Privacy & IT Compliance
The correct circulation of data, the related protection through appropriate IT security measures and compliance with national and European regulations have now become top priorities for any economic operator, particularly as a result of the widespread distribution of hi-tech digital tools which allow the use, availability and sharing of data beyond the physical (dematerialisation), time-based (real-time) and jurisdictional (cloud) confines traditionally focused on and regulated by law.
Privacy, understood not only as the right to confidentiality, but rather as the right to data use and protection, a genuinely valuable resource for any company wishing to compete and stand out, also thanks to sophisticated customer data profiling and marketing techniques, has become a crucial element of any policy of company compliance and strategic growth on the reference markets, and a real litmus test of the asset corporate governance of any successful company.
The spread and rapid success of the Internet and e-commerce have transformed simple personal data into information that can generate profit.
The legal services associated with the issue of Privacy and Information Technology include any possible aspect relating to personal data protection, from the preparation of data security contracts, to the drafting of due diligence reports, the drafting of T&C’s for the use of various services provided via the Internet, to assistance in the event of the violation of regulations governing IT security, up to the management of disputes before the competent national and European courts and the Italian Data Protection Authority.
Privacy compliance concerns both the internal dynamics of companies, from the correct compliance in respect of employees also in close relation with the applicable employment regulations (video-surveillance, BYOD, DLP, biometrics, forensic tools, use of sensitive data), and business dynamics, in particular in the marketing sector, profiling, assignment and communication of data, to operations involving the transfer of data abroad, including but not limited to M&A transactions, restructurings and securitisations.
Privacy therefore fully encompasses private law and contracts, administrative law, corporate law, labour law and, increasingly, criminal law (especially white collar crimes and forensic investigations).
In this respect, the most exposed industrial/goods sectors, in which the Office has monitored complex and fundamental transactions regarding the processing of personal data in both the public and private sectors are the following: electronic communications, pharmaceutical, consumer credit and insurance, commercial information brokerage, luxury goods industry, digital value-added, retail, but also traditional heavy industry, handling a number of activities in the areas of direct marketing, biometrics, life sciences, transfer of data abroad using instruments constituting an alternative to consent such as SCC, BCR and SH.
The activity may be of interest to those who, in various capacities and for different purposes, also incidentally, require ad-hoc assistance (e.g. privacy assessment, internal audit activities, assistance during Italian Data Protection Authority investigations) and continuous support (review of internal documents and company processes) such as, for example, the drafting of legal notes for websites and of strategic marketing policies.
Privacy and Personal data protection
In the Privacy and Personal data protection sector, we offer the highest possible level of expertise in the performance of ordinary and extraordinary advisory activities, both in court and out-of-court, providing a genuine, highly specialised and all-round “privacy impact assessment”.
Nctm has dealt with complex and essential transactions regarding the processing of personal data in both the public and private sectors, with particular reference to the following markets: electronic communications, luxury goods industry, digital, retail, consumer credit and insurance, handling a number of activities in the areas of direct marketing, biometrics, life sciences and the transfer of data abroad using instruments constituting an alternative to consent such as SCC, BCR and SH.
Our specially dedicated team, the only one among the international sector leaders to be cited by the most important legal directories, is able to offer the most comprehensive assistance to the major commercial and industrial groups and companies, both Italian and foreign, in relation to numerous activities:
- General compliance;
- Audits of legal compliance, advising, preparation of documents and legal assistance regarding personal data processing;
- Assistance and advisory service regarding complaint/appeal/reporting and inspection and assessment proceedings brought by the Italian Data Protection Authority;
- Assistance and advisory service for the drafting and revision of contracts relating to or entailing the processing of personal data (contracts for the transfer of databases, commercial information, statistical surveys, marketing);
- Assistance and advisory service for the correct fulfilment of legal obligations, with specific reference to the processing of personal data for marketing and commercial communication (marketing using automated systems, telemarketing, spam and soft-spam, e-commerce) purposes, and for profiling objectives; correct identification of roles and responsibilities, arrangement of promotional campaigns, stipulation of contracts for the purchase/sale of databases and information-sharing agreements;
- Assistance and advisory service in the case of a data breach in the relevant sectors (electronic communications and credit sector);
- Assistance and advisory service with particular regard to prize-giving events and the proper configuration of the personal data processing methods;
- Simulation of audits and investigations by the Authorities and on-site assistance in the event of investigations by the Italian Data Protection Authority and/or the Guardia di Finanza (Italian Tax Police);
- Personnel training and refresher courses with specific reference to the relevant legislation in force governing personal data protection.
Information Technology & Cyber Security
Nctm’s expertise in the Information Technology field is characterised by in-depth knowledge of innovation and strategic processes.
Our extensive knowledge of the market in this sector, acquired thanks to a high level of specialisation over the years, enables us to work towards improving the specific business goals of our customers.
With specific reference to the security of IT systems and Cyber Security, we help our customers with matters regarding the protection and secure transmission of data, digital authentication, analysis of IT risks, breach methods and countermeasures, security techniques in web and mobile applications, websites and social networks as well as cloud systems.
Therefore, in the IT field, we offer a complete range of legal services to domestic and international companies, with particular regard to:
- Data protection and Data security;
- Big Data and Open data;
- IT security and Cyber-Security;
- Cloud services;
- Repression of unlawful acts carried out over the internet (phishing, data breach, data theft).
The Internet today represents the largest known public space, a genuine network which envelops and connects the entire planet, where millions of pieces of information are exchanged and circulated faster than you can imagine.
In this regard, our team of specialists can offer all-round support with particular reference to:
- Assistance and advisory service for the correct fulfilment of legal obligations, with specific reference to the processing of personal data within the context of websites and social networks;
- Preparation and updating of the T&C’s and privacy policies of websites, social networks, on-line games and prize competitions, mobile applications;
- Assistance and advisory service for the purposes of compliance of websites with “cookie” legislation;
- Training and refresher courses.
Our team of experts can offer a highly-skilled assistance and advisory service regarding web reputation and on-line identity, with specific reference to both natural persons and legal entities (analysis and monitoring of the on-line reputation of brands, trademarks, products and services), as well as regarding the right to be forgotten and retention on the internet of information already collected.
The new economy and the use of electronic and digital tools like platforms for expansion in global markets and, therefore, the progressive evolution of technology and the web have radically altered the traditional commerce sector in recent years, introducing the new frontier of e-commerce, which today has become a reality.
This has inevitably resulted not only in an accelerated conclusion of commercial transactions at global level, but also in an accentuation of the processes of ‘dematerialisation’ of money transfers (E-payments). In such a context, for some time we have also been witnessing exponential growth in the spread of mobile payment services – i.e. services that allow users to manage goods purchases and payments, whether electronic or physical, via a mobile device – whose use has also helped to broaden the types of products and services that can be used, the target audience that operates in this domain and, not least, the quantity of personal data processed.
So, in this regard, we assist our customers by offering a highly specialised advisory service on a range of aspects relating to electronic trading, E-payments as well as the protection of information and consumers:
- Preparation and revision of contractual forms;
- Assistance, advisory and assessment regarding compliance and legal sustainability of the commercial structure, also through the drafting of independent opinions;
- Verification of the compliance of commercial sites with the applicable legislation, particularly from a consumer protection point of view;
- Management of electronic payment profiles;
- Legal assistance and dispute management;
- Training and refresher courses.
E-Discovery and Forensic Investigation
Thanks to the experience acquired over the years, we offer our customers a highly specialised Forensic Investigation advisory service.
More specifically, we assist our customers with particular regard to the correct personal data processing methods for carrying out defensive investigations or enforcing or defending their rights in court, both during arbitration or conciliation proceedings, including at the administrative phase, and at the preliminary phase before the commencement of any legal proceedings, and in the phase following their settlement.
Nctm Studio Legale has been chosen to coordinate and guide the legal and regulatory part of an ambitious three-year research and innovation project, called My Health My Data, funded by the European Union, as part of the programme HORIZON 2020.
The aim of the project is to define and implement a technology platform based on the voluntary sharing of health data, based on a blockchain system and centralized management of permissions for access by the patient, for medical and scientific research purposes.
This operation is unprecedented and far-reaching, with the ambitious goal of opening new avenues for the use of distributed database technology (blockchain) and of representing a landmark in the definition of new safety standards in the management of health data, especially in view of the new General Data Protection Regulation (GDPR).
Nctm Studio Legale will advise the project with the team of Privacy & IT Compliance department led by Rocco Panetta, with the assistance of Lorenzo Cristofaro.
Rocco Panetta said: “I thank the consortium of the project for allowing us to treat an initiative of such prestige and relief that confirms Nctm as reference counsel for technology and digital market.”
The Consortium for the study and development of the project is led by Lynkeus and brings together, in addition to the main actors, hospitals and medical research centers of excellence such as the Children’s Hospital Child Jesus and the Deutsches Herzzentrum Berlin, companies such as Siemens Healthcare, Gnubilà and HW Communications, research bodies such as Athena RC and the National Research Council, and universities including the Haute École de Suisse spécialisée Western and Queen Mary University.
Nctm Studio Legale worked alongside CONAD – Consorzio Nazionale Dettaglianti and the seven big cooperative groups that are members of the same, in the redefinition of marketing and loyalty processes at national level.
Nctm worked with CONAD internal structures in a project that required the analysis of internal procedures, the evaluation of business dynamics and the structuring of the entire contracts and policies architecture necessary to launch new marketing and loyalty campaigns in the consumers area.
This is a new and broad operation that re-designed business areas that are strategic for CONAD.
Nctm Studio Legale advised CONAD with a team led by Rocco Panetta, in cooperation with Lorenzo Cristofaro and Francesco Armaroli.
Rocco Panetta declared: “I wish to thank CONAD for entrusting us with such an important and innovative initiative that, on the one hand, shows the attention to consumers’ requirements and the foresight of CONAD development plans, and on the other hand confirms Nctm as reference legal advisor for marketing projects and for the large-scale retail trade sector.”
Nctm Studio Legale advised A.S. Roma Nuoto, a water polo society climbing its way to the top of national and international rankings, in the negotiation and subsequent conclusion of the collaboration agreements with Anđelo Šetka, Croatian multiple prize-winning athlete and one of the champions of the Rio Olympics with a silver medal won together with his national team.
This new agreement is to be placed in the solid relationship of trust between A.S. Roma Nuoto and Nctm Studio Legale, which is indeed advising the company also in the closing of the contracts for the next sport season.
A.S. Roma Nuoto was advised by Nctm with a team led by Rocco Panetta, with the cooperation of Lorenzo Cristofaro.
HERE, an internationally leading company in the supply of high definition digital maps and routing and navigation services, partially owned by AUDI, BMW and Daimler, has just received the green light from the Antitrust Authority for Personal Data Protection to implement innovative procedures of information to the public with regard to the recording of street views.
Confirming its avant-garde approach, not only in the technological sector but also in the compliance sector, the Dutch multinational had submitted to the Garante some proposals improving the rules established by the Authority, in the digital mapping sector, in a basic provision of October 2010.
HERE was assisted by Nctm Studio Legale, with a team led by Rocco Panetta with the cooperation of Lorenzo Cristofaro.
On June 23rd, 2016, after an unprecedented referendum in contemporary history, the United Kingdom voted to leave the European Union, therefore triggering a two-year unilateral exit negotiation period during which the UK shall seek to effectively rethink its global position and its relationship with the EU.
In the meantime, although the effects of the so-called Brexit will still be quite unpredictable, such historical change will definitely impact on the everyday life of millions of European individuals, businesses and public institutions. Even if premature, some preliminary considerations on the consequences of Brexit on some specific sectors can already be discussed.
The purpose of the present Memo is, in fact, to imagine what could be the most likely effect of Brexit on current privacy legislation, on the internet and the digital economy as we know it and, most importantly, on the future entry into force of the new EU Regulation (GDPR) on data protection and free circulation of personal information throughout the continent.
In particular, the main focus of this Memo will therefore be on: (i) the subjective consequences of Brexit on data protection enforcement, with special reference to the role of the Information Commissioner’s Office (ICO); (ii) the substantial consequences of the Brexit aftermath on a possible UK exclusion from the One-Stop-Shop mechanism; and (iii) any possible difference which might occur between the GDPR’s new sanction regime and the future UK legal framework on data protection.
- The subjective consequences of the post-Brexit scenario for data protection
The processing and transfer of personal data in the UK is currently regulated by the Data Protection Act of 1998, implementing EU Privacy Directive 95/46/EC, as well as by several other laws addressing the issue of data protection according to relevant EU standards.
Besides Brexit and according to ICO’s spokesperson, it is reasonable to believe that those laws will remain unchanged at least until exit negotiations have outlined a new status of the UK outside the EU. In fact, as a preliminary note, it can be said that there is no evidence that current national legislation and jurisprudence on privacy and data protection, as drafted in accordance with EU founding treaties and norms, shall in any case be lost or “blown away” just because of the fallout of a possible post-Brexit scenario.
Furthermore, this is likely not to affect at all current British legislative standards on privacy and data protection for two main reasons: the first has to do with the UK trying not to lose access to the European Economic Area and the future Digital Single Market; and secondly, because without European data protection tools and guarantees many companies may seriously start considering moving their headquarters from London to neighboring Ireland or even back to the continent.
In this context, the role of a UK national data protection authority may change significantly over time: weakened and resized by the post-Brexit scenario, in fact, from a technical point of view, ICO will no longer take part in the upcoming series of crucial discussions on the implementation and application of the new GDPR, or in those on the definition of the mechanisms regulating the future Digital Single Market.
If put in a position similar to that of an EFTA member (the European Free Trade Association, including Switzerland, Norway, Iceland and Liechtenstein), the UK would not only lose its full membership within Article 29 Working Party but also any possibility to count in the future European Data Protection Board.
Finally then, it has to be said that the weight of the referendum vote and its consequences could affect the uncertainties relevant to future EU – UK negotiation talks but also the role of UK independent authorities as reliable counterparts in the European debate on the future of privacy legislation in the continent and its pros and cons.
- Substantial consequences of Brexit and their legal implications
Among some of the major concerns of the post-Brexit data protection scenario, the functioning of the so-called One-Stop-Shop seems likely to be a top one, especially when considering the absence of any formal recognition to ICO as part of the mechanism as such.
Although the One-Stop-Shop has represented a source of general uncertainty for European legislators and national DPAs since the first versions of the GDPR, it is still unclear how its scope will extend to the British legal system and whether a simple update of the Data Protection Act 1998 will be sufficient to implement it.
Aside from the two-year period granted to Member States for adapting to the entry into force of the GDPR, coincidentally about the same time the UK will have to negotiate its exit strategy from the European Union, the British might be compelled to take a view of data protection partially in contrast with current EU rules and more oriented towards the American “privacy as a commodity” approach. This may in fact change the level of commercial attractiveness the UK will be able to offer to foreign capital and multinationals from now on and help it recover from a period of possible economic stagnation in the field of digital economy.
However, if making the UK internationally appealing by softening regulatory data protection standards in the area of privacy compliance could become a competitive tool to enhance Britain’s legal and economic system from that of the rest of the EU, the lack of appropriate safeguards and common enforcement rules to counterbalance such possible data security de-regulation could, on the contrary, discourage the arrival of foreign capitals rather than encouraging it.
In particular, as for the implementation of the so-called One-Stop-Shop mechanism, it will probably be necessary that Article 29 Working Party and the Commission take a decision on the role of ICO in this transitional phase and in relation to the talks on its access to the consistency mechanism. On the contrary, any unilateral effort to extend GDPR’s scope also to those countries that are not formally part of the EU (e.g. EFTA members as well as Turkey, the Balkans, and most probably the United Kingdom) would be completely useless.
In this regard, for example, if Britain were not to obtain a status similar to that of Switzerland, which, by implementing about 80% of EU legislation, is able to benefit from many of the full membership advantages reserved only to Member States, a feasible legal mechanism for allowing smooth data transfers from and towards the EU shall be re-designed from scratch to adapt to this new situation.
In addition to that, by finding itself on the same level as those “third countries” for which the European legislation always foresees specific authorizations for allowing the transfer of personal data, the UK might either hope for a specific adequacy decision in its favour – something similar to a “UK Privacy Shield” – or push for a further nationwide adoption of tools such as Binding Corporate Rules and Standard Contractual Clauses.
In this context, the One-Stop-Shop could prove to be a double-edged weapon for the UK legislator: on the one hand, Britain would in fact enjoy greater freedom to regulate data protection and differentiate its national discipline from the narrow margin GDPR is leaving to EU Member States; on the other, however, the risk of increasing the competitive gap with the EU because of a different national discipline on data protection might cause deep suffering for thriving UK business sectors such as technology, banking and legal and financial services.
In conclusion, consent, information to data subjects, data breach notifications, privacy impact assessments and all the other major institutions of the current European data protection framework will very unlikely be subject to adjustments or radical changes leading them towards a different legislative direction than that of the EU at large.
However, while it is certain that the web will continue to speak English throughout the world aside from any post-Brexit scenario whatsoever, multinational companies will have to deeply rethink their role as key players within the future UK legal and economic system. Furthermore, most companies’ likely exclusion from the mechanisms of the future One-Stop-Shop will necessarily push UK top managers to reassess the convenience of keeping a London headquarters instead of moving to a European-based one to benefit from a single set of rules for, at least, data protection.
Dublin, Paris, Frankfurt and Milan are among the main contenders for becoming the new continental financial and legal hubs of the EU, already preparing for hosting former London headquarters of some of the main multinational companies of the world. This is not a possibility anymore but a fact of growing importance for the shift of the balance of economic power from the UK to the EU as well as for the applicability of the new GDPR; therefore it shall all be taken into very serious account as soon as possible.
- Towards a EU – UK “double standard” for data protection sanctions regime?
As mentioned above, the British role in the global debate on the future of data protection is quite likely to be weakened from the current post-Brexit scenario: in particular, UK legislators will probably have to rethink their internal regulatory framework on privacy and data protection according to their future position outside the EU but also, paradoxically, according to the GDPR as well as other Member States.
This, in order not to remain completely isolated from the most important regulatory trends of the continent and following the specific purpose of channeling all national reform efforts into the possibility of accessing the future Digital Single Market and the opportunities of growth and economic development its creation will contribute to spread throughout the EU.
Therefore, UK legislators might want to express a more favorable position as to the extent of some of the main features of EU data protection rules. In fact, the ability to attract multinational companies by softening sanctions – also through new and more advantageous corporate tax cuts – and reducing administrative burdens relevant to the One-Stop-Shop mechanism as well as limiting the extra-territorial scope of GDPR’s principle of “one continent, one law”.
The definition of “main establishment”, as elaborated also by the jurisprudence of the European Court of Justice, cornerstone of the scope and enforcement measures enshrined by the GDPR, could soon become the first subject of scrutiny in the UK process of re-writing the Data Protection Act according to EU rules but always in compliance with current continental data protection standards.
However, if on the one hand it is clear that the British will no longer sit at the table with EU decision-makers in Brussels, especially when discussing internet and e-commerce issues, on the other hand, general recognition for their help in building the mechanisms for regulating Europe’s digital economy will still grant them a privileged position in future political and business talks to come.
The economic fallout of Brexit is likely to be more traumatic in the long term: for example, the UK could no longer access European cohesion funding or incentives for ultra-broadband infrastructures, or participate in Horizon 2020 research and development grants. Brexit is not likely to change the history of the Internet as we know it; however, the development of the digital economy in the EU and in the rest of the world might be subject to radical changes from this step into the unknown.
In conclusion, the UK will surely try not to further aggravate its positions under the weight of a data protection regulation radically different from that of Europe, but soon-to-come strategic decisions for the future of the country will impose a deeper reflection on urgent issues such as: a possible UK version of the Privacy Shield, negotiations for accessing the single market and the TTIP, the European Economic Area and the future Digital Single Market, the jurisdiction of the European Court of Justice and a lot more coming up next in the field of data protection.
While waiting for further post-Brexit developments, it might be advisable for multinational companies and public administrations alike to keep focused on the real compliance challenges currently represented by the new and complex discipline of the EU General Data Protection Regulation.
- Corriere Comunicazioni, Brexit, Panetta: “Su online e dati UK vorrà rimanere agganciata alla UE”, June 24th, 2016
- The Privacy Advisor, For privacy pros, Brexit nothing to panic about, June 24th, 2016
* * * * *
For further information, legal advice and other more detailed questions on the GDPR and/or relevant compliance issues, please do not hesitate to contact our Team at: firstname.lastname@example.org
Italian port law prohibits a terminal operator from managing multiple areas for the performance of the same activities in one single port. We will first analyse how this prohibition could be amended following the recent 2016 reform.
Then we will look at a recent ruling of the Regional Administrative Court of Tuscany which clarified the obligations imposed on the Public Administration in the event of an expropriation of private areas in Italian ports.
The recent extension of the scope of the General Block Exemption Regulation (2014) to the granting of State aid to EU ports and airports reminds us of two recent judgments of the Court of Justice on State aid in the maritime sector and – in particular – the compensation of public service obligations to undertakings entrusted with the operation of services of general economic interest.
Next, we analyse two judgments from the United Kingdom and Spain concerning the application of two major international conventions in the field of international transport, the Hague-Visby Rules and CMR. The English verdict confirms that the failure to issue a bill of lading is not relevant in excluding the applicability of uniform legislation, whereas the Spanish ruling provides us with a definition of “default equivalent to wilful misconduct” for the purpose of excluding the limitation of carrier’s liability.
Moreover, the Italian Court of Cassation has issued two interesting decisions on transport matters. The Italian Supreme Court denied the holder of the bill of lading the right to act against a carrier for damage to the goods due to the lack of endorsement of the bill of lading by the receiver to the order of the holder, and considered an “exchange of containers” as a case of gross negligence of a road carrier.
Finally, let us analyse a decision of the Tax Court of Rome on IRESA, the noise emission tax in Italian airports. This ruling, in view of the fact that the Lazio Region disregarded the principles and aims set out in the national and European regulations concerning the use of the tax revenue, concluded for the disapplication of the IRESA as provided by the current regional legislation.
There’s a fair European wind blowing
Probably the most important outcome of the French election is not so much the actual electoral defeat of the National Front but the decision of that party to remove from its policy programme the idea of withdrawing from the Euro and promoting a referendum on Frexit. In other words, those parties which have based their political offer to the electorate on the negative impact of globalization and the hard impact of immigration, no longer see the solution as the break-up of the EU.
The same is happening in the Netherlands and even in the UK, where the May government is promoting the need to address the negative aspects of globalization and migration in a substantive manner and no longer saying that Brexit itself is the answer.
This is a window of opportunity that the EU must embrace. The underlying issues of migration and globalization must be addressed. But if they are addressed in a satisfactory manner the EU itself is not being challenged. There is a recognition in France and in the Netherlands, and even in Germany given the results in the recent Länder elections, among the vast majority of the electorate, that the EU remains a valid project and that the solutions are best found within its remit.
If Macron and Merkel can get together with Italy and Spain, much can be done. From an insider’s point of view the only possible hiccup in catching this favourable wind is the capacity of the Commission to recognize it.
Alitalia insolvency: second round
By a decree of the Italian Ministry of Economic Development (MISE) on 2 May 2017 the extraordinary administration procedure set forth by legislative decree No. 347/2003 (“Legge Marzano”) was started for Alitalia Società Aerea Italiana S.p.A., which has also been declared insolvent by the Court of Civitavecchia on 11 May 2017.
Can the Court amend the concordato preventivo proposal upon confirmation?
The Court of Cassation with the decision of 3 April 2017, No. 8632 ruled that the confirmation order of the Bankruptcy Court can be appealed, even when there were no oppositions to confirmation, if the Court unilaterally amended the proposal approved by the creditors.
Is the bank liable for damages suffered by the insolvent company following directors’ reckless resort to credit lines?
The decision of the Supreme Court of 20 April 2017, No. 9983 confirms that the bank can be held jointly liable with the directors towards the company, on different grounds from those making the bank accountable to individual creditors.
Grounds for ineligibility or forfeiture of statutory auditors who are members of an association of professionals
Pursuant to Article 2399, letter c), of the Italian Civil Code, statutory auditors whose patrimonial relationships with the company or its subsidiaries may affect their independence cannot be appointed and, if appointed, cease from their office. It has been questioned whether the case whereby a statutory auditor is a member of an association of professionals providing consultancy services to the same company reflects the case provided for by the law. Although the answer to the question was generally affirmative, doubts still remain as to the criteria adopted by the Supreme Court in order to determine the cases in which the independence of a statutory auditor can be actually considered as compromised.
The scope of the delegation of management in limited liability companies (s.r.l.): content and limits
By decision no. 25085 of 7 December 2016, the Supreme Court established the legitimacy of a general delegation of management, by the board of directors to individual managing directors with the power to act separately, to the extent that it is not aimed at excluding the exercise of a concurrent managing power by the managing body.
Data processing for marketing purposes: the protection of legal entities
By order No. 4 of 12 January 2017, the Italian Data Protection Authority set out the discipline on personal data processing for marketing purposes, finding the unlawfulness of both the processing of data collected through forms available on websites and the processing of data (namely, telephone numbers) autonomously collected on the Web.
Administrative liability of entities under Legislative Decree No. 231/2001 within groups of companies
Liability can be found, under Legislative Decree No. 231 of 2001, on the part of a holding company for offences committed in connection with the activities of its subsidiaries, provided that a) the person acting on behalf of the holding company acts in concert with the person committing the offence on behalf of the controlled entity; and b) the holding company appears to have obtained a concrete advantage from, or pursued an actual interest by way of, the offence committed in the context of the subsidiary’s activity.
The liability of non-executive directors and the duty to act in an informed way
According to decision no. 17441, of 31 August 2016, of the First Division of the Supreme Civil Court, the liability of directors without management power cannot originate from a general failure to supervise – that would be identified in the facts as a strict liability – but must be attributed to the breach of the duty to act in an informed way, on the basis of both information to be released by executive directors and information that non-executive directors can gather on their own initiative. Therefore, the determination of the prerequisites for the liability of delegating directors fits in a context accentuating the distinction between the duties imposed on managing directors and those typical of non-executive directors.
Considerations regarding the possibility to waive the termination effect of a notice to perform
Judgment No. 4205 of 3 March 2016 of the Supreme Court, Second Division, gives us the opportunity to provide a brief overview of the different opinions expressed by courts and legal commentators regarding the possibility to waive the termination effect of a notice to perform.
Validity of the shareholders’ agreements which provide a preventive waiver of the liability action against the directors when taken at the conclusion of the mandate
With the decision of 28th September 2015, No. 19193, the Court of Rome stated the validity of the shareholders’ agreement clauses which provide that the “incoming” shareholders undertake not to bring the liability action against the “outgoing” directors or not to vote for it in the general meeting.
The Supreme Court’s overruling: the banking and finance agreement signed exclusively by the client is null and void
The Supreme Court again rules on the validity of the so-called “single signature” agreements, i.e. copies of banking and finance agreements, kept in the bank’s archives, bearing the client’s signature but not the bank’s. The Supreme Court holds that these agreements are null and void, thus unenforceable vis-à-vis the account holder.
Purchase of shares of a general partnership: can the mistake on the value of the share be legitimately qualified as an essential mistake?
The Tribunal of Milan has stated that, as a rule – also with reference to the purchase of shares of a general partnership – the contract can be avoided, upon application of a party, for an essential mistake, only if the contract contains an explicit guarantee on the value of the assets and on the quality of the goods of the company (a guarantee that, according to the Tribunal, the contract at hand lacked).
The new rules regarding the proceedings before the Supreme Court (Decree Law n. 168/2016, converted into Law n. 197/2016)
With another “late summer intervention”, the legislator intervened once more as a matter of urgency to modify the code of civil procedure, with particular reference to the rules regarding the proceedings before the Supreme court: on August 31, 2016, Decree Law n. 168/2016 was published, entitled “Urgent measures for the resolution of disputes before the Supreme Court and for the efficiency of the judicial offices” (“D.L. 168/2016”).
The joined chambers of the Court of Cassation on the qualification and challenge of the non-final award and of the partial award
“An award that partially decides on the merits of a dispute, immediately challengeable pursuant to art. 827, paragraph 3 of the code of civil procedure, is both that of a generic condemnation pursuant to art. 278 of the code of civil procedure, and the award that decides one or some of the questions of the case, without defining the entire proceedings; instead, the awards that decide preliminary issues are not immediately challengeable.”