Privacy & IT Compliance

The correct circulation of data, the related protection through appropriate IT security measures and compliance with national and European regulations have now become top priorities for any economic operator, particularly as a result of the widespread distribution of hi-tech digital tools which allow the use, availability and sharing of data beyond the physical (dematerialisation), time-based (real-time) and jurisdictional (cloud) confines traditionally focused on and regulated by law.

Privacy, understood not only as the right to confidentiality, but rather as the right to data use and protection, a genuinely valuable resource for any company wishing to compete and stand out, also thanks to sophisticated customer data profiling and marketing techniques, has become a crucial element of any policy of company compliance and strategic growth on the reference markets, and a real litmus test of the asset corporate governance of any successful company.

The spread and rapid success of the Internet and e-commerce have transformed simple personal data into information that can generate profit.

The legal services associated with the issue of Privacy and Information Technology include any possible aspect relating to personal data protection, from the preparation of data security contracts, to the drafting of due diligence reports, the drafting of T&C’s for the use of various services provided via the Internet, to assistance in the event of the violation of regulations governing IT security, up to the management of disputes before the competent national and European courts and the Italian Data Protection Authority.

Privacy compliance concerns both the internal dynamics of companies, from the correct compliance in respect of employees also in close relation with the applicable employment regulations (video-surveillance, BYOD, DLP, biometrics, forensic tools, use of sensitive data), and business dynamics, in particular in the marketing sector, profiling, assignment and communication of data, to operations involving the transfer of data abroad, including but not limited to M&A transactions, restructurings and securitisations.

Privacy therefore fully encompasses private law and contracts, administrative law, corporate law, labour law and, increasingly, criminal law (especially white collar crimes and forensic investigations).

In this respect, the most exposed industrial/goods sectors, in which the Office has monitored complex and fundamental transactions regarding the processing of personal data in both the public and private sectors are the following: electronic communications, pharmaceutical, consumer credit and insurance, commercial information brokerage, luxury goods industry, digital value-added, retail, but also traditional heavy industry, handling a number of activities in the areas of direct marketing, biometrics, life sciences, transfer of data abroad using instruments constituting an alternative to consent such as SCC, BCR and SH.

The activity may be of interest to those who, in various capacities and for different purposes, also incidentally, require ad-hoc assistance (e.g. privacy assessment, internal audit activities, assistance during Italian Data Protection Authority investigations) and continuous support (review of internal documents and company processes) such as, for example, the drafting of legal notes for websites and of strategic marketing policies.


Privacy and Personal data protection

In the Privacy and Personal data protection sector, we offer the highest possible level of expertise in the performance of ordinary and extraordinary advisory activities, both in court and out-of-court, providing a genuine, highly specialised and all-round “privacy impact assessment”.

Nctm has dealt with complex and essential transactions regarding the processing of personal data in both the public and private sectors, with particular reference to the following markets: electronic communications, luxury goods industry, digital, retail, consumer credit and insurance, handling a number of activities in the areas of direct marketing, biometrics, life sciences and the transfer of data abroad using instruments constituting an alternative to consent such as SCC, BCR and SH.

Our specially dedicated team, the only one among the international sector leaders to be cited by the most important legal directories, is able to offer the most comprehensive assistance to the major commercial and industrial groups and companies, both Italian and foreign, in relation to numerous activities:

  • General compliance;
  • Audits of legal compliance, advising, preparation of documents and legal assistance regarding personal data processing;
  • Assistance and advisory service regarding complaint/appeal/reporting and inspection and assessment proceedings brought by the Italian Data Protection Authority;
  • Assistance and advisory service for the drafting and revision of contracts relating to or entailing the processing of personal data (contracts for the transfer of databases, commercial information, statistical surveys, marketing);
  • Assistance and advisory service for the correct fulfilment of legal obligations, with specific reference to the processing of personal data for marketing and commercial communication (marketing using automated systems, telemarketing, spam and soft-spam, e-commerce) purposes, and for profiling objectives; correct identification of roles and responsibilities, arrangement of promotional campaigns, stipulation of contracts for the purchase/sale of databases and information-sharing agreements;
  • Assistance and advisory service in the case of a data breach in the relevant sectors (electronic communications and credit sector);
  • Assistance and advisory service with particular regard to prize-giving events and the proper configuration of the personal data processing methods;
  • Simulation of audits and investigations by the Authorities and on-site assistance in the event of investigations by the Italian Data Protection Authority and/or the Guardia di Finanza (Italian Tax Police);
  • Personnel training and refresher courses with specific reference to the relevant legislation in force governing personal data protection.


Information Technology & Cyber Security

Nctm’s expertise in the Information Technology field is characterised by in-depth knowledge of innovation and strategic processes.

Our extensive knowledge of the market in this sector, acquired thanks to a high level of specialisation over the years, enables us to work towards improving the specific business goals of our customers.

With specific reference to the security of IT systems and Cyber Security, we help our customers with matters regarding the protection and secure transmission of data, digital authentication, analysis of IT risks, breach methods and countermeasures, security techniques in web and mobile applications, websites and social networks as well as cloud systems.

Therefore, in the IT field, we offer a complete range of legal services to domestic and international companies, with particular regard to:

  • Data protection and Data security;
  • Big Data and Open data;
  • IT security and Cyber-Security;
  • Cloud services;
  • Repression of unlawful acts carried out over the internet (phishing, data breach, data theft).



The Internet today represents the largest known public space, a genuine network which envelops and connects the entire planet, where millions of pieces of information are exchanged and circulated faster than you can imagine.

In this regard, our team of specialists can offer all-round support with particular reference to:

  • Assistance and advisory service for the correct fulfilment of legal obligations, with specific reference to the processing of personal data within the context of websites and social networks;
  • Preparation and updating of the T&C’s and privacy policies of websites, social networks, on-line games and prize competitions, mobile applications;
  • Assistance and advisory service for the purposes of compliance of websites with “cookie” legislation;
  • Training and refresher courses.


Web Reputation

Our team of experts can offer a highly-skilled assistance and advisory service regarding web reputation and on-line identity, with specific reference to both natural persons and legal entities (analysis and monitoring of the on-line reputation of brands, trademarks, products and services), as well as regarding the right to be forgotten and retention on the internet of information already collected.

E-Commerce, E&M-Payment

The new economy and the use of electronic and digital tools like platforms for expansion in global markets and, therefore, the progressive evolution of technology and the web have radically altered the traditional commerce sector in recent years, introducing the new frontier of e-commerce, which today has become a reality.

This has inevitably resulted not only in an accelerated conclusion of commercial transactions at global level, but also in an accentuation of the processes of ‘dematerialisation’ of money transfers (E-payments). In such a context, for some time we have also been witnessing exponential growth in the spread of mobile payment services – i.e. services that allow users to manage goods purchases and payments, whether electronic or physical, via a mobile device – whose use has also helped to broaden the types of products and services that can be used, the target audience that operates in this domain and, not least, the quantity of personal data processed.

So, in this regard, we assist our customers by offering a highly specialised advisory service on a range of aspects relating to electronic trading, E-payments as well as the protection of information and consumers:

  • Preparation and revision of contractual forms;
  • Assistance, advisory and assessment regarding compliance and legal sustainability of the commercial structure, also through the drafting of independent opinions;
  • Verification of the compliance of commercial sites with the applicable legislation, particularly from a consumer protection point of view;
  • Management of electronic payment profiles;
  • Legal assistance and dispute management;
  • Training and refresher courses.

E-Discovery and Forensic Investigation

Thanks to the experience acquired over the years, we offer our customers a highly specialised Forensic Investigation advisory service.

More specifically, we assist our customers with particular regard to the correct personal data processing methods for carrying out defensive investigations or enforcing or defending their rights in court, both during arbitration or conciliation proceedings, including at the administrative phase, and at the preliminary phase before the commencement of any legal proceedings, and in the phase following their settlement.


On June 23rd, 2016, after an unprecedented referendum in contemporary history, the United Kingdom voted to leave the European Union, therefore triggering a two-year unilateral exit negotiation period during which the UK shall seek to effectively rethink its global position and its relationship with the EU.


In the meantime, although the effects of the so-called Brexit will still be quite unpredictable, such historical change will definitely impact on the everyday life of millions of European individuals, businesses and public institutions. Even if premature, some preliminary considerations on the consequences of Brexit on some specific sectors can already be discussed.


The purpose of the present Memo is, in fact, to imagine what could be the most likely effect of Brexit on current privacy legislation, on the internet and the digital economy as we know it and, most importantly, on the future entry into force of the new EU Regulation (GDPR) on data protection and free circulation of personal information throughout the continent.


In particular, the main focus of this Memo will therefore be on: (i) the subjective consequences of Brexit on data protection enforcement, with special reference to the role of the Information Commissioner’s Office (ICO); (ii) the substantial consequences of the Brexit aftermath on a possible UK exclusion from the One-Stop-Shop mechanism; and (iii) any possible difference which might occur between the GDPR’s new sanction regime and the future UK legal framework on data protection.





  • The subjective consequences of the post-Brexit scenario for data protection


The processing and transfer of personal data in the UK is currently regulated by the Data Protection Act of 1998, implementing EU Privacy Directive 95/46/EC, as well as by several other laws addressing the issue of data protection according to relevant EU standards.


Brexit notwithstanding, and according to ICO’s spokesperson, it is reasonable to believe that those laws will remain unchanged at least until exit negotiations have outlined a new status for the UK outside the EU. In fact, as a preliminary note, it can be said that there is no evidence that current national legislation and jurisprudence on privacy and data protection, as drafted in accordance with EU founding treaties and norms, will be lost or “blown away” just because of the fallout of a possible post-Brexit scenario.


Furthermore, this is likely not to affect at all current British legislative standards on privacy and data protection for two main reasons: the first has to do with the UK trying not to lose access to the European Economic Area and the future Digital Single Market; and secondly, because without European data protection tools and guarantees many companies may seriously start considering moving their headquarters from London to neighboring Ireland or even back to the continent.


In this context, the role of a UK national data protection authority may change significantly over time: weakened and resized by the post-Brexit scenario, from a technical point of view ICO will no longer take part in the upcoming series of crucial discussions on the implementation and application of the new GDPR, nor in those on the definition of the mechanisms regulating the future Digital Single Market.


If put in a position similar to that of an EFTA member (the European Free Trade Association, including Switzerland, Norway, Iceland and Liechtenstein), the UK would not only lose its full membership within Article 29 Working Party but also any possibility to count in the future European Data Protection Board.


Finally then, it has to be said that the weight of the referendum vote and its consequences could affect the uncertainties relevant to future EU – UK negotiation talks but also the role of UK independent authorities as reliable counterparts in the European debate on the future of privacy legislation in the continent and its pros and cons.


  • Substantial consequences of Brexit and their legal implications


Among some of the major concerns of the post-Brexit data protection scenario, the functioning of the so-called One-Stop-Shop seems likely to be a top one, especially when considering the absence of any formal recognition to ICO as part of the mechanism as such.


Although the One-Stop-Shop has represented a source of general uncertainty for European legislators and national DPAs since the first versions of the GDPR, it is still unclear how its scope will extend to the British legal system and whether a simple update of the Data Protection Act 1998 will be sufficient to implement it.


Aside from the two-year period granted to Member States for adapting to the entry into force of the GDPR, coincidentally about the same time the UK will have to negotiate its exit strategy from the European Union, the British might be compelled to take a view of data protection partially in contrast with current EU rules and more oriented towards the American “privacy as a commodity” approach. This may in fact change the level of commercial attractiveness the UK will be able to offer to foreign capital and multinationals from now on and help it recover from a period of possible economic stagnation in the field of digital economy.


However, if making the UK internationally appealing by softening regulatory data protection standards in the area of privacy compliance could become a competitive tool to enhance Britain’s legal and economic system from that of the rest of the EU, the lack of appropriate safeguards and common enforcement rules to counterbalance such possible data security de-regulation could, on the contrary, discourage the arrival of foreign capitals rather than encouraging it.


In particular, as for the implementation of the so-called One-Stop-Shop mechanism, it will probably be necessary that Article 29 Working Party and the Commission take a decision on the role of ICO in this transitional phase and in relation to the talks on its access to the consistency mechanism. On the contrary, any unilateral effort to extend GDPR’s scope also to those countries that are not formally part of the EU (e.g. EFTA members as well as Turkey, the Balkans, and most probably the United Kingdom) would be completely useless.


In this regard, for example, if Britain were not to obtain a status similar to that of Switzerland, which by implementing about 80% of EU legislation is able to benefit from many of the full membership advantages reserved only to Member States, a feasible legal mechanism for allowing smooth data transfers from and towards the EU will have to be re-designed from scratch to adapt to this new situation.



In addition to that, by finding itself on the same level as those “third countries” for which the European legislation always foresees specific authorizations for allowing the transfer of personal data, the UK might either hope for a specific adequacy decision in its favour – something similar to a “UK Privacy Shield” – or push for a further nationwide adoption of tools such as Binding Corporate Rules and Standard Contractual Clauses.


In this context, the One-Stop-Shop could prove to be a double-edged weapon for UK legislators: on the one hand, Britain would in fact enjoy greater freedom to regulate data protection and differentiate its national discipline from the narrow margin GDPR is leaving to EU Member States; on the other, however, the risk of increasing the competitive gap with the EU because of a different national discipline on data protection might cause deep suffering for thriving UK business sectors such as technology, banking and legal and financial services.


In conclusion, consent, information to data subjects, data breach notifications, privacy impact assessments and all the other major institutions of the current European data protection framework will very unlikely be subject to adjustments or radical changes leading them towards a different legislative direction than that of the EU at large.


However, while it is certain that the web will continue to speak English throughout the world regardless of any post-Brexit scenario, multinational companies will have to deeply rethink their role as key players within the future UK legal and economic system. Furthermore, most companies’ likely exclusion from the mechanisms of the future One-Stop-Shop will necessarily push UK top managers to reassess the convenience of keeping a London headquarters instead of moving to a European-based one in order to benefit from a single set of rules for, at least, data protection.


Dublin, Paris, Frankfurt and Milan are among the main pretenders for becoming the new continental financial and legal hubs of the EU, already preparing for hosting former London headquarters of some of the main multinational companies of the world. This is not a possibility anymore but a fact of growing importance for the shift of the balance of economic power from the UK to the EU as well as for the applicability of the new GDPR, therefore it shall all be taken in very serious account as soon as possible.


  • Towards a EU – UK “double standard” for data protection sanctions regime?


As mentioned above, the British role in the global debate on the future of data protection is quite likely to be weakened from the current post-Brexit scenario: in particular, UK legislators will probably have to rethink their internal regulatory framework on privacy and data protection according to their future position outside the EU but also, paradoxically, according to the GDPR as well as other Member States.


This, in order not to remain completely isolated from the most important regulatory trends of the continent and following the specific purpose of channeling all national reform efforts into the possibility of accessing the future Digital Single Market and the opportunities of growth and economic development its creation will contribute to spread throughout the EU.


Therefore, UK legislators might want to express a more favorable position as to the extent of some of the main features of EU data protection rules. In fact, the ability to attract multinational companies by softening sanctions – also through new and more advantageous corporate tax cuts – and reducing administrative burdens relevant to the One-Stop-Shop mechanism as well as limiting the extra-territorial scope of GDPR’s principle of “one continent, one law”.


The definition of “main establishment”, as elaborated also by the jurisprudence of the European Court of Justice, cornerstone of the scope and enforcement measures enshrined by the GDPR, could soon become the first subject of scrutiny in the UK process of re-writing the Data Protection Act according to EU rules but always in compliance with current continental data protection standards.


However, if on the one hand it is clear that the British will no longer sit at the table with EU decision-makers in Brussels, especially when discussing internet and e-commerce issues, on the other hand, general recognition for their help in building the mechanisms for regulating Europe’s digital economy will still grant them a privileged position in future political and business talks to come.


The economic fallout of Brexit is likely to be more traumatic in the long term: for example, the UK could no longer access European cohesion funding or incentives for ultra broadband infrastructures, nor participate in Horizon 2020 research and development grants. Brexit is not likely to change the history of the Internet as we know it; however, the development of the digital economy in the EU and in the rest of the world might be subject to radical changes from this step into the unknown.


In conclusion, the UK will surely try not to further aggravate its position under the weight of a data protection regulation radically different from that of Europe, but soon-to-come strategic decisions for the future of the country will impose a deeper reflection on urgent issues such as: a possible UK version of the Privacy Shield, negotiations for accessing the single market and the TTIP, the European Economic Area and the future Digital Single Market, the jurisdiction of the European Court of Justice and a lot more coming up next in the field of data protection.


While waiting for further post-Brexit developments, it might be advisable for multinational companies and public administrations alike to keep focused on the real compliance challenges currently represented by the new and complex discipline of the EU General Data Protection Regulation.


Quick reading:


  • Corriere Comunicazioni, Brexit, Panetta: “Su online e dati UK vorrà rimanere agganciata alla UE”, June 24th, 2016


  • The Privacy Advisor, For privacy pros, Brexit nothing to panic about, June 24th, 2016

*   *   *   *   *

For further information, legal advice and other more detailed questions on the GDPR and/or relevant compliance issues, please do not hesitate to contact our Team at:

Europe Must Go On 

The 60th anniversary of the Treaty of Rome sees the EU much changed from its early origins. We have moved from an economic community to a Union based on civil and human rights and the values common to the peoples of Europe. It has been, and is, a great success.


However it is clear that the Union is not without its troubles on this important anniversary. The Brexit negotiations are about to start. There are nationalist and decentralizing tendencies in many Member States and important elections in Germany and France. There are real problems of immigration and the absence of, or the uneven distribution of, economic growth.


These problems should not daunt us. Our fathers in the integration process faced greater problems. They sought to make peace and to make an institution to guarantee peace from the ashes of the most destructive of European wars.


What we must do is face up to our problems and resolve them. We have great shoulders to stand on. We have been given the evolving EU treaties, the Single Market, a strong Court of Justice in Luxembourg, good competition law, the rights of citizens, in other words a strong legal framework.


This is no time for faintheartedness. We must move on with courage and ensure that the Union is with us for more than another 60 years.

In this issue, we analyse a decision of the Italian Consiglio di Stato according to which the publication of applications for renewal of existing maritime port concessions in the EU Official Journal is not required. Any third party wishing to submit competing bids is however guaranteed by the possibility of preventively inquiring about the expiry of a concession as well as by the investigation conducted by the Port Authority (today Port System Authority), which must comply with the principle of selecting the tenderer offering the «best guarantees for a profitable use of the concession».

We then examine the differences in Italian law between a contract of carriage and a procurement contract for the supply of carriage services. It is important to properly classify the type of contract, and here we explain why.

Let us then examine two recent judgments of the Italian Regional Administrative Courts. The first one is on the possible ways of awarding a maritime concession. The second one relates to the applicability of the Italian Public Procurement Code to the management of intermodal freight terminals, the unavoidable consequences of which are summarised here.

In light of the forthcoming entry into force of the IMO Convention for the Control and Management of Ships’ Ballast Water and Sediments, we look at the impact it is expected to have on the shipping sector. One of the major problems is that, to date, there are no clear indications on how to make ships compliant with the new standards. Moreover, there are countries who have more stringent regulations than the IMO Convention. The risk is therefore to invest in equipment that can be deemed unsuitable at a later stage.

A recent ruling of the Italian Supreme Court allows us to briefly discuss the issue of non-payment of insurance premiums and consequent suspension of cover. The Supreme Court confirmed that insurance coverage applies if an insured event occurs within the «grace period», regardless of whether the next premium instalment is paid.

Concerning airports, the Italian Supreme Court opened the door to possibly finding liability on the part of ENAC (the Authority supervising airport activities and air transport in Italy) in case of airplane damage caused by poor maintenance of taxiways.

Finally, we conclude with our usual review of the news from the world of maritime and port labour. The most important news is about the renewal, in Italy, of the National Collective Bargaining Agreement for shipping agencies’ executives, which brought some improvement to the current situation.

We want to thank our colleagues at Nctm Brussels’s office for their contributions highlighting the most significant actions taken by EU institutions in the international shipping and trade sector.

You will also find a list of our events taking place at our Milan and Rome offices, in addition to the usual update on our firm’s activities over the past two months.

According to the Court of Cassation a concordato plan not describing in detail how it can be implemented is not feasible
The Court of Cassation (decision No. 4915 of 27 February 2017) lowered the threshold allowing the Bankruptcy Court to review the feasibility of the concordato preventivo proposal.

Does a concordato proposal need to assign all future earnings to the creditors?
The Court of Florence (November 2, 2016) confirmed that the debtor can retain part of his assets, with a view to supporting the company’s recovery and in derogation from the principles of liability of the debtor.

Cram down pursuant to Art. 182-septies of the Italian Bankruptcy Law, if the agreement is more convenient for the bank than bankruptcy liquidation
A ruling of the Court of Padua of 31 December 2016 is compared with few other known Court decisions regarding the extension of the effects of a debt restructuring agreement to dissenting financial creditors



In this issue, we explore the new “Project Review” rule provided for by Article 202 of Italian Legislative Decree No. 50/2016, which allows the State to revoke funding previously granted for projects which – upon later and more in-depth review – are found no longer to meet the cost benefit ratio. What will the impact of this new rule be on port infrastructure projects in Italy? Are we at the beginning of a new era? We come back to the Italian port reform issue, this time to examine the ordinance power vested in the President of the Port System Authority. Analysing a judgment of the Regional Administrative Court of Liguria, we note how case law anticipated the reform when recognising the ordinance power of the President of the Port Authority even in the absence of an express statutory provision. We then deal with the need for prior review by the EU Commission of State funding projects involving upgrade works on EU ports. On 23 January 2017 the new EU Regulation on port governance was approved. We give a first insight on the main issues covered by the Regulation: financial transparency and the provision of port services. We examine the request to amend Directive 2009/13/EC, aimed at delivering better working conditions to seafarers in accordance with the amendments made in 2014 to the Maritime Labour Convention (MLC / 2014). We also provide some updates on maritime employment agencies. We then focus on a recent decision of the European Commission on State aid, which further helps improve the general understanding of the criteria to be met in order for State aid in port and airport matters to be deemed compatible with EU law. Finally, we draw our attention to an interesting decision of the Consiglio di Stato regarding the interruption of airport handling services, which is forbidden when deemed detrimental to the public interest in operation of scheduled air transport services.
We want to thank our colleagues at Nctm Brussels’s office for their contributions highlighting the most significant actions taken by EU institutions in the international shipping and trade sector. You will also find a list of our events taking place at our Milan and Rome offices, in addition to the usual update on our firm’s activities over the past two months.

As we settle into 2017 the drama of Brexit and Trump seems to have eased somewhat. While the drama might have lifted, it doesn’t mean that the complexities that these two phenomena have introduced and are introducing into the practice of law have gone away. In fact, the more we reflect on what needs to be done to achieve Brexit the less clear the situation is. This week President Trump will outline what he means by the Wall and taxes on imports of goods. From a WTO law point of view it can only be disruptive and even destructive. The drama might have gone but the work is only beginning. In this issue we have a range of contributions covering how the Russian constitutional court has reacted to the European Court of Human Rights rulings in favour of the owners of Yukos, the OECD’s review of its own bribery rules, the EU’s new proposed ePrivacy Regulation, and how the European Court of Auditors confirms our understanding of the responsibilities and obligations of Port Authorities in relation to concessionaires. We explain the new Italian Save the Banks decree and show how the EU Commission has a strong role in every step of the process and look at how the Commission proposes disciplining insurance distribution agents.
