Privacy Policy | Cutugno Law Firm Rome

Introduction

This Privacy Policy describes how Cutugno Studio Legale collects, uses, and protects the personal data of users visiting the website www.studiolegalecutugno.it, in compliance with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree No. 196/2003 (Privacy Code), as subsequently amended.

The protection of personal data is a matter of the highest priority for the Firm, also in consideration of the ethical obligations and duties of confidentiality and professional secrecy inherent to the practice of law.

1. Data Controller

Avv. Davis Eros Cutugno

Principal Office and registered address:
- Via Candia, 89 - 00192 Rome RM, Italy
Secondary Office:
- Via XXIV Maggio, 108 - 89034 Bovalino RC, Italy

Contact details:
Email: info@studiolegalecutugno.it
Telephone: +39 06 8390 4884 (Rome, Italy) / +39 0964 66 228 (Bovalino, Italy)

VAT No.: IT02260520800
Bar Registration: Rome Bar Association

Data Controller: Avv. Davis Eros Cutugno

The Data Controller has not appointed a Data Protection Officer (DPO). In the absence of a designated Data Protection Officer, any request concerning the processing of personal data may be addressed directly to the Data Controller at the contact details provided above. Written communications may be sent by registered letter with return receipt solely to the Firm's principal office at Via Candia, 89 – 00192 Rome RM, Italy.

The Data Controller undertakes to process personal data in full compliance with applicable legislation and with the principles of fairness, lawfulness, transparency, and in observance of the professional secrecy that characterises the legal profession.

2. Categories of Data Processed

2.1 Data Voluntarily Provided by the User

The website collects personal data exclusively when the user voluntarily provides them through the designated contact form. The data required for submitting an enquiry are classified as follows:

Mandatory data:
- First name;
- Surname;
- Email address;
- Message text.

Optional data:
- Telephone number;
- Subject of the enquiry.

The provision of data indicated as mandatory is necessary to process and respond to the enquiry; failure to provide such data will prevent the Firm from fulfilling the request.

The user is responsible for the accuracy and currency of the data provided. It is prohibited to communicate personal data of third parties without their prior consent.

2.2 Browsing Data

During normal website browsing, statistical data is collected in aggregate and anonymous form, including:

- Number of visitors;
- Pages visited;
- Time spent on the website;
- General geographic origin (at city/region level only), which, where detected, is merely an approximate estimate and is not used to identify the user;
- Device used (desktop, mobile, tablet).

These data do not allow the personal identification of the user and are used exclusively for statistical purposes and to improve the functioning of the website.

2.3 Technical Security Data

To protect the contact form from improper use and to ensure the security of communications, and more generally to protect the website from automated or malicious activity, the website employs automated verification technologies that do not entail the collection of identifiable personal data, but only of technical data strictly necessary to prevent abuse and ensure the security of the website.

3. Purposes and Legal Basis of Processing

Personal data are processed for the following purposes:

a) Management of Contact Enquiries

Purpose: to respond to enquiries submitted through the contact form and to provide the information requested.

Legal basis: consent of the data subject (Art. 6(1)(a) GDPR), expressed through the submission of the contact form.

Provision of data: voluntary; however, failure to provide the data indicated as mandatory will prevent the Firm from processing the enquiry.

b) Management of Professional Relations

Purpose: the possible establishment and management of a professional relationship arising from the contact enquiry, including related administrative, accounting, and tax obligations.

Legal basis: performance of pre-contractual measures taken at the request of the data subject or performance of a contract (Art. 6(1)(b) GDPR).

Provision of data: necessary for the performance of the professional relationship, should one be established.

c) Legal Obligations

Purpose: compliance with obligations imposed by law, regulations, European Union legislation, or orders of competent Authorities. By way of example, compliance with obligations arising from:

- The Code of Conduct for Italian Lawyers (Codice Deontologico Forense);
- Anti-money laundering legislation (Italian Legislative Decree No. 231/2007);
- Tax and accounting obligations;
- Document retention obligations.

Legal basis: legal obligation (Art. 6(1)(c) GDPR).

Provision of data: mandatory by law.

d) Defence of Rights

Purpose: the establishment, exercise, or defence of a right or interest in judicial or extrajudicial proceedings, as well as the management of requests for legal opinions.

Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR).

e) Website Improvement

Purpose: aggregate statistical analysis to understand how the website is used and to improve its functioning.

Legal basis: legitimate interest of the Data Controller (Art. 6(1)(f) GDPR). Data are collected in anonymous and aggregate form.

4. Methods of Processing

Personal data are processed by means of electronic, digital, and manual instruments, following procedures strictly related to the stated purposes and, in any event, in a manner that ensures the security and confidentiality of the data.

The processing of personal data consists of the following operations:

- Collection;
- Recording and organisation;
- Storage;
- Consultation;
- Processing and use;
- Disclosure (where applicable);
- Erasure.

The Firm processes data with particular regard to confidentiality, also in consideration of the duties of secrecy and confidentiality inherent to the legal profession. Where the user's enquiry results in the establishment of a professional relationship, communications between lawyer and client are protected by the principles and rules governing professional privilege.

Access to data is permitted only to the Data Controller and, where necessary, to expressly authorised persons and/or service providers acting as data processors pursuant to Art. 28 GDPR, within the limits of their respective duties. No automated processing or decision-making processes based exclusively on automated systems are envisaged.

5. Retention Period

Personal data are retained for the time strictly necessary to fulfil the purposes for which they were collected:

a) Contact Enquiries

Data provided through the contact form will be retained for the time strictly necessary to process the enquiry and, in any event, for a maximum period of 12 months from receipt, unless a professional relationship is established or retention is required for the defence of rights.

b) Professional Relationships

Where a professional relationship is established, data are retained for:

- the duration of the professional relationship;
- for the subsequent period following the conclusion of the relationship, for the time necessary to fulfil legal or regulatory obligations (tax, accounting, ethical, etc.).

c) Statistical Data

Browsing data in aggregate and anonymised form may be retained for extended periods, as they do not allow the identification of the user. Upon expiry of the retention period, personal data will be erased or irreversibly anonymised.

6. Recipients of Data

Personal data are not subject to public disclosure.

6.1 Disclosure to Third Parties

Personal data may be disclosed, exclusively for the purposes indicated above, in compliance with legal obligations or in the performance of any professional engagement, solely to the following categories of recipients:

a) Data Processors

Providers of technical services necessary for the operation of the website, the management of electronic communications, and protection against unauthorised access. Such parties act as data processors in accordance with the Data Controller's instructions and in full compliance with the GDPR.

b) Public Authorities

Judicial authorities, law enforcement agencies, tax authorities, and other Public Authorities, where disclosure is required by law or necessary for the protection of the Data Controller's rights.

c) Consultants and Collaborators

Professionals (accountants, labour consultants, expert witnesses, technical consultants, lawyers, collaborators, etc.), for the purposes of the Data Controller's legal assistance or the protection of its rights, in compliance with professional confidentiality obligations.

No personal data are disclosed to third parties for commercial or marketing purposes.

7. Transfer of Data Outside the EU

No transfer of data to servers located in countries outside the European Union is envisaged. Should any such transfer become necessary, it will be carried out in compliance with Articles 44 et seq. of the GDPR and with appropriate safeguards.

8. Cookies and Similar Technologies

8.1 Cookies Used

This website uses only technical cookies necessary for the proper functioning of the website itself. No profiling or tracking cookies are used.

Technical cookies do not require user consent as they are strictly necessary to provide the requested service.

8.2 Local Storage

The user's browser may store locally the language preference selected (Italian/English), solely for the purpose of improving the browsing experience. This information is stored exclusively on the user's device, solely to remember the user's choice; it is not transmitted to external servers and is not used for profiling or tracking purposes.

8.3 Detailed Information

For complete and detailed information on the cookies used by this website, including how to disable them, please refer to the Cookie Policy available on this website.

9. Rights of the Data Subject

As a data subject, the user is entitled to exercise the following rights under Articles 15–22 of the GDPR:

a) Right of Access (Art. 15 GDPR)

To obtain from the Data Controller confirmation as to whether personal data concerning the user are being processed and, where that is the case, to obtain access to such data and the following information:

- Purposes of the processing
- Categories of data processed
- Recipients of the data
- Retention period
- Existence of the data subject's rights

b) Right to Rectification (Art. 16 GDPR)

To obtain the rectification of inaccurate personal data and the completion of incomplete data.

c) Right to Erasure (Art. 17 GDPR – "Right to Be Forgotten")

To obtain the erasure of personal data in the following circumstances:

- The data are no longer necessary for the purposes for which they were collected
- The data subject withdraws consent
- The data have been unlawfully processed
- Erasure is required by law

The right to erasure does not apply where processing is necessary for:

- Compliance with a legal obligation
- The establishment, exercise, or defence of legal claims

d) Right to Restriction of Processing (Art. 18 GDPR)

To obtain the restriction of processing where:

- The data subject contests the accuracy of the data
- The processing is unlawful but the data subject opposes erasure
- The data are necessary for the establishment, exercise, or defence of legal claims
- Verification of the grounds for objection to processing is pending

e) Right to Data Portability (Art. 20 GDPR)

To receive personal data in a structured, commonly used, and machine-readable format and to transmit such data to another data controller.

f) Right to Object (Art. 21 GDPR)

To object to the processing of personal data where processing is based on the legitimate interest of the Data Controller, on grounds relating to the data subject's particular situation.

g) Withdrawal of Consent (Art. 7(3) GDPR)

To withdraw consent at any time, without affecting the lawfulness of processing based on consent given prior to its withdrawal.

h) Right to Lodge a Complaint with a Supervisory Authority

To lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) if the data subject considers that the processing infringes the GDPR.

Garante per la Protezione dei Dati Personali
Piazza Venezia, 11 - 00187 Rome
Tel: +39 06 696771
Email: garante@gpdp.it
PEC: protocollo@pec.gpdp.it
Web: www.garanteprivacy.it

9.1 How to Exercise Your Rights

To exercise their rights, the data subject may:

- Send an email to: info@studiolegalecutugno.it
- Alternatively, send a registered letter with return receipt to the Firm's principal office at Via Candia, 89 – 00192 Rome RM, Italy.

The Data Controller will respond to the request without undue delay and, in any event, within one month of receipt. This period may be extended by a further two months where the request is of particular complexity.

Responses are provided free of charge. In the case of manifestly unfounded or excessive requests, the Data Controller may charge a reasonable fee or decline to act on the request.

10. Data Security

The Data Controller adopts appropriate technical and organisational measures to ensure a level of security commensurate with the risk, in accordance with Article 32 of the GDPR.

10.1 Technical Measures

- Encryption of communications via HTTPS/TLS protocol
- Anti-spam and anti-bot protection systems for online forms
- Protection against cyber attacks (Cross-Site Request Forgery, SQL Injection, etc.)
- Periodic data backups
- Secure authentication systems

10.2 Organisational Measures

- Access to personal data restricted to the Data Controller only
- Documented procedures for handling data subject requests
- Ongoing training in personal data protection
- Observance of professional secrecy as required by the legal profession
- Periodic review of security measures in place

In the event of a personal data breach posing a risk to the rights and freedoms of data subjects, the Data Controller will notify the Italian Data Protection Authority within 72 hours and, where appropriate, the affected data subjects.

11. Amendments to this Privacy Policy

This Privacy Policy may be amended or updated periodically, including in consideration of regulatory or organisational changes.

Any material amendments will be communicated to users through a notice published on the website. The date of the most recent update is indicated at the top of this page.

Users are advised to review this page regularly for any updates. Continued use of the website following the publication of any amendments constitutes acceptance of the updated Privacy Policy.

12. Contact and Enquiries

For any enquiry regarding this Privacy Policy, to exercise the rights provided for under the GDPR, or to obtain clarification on the processing of personal data, the Data Controller may be contacted at the following details:

Avv. Davis Eros Cutugno
Email: info@studiolegalecutugno.it
Telephone: +39 06 8390 4884 (Rome, Italy) / +39 0964 66 228 (Bovalino, Italy)

Written communications may be sent by registered letter with return receipt solely to the Firm's principal office at Via Candia, 89 – 00192 Rome RM, Italy.

VAT No.: IT02260520800
Bar Registration: Rome Bar Association

Last updated: February 2026