposes outlined above.
6. Consequences of Failing to Provide Personal Data
Without prejudice to the Data Subject’s discretion to provide Personal Data to the Data Controller, the provision of Personal Data may be:
(a) Mandatory for the provision of services accessible through the Site and for purposes related to the fulfillment of obligations under applicable laws and/or regulations, as well as provisions issued by the competent authorities/supervisory and/or control bodies;
(b) Voluntary concerning data voluntarily provided by the Data Subject for the purposes of receiving the informational newsletter.
The refusal by the Data Subject to provide Personal Data to the Data Controller may result in the Data Controller’s inability to provide the requested services and make the Site accessible.
Additionally, please note that the revocation of one or more consents may have consequences on the correct functioning and/or the ability to access and/or use the Site properly and/or the services provided by the Data Controller.
7. Data retention and deletion
The retention period for Personal Data is indicated in the table in section 2 above.
After the retention period expires, Personal Data will be deleted. Therefore, once the retention period ends, the Data Subject’s right to access, delete, rectify, and the right to data portability will no longer be exercisable.
Personal Data will be stored in computer archives, including portable devices, adopting measures to ensure their security and limit access exclusively to personnel authorized by the Data Controller and within the strict scope of the purposes indicated above.
8. Who We Can Share Personal Data With
For the purposes outlined above, Personal Data may be made accessible or communicated to:
(a) Employees and collaborators of the Data Controller, in their capacity as authorized personnel for processing, within the scope of their duties and in accordance with the instructions received. These individuals are also subject to confidentiality and privacy obligations;
(b) Third-party entities performing outsourcing activities on behalf of the Data Controller whose activities are related, instrumental, or supportive to those of the Data Controller (e.g., management software providers);
(c) Public and/or private entities, physical and/or legal persons (such as, by way of example, legal, administrative, and tax consulting firms, pension and welfare funds, judicial offices, chambers of commerce), when communication is necessary or functional to the proper fulfillment of contractual obligations assumed, as well as obligations deriving from the law;
(d) Entities (including Public Authorities) with access to Personal Data under legal or administrative orders.
In any case, the collected Personal Data will not be subject to disclosure.
9. Rights of the Data Subject
The Data Subject may exercise the rights provided in Chapter III of the GDPR, within the limits and conditions set forth therein:
(a) Access to Data (Article 15): The Data Subject has the right to obtain confirmation from the Data Controller as to whether or not Personal Data concerning them is being processed, and, in such a case, to obtain access to the Personal Data in a commonly used electronic format and some information about the processing (e.g., purpose, categories of data processed, recipients, transfers outside the EU, profiling activities, etc.);
(b) Rectification of Data (Article 16): The Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning them without undue delay and/or the completion of incomplete Personal Data, even by providing an additional statement;
(c) Deletion of Data or “Right to be Forgotten” (Article 17): The Data Subject has the right to obtain the deletion of Personal Data concerning them without undue delay, and the Data Controller has the obligation to delete the Personal Data without undue delay;
(d) Limitation of Processing (Article 18): The Data Subject has the right to obtain the limitation of processing from the Data Controller;
(e) Data Portability (Article 20): The Data Subject has the right to receive Personal Data concerning them in a structured, commonly used, and machine-readable format
and the right to transmit such Data to another Data Controller without hindrance from the Data Controller to whom they provided the data;
(f) Revocation of Consent (Article 7, paragraph 3): The Data Subject has the right to revoke their consent at any time. Revocation of consent does not affect the lawfulness of processing based on consent before its withdrawal.
10. Right to Object to Processing
Pursuant to Article 21, paragraph 1 of the GDPR, the Data Subject has the right to object at any time, for reasons related to their particular situation, to the processing of Personal Data concerning them under Article 6, paragraph 1, letters e) or f) of the GDPR, i.e., when the processing is based on the performance of a task in the public interest or the legitimate interest of the Data Controller, including profiling based on such provisions, by contacting the details provided in Article 11 below.
11. How to Exercise the Rights
The Data Subject may exercise their rights at any time by sending:
(a) An email to the address: privacy@lexia.it.
(b) A registered letter to LEXIA, to its registered office at via del Lauro no. 9, 20121 Milan (Italy).
The Data Controller commits to providing the Data Subject with information about actions taken regarding a request to exercise their rights without undue delay, and in any case, within 30 (thirty) days from the receipt of the request. This period may be extended up to 3 (three) months in cases of particular complexity.
Any rectifications, deletions, or limitations of processing carried out upon explicit request by the Data Subject, unless it is impossible or involves disproportionate effort, will be communicated by the Data Controller to each recipient to whom the Personal Data has been disclosed. The Data Controller may inform the Data Subject of the recipients’ references, if requested.
12. Right to Lodge a Complaint
Data subjects who believe that the processing of personal data occurs in violation of the GDPR have the right to lodge a complaint with the Data Protection Authority: i) by email to the address garante@gpdp.it or urp@gpdp.it; ii) by fax to the number 06.696773785; or iii) by post to the registered office in Rome (Italy), Piazza Venezia n. 11 – Zip Code 00187, or alternatively, by bringing an action before the judicial authority.
13. Data Processor and Persons Authorized
The updated list of data processors and authorized personnel is kept at the Data Controller’s office.
14. Modification
This policy may be modified and/or updated at any time. If the Data Controller intends to process Personal Data for purposes other than those specified in this Privacy Policy, they commit to providing adequate information regarding these additional purposes before such processing, and to carry out such further processing in compliance with the applicable law, collecting the specific consent of the Data Subject where necessary.
Last update: December 2025