Privacy Policy


pursuant to Article 13 of EU Regulation 2016/679 (GDPR)

Pursuant to EU Regulation 2016/679, this page describes the methods for processing the personal data of users who consult the website:

  1. Identity and contact details of the Data Controller

The Data Controller is NEXTA società tra avvocati S.r.l. (hereinafter also referred to as “the Data Controller”) with VAT no. 10503900960 and registered office in Milan at Via U. Visconti di Modrone 7.

The Data Controller can be contacted by email at, or by phone on 02/50041265.

  1. Data subject to processing

We process the personal data provided (directly or indirectly) while using the website or following contact that you establish with NEXTA (e.g. via email, phone, etc.)

In particular, we process:

  • personal identification data (by way of example only: first name, surname, business name, address, tax code, VAT number, email address, phone number – hereinafter “personal data” or just “data”);
  • browsing data that is not directly provided and whose transmission is linked to the use of internet communication protocols. This category of data includes the IP addresses or domain names of the computers or mobile devices used when connecting to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the data relating to the current (approximate) position of the device you are using, and other parameters relating to your operating system and IT environment. This data is only used for statistical information (and is therefore anonymous) and to check the correct functioning of the site, but could also be used to ascertain responsibility in the case of hypothetical computer crimes against the site;
  • data collected using cookies or similar technologies: for more information, it is advisable to consult the Cookie Policy available on this site.
  1. Purpose and legal basis of the processing

The personal data provided will be processed exclusively for the following purposes:

  1. To check the correct functioning of the services offered through the site.
  2. To manage the receipt of messages sent to Nexta’s contact addresses, including through the contact form available on the site, and therefore the processing of all personal data included in such communications.
  3. To perform the mandate/consultancy (constituting the legal basis of the processing)
  4. To fulfil the obligations established by law, regulations, EU legislation and other provisions issued by authorities invested by the law and by supervisory and control bodies (e.g. obligations related to invoicing, accounting and tax records).

The processing of personal data for the purposes referred to in a) b) c) d) does not require your express consent, as per Article 6 b) – f) of the GDPR.

  1. Compulsory or optional nature of data provision and the consequences of any refusal to provide personal data

The data requested for the purposes referred to in a) b) c) d) must be provided to allow requests sent by the user to be processed, to follow up on any mandate given and, subsequently, to fulfil the legal obligations incumbent on the Data Controller. Therefore your refusal, even partial, to provide such data will make it impossible for the Data Controller to establish and manage the relationship itself and to provide the requested service.

  1. Methods of data processing

Your personal data is processed using the methods indicated in Article 4 of the Privacy Code and Article 4, no. 2 of the GDPR, more precisely: collection, recording, organisation, storage, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of data. The processing of the data will be based on the principles of correctness, lawfulness and transparency, and may also involve automated methods designed to store, manage and transmit it. Suitable tools will be used to ensure safety and confidentiality by means of appropriate procedures that avoid the risk of loss, unauthorised access, illicit use and dissemination.

The processing is carried out directly by the Data Controller’s organisation and/or by its specifically appointed and instructed persons, except as provided for in point 6 below.

  1. Communication, dissemination and transfer

The personal data may be disclosed, within the limits strictly inherent to the aforementioned obligations, duties and purposes and in compliance with relevant current legislation, to the following categories of entities:

  1. entities to which such communication must be made in order to fulfil or demand the fulfilment of specific obligations provided for by laws, regulations and/or EU legislation;
  2. to the banking institutions that the Data Controller uses for payment transactions, as well as to those persons operating within them, for the sole purposes of administrative and accounting management and for confirmation concerning the fulfilment of payments;
  3. external natural and/or legal persons, professionals the Data Controller uses for advice or assistance in carrying out its professional activity, in particular: lawyers, auditors, tax consultants, accountants, supervisory bodies, certification bodies, shippers, IT and security consultants, etc. These entities, where foreseen, will operate as external Data Processors and will receive precise instructions from the Data Controller on the processing methods pursuant to Article 28 of the GDPR;

The complete and updated list of Data Processors external to the Data Controller’s organisation can be consulted by sending a request to the Data Controller by email to:


The management and storage of personal data will take place on the Data Controller’s servers located within the European Union. The data will not be transferred outside the European Union.

In any case, it is understood that if it becomes necessary to transfer the location of the servers, in Italy and/or the EU and/or non-EU countries, this movement will always take place in accordance with Articles 45 and following of the GDPR. In this case, however, the Data Controller ensures henceforth that non-EU data transfer will take place in accordance with the applicable legal provisions, if necessary stipulating agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses set forth by the European Commission.

Personal data will not be disseminated in any way.

  1. Retention period for personal data

In compliance with the provisions of Article 5, paragraph 1, e) of EU Regulation 2016/679, the personal data collected will be stored in a form that allows the data subjects to be identified for a period not exceeding the fulfilment of the purposes for which it is processed. In any case, the Data Controller operates in compliance with the principle of minimised data processing.

  1. Browsing data and Cookie Policy

During normal operation, the computer systems and software procedures used to operate this site acquire some personal data that is then transmitted implicitly in the use of internet communication protocols. This information is not collected to be associated with identified data subjects but by its very nature could enable users to be identified through processing and association with data held by third parties. All our activities are governed by strict ethical principles and we are committed to protecting the privacy of all visitors to our website. For this reason, the way we collect and store data is closely linked to the way our website and related services are used.

This website uses technical cookies to ensure that procedures function properly and to improve the user experience of online applications.

Cookies are small text files that sites visited by users send to their devices, where they are stored and then retransmitted to these sites on subsequent visits. So-called “third party” cookies, however, are placed by a website other than the one the user is visiting. This is because every website can include elements (images, maps, sounds, specific links to web pages in other domains, etc.) which are stored on servers other than that of the website visited.

The user can decide whether or not to accept cookies (unnecessary ones) via the banner

More information on the cookies in use are available in the “Cookie Policy” section

  1. Rights of the data subject

All users are entitled to the rights provided for in Articles 15 and following of the GDPR, specifically the rights to:

  1. ask for confirmation of whether or not their personal data exists;
  2. obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data has been or will be communicated and, where possible, the retention period;
  3. obtain the rectification and erasure of the data;
  4. obtain the restriction of the processing;
  5. obtain data portability, i.e. to receive personal data from the Data Controller in a structured, commonly used and machine-readable format and have the right to transmit such data to another Data Controller without hindrance;
  6. object to the processing at any time, including in the case of processing for direct marketing purposes;
  7. object to an automated decision-making process concerning natural persons, including profiling;
  8. ask the Data Controller for access to personal data and to rectify or delete it or to limit data processing concerning the data subject, or to oppose data processing, as well as the right to data portability;
  9. withdraw consent at any time, without affecting the lawfulness of any processing based on consent given prior to revocation;
  10. lodge a complaint with a supervisory authority.

To exercise the rights referred to in Articles 15 and following of the GDPR, and for questions or information regarding the processing of your data and the security measures adopted, you can in any case forward your request to the following address:


This statement may be subject to change. It is therefore advisable to always refer to the most up-to-date version.

Statement updated on 22/12/2020