Privacy compliance

Privacy compliance: when an expert advisor is worth more than gold

Since the late 1990s we have been providing legal assistance and consultancy on data protection issues. We have been dealing with this matter since long before the introduction of the GDPR (2016). 

Our services range from adapting the organizational structure to the privacy regulation to assisting in legal disputes before the Italian DPA and before the Courts.

Indeed, with the entry into force of the General Data Protection Regulation (EU) 2016/679, the protection of personal data has taken on a greater relevance and complexity.

The Italian Privacy Code (Legislative Decree no. 196/2003) systematically listed the measures to be taken for proper processing, whereas the GDPR only sets out the principles that the Data controller must follow, so that he can autonomously find the best solutions to ensure the highest possible protection.

This activity requires significant effort because a customized intervention is needed: each company has its own needs and particularities. Therefore, only after an examination of the concrete situation will it be possible to find the most suitable solutions for adapting the company's specific situation to the regulatory requirements.

First of all, Privacy Training

The GDPR recognizes the fundamental importance of training for those who process personal data, because only through knowledge of the subject matter is it possible to implement correct behavior and react consciously in the event of emergencies.

Therefore, training courses represent a real security measure for the correct processing of data.

At Studio Turini we have gained considerable experience in organizing and providing training courses on Privacy. All our training programmes are structured according to the Client’s needs and are directed to all professional categories, from managers to freelancers. Targeted courses are also included for different company figures, with the possibility of defining course delivery methods and knowledge verification sessions. 


GDPR requires careful business organization

The GDPR requires the adoption of all necessary measures to ensure compliance with the Regulation. Companies have their own organizational and structural characteristics – these are not always up to the task of ensuring adequate protection of processed personal data. 

At Studio Turini, we guarantee assistance and expertise to deal with each stage of Privacy compliance in the best possible way, from the analysis of the current situation to the drafting of all the documents (type of processed data, data controller, adopted anonymisation procedures, etc.), aimed at correct privacy management. 

We take care of every aspect of the company’s privacy compliance, including the drafting of information policies for each data processing carried out and the drafting of contracts with data processors. In addition, we carry out all activities to verify the correct implementation of the measures adopted through specific audits. 

The aim is to combine the requirements imposed by European legislation with the particularities of each business model.

Data protection is not a static process but a dynamic one: each organization must adapt its privacy management processes to every change in the corporate structure that involves personal data.

Indeed, the processing of personal data concerns the entire organisation of the owner because it interacts with every business segment and with all the tools, especially IT tools, that are used.

The GDPR compliance of Internet sites

The website is the showcase of the owner’s business activity, in other words the business card par excellence, but also an important vehicle of information and personal data.

The Italian Data Protection Authority has pronounced several times over the years on the processing of data on the Internet. Every technological development is followed by a pronouncement on the GDPR compliance of the new IT tools. 

The contents of the Italian DPA measures evolve just as the means by which personal data can be processed evolve. For instance, over the years, the Italian DPA has ruled several times on the subject of cookies, redefining the obligations for the use of cookies linked to websites. The company’s website must therefore be carefully analyzed according to its function.

Touchpoints: the contact points through which a website collects information

Every choice made by the owner of a website must be evaluated from a technical, commercial and also legal point of view, taking care to implement it in compliance with European privacy legislation. 

Just think about a simple newsletter subscription form or a contact form in the ‘work with us’ section of a website, through which candidates can send their curriculum vitae. These are data collection tools that require an appropriate Privacy Policy, which can only be rendered after examining the flow, use, modalities and time of storage of that information. 

Moreover, even a simple informative website must comply with privacy regulations if it collects or processes personal data. 

Unfortunately, it is often thought that, in order to be privacy compliant, it is sufficient to publish on the website a privacy policy copied from others and simply ‘readjusted’. However, copy/paste operations from other sites are not sufficient and, on the contrary, they could even expose the owner to a serious risk of objections or sanctions.

The Privacy Compliance of a website, as well as the drafting of the relevant privacy policy, always requires in-depth evaluations. Only a professional expert in the field can indicate and realize the appropriate solutions for the specific case.

GDPR-compliant apps

The development of mobile applications (Apps) always involves the processing of personal data.

Apps require personal data from their users. Often processing of personal data takes place on a widespread basis due to the close interaction of the app with the operating system, which allows access to more data than a traditional browser. 

Applications are able to collect large amounts of data from the user’s device and to process them to provide new and innovative services.

It is therefore necessary to set up proper personal data processing from the very beginning, following the principles of privacy by design and by default. Indeed, the GDPR requires the protection of data from the moment in which a new product or service is designed and by default. 

There must always be a proactive attitude of the data controller in determining the technical and organizational measures to adopt in order to ensure adequate protection of personal data. 

We assist the Client right from the preliminary ‘planning’ phase, because it is essential to determine from the very beginning the risks involved in the data processing and to determine the necessary measures to adopt in order to implement the data protection provisions and principles. 

After a preliminary analysis, we assist the Client in the preparation of all the management documents and information necessary to be able to place the App on the market safely and without infringing the involved rights. 

Privacy Consultancy is essential for every company

Privacy consultancy is essential for every company because it involves several business aspects, such as facing disputes, audits by the Italian DPA or legal action brought by a person who claims an infringement of his/her rights.

In all these cases, it is necessary to contact a professional expert in the field of personal data processing to obtain the right advice and avoid irreparably compromising the situation.

However, consultancy is even more important as a preventive measure, to avoid actions or disputes that may be costly.       

Every choice concerning the processing of personal data must be well balanced and assessed in light of the fundamental principles established in EU Regulation 679/2016 of minimisation, limitation, lawfulness, fairness, transparency, accuracy, integrity and confidentiality.

Even after the entire organization has been adapted, the use of new technologies or the identification of a new processing may require a new analysis of the measures already adopted or that have to be adopted. Experience and expertise allow us to assist the Client for every need and to support him/her in every decision whenever personal data are involved.

We offer our consultancy: 

  • in the preliminary evaluation phase of a project.      
  • in the privacy compliance of the entire company.     
  • in the privacy compliance of a single process.     
  • in the examination of specific situations or in the resolution of particular critical issues.

We provide legal support and defense in the event of administrative actions, such as the Complaint to the Italian DPA or the defense of the Client in the context of any investigations launched by the competent Authority.

We also assist Clients in judicial proceedings, both in an active sense – as promoters of actions against third parties – and in the defensive phase – when it is necessary to resist a contestation or a claim for compensation.

Privacy Audits? Not just a formality

Audits should be systematically scheduled, in order to verify and be able to prove to the Control Authority that the organizational structure performs a constant monitoring process of the procedures adopted, internal changes and technological evolution.

The scheduling of audits is not only relevant for the management of personal data, but also for the purposes of the law on the administrative liability of institutions. 

Audits, including inspections, may be carried out by the owner. It is often advisable to entrust them to an external specialist, who is familiar with the legislation on personal data processing and who objectively evaluates the internal procedures.

The verification of the adopted measures involves both the internal organization of the company (internal audit) and the organization through external professionals acting as Data Processors (external audit).

The internal audit is carried out within the organization and it is part of the internal control system. It represents one of the tools used to check that activities are carried out correctly and to verify that procedures are observed and adequate. 

External audits, on the other hand, are carried out outside the company, i.e. at third parties to whom a part of the processing has been delegated, and may be of two types.

The first type, and also the strictest one, includes those audits that are carried out before a relationship for the service provision is established.

In fact, before choosing a supplier who will process data on our behalf, it is necessary to verify that it meets the requirements and guarantees set out in the GDPR, both to protect the company’s and its partners’ data and to avoid sanctions.

The second type of Audit takes place after the assignment has been conferred and it is aimed at verifying the correct fulfillment of the contract instructions as well as the compliance with the privacy regulation. 

At the end of the Audits, it is possible to determine the ‘conformity’ or ‘nonconformity’ of the concrete processing with regard to the chosen organizational model. After that, indications can be given to establish the best possible level of compliance. 

Privacy compliance and facsimile: no thanks!

Too often, privacy compliance is downplayed and dealt with superficially by using facsimiles or templates. 

In the light of the above, it is clear that privacy cannot be ‘standardized’. Each complying procedure is different from the other, so each company will be assisted directly and specifically by Studio Turini in order to realize a customized adaptation.

Contact Us

    We are equipped with specialized software for the management of patent, design, trademark and copyright portfolios: "Battista Software Project" - Studio Brevetti Turini s.r.l. Project co-financed under Tuscany POR FESR 2014-2020
