Nadia Martini

Attorney at Law (Italy)
Associate Partner
Phone: +39 (02) 6328841

Thanks to our specialized professionals certified as Privacy Officers and European Auditors according to the international standard ISO / IEC 17024: 2008 and the ISDP 10003: 2015 model, Rödl & Partner provides customized services concerning Data Protection at an international level. Indeed, thanks to an international team of experienced professionals in Data Protection and IT law, Rödl & Partner provides highly qualified assistance in 64 countries in order to help the client to approach, adapt and comply with local regulations and the new European Privacy Regulation No. 2016/679.

Choosing Rödl & Partner, the client will be assigned to one of the professionals of our International Data Protection Team who identifies its needs and requirements and assure a 360° worldwide management of its situation. The head of the Italian Data Protection Department is Nadia Martini, Attorney, Associate Partner in Rödl & Partner Italy and certified Data Privacy Officer. She, with her ten years' experience in Data Protection and IT Law, will listen and answer to the client’s needs and requests.

More specifically, the Data Protection Department offers expert consultancy regarding Privacy and Data Protection as well as assistance to Italian and foreign clients in litigation issues in front of Italian and European Courts (General Courts, Courts of Appeal, the Court of Cassation, ordinary sections or specialized business sections) and Data Protection Authorities. Moreover, the Dept. offers assistance in drafting and reviewing contracts.

Specifically, concerning activities related to Privacy & Data Protection, Rödl & Partner provides:

  • Consultancy on the applicable national and international law and the development of the appropriate solution for the client which allows it a safe realization of the processing and its business;
  • Consulting and support on any request addressed to the Data Protection Authority (e.g. notification, authorization, prior check, etc.);
  • Advice on data transfer operations in extra-UE countries through the study and the analysis of the security measures required by the Authority or, otherwise, agreed between the countries involved (e.g., Binding Corporate Rules, Standard Contractual Clauses and Privacy Shield);
  • Drafting of advices and opinions on issues related to data collection and security measures;
  • Drafting and implementation of privacy notices and policies addressed to different categories of parties involved (clients, patients, suppliers, Internet users, employees, etc.) and customized in order to reply to the client’s requests as well as to the features required by the relevant national and European regulations;
  • Counseling and assistance on web issues concerning marketing, profiling and users’ web monitoring with the consequent drafting and adoption of adequate Privacy and Cookie Policies;
  • Assistance on tech issues such as profiling, e-commerce, CRM, social media, geolocalization,  supervisory, targeting, targeted advertising, online behavioral advertising and feasibility study;
  • In the specific health sector, consultancy regarding e-health, telemedicine, smart and health devices;
  • Consultancy regarding the management of issues related to employees’ Data Protection through the adoption of specific procedures on the use of company instruments such as emails and technological tools, which have to be adequate and comply with the related provisions and sector regulations, including the Workers’ Statute;
  • Drafting of agreements and external and internal processors’ and system administrators’ designations;
  • Training for employees through courses, events, seminars and meetings.

In addition, with the adoption of the new Data Protection European Regulation No. 2016/679 which entered into force on 25 May  2016, for the moment in conjunction with the national legislation, and which will be effective from 25 May 2018, our Data Protection Department has designed the solution for companies in order to conform themselves to the legal framework. Our solution is composed by the Privacy Assessment phase and the Remediation and Implementation one.

The Privacy Assessment includes:

a)     The Data mapping: the mapping of data, sources and uses;

b)     The Documental Assessment: the analysis of all the privacy documents and procedures;

c)     The Verbal Assessment: the interviews of the main functions at the companies’ premises (e.g. Administration, CEO, IT in particular) in order to verify the processed data (e.g. the ID data of employees, clients, suppliers, web users), the data processing thereof (e.g. storage, use, transmission etc.) and the purposes (e.g. contract management, labour relationship, marketing, profiling etc.), and processing modalities;

d)     The System Assessment: the analysis of all the IT systems and security measures adopted;

e)     The Risk Assessment: the analysis of the risks for data security and individuals’ rights and freedoms;

f)      The Impact Assessment (Privacy Impact Assessment): the analysis of  processing’s impact on the individuals’ rights and freedoms;

g)     The Measures: the identification of the adequate technical and organizational measures in order to minimize the risks; 

h)     The drafting of a Final Report in which will be highlighted the potential non conformities with the Italian (Legislative Decree 196/2003) and EU (Regulation 679/2016) regulatory framework on data protection and the respective corrective actions that shall be adopted by the company and the institutions in order to comply to applicable legislation, improve and render the procedures more efficient.

At the end of the steps below, our team will follow the client in the Remediation and Implementation phase for the adoption of corrective and implementing measures.

The Remediation and following Implementation phase includes:

a)     The review of all privacy documents and procedures that the Privacy Assessment revealed to be modified: e.g. update of Privacy and Cookie Policy, drafting and/or update of designations, registers and company policy, procedures and systems;

b)     The update and implementation of adequate technical and organizational measures as highlighted in the Privacy Assessment: e.g. adoption of IT measures, Privacy By Default & By Design; Data Protection Officer (DPO) designation;

c)     The assistance in the implementation of self-control instruments, tools and software, for the self-assessment activity in order to periodically and independently review the adequacy of adopted measures and procedures;

d)     The assistance in the adoption of Certifications, Codes of Conduct and the more suitable Insurance Policy for the specific case;

e)     The organization of training and updating courses for employees, professionals, C Level and DPO.

The adoption of the new European Regulation is an opportunity to seize in order to fully rethink the client’s Privacy, giving him the correct economic, ethical and reputational value, distinguishing the client’s company from its competitors and giving more value to its own data and therefore to its business.