Studio Bandera Legale – Societario – Tributario (hereinafter also “Studio”) in its capacity as Data Controller, wishes to provide the following specific information regarding the way in which this site is managed with reference to the processing of personal data of the users who consult it. It is also a disclosure made pursuant to Art. 13 of the EU Regulation 2016/679 “GDPR” (hereinafter the “Privacy Regulations”), in view of the “Guidelines 5/2020 on Consent under Regulation (EU) 2016/679”.


Studio Bandera Legale – Societario – Tributario is the Data Controller of data related to the use of the site, with registered office in Via Carlo Maria Martini 1, 20122, Milan; P.Iva 03631650987; email:


The Data Controller has appointed a Data Protection Officer (“DPO”), who can be contacted at


The types of data and information collected and processed by the firm are:

– Browsing data (collected automatically);

– Data provided by the user voluntarily;

– Data collected through the use of cookies.


The computer systems and software procedures used to operate the site acquire, in the course of their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.

This is information that is not collected in order to be associated with identified data subjects, but which by its very nature could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes IP addresses or domain names of computers used by users connecting to the Internet site, and other parameters related to the user’s operating system and computing environment.
These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to check its correct functioning and are kept for the period strictly necessary for statistical analysis.
The data could be used to ascertain liability in case of hypothetical computer crimes against the Site.


The optional, explicit and voluntary sending of personal data by the user, necessary for the provision of the requested service.

If you decide to send a message to the e-mail addresses provided, we inform you that this action constitutes the unequivocal behavior by which you consent to the processing of your data and in particular your e-mail address as well as any other personal data contained in the text message, for the time necessary to handle your request.

If you decide to contact the telephone or fax numbers, we inform you that this action constitutes the unequivocal behavior by which you consent to the processing of your data and in particular your telephone or fax number, as well as any other personal data that you communicate verbally or in the fax, for the time necessary to handle your request.


Personal data will be processed for the following purposes:

  1. purposes inherent in the provision of the requested services (e.g., contacts; newsletters);

  2. purposes inherent in the submission of a job application (work with us);

  3. defensive purposes in case of abuse in the use of the site or attempted fraud;

  4. the purpose of ensuring proper navigation within the site.


The Controller processes your data:

    • purpose 1): the data subject has consented to the processing of his or her personal data for one or more specific purposes, by conduct that clearly indicates in this context that the data subject has agreed to the proposed processing (Art. 6(1)(a) GDPR and Recital 32 GDPR);

    • purpose 2): the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject’s request (Art. 6(1)(b) GDPR);

    • purpose 3): legitimate interest of the Data Controller in defending against abuse or fraud in the use of the site (Art. 6(1)(f) GDPR);

    • purpose 4): the Data Controller’s interest in the site functioning properly (Art. 122(1) of Legislative Decree 196/2003).

In relation to purpose 3), we inform you that the Data Controller, from the perspective of balancing its own interests and those of the data subjects, and in view of Recital 49 of the GDPR, considered that the interests or rights and freedoms of the data subjects did not prevail.


Except as specified for navigation data, users are free to provide their own personal data. However, failure to provide them may result in the inability to obtain what has been requested.


Personal data are processed, including by automated means, for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent data loss, illegal or incorrect use, and unauthorized access. The Firm uses hosting providers that guarantee the highest standards of security, having regard to the type of personal data processed.


The Data are processed at the operational headquarters of the Data Controller and at any other place where the parties involved in the processing are located. Data are not transferred to countries outside the EEA.


The data collected may be transferred or communicated to other companies for activities closely related and instrumental to the operation of the service, such as the management of the computer system. The personal data provided by users who submit requests for information material (brochures, informational material, etc.) to be sent to them are used for the sole purpose of performing the service or provision requested and are communicated to third parties only if this is necessary for that purpose (companies that provide enveloping, labeling, shipping services). Outside of these cases, personal data will not be disclosed or granted to anyone, unless contractually stipulated or authorized by the subjects. In this sense, personal data could be transmitted to third parties, but only and exclusively in case: (a) there is explicit consent to share data with third parties; (b) there is a need to share information with third parties in order to provide the requested service; (c) this is necessary to comply with requests from the Judicial or Public Security Authorities. No data from the web service is disseminated.


You have the right to exercise your rights under Articles 12 et seq. of EU Regulation 2016/679 at any time, namely:

  1. to access your personal data;

  2. to obtain the correction or deletion of the same, or the restriction of the processing of personal data concerning you;

  3. to object to the processing;

  4. to data portability;

  5. to withdraw consent.

To exercise the aforementioned rights, make a report, or receive information on how personal data is processed, requests can be made by writing to the Data Controller or DPO at the addresses indicated in this Privacy Policy.

We remind you that you also have the right to file a complaint with the supervisory authority (Privacy Guarantor).


Information not contained in this policy

Further information in relation to the processing of Personal Data may be requested at any time from the Data Controller using the contact details.

Changes to these Privacy Policies

The Data Controller periodically reviews its privacy and security policy and, where appropriate, revises it in relation to regulatory, organizational, or technology-driven changes. If policies are changed, the new version will be posted on this page of the website.

If the changes affect processing whose legal basis is consent, the Data Controller will collect the User’s consent, if necessary.