[Last updated: 10/10/2025]
Regulation (EU) 2016/679 (GDPR), which governs the protection of natural persons with regard to the processing of personal data, has applied since 25 May 2018. This notice explains, in a clear, transparent and concise way, how the Law Firm of Avv. Roberto Forlani (hereinafter, simply “the Firm”) collects, uses, stores and protects your personal data.
The purpose is to enable you to understand which data are processed, for what purposes, under which security safeguards, and which rights you may exercise. In the following sections you will also find the key definitions needed to understand what is meant by “personal data” and “processing”.
To help you better understand this notice, we set out below, in simple terms, two key GDPR definitions:
🔹 Personal Data: Any information that makes it possible to identify a natural person, directly or indirectly. Personal Data include, for example: first and last name, date and place of birth; address, telephone number, e-mail address, tax code; banking and payment details; website browsing data; and information contained in CVs. In short, any information that allows a person to be identified or identifiable is considered Personal Data.
🔹 Processing: Any operation performed on Personal Data, including by electronic means. This includes, by way of example: collection and recording, organisation and storage, consultation and use, disclosure to third parties, erasure or destruction. Processing must always comply with the principles of lawfulness, fairness and transparency set out in the GDPR.
The Data Controller of Personal Data is the Law Firm of Avv. Roberto Forlani, which determines the purposes and means of processing your data.
📍 Controller’s contact details: Avv. Roberto Forlani, Via Flaminia 134/N – 47923 Rimini (RN) – Italy
✉️ E-mail: rf@forlaniconsulting.eu, 📬 PEC (certified e-mail): roberto.forlani@ordineavvocatirimini.it
Tel. +39 0541 857674
The Data Controller is responsible for ensuring that all processing activities comply with Regulation (EU) 2016/679 (GDPR) and with any other applicable legislation on personal data protection.
The Firm may collect your Personal Data in various circumstances, depending on the nature of the relationship with you and the purposes of the processing.
| Occasion of Collection | Examples of Data Collected | Main Purpose |
|---|---|---|
| ⚖️ Conclusion or management of a professional engagement | Identification data, contact details, banking details | Performance of the contract |
| 📝 Pre-contractual phases (e.g. request for a quotation) | Contact details, content of the request | Management of pre-contractual requests |
| 📧 Sending e-mails or messages to the indicated addresses (e.g. via website or letterhead) | E-mail address, data included in the communication | Responding to and following up on received communications |
| 🌐 Completion of contact forms on the website | Name, e-mail address, content of the message | Management of requests and contacts |
| 📄 Spontaneous submission of curriculum vitae (CV) | Data contained in the CV (e.g. experience, qualifications) | Candidate assessment and selection |
| 🍪 Browsing the website www.forlanilegal.eu (via cookies) | Technical browsing data, IP address, preferences | Operation of the website and management of cookie preferences. 👉 Further information is available in our Cookie Policy |
The Firm processes Personal Data with the utmost attention to security, confidentiality and protection of information, in compliance with Articles 5 and 32 of the GDPR.
⚙️ Processing methods
Personal Data are processed primarily by means of IT and electronic tools and, only in limited cases, on paper-based media. All processing activities are carried out in compliance with the principles of lawfulness, fairness, data minimisation and storage limitation, for the period strictly necessary to achieve the purposes for which the data are collected.
📍 Place of storage
Personal Data are stored at the Firm’s premises, located at Via Flaminia 134/N – 47923 Rimini (RN), Italy, and, for security and backup purposes, on portable IT media directly controlled by the Controller and protected by passwords. Appropriate technical and organisational measures are implemented to prevent unauthorised access, loss, destruction or unlawful disclosure of data.
Among the electronic processing tools used, the Firm employs an internally developed management platform, dedicated to the collection, organisation and archiving of information relating to clients, assigned matters, and the tracking of activities performed and professional services rendered. The system is accessible exclusively to authorised personnel, protected by personal credentials, and hosted on an infrastructure compliant with the security and confidentiality requirements set out in Regulation (EU) 2016/679 (GDPR).
The Firm adopts appropriate technical and organisational measures to ensure the security of the Personal Data processed, preventing unauthorised access, alteration, accidental loss or processing not aligned with the stated purposes.
Such measures are periodically reviewed and updated in line with regulatory, technological and organisational developments.
| Protection Area | Measures Implemented | Purpose |
|---|---|---|
| 💻 IT security | Antivirus systems, firewalls and secure connections (HTTPS/TLS); regular software updates | Prevent unauthorised access and protect data integrity |
| 🔐 Access management | Individual authentication for each user; limitation of access privileges to authorised personnel only | Ensure that data are accessible solely to duly instructed and authorised persons |
| 💾 Data retention and storage | Automated backups on servers located within the EU; emergency recovery procedures | Ensure availability and resilience of IT systems |
| 🏢 Organisational security | Appointment of Data Processors; operational instructions to collaborators; confidentiality agreements | Ensure compliance with internal procedures and protection of confidentiality |
| 📁 Protection of paper-based data | Storage in locked premises accessible only to authorised personnel | Prevent loss or unauthorised access to physical files |
| 🎓 Staff training | Periodic training sessions on GDPR, confidentiality and cybersecurity | Strengthen staff awareness and accountability |
| 🔍 Monitoring and audit | Periodic review of internal processes and external service providers | Ensure ongoing compliance with data protection policies |
◆ Internal contact person responsible for request management
In order to ensure proper and traceable handling of requests, the Firm has identified an internal privacy contact person responsible for receiving and managing data subject requests. At present, no Data Protection Officer (DPO) has been appointed, as such appointment is not mandatory in view of the nature of the processing activities carried out.
◆ External Data Processors
The Firm may engage qualified external entities, appointed as Data Processors pursuant to Article 28 GDPR, for specific activities such as accounting and tax management, maintenance of IT systems and servers, e-mail services or cloud storage, technical assistance, or specialised consultancy in the field of data protection.
An up-to-date list of Data Processors is available upon written request to the Controller’s e-mail address.
◆ Authorised personnel and internal collaborators
Collaborators, trainees and employees of the Firm process Personal Data strictly on the basis of the Controller’s instructions, in accordance with Articles 29 and 32 GDPR, and are duly trained and bound by confidentiality obligations.
| Purpose of Processing | Practical Examples | Legal Basis (Art. 6 GDPR) | Nature of the Provision |
|---|---|---|---|
| ⚖️ Management of professional relationships | Conclusion and performance of engagements, client records management, accounting and invoicing | b) Performance of a contract or pre-contractual measures; c) Compliance with legal and professional obligations | Mandatory |
| 🛡️ Protection of rights and regulatory compliance | Legal defence, responses to authority requests, prevention of fraud or money laundering | f) Legitimate interest of the Controller; c) Legal obligation | Mandatory |
| 💬 Management of communications | Responding to requests via e-mail or contact forms | b) Pre-contractual measures at the data subject’s request; f) Legitimate interest in proper communication management | Optional |
| 📩 Provision of information and newsletters | Updates on Firm activities and regulatory developments | f) Legitimate interest of the Controller; a) Explicit consent (voluntary subscription) | Optional |
| 🤖 Use of Artificial Intelligence (AI) systems | Document analysis, legal research, organisational and internal support activities | b) Performance of the professional engagement; f) Legitimate interest in organisational efficiency | Mandatory (within the scope of the engagement) |
Pursuant to Article 13 of Law No. 132 of 23 September 2025, clients are hereby informed that, in the course of performing the professional engagement entrusted to the Firm, in both judicial and out-of-court contexts, tools based on Artificial Intelligence (AI) technologies may be used, where deemed appropriate, exclusively for instrumental and support purposes related to professional activities.
By way of example, the AI tools used may include advanced solutions such as ChatGPT, AI-assisted analysis platforms, or other similar tools for assisted text generation and content analysis, limited to internal support activities only.
Such use shall always take place in full compliance with Regulation (EU) 2016/679 (GDPR), applicable national data protection legislation, and the ethical and deontological principles governing the legal profession, with the objective of ensuring the highest level of confidentiality of the information processed.
In particular, AI systems may be used, by way of example and without limitation, for activities such as: document and organisational management within the Firm; conducting statutory and case-law research; preliminary document analysis; drafting internal outlines and working summaries.
It is expressly understood that any content generated or assisted by such tools shall always be subject to critical assessment and thorough verification by the appointed lawyer, both during the drafting phase and during source verification, prior to any professional use.
| Type of Data | Purpose of the Provision | Mandatory Nature | Consequences of Failure to Provide |
|---|---|---|---|
| 📄 Contractual and identification data | Conclusion and performance of professional engagements | Mandatory | Impossibility to establish or manage the professional relationship |
| 🧾 Tax and accounting data | Compliance with legal and tax/professional obligations | Mandatory | Impossibility to issue accounting documents or comply with legal obligations |
| 📞 Contact data (e-mail, telephone, forms) | Informational communications or responses to requests | Optional | It may not be possible to receive feedback or the requested information |
| 📩 Data for newsletters or updates | Informational communications on Firm news, calls and activities | Optional (subject to consent or legitimate interest) | No consequences, except failure to receive communications |
| 📣 Data for publications or testimonials | Publication on the website or social media of results or feedback | Optional (subject to consent) | No consequences; names or results will not be published |
| Category of Recipient | Who Is Included | Purpose of the Disclosure | Legal Basis (Art. 6 GDPR) | Recipient’s Role |
|---|---|---|---|---|
| 👥 Collaborators and internal staff | Lawyers, trainees, employees and collaborators of the Firm | Performance of the engagement, organisational and administrative management | b) Performance of a contract; f) Legitimate interest of the Controller | Authorised persons acting under the Controller’s authority (Art. 29 GDPR) |
| 📑 External consultants and service providers | Professional firms, tax consultants, IT consultants, maintenance companies or cloud service providers | Administrative, accounting, management and technical support | f) Legitimate interest; c) Legal obligation | External Data Processors (Art. 28 GDPR) |
| 🏛️ Public bodies and supervisory authorities | Judicial authorities, law enforcement agencies, supervisory bodies, professional orders | Legal, deontological and defence obligations in judicial proceedings | c) Legal obligation; f) Legitimate interest | Independent Data Controllers |
| 🏦 Credit institutions and insurance companies | Banks, insurance companies, credit management entities | Payments, insurance coverage and debt recovery | b) Performance of a contract; f) Legitimate interest | Independent Data Controllers |
| 🌐 Technology and web hosting providers | E-mail service providers, cloud platforms, website hosting services | Management and security of IT data and website operations | f) Legitimate interest; c) Legal obligation (security of processing, Art. 32 GDPR) | External Data Processors (Art. 28 GDPR) |
| Scope of Storage and Transfer | Physical or Virtual Location of Data | Purpose of Processing or Service | Safeguards Applied |
|---|---|---|---|
| 🇪🇺 Within the European Union | Servers and archives located at the Rimini office and European cloud providers | Data storage and ordinary management of professional activities | Data stored within the EU in accordance with the Firm’s technical and organisational measures |
| 🌐 Non-EU cloud service providers | Servers located in third countries (e.g. USA, United Kingdom, Switzerland) | Backup, e-mail services, document management, communication platforms or AI tools | Standard Contractual Clauses (SCCs) approved by the European Commission; adequacy decisions where available |
| 🤝 Collaboration and communication platforms | Digital services for document management or AI, potentially including non-EU components | Secure management and archiving of communications and working drafts | Contractual agreements including security clauses and GDPR compliance commitments |
| 🔒 Occasional transfers | Third countries not covered by an adequacy decision | Performance of specific client engagements or international consultancy activities | Contractual safeguards under Art. 46 GDPR (Standard Contractual Clauses, Art. 46(2)(c); ad hoc contractual clauses only where authorised by the supervisory authority, Art. 46(3)(a)) and the client’s prior authorisation |
| Type of Personal Data | Purpose of Processing | Retention Period | Deletion or Anonymisation Criteria |
|---|---|---|---|
| ⚖️ Clients’ contractual and identification data | Management of the engagement; performance of legal and tax obligations | Duration of the contractual relationship + 11 years after termination | Automatic deletion upon expiry of the statutory limitation period; possible extension for defence in legal proceedings |
| 🧾 Tax and accounting data | Issuance and retention of invoices; tax compliance | 11 years from accounting registration | Deletion or separate archiving after the statutory retention period |
| 📩 Contact and communication data – e-mail/forms | Management of requests and correspondence | 12 months from completion of the request or last contact | Automatic deletion or periodic anonymisation |
| 📄 Data contained in curricula (CVs) | Assessment of applications and selection of collaborators | 6 months from receipt (unless consent to extension is provided) | Deletion or anonymisation upon expiry |
| 📬 Data for newsletters and informational updates | Sending non-commercial communications and regulatory updates | Until withdrawal of consent or objection (opt-out) | Immediate deletion following the unsubscribe request |
| 📣 Data for publications/testimonials | Dissemination of results or references on website/social media | Until withdrawal of consent | Immediate deletion upon request of the data subject |
| 🛡️ Data relating to disputes or legal defence | Protection of rights in judicial or out-of-court proceedings | Until expiry of limitation periods (generally 10 years) | Deletion or secure archiving after final closure of the proceedings |
| 🤖 Data processed through AI tools | Professional support activities (drafts, analysis, research) | Strictly necessary time for processing and verification of the output | Immediate deletion of temporary files upon completion of the activity |
| Right | What You Can Do | Controller’s Response Time | How to Exercise the Right | Legal Basis |
|---|---|---|---|---|
| 🔍 Right of access | Ascertain whether your data are being processed and obtain a copy of the data together with the main information (origin, purposes, categories, recipients, retention periods) | Within one month, extendable by two further months in complex cases (Art. 12(3) GDPR) | Request by e-mail or PEC to the Controller | Art. 15 GDPR |
| ✏️ Right to rectification | Request the correction or updating of inaccurate or incomplete data | Within one month | E-mail or PEC indicating the data to be updated | Art. 16 GDPR |
| ❌ Right to erasure (right to be forgotten) | Obtain the deletion of data when they are no longer necessary, consent has been withdrawn, or processing is unlawful | Within one month | Written request (e-mail or PEC) | Art. 17 GDPR |
| ⏸️ Right to restriction of processing | Temporarily block the use of data in the event of a dispute or verification | Within one month | Reasoned written request | Art. 18 GDPR |
| 🔄 Right to data portability | Receive data in a structured, commonly used and machine-readable format, or request their transmission to another controller | Within one month | Specify the format and the recipient of the transfer | Art. 20 GDPR |
| 🚫 Right to object | Object to processing based on legitimate interest or for informational purposes | Immediate interruption, unless overriding grounds exist | E-mail or PEC; “unsubscribe” link for newsletters | Art. 21 GDPR |
| 🔁 Right to withdraw consent | Withdraw consent at any time, without affecting the lawfulness of prior processing | Immediate | E-mail or PEC to the Controller | Art. 7(3) GDPR |
| 🛡️ Right to lodge a complaint with the Supervisory Authority | Report any violations or irregularities in the processing of data | No time limits (may be exercised at any time) | Italian Data Protection Authority – www.garanteprivacy.it | Art. 77 GDPR |
The exercise of your rights is simple, free of charge and does not require any formalities.
You may contact the Data Controller at any time, clearly indicating:
Where necessary, the Firm may request additional information to verify your identity, solely for the purpose of ensuring that the request is made by the data subject concerned.
The Data Controller will respond within one month of receipt of the request. Where requests are complex or numerous, this period may be extended by two further months, with a reasoned notice to the data subject within the first month (Art. 12(3) GDPR). Where a request is manifestly unfounded or excessive, the Data Controller may charge a reasonable fee (Art. 12(5) GDPR).