Privacy Policy

Sustainability Law, a website owned by Andreea Iordache, lawyer and consultant, VAT number 04034280166, as Data Controller (hereinafter “Data Controller”), informs the Users that, in accordance with EU Regulation 2016/679 ("GDPR") and the national legislation on data protection currently in force, their personal data will be processed in the manner and for the purposes indicated below:

1) Subject of data processing

1.1. The Data Controller processes the personal data of the Registered User (hereinafter “User”), in particular name, surname, e-mail address, telephone number, IP address, etc. (hereinafter "Personal data"), provided while browsing the website https://www.esg-law.net/en Sustainability Law (hereinafter “Website”).

2) Purposes and legal basis of the processing

The data will be processed for the following purposes:

2.1. Without prior consent, for the following service purposes:

a) the fulfilment of contractual and/or pre-contractual obligations and commitments: management of registration and/or validation requests; management of navigation on the Website.

b) the fulfilment by the Data Controller of the obligations provided by laws, regulations or imposed by the Authorities.

c) the pursuit of a legitimate interest by the Data Controller, or for the management and maintenance of the Website; the prevention and identification of fraudulent activities or harmful events for the Website; the exercise of the rights of the Data Controller.

2.2. Only with the consent of the Users for the following marketing purposes:

a) to allow the Data Controller to send, to the e-mail address communicated by the User when registering, communications and materials with promotional, advertising content, including by e-mail, SMS or other messages, newsletters and/or multimedia services related to the services offered by the Owner.

3) Purposes and mode of data treatment

3.1. The processing of personal data is carried out - electronically - through operations of collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, access and communication, suspension, cancellation, and destruction of data.

3.2. In particular, the use of the Website provided by the Data Controller involves the processing of data in the following ways:

a) Management of e-mail communications: the Data Controller uses the Hostinger services to manage a database of e-mail contacts, telephone contacts or any other type, in order to communicate with the Users.

b) The above services may also allow the Data Controller to collect data relating to the date and time of display of messages by Users and their interactions with them, such as clicking on mail attachments. For more information, we recommend that you check the privacy policy of the respective services available on the web portal https://www.hostinger.com/legal/privacy-policy.

c) Hosting and back-end infrastructure: the Owner uses the services of the web portal https://www.hostinger.com/legal/privacy-policy, which host the data and files that allow the Website to function and to provide specific functionality. These services use servers located geographically in different places, making it difficult to determine the exact place where personal data are stored. For more information about this, we recommend that you check the privacy policy of the respective services.

d) User Device: the Website can save the unique identification code of the devices with which the User logs in, for statistical purposes or to keep the expressed preferences.

4) Retention of data

4.1. The Data Controller processes the data of the User for the time necessary to satisfy the purposes indicated above, and in any case for the period necessary for the management of the service offered (or for a maximum period of 5 years) or for a maximum period of 2 years from collection for marketing purposes.

4.2. However, and in addition to the above specified, the Data Controller may retain the personal data of the User for longer periods of time, for example where this is required for tax purposes, or where such data are necessary to confirm the existence of a legal right or contract. In this case, the User’s personal data will be stored and maintained for the period imposed by the applicable legislation, or for the duration of the limitation periods. When the User’s personal data are no longer needed, they will be deleted or anonymized.

Access to data

5.1. The data of the User may be accessible, for the purposes indicated above, to:

a) employees and / or collaborators of the Data Controller, in their capacity as data processors and / or internal contacts and / or system administrators.

b) third-party companies or other entities (e.g., IT assistance, consultants, suppliers, banking institutions, external consultants, etc.) that carry out outsourcing activities for the Data Controller, as Data Processors as provided for in Article 27 GDPR.

5) Data communication

6.1. The personal data may also be communicated, even without prior consent and for the purposes indicated above, to control bodies, police, or judicial authorities, upon their explicit request, who will treat them as independent data controllers for institutional and / or legal purposes during investigations and checks. The data may also be communicated to third parties (e.g. partners, professionals, agents, etc.) as independent data controllers for the performance of activities instrumental to the aforementioned purposes.

6) Provision of personal data

8.1. The provision of personal data is essential for the achievement of service purposes. If the Users decide not to provide their data, the Data Controller will not be able to execute their requests relating to the use of the Website and to provide the services offered.

8.2. The provision of data for further marketing purposes is discretionary, and the lack of consent does not prevent the User from using the services of the Data Controller. If the Users decide not to provide their data, they will not be able to receive news about the initiatives of the Data Controller.

7) Rights of the User

9.1. The Data Controller informs the User that, in the absence of limitations provided by law, they are entitled to:

a) obtain confirmation of the existence or otherwise of personal data concerning him, even if not yet recorded, and their communication in an understandable way;

b) obtain the indication and, if necessary, the copy of: a) source and category of personal data; b) logic applied in the case of processing carried out by electronic means; c) purposes and methods of processing; d) the identification references of the Data Controller and the Data Processors; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them, in particular if the recipients are non-EU countries or international organizations; f) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period; g) the existence of an automated decision-making process; and, in this case, information on the logic involved, meaning and consequences for the User;

c) obtain, without undue delay, the update, rectification or integration of incomplete data; exercise the right to withdraw consent at any time, easily and without hindrance, using, if possible, the same means used to provide consent;

d) obtain the deletion or oblivion of data: processed in violation of the law; no longer necessary in relation to the purposes for which they were collected or subsequently processed; for which the consent on which the processing is based has been revoked and there is no other legal basis for the processing; for which there has been opposition to the processing and there are no legitimate imperative reasons for the processing; in compliance with a legal obligation.

e) the Data Controller may refuse to delete data when processing is necessary: to exercise the right to freedom of expression and information; in compliance with a legal obligation, for the performance of a task in the public interest or in the exercise of public authority; for reasons of public interest; for the achievement of objectives in the public interest, scientific or historical research or statistics; for making legal claims;

f) obtain the restriction of processing data when: the accuracy of personal data is contested; the processing is unlawful and the User opposes the deletion of personal data; the data are requested by the Registered User and/or the Business User for the exercise of legal actions; waiting to verify if the legitimate interests of the Data Controller prevail over those of the User;

g) receive, where the processing is carried out by automated means, in a structured, commonly used and legible format, personal data concerning him in order to transmit them to another data controller or, where technically possible, to obtain direct transmission to another Data Controller;

h) oppose, in whole or in part: for legitimate reasons to the processing of personal data concerning him, even if pertinent to the purpose of data collection; the processing of personal data concerning him for the purpose of sending advertising material or for market research or commercial communication, by means of automated call systems without the intervention of an operator, e-mail and / or traditional marketing methods by telephone and / or paper mail; submit a complaint on data protection to the competent supervisory authority.

9.2. In the cases mentioned above, where necessary, the Data Controller shall communicate any exercise of the rights of the User to each third party to which the personal data have been communicated, except in specific cases such as, for example, if this proves impossible or involves a disproportionate effort.

9.3. The Users also have the right to lodge a complaint with the Data Protection Authority if they believe that the processing of their personal data is in breach of a law in force. As is known, in Italy the Data Protection Authority is responsible for personal data protection (https://www.garanteprivacy.it/).

8) Methods of data processing

10.1. The Registered User will be able to exercise his rights at any time by sending a registered letter with acknowledgement of receipt to the registered office of the Data Controller or by sending an e-mail to privacy@esg-law.net.

9) Consent to the processing of data for marketing purposes

The Data Controller, only with the specific consent of the Registered User, may send newsletters, commercial communications and/or advertising material on products or services offered by the Data Controller by e-mail, through the Hostinger services referred to in point 3.2. b), paper mail, SMS and/or telephone contacts, for marketing purposes and in the manner provided in the privacy policy.

10) Changes to this Privacy Policy

The Data Controller may occasionally make changes to this Privacy Policy, for example to perform the necessary updates with respect to new regulatory provisions, technical requirements, or good commercial practices in this regard. If substantial changes are made, it will be the responsibility of the Data Controller to ensure due information. Any change in this policy will take effect from the date of publication on the Website.

Date of last revision: 11/12/2023