The European Commission decision of the 12 July 2016 related to the adequacy of the protection provided by the EU-US PrivacyShield should be considered invalid.
In the 2015, with the “Schrems I” judgment, the decision (EU) 2000/520 (the “Safe Harbour Decision”) by which the Commission stated that the United States ensured an adequate level of protection was declared invalid. After this judgement Mr. Schrems reformulated his complaint from which a new proceeding in front of the Court of Justice taken place in order to find out if the decision (EU) 2010/87 related to the standard data protection clauses and the decision(EU) 2016/1250 on the adequacy of the protection provided by the EU-U.S.Privacy Shield adopted by the Commission after the Schrems I judgement were valid.
Today the European Court of Justice confirmed the validity of the decision (EU)2010/87 related to the standard data protection clauses but the Court stated also that the decision (EU) 2016/1250 adopted pursuant to art. 45 of the GDPR is invalid in the light of the Charter of Fundamental Rights of the European Union.
Indeed, the Court has clarified that:
• the assessment of the level of protection required in a transfer to a third country must take into consideration both the contractual clauses agreed between the data exporter placed in the EU and the recipient of the transfer placed in the third country and, pursuant to article 45, par. 2 of the GDPR, the relevant aspects of the legal system of that third country, with regards to any access by the public authorities of such third country to the data transferred;
• the US provisions do not grant data subjects enforceable rights before the Courts against the US authorities and the Ombudsperson mechanism referred to in that decision does not ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services;
• the competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country if the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by GDPR cannot be granted by other means.
As a consequence, the decision (EU) 2016/1250 is not compliant with the GDPR provisions and it is in breach with the provisions of the Charter of Fundamental Rights because it does not guarantee the respect for private and family life, personal data protection and the right to effective judicial protection.
For all this reasons, the transfer of personal data from a data controller or data processor placed in the EU towards a recipient placed in the US cannot longer be made on the basis of the presence of the recipient on the Privacy Shield list but it is necessary to invoke the other guaranties set forth by articles 46 (appropriate safeguard), 47 (Binding corporate rules) and 49 (derogations) of the GDPR.
Companies must put their attention toward the signing (in many cases it is not automatic) of the standard clauses proposed by the service providers and the social platforms and the supply of proper information to the data subjects, taking into account the guarantee adopted and the legal basis grounding the processing of the personal data.
(Judgmentin Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems)
There are only a few days left to 21 April 2019, the date by which, pursuant to Regulation (EU) 2016/425, all the personal protective equipments (PPEs) covered by a certificate of conformity issued under Directive 89/686/EEC can be placed on the market. Only if such condition is met, the PPEs can be made available on the market up to 21 April 2023 or to the date of expiry of the related EC certificate, if earlier.
Please note that "placing on the market" means the first making available of a PPE on the Union market and that "making available" means any supply of a PPE for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge. Under certain circumstances, offering the PPEs on the Internet may be conidered "making available" on the market and, if the first, "placing" on the market.
Morevoer, Regulation (EU) 2016/425 provides a new and broader definition of manufacturer including those economic operators that market PPEs under their name or trademarks even if the PPEs have been supplied by a third party. As a consequnce, the economic operator placing on the market PPEs under its name will be subject to the obligations set forth under art. 8 Regulation (EU) 2016/425 (such as, for example, issuing the declaration of conformity).
Avv. Lorenzo Princivalle
What happen to the policies of data trasfer to UK in case of no-deal Brexit? The EDPB provides a brief note with some instructions.
In brief, the transfer shoul follow the options provided by the GDPR;
1) standard clauses (EEA controller to UK controller: 2 sets are available 2001/497/EC and 2004/915/EC - EEA controller to UK processor 2010/87/EU)
2) Binding Corporate Rules (You can apply for the authorization or you may still rely on these BCRs authorised under the former Directive 95/46/EC which remain valid under the GDPR)
3) Codes of conduct and certification mechanisms (guidelines are work in progress)
4) Derogation under art. 49 GDPR
- where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer;
- where the transfer is necessary for the performance or the conclusion of a contract between the individual and the controller or the contract is concluded in the interest of the individual;
- if the data transfer is necessary for important reasons of public interest;
- if the data transfer is necessary for the purposes of compelling legitimate interests ofthe organisation.
You can find the note here: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-nodeal-brexit_en.pdf
Pursuant to the Sec. 30 of the EU Regulation 679/2016 (GDPR) some controllers whose data processing activity meets some conditions, shall maintain a written record, in electronic form, of the data processing activities under their responsibility. In particular, the record should include the following information:
- the purposes of processing and relevant legal grounds;
- a description of the data subjects’ categories and of the personal data categories;
- the recipients’categories to whom the data are communicated;
- the transfers of personal data to a third country or an international organisation;
- the time-limits of the processing activity (i.e. for contractual purposes 10 years,pursuant to the Sec. 2220 of the Italian civil code);
- a general description of the technical and organisational security measures referred to in Sec.32 GDPR (the Italian Data Protection Authority specifies that the list of the measures under Sec.32 is not exhaustive of the measures that any controller can apply on the basis if the characteristics of its processing activity).
The Record may include any other peace of information useful to describe the processing activity and to demonstrate controller’s compliance with the principle of accountability. The records shall be regularly kept up-to-date in writing, including any electronic form, and must specify the starting date and the date of the last update. The record must be available to the supervisory authority on request.
Yesterday, the Italian Data Protection Authority issued some FAQs to clarify the application of such duty which seems to expand the application of such obligation to further categories of controllers than those provided by the Regulation.
According to the GDPR, the duty applies to the following:
- enterprises and/or organisations employing at least 250 employees;
- any controller or processor whose processing activity could endanger data subject’s rights and freedom;
- any controller or processor processing personal data not occasionally (regularly).
- any controller or processor who processes special categories of personal (art. 9 GDPR),or data relating to criminal convictions and offences.
The Italian Data Protection Authority in the FAQ lastly published offers some example of entities that should be subject to the mentioned duty:
- commercial activities, public places or artisan activities with at least 1 employee (bars, restaurants, shops, retailers, workshops) and/or managing medical data (as hairdressers, opticians, tattoo artists, beautician);
- freelancers,who at least employ 1 person and/or manage medical data and or manage data related to criminal convictions and offences (as lawyers, accountants, doctors, notaries, chemists);
- associations, foundations and committees processing special categories of personal data,or/and manage personal data related to criminal convictions and offences
- condos, if they process special categories of personal data (such as resolutions against architectural barriers etc.).
In the opinion of our lawyers keeping the register is always strongly suggested to provide an up-to-date overview of the processing activities undertaken in any organisation and to improve the company’s accountability on data protection, therefore the template provided by the Authority should be enriched with some items. Any process of GDPR’compliance should start from the analysis of any processing activity, the list of the addresses of such personal data, the measures of securities existing to protect such data, the map of any place where such data are collected and stored.
Please referto the following link for any further information about the mentioned FAQs: https://www.garanteprivacy.it/home/faq/registro-delle-attivita-di-trattamento
The Bank of Italy has issued the list of the most representative services linked to a payment account, pursuant to DIRECTIVE 2014/92/EU on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features.
Payment services providers shall adopt the standardised terminolgy in both pre-contractual and contractual information no later than January 31, 2019.
On 8 March 2018 the European Commission announced the new Fintech (technology-enabled innovation in financial services) Action Plan, aimed at developing the fintech industry in the European Union.
The Commission outlined 8 main actions that will lead to significant intervention later this year and in 2019:
1) clear and converging licensing requirements for FinTech firms;
2) common standards and interoperable solutions for FinTech;
3) enable innovative business models to scale-up across the EU through innovation facilitators;
4) technology-neutrality Suitability Review;
5) removing obstacles to the use of cloud services;
6) EU Public Blockchain initiative;
7) building capacity and knowledge in an EU FinTech Lab;
8) strengthening the cyber resilience of the EU Financial Sector.
Princivalle Apruzzi Danielli Law Firm, that deals with both banking law and IT law, will keep monitoring the area and post new bits of information as soon as they will be available.
Today 6 February 2018 the European Parliament passed a Regulation to end geo-blocking with the aim of grating people access to goods and services on the same terms all over the Europe, regardless of where they are connecting from.
The Regulation bans any unjustified restriction to retail sales used by the web-site based on nationality, residence or place of connection.
Country redirect policies, impossibility to register on a website due to the residence, limit to currencies or means of payment represent barriers that prevents users from freely shop online the site they prefer; therefore, they are considered a way of discrimination.
The new rules will apply to several goods and services, such as furniture and electronics, online services such as cloud services or website hosting, entertainment services.
According to the art. 3 of the Regulation, the prohibition shall not apply if “the blocking or limitation of access, or the redirection is necessary in order to ensure compliance with a legal requirement laid down in Union law, or in the laws of a Member State in accordance with Union law, to which the trader’s activities are subject.” Nevertheless, in order to be compliant with the Regulation the traders must provide “a clear and specific explanation to customers regarding the reasons why the blocking or limitation of access, or the redirection is necessary in order to ensure such compliance. That explanation shall be given in the language of the online interface that the customer initially sought to access.”
For the first time in Italy the Supreme Court (Criminal Section Sec. 5 No. 54946/2016 Sentenza_Cassazione_54946_27_dicembre_2016) held an internet service provider liable for the illegal contents hosted in a web site.
With the decision issued on 14 July 2016 the Italian Supreme Court (“Corte di Cassazione”) upheld a decision of the Court of Appeal in Brescia (Lombardia Region) and ruled that the applicant (the legal representative of a company managing the web site “agenziacalcio.it”) was liable for the crime of defamation due to a defamatory comment reported by a user (Mr Danilo Filippini) against Mr Carlo Tavecchio (the Chairman of the Italian Football Federation) in the web site.
This decision has been considered a milestone from the experts in internet law because, according to the E-Commerce Directive (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ‘Directive on electronic commerce’) implemented in Italy by the Legislative Decree no.70/2003 Member States shall ensure that the service provider is not liable for the information stored (transmitted/hosted) at the request of a recipient of the service, provided that some conditions are met. The mere conduit (transmitting), caching and hosting information provided by a recipient are considered core business of the service provided and where the internet service provider (ISP) is not involved in the creation or selection of the illegal content they should benefit from the exemption regime provided by the Directive. To this purpose, the “passive role” of the service provider made the difference in several cases before the European Courts (see Lafesse v. MySpace Court of Paris 2007). Moreover, in order to protect the fundamental right of the freedom of expression, no general duty to monitor may be imposed on ISPs in accordance with the relevant provisions under the E-commerce Directive.
However, the internet service providers (ISPs) can only benefit from the limited liability regime when they expeditiously remove or block access to illegal content as soon as they either “have actual knowledge” or “are aware of facts or circumstances” regarding such illegal content.
According to the facts mentioned in the decision of the Supreme Court, in this case the internet service provider has been informed of the illegal content by a separate email sent to the legal representative (while he was on holiday with no access to the email account for the attorney defending the ISP).
In the light of the above, the decision of the Supreme Court could not be considered a revolution where it is still crucial to adequately determine the liability of the providers according to the facts and circumstances of the case considering that, the E-Commerce Directive does not define what should be considered as “actual knowledge” or “awareness”. Consequently, it is left to the courts to determine which level of knowledge or awareness could be required. The Italian Supreme Court took a step into this direction.
Princivalle Apruzzi Danielli – Law Firm assisted a leading Italian industrial group, sponsor in the transaction, in the negotiation of a facility agreement, on a project finance basis, of 6 biogas plants, worth euro 26.1 millions. The transaction has been followed by the senior partners Lorenzo Princivalle and Valentina Apruzzi.
We are delighted to inform that the Princivalle Apruzzi Danielli’s new website is online.
The website has been enriched and revised following clean and modern design patterns, which should enable users to find information more easily.
We hope you like it!
Princivalle Apruzzi Danielli has recently assisted an Italian industrial group in purchasing from an Italian bank a share quota in an limited company.
The transaction, executed just before the winter holiday period, involved also the termination of the shareholders’ agreement in force.
Princivalle Apruzzi Danielli assisted, with its senior partners Lorenzo Princivalle and Valentina Apruzzi, in december 2014 a client based in Hungary in the acquisition of its Italian distributor.
Generally speaking, most foreign citizens are allowed to set up a business in Italy. We will limit this paper to the case of foreign companies willing to start operating in Italy.
Basically, there are three ways by which such aim can be reached: either (a) opening a branch office or (b) incorporating a subsidiary company or (c) purchasing an existing company.
(a) Branch office
In order to start operating in Italy, a company based abroad could simply open a branch office. Once the premises have been found, the company is required to appear, through its legal representatives or an attorney, before a notary in Italy in order to sign a deed of incorporation of the branch.
Several pieces of information must be included in the deed: name of the company, registered office, name and address of the branch office, person in charge of the branch office, etc.
A copy of the company’s articles of association must be attached to the deed (the copy must be stamped with the apostille, translated in Italian and sworn in court). Satisfactory evidence of the powers of the representatives/attorneys must be provided to the notary.
Then the notary will file the deed to the relevant company register office (called in Italy “Registro delle Imprese”, a register held by the Camera di Commercio). Company register fees and taxes are to be paid.
(b) Subsidiary company
The first step is defining the kind of company that suits most the needs of the parent: a public company or a limited company are the most commonly used kinds.
Then the articles of association must be drawn up in the form that, in accordance with the law, suits the needs of the business. Share capital amount, registered office, directors and, in some circumstances, auditors have to be defined at this stage.
Once again, in order to incorporate the company, a notary is needed: he or she will witness the memorandum of association that will be signed as a deed by the parent’s company representatives or by their attorneys. Satisfactory evidence of the powers of the representatives/attorneys must be provided to the notary. Then the notary will file the memorandum of association and the articles of association to the company register.
(c) Purchasing a company
Finally, purchasing the share capital of an existing company can be an option. In this case, after a due diligence process, aimed at evaluating the target company as well as at highlighting any critical aspect/risk of the acquisition, lawyers draft a sale and purchase agreement that has to be negotiated by the purchaser and the seller and their lawyers. This step can take time, depending on the value of the transaction and its complexity.
After the contract has been negotiated in its final text, normally, the parties sign it before a notary as a deed. Once again, satisfactory evidence of the powers of the representatives/attorneys of the parties must be provided to the notary.
Lorenzo Princivalle – Avvocato (Italy) & Solicitor (England and Wales, non practising)
Partner at Princivalle Apruzzi Danielli Law Firm
Via Santo Stefano 50
I-40125 Bologna
T. +39 0510930400
DISCLAIMER: This summary is intended for general information purposes only. It is not to be considered accurate, updates, complete or a legal opinion. It is neither an offer nor a binding lawyer / client contract or relationship.
Business clients dealing with international trade frequently asked us whether an independent bank guarantee issued under the URDG 758 (the ICC Uniform Rules for Demand Guarantees 2010) is valid, binding and enforceable under the Italian law or not and, if not, whether and how it can be amended in order to ensure it is valid, binding and enforceable as an independent bank guarantee under the Italian law.
Any major transaction nowadays does not take place without this kind of guaranty support. The principal feature of this kind of guarantee is its autonomy from the principal contract of the transaction.
The guarantee is a contract between a guarantor/bank and the beneficiary and underneath there is always a contractual relationship (the “principal” or “underlying” contract) between a creditor and a debtor which includes the obligation of providing a guarantee in favor of the creditor in case of debtor’s default in performing its obligations.
Its purpose is to indemnify the beneficiary from the possible default of the debtor in the underlying relationship: the beneficiary’s right to claim the payment is to be determined only with reference to the guarantee and the bank has to pay with no right to remedies arising out from the underlying contract.
The most used is the “first demand” guarantee which entitles the beneficiary to receive the payment from the bank when the conditions of the guarantee are met, without any proof of the debtor’s default.
In general terms, according to the Italian statutory law and Italian Courts’ rulings, an independent guarantee issued under the URDG 758 will be considered a valid, binding and enforceable independent guarantee, provided that it includes a clause binding the guarantor to pay any amount demanded under the guaranty notwithstanding any contestation concerning the underlying contract and by which it waives the right to require exhaustion of remedies against the debtor, any right to withhold performance, any right of retention, any right of avoidance, any right to offset, and the right to assert any other claims which the debtor or any third party may have under the principal contract or in connection with it or on any other grounds (such clause being known as “senza eccezioni”).
Anyway, a deep analysis of the text guarantee is always recommended.
DISCLAIMER: This summary is intended for general information purposes only. It is not to be considered accurate, updates, complete or a legal opinion. It is neither an offer nor a binding lawyer / client contract or relationship.
Princivalle Apruzzi Danielli Law Firm, with Lorenzo Princivalle and Valentina Apruzzi, has recently assisted a foreign client in forming a limited liability company under the Italian law and in the negotiation for the sale of the whole quota to a leading German industrial group.
We are delighted to inform that from 20th January 2014 Princivalle Apruzzi Danielli – Law Firm will be moving to the new and more confortable office in 50, Via Santo Stefano, always right in the centre of Bologna.
One of the services we offer concerns debt collection in Italy and abroad. In fact, nowadays, always more and more companies cannot avoid facing the threat of unpaid invoices which obliges them to spend time and energy in long procedures in order to recover the due payment.
Thus, since its start, our law firm has been developing an increasing experience in the field of bad debt collection. We currently represent our clients throughout the procedural steps required to obtain their payment, giving them the most appropriate legal support.
With specific regard to the Italian civil procedure, we should start by outlining a distinction between 1) the pre-judicial phase and 2) the following, but merely optional or, sometimes even unnecessary, judicial one.
Pre-judicial phase
Firstly, after a complete and in-depth study of the documents offered by the creditor, a warning letter should be sent to the debtor, formally inviting him/her to pay the outstanding amount within a deadline (normally around 15 days).
After receiving the warning letter the debtor could pay or start a negotiation to arrange an alternative way to write the debt off. Upon request, we can assist the creditor during the negotiation.
Judicial phase
If neither settlement nor payment by the debtor has been achieved by the end of the pre-judicial phase, the subsequent action generally consists in filing a request to the court for the issuance of a summary order (called “Decreto Ingiuntivo”) against the debtor for the payment of the debt, in addition to interest accrued and legal expenses. Please, note that Italian lawyers can act only by way of a specific power of attorney granted by the client which, in case of foreigner clients, should be legalized by a notary public and provided with apostille (if applicable). According to the Italian law, in order to file said application, the debt must be already payable, identified/identifiable and proved in writing. A court fee, depending from the amount of the debt, must be paid in advance.
The court will normally issue the order in a short time, usually a few weeks. The injunction will carry the order to the debtor to pay the sum indicated in the request within 40 days or file an opposition (which is, technically, a claim against the creditor) by which an ordinary proceeding will be started. Should the 40 day-term expire, the payment injunction, whether not opposed and not even performed by the debtor, will be final and executable.
Should the debtor fail to pay, an enforcement procedure needs to be started against the debtor.
DISCLAIMER: This summary is intended for general information purposes only. It is not to be considered accurate, updates, complete or a legal opinion. It is neither an offer nor a binding lawyer / client contract or relationship.
Every day, more and more companies and startups choose to move their offices to the London district widely known as the Silicon Roundabout or Tech City.
State of the art infrastructure, networking opportunities, favourable taxation make glittering London extremely attractive for hi-tech bussinesses.
Our law firm can assist you in moving or starting up your company in the UK.
For more information, please contact: info@pa-lex.com o +39 0510930400
Princivalle Apruzzi Danielli has recently expanded its network with the fellow law firm B&M Law llp, based in London.
In our aim, this will be the first step of our network growth.
Princivalle Apruzzi Danielli, following the recent qualification as solicitors (non practising) achieved by the partners Lorenzo Princivalle and Valentina Apruzzi, strengthens its relationship with the UK in order to better assist clients whose economic interests are shared between Italy and Britain.
Princivalle Apruzzi Danielli may be regarded as a true anglo-italian law firm, both for its excellent relationships with English law firms and for the skills of its professionals.
The law firm may assist clients in conveyancing and property matters, company incorporation and litigation both in Italy and the UK.
Princivalle Apruzzi Danielli is proud to announce that it has been admitted as a corporate member of the British Chamber of Commerce for Italy.