Data Security and Confidentiality

Home / Lo Studio / ESG / Governance / Data Security and Confidentiality

LCG has implemented a privacy management system in compliance with Regulation 2016/679 (GDPR) and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.

LCG has defined a Privacy Organisational Chart identifying the internal parties with responsibilities for personal data protection. These measures ensure that access to personal data is restricted to persons authorised by the Data Controller, as well as to third parties duly appointed as Data Processors, upon whom LCG has carried out checks regarding compliance with current privacy regulations.

In addition, LCG provides its employees and collaborators with specific instructions to ensure that their data processing activities comply with applicable regulations and with the provisions of the Privacy Organisational Model.

Similarly, LCG promotes the organisation of training courses on privacy and cybersecurity aimed at training and informing personnel.

In particular, as Data Controller, LCG manages the personal data of all Data Subjects who interact with the firm (Employees, Collaborators, Candidates, Clients, Suppliers, etc.) from the very first contact, in compliance with the principles of lawfulness, fairness and transparency set out in Art. 5 of the Regulation, and always operates in a manner that guarantees the confidentiality and security of information.

To this end, LCG has adopted a Privacy Organisational Model containing practical instructions on how to manage personal data, requests from data subjects, the assessment of processing risks and potential Data Breach events.

LCG has voluntarily implemented a Register of Processing Activities that it carries out as Data Controller and as Data Processor.

LCG has also created specific Privacy Notices for each category of Data Subject, in which the types of data, purposes and in particular the legal bases for processing have been identified in detail. The firm has finally established a direct channel with Data Subjects, who can submit requests for further information and exercise their rights under Arts. 15 et seq. of the Regulation.

Principles governing data processing at LCG

In carrying out every data processing activity, LCG operates in compliance with the following principles established by national and EU legislation:

•    Lawfulness, Fairness and Transparency
Articolo 5, par. 1, lett. a) Reg. UE/679/2016
Cfr. Considerando 39, 40, 44 Reg. UE/679/2016
“I dati personali sono … trattati in modo lecito, corretto e trasparente nei confronti dell’interessato”.

LCG commits to carrying out only lawful processing and ensures transparency of processing activities, particularly with regard to purposes and methods, through the dissemination of easily accessible, comprehensible notices written in clear and simple language.

•    Purpose Limitation
Articolo 5, paragrafo 1, lett. b), Reg. UE/679/2016
Cfr. Considerando 28, 50 e articolo 6, par. 1, lett. b) Reg. UE/679/2016
“I dati personali sono … raccolti per finalità determinate, esplicite e legittime, 
e successivamente trattati in modo che non sia incompatibile con tali finalità; un ulteriore trattamento dei dati personali a fini di archiviazione nel pubblico interesse, di ricerca scientifica o storica o a fini statistici non è, conformemente all’articolo 89, paragrafo 1, considerato incompatibile con le finalità iniziali”.

LCG pre-defines the purposes of each processing activity and collects personal data only where strictly necessary for the pursuit of those purposes.

•    Data Minimisation
Articolo 5, paragrafo 1, lett. c), Reg. UE/679/2016
Cfr. articolo 25, paragrafo 2, Reg. UE/679/2016
“I dati personali sono … adeguati, pertinenti e limitati a quanto necessario rispetto alle finalità per le quali sono trattati”.

LCG collects data that is functional and essential for the purposes for which it is processed. Processing is not carried out in cases where the same purposes can be achieved through anonymous data or other means that render the Data Subject's identity non-determinable.
•    Accuracy — 
Articolo 5, paragrafo 1, lett. d), Reg. UE/679/2016
“I dati personali sono … esatti e, se necessario, aggiornati; devono essere 
adottate tutte le misure ragionevoli per cancellare o rettificare tempestivamente i dati inesatti rispetto alle finalità per le quali sono trattati”.

LCG carries out specific checks to verify the accuracy of data from collection through to deletion, and conducts periodic checks during the processing period to confirm the correctness of originally collected data.

•    Storage Limitation
Articolo 5, paragrafo 1, lett. e), Reg. UE/679/2016
Cfr. Considerando 39 e articolo 89 Reg. UE/679/2016
“I dati personali sono … conservati in una forma che consenta l'identificazione degli interessati per un arco di tempo non superiore al conseguimento delle finalità per le quali sono trattati; i dati personali possono essere conservati per periodi più lunghi a condizione che siano trattati esclusivamente a fini di archiviazione nel pubblico interesse, di ricerca scientifica o storica o a fini statistici, conformemente all'articolo 89, paragrafo 1, fatta salva l'attuazione di misure tecniche e organizzative adeguate richieste dal presente regolamento a tutela dei diritti e delle libertà dell'interessato”.

LCG has defined retention periods for each type of personal data processed in the Privacy Organisational Model. Retention periods have been defined based on the purpose for which the data is processed, as well as in implementation of contractual and regulatory obligations.

•    Integrity and Confidentiality
Articolo 5, paragrafo 1, lett. f), Reg. UE/679/2016
Cfr. Considerando 39 Reg. UE/679/2016
“I dati personali sono … trattati in maniera da garantire un'adeguata sicurezza 
dei dati personali, compresa la protezione, mediante misure tecniche e organizzative adeguate, da trattamenti non autorizzati o illeciti e dalla perdita, dalla distruzione o dal danno accidentali”.

LCG has adopted all technical and organisational measures deemed appropriate to safeguard the correctness of the data collection and management process, and their security and protection against unauthorised intrusions and alterations.

•    Accountability
Articolo 24, Reg. UE/679/2016
Cfr. Considerando 74 Reg. UE/679/2016
“Il Titolare del trattamento dovrebbe essere tenuto a mettere in atto misure adeguate ed efficaci ed essere in grado di dimostrare la conformità delle attività di trattamento al Regolamento, compresa l’efficacia delle misure”.

LCG has implemented a privacy risk management system, identifying risks associated with processing, evaluating those risks in terms of origin, nature, likelihood and severity, and identifying best practices to mitigate risk.

•    Privacy by Design and by Default
Articolo 25, Reg. UE/679/2016
Cfr. Considerando 78 Reg. UE/679/2016
“Il Titolare del trattamento, al fine di dimostrare la conformità con il presente regolamento, dovrebbe adottare politiche interne e attuare misure che soddisfino in particolare i principi della protezione dei dati fin dalla progettazione e della protezione dei dati di default”.

LCG has adopted a procedure whereby privacy officers must be involved whenever it is necessary to adopt a new organisational process or information system, or when new technologies are to be used, so that they may assess the privacy impact of the new process from the design phase, identify any appropriate measures for risk containment and update the Register of Processing Activities.