Privacy Policy

  1. Introduction

This Privacy Policy of Clovers S.ta. a r.l., with registered office in Milan at Via Savona 19/A, VAT No. 10147340961, email: info@clovers.law (hereinafter “the Firm” or “Data Controller”), is drafted in accordance with EU Regulation 2016/679 (GDPR) and Legislative Decree 196/2003 (Privacy Code), as subsequently amended by Legislative Decree 101/2018.

The Regulation and the Code ensure that the processing of personal data is carried out in a manner that respects the fundamental rights and freedoms of natural persons, with particular regard to privacy, personal identity, and the right to the protection of personal data, in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.

"Personal data," as defined in Article 4 of the GDPR, means "any information relating to an identified or identifiable natural person ('data subject'); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity."

This Privacy Policy applies exclusively to personal data collected through the website https://www.clovers.law/ and to the Firm’s professional activities. It does not apply to any other websites owned by third parties that may be accessed via links on the Site.

2. Data Controller and Contact Information

  • Data Controller: Clovers S.ta. a r.l.

  • Registered office: Via Savona 19/A, 20144 Milan

  • Email: info@clovers.law

  • Phone: +390258100944

  • Certified Email: cloversstarl@pec.it

The Data Controller is the entity that, pursuant to Article 4 of the GDPR, "determines the purposes and means of the processing of personal data."

The Company has not appointed a Data Protection Officer (DPO) because, based on the analysis conducted, the conditions set forth in Article 37 of Regulation (EU) 2016/679 are not met.

In particular, the Company does not engage in processing activities that require the regular and systematic monitoring of data subjects on a large scale, nor does it, as a core business activity, process special categories of personal data or data relating to criminal convictions and offenses on a large scale.

The Company retains the right to appoint a DPO should the methods or nature of the processing activities change in the future.

3. Categories of Data Collected and Methods of Collection

The Firm collects the following categories of personal data:

3.1 Browsing data

Data collected automatically while browsing the site, including IP addresses, browser type, operating system, pages visited, and duration of the visit, as set forth in the specific Cookie Policy available at https://www.clovers.law/cookies-privacy-policy.

3.2 Data provided voluntarily

Identifying information: first name, last name, company name

Contact information: email address, phone number, mailing address

Professional information: job title, industry, employer

Content of communications: requests, legal inquiries, and documents attached via the form on the “Contacts” page or through the Acuity Scheduling app

3.3 Data related to applications

For job or collaboration opportunities: resume, educational and professional background, references.

3.4 Information regarding professional activity

In the course of its professional activities, the Firm may process personal data of clients and counterparties, including any special categories of data, when strictly necessary for the provision of legal services.

4. Purposes of Processing and Legal Basis

The personal data collected by the Firm is processed for various purposes, each of which is based on a specific legal basis provided for in Regulation (EU) 2016/679 (GDPR).

4.1 Purposes necessary for the provision of services (Art. 6, para. 1, subpara. b of the GDPR)

  • We process your data primarily to provide the services you have requested. Specifically, the data is used to:

  • handle contact and consultation requests received through the website or other communication channels,

  • provide the requested legal services,

  • to fulfill the obligations arising from any professional assignments or contracts,

  • handle correspondence and professional relations with the data subject.

    4.2 Purposes related to legal obligations (Art. 6, para. 1, subpara. c of the GDPR)

Certain data must be processed to comply with legal obligations to which the Firm is subject. This includes:

  • compliance with tax and accounting obligations,

  • the retention of documentation for the periods specified by current regulations,

  • compliance with the ethical and professional obligations to which attorneys are subject,

  • the disclosure of data to the competent authorities, where required by law.

4.3 Purposes based on the Firm’s legitimate interests (Art. 6(1)(f) of the GDPR)

  • In some cases, the processing of personal data is necessary to protect the Firm’s legitimate interests, while always respecting the fundamental rights and freedoms of the data subject. To this end, the data may be processed for:

  • ensure cybersecurity and the protection of the website,

  • manage or prevent any disputes,

  • defend the firm's rights in court or out of court,

  • improve the quality of the services we offer, taking into account the feedback we have received.

4.4 Purposes based on the user’s consent (Art. 6, para. 1, subpar. a of the GDPR)

Subject to your free and informed consent, your data may be used for optional activities, such as:

  • sending newsletters and updates,

  • direct marketing initiatives and promotion of the firm's services,

  • sending invitations to events, webinars, and seminars organized by the Firm or by selected partners,

  • profiling activities, aimed at personalizing communications based on the user’s interests.

5. Voluntary Nature of the Contribution

The provision of personal data is:

  • This information is required to provide the requested legal services and to comply with legal obligations. Failure to provide this information will make it impossible to provide the requested service.

  • Optional for marketing and promotional communications. Failure to provide consent does not affect your ability to receive legal services, but it prevents us from sending you promotional communications.

  • Optional for non-essential browsing data, which is handled in accordance with the preferences specified in the Cookie Policy.

6. Methods of Processing

Personal data is processed using automated and non-automated means, in accordance with organizational procedures and logic strictly related to the purposes indicated. The Firm implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • encryption of sensitive data

  • access controls and authentication

  • Regular and secure backups

  • staff training

  • security incident management procedures

7. Communication and Dissemination of Data

7.1 Required Notice

The data may be disclosed to:

  • The firm’s staff and consultants, who are duly authorized and trained

  • Judicial and administrative authorities, where required by law

  • Professional associations for compliance with ethical standards

  • Technical consultants and expert witnesses in legal proceedings

  • Service providers (IT, accounting, insurance) acting as data processors

7.2 Data Controllers

The Firm uses external service providers for specific activities, who have been designated as data processors pursuant to Article 28 of the GDPR, including:

  • IT and hosting service provider

  • email services

  • cloud storage services

  • tax consultants and accountants

    8. International Transfers

Any transfers of personal data to third countries or international organizations are carried out in accordance with the safeguards provided for in Articles 44–49 of the GDPR, through:

  • European Commission adequacy decisions

  • standard contractual terms approved by the Commission

  • binding corporate rules

  • approved certifications

9. Retention Period

Personal data is retained for no longer than is strictly necessary to fulfill the purposes for which it was collected, in accordance with the principle of data minimization:

  • Data for legal services: duration of the professional relationship plus 10 years following its conclusion (standard statute of limitations)

  • Data for tax purposes: 10 years from the termination of the employment relationship

  • Data for marketing purposes: until consent is withdrawn, and in any case no later than 24 months after the last interaction

  • browsing data: as specified in the Cookie Policy

  • Resume: 12 months from receipt, unless consent is given for inclusion in the database.

10. Rights of Data Subjects

In accordance with Articles 15 and following of Regulation (EU) 2016/679 (GDPR), every individual has the right to exercise a number of rights regarding the processing of their personal data. Specifically:

  • Right of access. The data subject has the right to know whether the Firm processes personal data concerning him or her. If so, he or she may obtain access to such data, as well as information regarding the purposes of the processing, the categories of data processed, the recipients, and the retention period (Art. 15 GDPR).

  • Right to rectification. If personal data is inaccurate or incomplete, the data subject may request that it be corrected or supplemented so that the information remains up-to-date and accurate (Art. 16 of the GDPR).

  • Right to erasure. In the cases provided for by law, the data subject has the right to request the erasure of their personal data, for example if the data is no longer necessary for the purposes for which it was collected or if consent is withdrawn (Art. 17 GDPR). This right is also known as the “right to be forgotten.”

  • Right to restriction of processing. The data subject may request that the processing of their data be restricted, for example, if they contest the accuracy of the data or pending verification of an overriding interest (Art. 18 GDPR). In such cases, the data will be retained but may not be used except under certain circumstances provided for by law.

    10.2 Right to object and data portability

Right to object

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her that is based on a legitimate interest of the controller (Art. 21 GDPR). In such a case, the Firm will cease processing, unless there are compelling legitimate grounds for continuing, such as for the establishment, exercise, or defense of legal claims.

Right to data portability

If the processing is based on consent or a contract and is carried out by automated means, the data subject has the right to receive their personal data in a structured, commonly used, and machine-readable format (such as a .csv file) and, if they so wish, to transmit those data directly to another controller, without any hindrance from the Firm (Art. 20 GDPR).

Right to withdraw consent

Where processing is based on the data subject’s consent, the data subject may withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal (Art. 7 of the GDPR). Consent may be withdrawn using the same method by which it was initially provided.

10.3 Operating Procedures

These rights may be exercised by:

  • Email: info@clovers.law

  • Certified Mail with Return Receipt: Clovers Law Firm , 19/A Via Savona, 20144 Milan

  • Certified Email: clovers@pec.it

The Firm will respond within one month of receiving the request; this period may be extended by an additional two months in cases of particular complexity.

11. Complaints to the Supervisory Authority

The data subject has the right to file a complaint with the Data Protection Authority:

  • Website: www.gpdp.it

  • Email: garante@gpdp.it

  • Address: Piazza di Monte Citorio, 121 - 00186 Rome

  • Phone: 06-69677-1

12. Automated Decision-Making and Profiling

The Firm does not engage in processing activities based solely on automated decision-making, including profiling, that produce legal effects or significantly affect the data subject.

13. Data Breaches

In the event of a personal data breach that poses a high risk to the rights and freedoms of data subjects, the Firm will notify the breach within 72 hours of its discovery, in accordance with the procedures set forth in Articles 33–34 of the GDPR.

14. Record of Processing Activities

The Firm maintains a record of processing activities in accordance with Article 30 of the GDPR, which is available for inspection by the supervisory authority.

15. Updates to the Privacy Policy

This Privacy Policy may be amended to reflect regulatory or organizational changes. Substantial changes will be communicated via:

  • Publication on the website with changes highlighted

  • Direct communication with data subjects when required by law

  • Request for renewed consent when necessary

  • Last updated: June 20, 2025

16. Specific Information for Categories of Data Subjects

16.1 Customers and prospective customers

The processing of data in the context of professional relationships is also governed by professional secrecy and the rules of professional conduct for lawyers. As clarified by the Supreme Court, the processing of personal data in a judicial context is not subject to the obligation to provide information or to obtain prior consent, provided that the data pertains to business matters and legal disputes.

16.2 Suppliers and contractors

The data is processed for the purpose of managing the contractual relationship and for related tax and administrative obligations.

16.3 Website visitors

As established by case law, the obligation to provide information regarding the processing of personal data collected through a website must be specifically made available to users who access the site via the internet.

17. Final Provisions

This Privacy Policy forms an integral part of the website’s Terms and Conditions of Use and the Firm’s service agreements. For any questions or additional information, please contact the Firm at the addresses listed above.