Online Education and Application of EU GDPR

Online Education

Nowadays, education programs, especially when provided at university and post-degree level, are increasingly international.

Universities, business schools and other education institutions are now frequently offering masters and other study programs all over the world, not necessarily having schools and premises in every country where courses are offered.

Often, education is in fact provided partially or solely online, through distance learning programs. This is a huge opportunity for students to have access to international programs without having to relocate and for education institutions to expand their reach.

Applying for a distance learning education program implies that the prospective student provides the education institution with personal information concerning him or her. A huge quantity of personal data are therefore processed in this context (e.g. name, address, email, phone number, academic history, etc.), which raises the question of which regulation applies to the protection of such personal data, and in particular, for our purposes, in which cases the European Regulation 2016/679 (General Data Protection Regulation – “GDPR”) applies.

Territorial scope of the GDPR

The scope of territorial application of the GDPR is set out in Article 3 which provides that the regulation applies:

  1. to the processing of personal data in the context of the activities of an establishment of the controller or of the processor in the European Union, regardless of whether the processing takes place in the European Union or not; and
  2. to the processing of personal data of data subjects who are in the European Union by a controller or a processor not established in the European Union, where the processing activities are related to:
  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the European Union.

The terms in bold are clarified below:

  • “controller” is the subject determining the purposes and means of the processing of personal data, while the “processor” is the subject processing personal data on behalf of the controller;
  • “establishment” implies the effective and real exercise of activity through stable arrangements (e.g. branches or subsidiaries);
  • “who are in the EU”: it will be up to future case law to interpret its scope; however, we can reasonably foresee an interpretation based on residency or domicile of a data subject in the EU;
  • “offering goods or services” is more than mere access to a website or email address, but might be evidenced: by the use of a language or of a currency generally used in an EU Member State with the possibility of ordering goods/services there; by the use of advertising targeting an audience in the EU (for instance paying a search engine to facilitate access by those within an EU Member State); by the use of a top-level domain name other than that of the state in which the company is established (e.g. or, etc.);
  • “monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to take decisions to analyse/predict personal preferences, behaviours and attitudes or to provide online behavioural based advertising.

Examples of possible application of the GDPR

In light of the territorial scope of the GDPR, below are a few examples of possible application or non-application of the GDPR to education institutions processing personal data, possibly also through distance learning systems.



Application of the GDPR to data processing carried out by the organization

  • Italian university providing courses in Italy, also online, both to EU and non-EU students
  • UK university providing summer courses in the premises of a local academic institution in France both to EU and non-EU students
  • Chinese university providing courses in its premises in China also to EU students
  • Chinese university providing online courses also to students resident in the EU
  • Chinese school providing language courses in premises located in Germany to German and other EU students
  • US university providing online masters also to EU students resident in the EU
  • Australian business school providing online MBA to Chinese students: No
  • US online education platform processing data of EU students for profiling purposes



GDPR compliance program

In order to comply with the GDPR, should it be applicable, education institutions will need to take numerous steps. The aim of this short paper is not to provide an exhaustive checklist of all the controller’s GDPR compliance activities, but to raise awareness as to the activities required, which can be summarized as follows:

  • designating people in charge of addressing privacy matters within the organization;
  • designating a Data Protection Officer (DPO), where required under Article 37 of the GDPR (e.g. the processing is carried out by a public body or the processing operations require regular and systematic monitoring of data subjects on a large scale) or where considered useful by the organization;
  • drafting an adequate set of privacy policies on the basis of the different processing activities and of the different data subjects (e.g. resident students, foreign students, clients and suppliers, etc.);
  • defining data retention periods for each processing purpose;
  • collecting from data subjects the consent to the processing of their personal data where there is no other possible/appropriate legal basis for processing (e.g. a contractual obligation, a legitimate interest, etc.) – the consent of the student’s parents is necessary if the student is below the age of 16 years;
  • preparing and constantly updating a record of processing activities (necessary, under Article 30 of the GDPR, only in case the education organization employs more than 250 persons);
  • implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
  • carrying out an assessment of the impact of the envisaged processing operations on the protection of personal data, should Article 35 of the GDPR be applicable (e.g. in the event of systematic evaluation of personal aspects based on automated processing, including profiling);
  • preparing training programs for the organization’s employees involved in processing operations;
  • creating a procedure for data breach management;
  • drafting data controller/data processor agreements where processing is carried out on behalf of the education institution by a data processor;
  • adopting appropriate safeguards for transferring personal data outside the EU, as provided by Article 46 of the GDPR.

Additional obligations provided by national law

The GDPR is directly applicable in all EU Member States; however, the national laws of each EU Member State may provide for specifications and restrictions of European rules.

For example, specifically with regard to the matter at hand, Italian law on data protection (so-called “Privacy Code”, Legislative Decree No. 196/2003), as recently amended by Legislative Decree No. 101/2018 aimed at harmonizing Italian law with the GDPR, provides the following specific rule on the processing of students’ personal data: in order to facilitate education and the access to employment, also abroad, national education institutions, including private schools and universities, may – upon students’ explicit requests – communicate to third parties, also online, students’ data relating to marks and education results and other personal data, excluding however special categories of data (e.g. data concerning health, political opinions, religious beliefs, etc.) and data relating to criminal convictions.

The above is in any event subject to: (a) the education institution having provided an adequate information notice to the student; and (b) data being processed exclusively for the purposes of facilitating education and the access to employment.


Personal data collected and processed by a university, a school or by any other education institution in the context of its learning programs represent valuable assets: as such, they need to be carefully protected.

A GDPR compliance program is certainly quite a substantial commitment for European organizations and for foreign organizations which are subject to the new rules; however, these subjects need to be mindful that the business and legal implications deriving from non-compliance with applicable rules may lead to substantial sanctions and to reputational damage.

Milan, 17 September 2018

This note is for information purposes only and it is not to be intended as legal advice. For any further information or to receive advice tailored to your situation, please contact us.

Stefania Lucchetti, Pietro Boccaccini

Why Artificial Intelligence Will Need a Legal Personality

The development of robotics and artificial intelligence (AI) is an exciting, relentless reality which is slowly making its way out of science fiction movies and into our mundane world.

Furthermore, people and technology are increasingly interacting at an individual, daily level. The increased occasions of interaction between human and AI systems have great potential not only for economic growth but also for individual empowerment, as explained also in the January 2017 McKinsey Global Institute report, which interestingly finds that almost every occupation has partial automation potential; however, it is individual activities rather than entire occupations that will be highly impacted by automation. Consequently, it concludes that realizing automation’s full potential requires people and technology to work hand in hand.

This interaction however triggers a complex set of legal risks and concerns. Ethical issues are raised as well.

The key legal issues to be addressed with some urgency are human physical safety, liability exposure and privacy/data protection.

Ethical concerns cover dignity and autonomy of human beings and include not only the impact of robots on human life, but also, conversely, the impact of the ability for a human body to be repaired (such as with bionic limbs and organs), then enhanced, and ultimately created, by robotics and the subtle boundaries that these procedures may push over time.

The current legal frameworks are by definition not wired to address the complex issues raised by AI. The consequence of this is the need to find a balanced regulatory approach to robotics and AI developments that promotes and supports innovation, while at the same time defining boundaries for the protection of individuals and the human community at large.

In this respect, the European Parliament (“EP”) issued a draft report on civil law rules on robotics on 31 May 2016. The report outlines the European Parliament’s main framework and vision on the topic of robotics and AI.

While the report is still speculative and philosophical, it is very interesting – especially where it defines AI, and therefore “smart robots” as machines having the following characteristics:

  • The capacity to acquire autonomy through sensors and/or by exchanging data with its environment (inter-connectivity) and the analysis of those data
  • The capacity to learn through experience and interaction
  • The form of the robot’s physical support
  • The capacity to adapt its behaviours and actions to its environment.

The EP’s report also broadly defines six key regulatory themes which are raised by developments in the area of robotics and AI:

  • rules on ethics;
  • rules on liability;
  • connectivity, intellectual property, and flow of data;
  • standardisation, safety and security;
  • education and employment;
  • institutional coordination and oversight.

The report concludes that implications of these technologies are necessarily cross border and it would therefore be a waste of resources and time for each individual country to set out individual rules, recommending a unified EU regulation.

Truly, the implications are cross border and require a collaborative effort, although it is wise to presume that certain countries will be more open minded and flexible than others in defining the limits of AI autonomy, or more restrictive in setting out its boundaries and it might also be inevitable for certain countries to lead the way in regulating AI and robotics.

The policy areas where, according to the EP’s position, action is necessary as a matter of priority include: the automotive sector, healthcare, and drones.

The Liability Issue

The increased autonomy of robots raises first of all questions regarding their legal responsibility. At this time, robots cannot be held liable per se for acts or omissions that cause damage to other parties, as they are machines, and liability therefore rests on the owner or, ultimately, the producer.

When pointing out the automotive sector as an urgent area needing regulation, the committee was certainly thinking of self-driving cars, which are already being tested in California; a driverless car trial is set for UK motorways in 2019, and government funding has been dedicated to research on autonomous cars. In September 2016, Germany’s transport minister proposed a bill to provide a legal framework for autonomous vehicles which assigns liability to the manufacturer.

However, in a scenario where a robot can take autonomous decisions, the traditional ownership/manufacturing liability chain is insufficient to address the complex issue of a robot’s liability (both contractual liability and non-contractual liability), since it would not correctly identify the party which should bear the burden of providing compensation for the damage caused. This civil liability issue is considered “crucial” by the committee.

Data protection and intellectual property rights

Other key issues in relation to the developments in robotics are the rules on connectivity and data protection. While existing laws on privacy and use of personal data can be applied to robotics in general, practical applications may require further consideration, e.g. standards for the concepts of “privacy by design” and “privacy by default”, informed consent, and encryption, as well as use of personal data both of humans and of intelligent robots who interact with humans.

Intellectual property rights are also to be considered if one wants to go as far as to accept that there will be at some point a need to protect the “own intellectual creation” of advanced autonomous robots.

Proposals to address these issues have included assigning robots an “electronic” personality.

A Proposal

The EP’s report recommends the EU Commission to explore the implications of all possible legal solutions, including that of creating a specific legal status for robots, so that at least the most sophisticated autonomous robots could be established as having the status of electronic persons with specific rights and obligations, including that of indemnifying any damage they may cause, and applying electronic personality to cases where robots make smart autonomous decisions or otherwise interact with third parties independently.

While this is a good idea, it might take time until it is applicable to all robots, as for a robot to have the status of an “electronic person” its autonomous capabilities would need to be particularly enhanced.

One could imagine a liability regime where liability would need to be proportionate to the actual level of instructions given to the robot and of its autonomy, so that the greater a robot’s learning capability or autonomy is, the lower other parties’ responsibility should be, taking into account which kind of development the robot has had and which kind of instructions or “education”.

However, it would not always be easy to discern skills resulting from ‘education’ given to a robot from skills depending strictly on its self-learning abilities. This implies that when trying to identify responsibility, there would be huge grey areas.

A middle-level solution is needed for those situations where a robot is capable of autonomous learning and decisions but apt only to specific uses and not yet sophisticated to the point of being endowed with the status of electronic person, such as might be an autonomous car.

I believe instead that one possible solution to this could be to provide each AI with a legal personality akin to that currently afforded to corporations.

The benefits of this would be:

– registration/incorporation of the robot

– a head of responsibility, with specific rules and an entity to be considered in terms of liability and insurance

– ability to enter into contracts with each other and with humans with specific responsibilities arising out of the breach of such contracts.

One downside of this is that this type of legal status still requires an owner (a “shareholder”) with limited liability, and this means that the ultimate responsibility, although limited, would not necessarily be placed on the manufacturer, but on the owner, thereby returning to the position of an insufficient protection. However, for example in the case of autonomous cars, the owner of the car could be considered as the holder of the legal entity, with limited liability, having an obligation to insure the vehicle.

Clearly, the topic still needs to be explored and possible solutions will evolve with time as practical problems arise and AI develops, but I believe that at this time this might be the best solution to put forward to address current concerns related to AI as we know them and understand them. Ultimately, perhaps, it will be AI itself that proposes a solution.

© Stefania Lucchetti 2017. For further information, contact the author.

Articles may be shared and/or reproduced only in their entirety and with full credit/citation. 


EU companies – and non-EU companies offering goods or services to EU citizens – which process personal data need to comply with the provisions introduced by the European Regulation 2016/679 (General Data Protection Regulation – “GDPR”) in this respect. Consent of the data subject is a legal basis for data processing but not the only one, and companies will therefore need to carefully evaluate which is the most appropriate legal basis in relation to a certain processing activity.

This note focuses on consent, and in particular on the consent requirements set forth by the GDPR, which are numerous.

A key business issue for companies whose database is a valuable business asset is whether consent to process data obtained before the GDPR became applicable is still a valid ground to process data, e.g. for marketing purposes. This note will address this issue as well.

Consent as a legal basis for data processing

The GDPR has introduced new requirements in relation to one of the most used bases for lawfully processing personal data: the data subject’s consent.

It should be noted at the outset that, pursuant to Article 6 of the GDPR, processing of personal data is lawful not only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes but also in the event that processing is necessary:

  • for the performance of a contract to which the data subject is party;
  • for compliance with a legal obligation to which the controller[1] is subject;
  • in order to protect the vital interests of the data subject;
  • for the performance of a task carried out in the public interest;
  • for the purposes of the legitimate interests pursued by the controller.

Before starting any activity that involves processing of personal data, a controller must consider what would be the appropriate lawful ground for the envisaged processing. In general, consent can be an appropriate lawful basis if a data subject is offered the possibility to freely accept or refuse the terms offered.

Consent obtained before GDPR became applicable

According to Recital 171 of the GDPR “where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.

In the light of the above, in the event that a company, prior to 25 May 2018 (the date on which the GDPR became applicable), obtained the consent of certain data subjects as required by the GDPR, it can continue to lawfully process personal data of those data subjects. Should that not be the case, the company will need to obtain new consent.

If not obtained in full compliance with the GDPR, consent is an invalid basis for processing, rendering the processing activity unlawful. If, for instance, a company collected only one consent for different processing operations (which is quite common, in practice), this would not be in line with the “granularity” requirement (see paragraph below on this topic).

As outlined by the Article 29 Working Party[2], consent given before the GDPR became applicable through an implied form of action is no longer valid, given that the GDPR requires that consent is given through a “statement or a clear affirmative action” by the data subject. Therefore, for example, consent obtained with a pre-ticked opt-in box would not be valid.

In order to be compliant with the GDPR’s standards, operations and IT systems may also need revision. For instance, mechanisms for data subjects to easily withdraw their consent must now always be available. If existing procedures for managing the obtainment and withdrawal of consent do not meet the GDPR’s standards, controllers will need to refresh their procedures.

In any event, obtaining consent does not diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially with regard to fairness, necessity and proportionality, as well as data quality.

Below are the main requirements of consent set forth by the GDPR that companies will need to carefully examine in order to evaluate if existing consents (if any) need to be refreshed.

Consent requirements

Consent must be given by a clear affirmative act establishing a:

  • freely given;
  • specific;
  • informed; and
  • unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.

Where processing is based on consent, the controller must always be able to demonstrate that the data subject has consented to data processing.

Consent should not be considered as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment (withdrawing consent, for instance, must not lead to any costs for the data subject). Consent would not be considered freely given in the event that a certain service required by the data subject is made conditional, for instance, on the data subject’s consent to receive direct marketing.

It is interesting to note that in certain relationships that cannot be considered perfectly balanced, like the one between the employer and the employee, it is unlikely that the consent requested from the weaker party will be freely given. In this particular case it is advisable to make recourse to other legal bases for the processing (e.g. the performance of the employment contract and compliance with the employer’s legal and fiscal obligations).

For consent to be informed, the data subject should be aware of[3]:

  • the identity of the controller;
  • the purposes of the processing for which the personal data are intended;
  • what type of data will be collected and used;
  • the existence of the right to withdraw consent;
  • information about the use of the data for automated decision-making (if relevant);
  • the possible risks of data transfers outside the EU due to absence of an adequacy decision and of appropriate safeguards.

In addition, consent must meet a further requirement – i.e. it must be explicit – where a data controller intends:

  • to process special categories of personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, etc.); or
  • to process personal data for profiling purposes.

The consent, in order to be explicit, must be in written form, including by electronic means, for instance by filling in an electronic form, by sending an email or by using an electronic signature. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject cannot be considered as an indication of choice.

Another specific requirement related to consent introduced by the GDPR is that, in relation to the offer of information society services to children below the age of 16 years, the consent of the holder of parental responsibility over the child must be given. EU Member States may provide by law for a lower age, provided that such lower age is not below 13 years.

In the event that consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented using clear and plain language (meaning that it should be easily understandable for the average person and not only for lawyers) and in a manner which is:

  • clearly distinguishable from the other matters; and
  • in an intelligible and easily accessible form.

Data subjects have the right to withdraw their consent at any time and the data controller must inform them of that. Withdrawing consent must be as easy as giving consent (e.g. clicking a box online). The withdrawal of consent, in any event, does not affect the lawfulness of processing based on consent before its withdrawal.

It should be noted that the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively make recourse to the legitimate interest basis in order to justify processing, in case consent is not valid anymore. A data controller must decide before starting data collection what is the applicable lawful basis and must disclose it to the data subject at the time of collection.

Granularity of consent

Recital 43 of the GDPR states that separate consent for different processing operations will be needed wherever appropriate. Mechanisms to collect consent must be granular to satisfy, in particular, two requirements: “free” and “specific”. Granularity of consent means, in short, that it must be clear to the data subjects what they are consenting to: they must have a choice and be in control of what they choose to receive from the data controller. Bundling up consent to various activities into one tick box is not acceptable.

Although the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (recital 47 of the GDPR) – in particular in the presence of a contractual relation between data controller and data subject[4] – in most cases a data controller who intends to process personal data for marketing purposes will need to obtain a specific consent from the data subjects.

A controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.

For instance, specific and separate consent should be requested from the data subject for:

  • the data controller processing personal data for sending newsletters and commercial communications with the purpose of direct marketing (via email, sms, mms, fax, mail, phone, etc.);
  • the data controller processing personal data with the purpose of profiling the data subject and sending personalized offers;
  • the data controller transferring personal data of the data subject to third parties so that they can send newsletters and commercial communications with the purpose of direct marketing;
  • the data controller transferring personal data of the data subject to third parties so that they can profile the data subject and send personalized offers.

Pursuant to Article 21 of the GDPR, where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. In the event that the data subject objects to processing for direct marketing purposes, the data controller must no longer process personal data for such purposes.

Data portability

One of the consequences of basing the processing on consent is – among others – that the data subject acquires the right to data portability set forth by Article 20 of the GDPR, that is to say the right to receive his/her personal data provided to the controller in a structured, commonly used and machine-readable format.

At the data subject’s discretion, where technically feasible, the data controller who originally collected personal data would have to transmit the data directly to another controller.

Needless to say, the exercise of this right may significantly impact the business of a company based on the commercial use of its customers’ data.

Milan, 17 July 2018

This note is for information purposes only and it is not to be intended as legal advice. For any further information or to receive advice tailored to your situation, please contact us.

[1]The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

[2]Guidelines on Consent under Regulation 2016/679 adopted on 28 November 2017, page 30. Article 29 Working Party was the advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board (EDPB).

[3]As specified by the Article 29 Working Party – Guidelines on Consent.

[4]For example, a data controller sends e-mail communications to existing clients in order to promote the data controller’s own or similar products or services (see Opinion 15/2011 of Article 29 Working Party on the definition of consent).

Stefania Lucchetti, Pietro Boccaccini

Gli incentivi alle startup e PMI italiane e lo startup hub di KWM Italy

KWM Italy team

[Foto: Partner Stefania Lucchetti (centro), associate Pietro Boccaccini (destra) e Alessandro Morleo (sinistra)]

KWM Italy Startup Hub

Given the ever-growing importance of “innovative start-ups” and “innovative SMEs” within the Italian economy, King & Wood Mallesons Italy (KWM Italy) has launched a new legal assistance portfolio called KWM Italy Startup Hub.

This legal service is aimed at solid “innovative start-ups” and “innovative SMEs” that are launching their business or that intend to better structure activities already under way with a view to further growth.

The Startup Hub is made up of a team specialised in commercial law, corporate law and IT law, represented by KWM Italy partner Stefania Lucchetti, who has over two decades of experience in assisting technology companies and in particular start-ups, by KWM Italy associate Pietro Boccaccini and by KWM Italy trainee Alessandro Morleo.

“Italy’s Startup Act” – Launching start-ups and SMEs

Italy is at the forefront in the regulation of start-ups and SMEs. A broad regulatory framework has been put in place in favour of this type of company, without imposing sector-based or age-related restrictions, as is usually the case in other national legislations. The new tools and benefits cover the entire life cycle of the innovative company: from its incorporation to the phases of growth, development and maturity.

The first piece of legislation on this type of company is Decree-Law 179/2012 (the so-called “Decreto Crescita 2.0”), which can aptly be called “Italy’s Startup Act”. The Decree introduced into Italian law the definition of a new innovative enterprise with high technological value, i.e. the “innovative start-up”.

The policy on “innovative start-ups” has been strengthened in recent years by several legislative measures, such as Decree-Law 76/2013 (the so-called “Labour Decree”), which widens the pool of start-ups eligible for the benefits, Decree-Law 3/2015 (the so-called “Investment Compact”), which introduces “innovative SMEs”, and the 2017 Budget Law (Law 232/2016), which introduces tax incentives and benefits for these types of company.

Since their introduction into Italian law, and thanks to the constant attention of the legislator through numerous and pervasive regulatory actions, “innovative start-ups” and “innovative SMEs” have grown significantly and today are no longer considered a niche, as they account for over 2 billion euros of total turnover and provide around 50,000 jobs.

Innovative start-up

From a commercial point of view, a start-up is the beginning of any entrepreneurial initiative aimed at developing a new business. Under Italian law (namely Decree-Law 179/2012), “innovative start-ups” are limited companies, including cooperatives, whose shares or quotas representing the share capital are not listed on a regulated market or on a multilateral trading facility. These companies must also meet requirements imposed by law, e.g. be newly incorporated or have been operating for less than 5 years, have an annual turnover of less than 5 million euros, have as their exclusive or prevalent corporate purpose the development, production and marketing of innovative goods or services of high technological value, etc.

Innovative SME

As mentioned above, Decree-Law 3/2015 (the so-called “Investment Compact”) introduced a new type of company, i.e. “innovative SMEs”, and extended to them most of the benefits provided for “innovative start-ups”. “Innovative SMEs” are companies with fewer than 250 employees and an annual turnover not exceeding 43 million euros; in addition, they must meet other requirements: they must be incorporated as a limited company, including in cooperative form; the company’s shares may not be listed on a regulated market; the latest financial statements must be certified by an auditor or an audit firm registered in the register of auditors, etc.

“Innovative SMEs” operate in the field of innovation technology, regardless of their date of incorporation, corporate purpose and level of maturity. Achieving “innovative SME” status can be a natural continuation of the growth and strengthening path of an “innovative start-up”.

Benefits provided by “Italy’s Startup Act”

The main benefits granted to “innovative start-ups” and “innovative SMEs” by Italian legislation are the following:

  • Digital and free incorporation: “Innovative start-ups” may choose to draw up their deed of incorporation (and subsequent amendments to it) using a standard model. The document can be signed using a digital signature, i.e. the entire procedure can be carried out online through a dedicated platform and, as a further advantage, its use is free of charge. It should be noted, however, that this procedure remains voluntary: it is always possible to incorporate an S.r.l. by notarial deed, subsequently registering it in the special section of the Register;
  • Cost cutting: “Innovative start-ups” and “innovative SMEs” are exempt from payment of the stamp duty due on registration in the special section of the Companies Register. In addition, “innovative start-ups” are exempt from payment of the annual fee usually due to the Chambers of Commerce;
  • Flexible corporate management: “Innovative start-ups” and “innovative SMEs” incorporated as an S.r.l. have certain special features that entail radical changes to the financial structure of the S.r.l. (e.g. creating classes of quotas with specific rights, offering capital quotas to the public, etc.), which make such companies more similar to an S.p.A.;
  • Loss coverage: In the event of losses, while ordinary companies must reduce their capital by the following financial year, “innovative SMEs” and “innovative start-ups” may do so two financial years after incurring the losses;
  • Tailor-made employment law for “innovative start-ups”: In general, “innovative start-ups” are subject to the provisions on fixed-term contracts as set out in the “Jobs Act” (Decree-Law 81/2015). Therefore, “innovative start-ups” may hire staff on fixed-term contracts for a maximum of 36 months. However, by way of derogation from the provisions of the Jobs Act, “innovative start-ups” may hire staff on fixed-term contracts of any duration, even very short, which may be renewed several times. After 36 months, the contract may be renewed only once, for a maximum of 12 months, for a total duration therefore of 48 months. After this 4-year period, the fixed-term contract is automatically converted into a permanent contract. The salaries due to workers employed in “innovative start-ups” may have a variable component linked to targets and production parameters based on agreements between the parties (such as the employee’s productivity or the company’s profitability, etc.), including “stock options” and “work-for-equity” schemes (the income deriving from these financial instruments, which can also be used to pay workers in “innovative SMEs”, is tax-deductible for both tax and social security contribution purposes and is subject only to capital gains taxation);
  • Tax incentives for investing in “innovative start-ups” (for “innovative SMEs”, these incentives will come into force after the implementation of a dedicated interministerial decree, in compliance with EU State aid rules): This benefit provides, for individuals, an IRPEF deduction equal to 30% of the amount invested, up to a maximum amount of € 1 million; for legal entities the benefit consists of a deduction from the IRAP taxable base equal to 30% of the amount invested, up to a maximum of € 1.8 million. These subsidies apply both to direct investments in “innovative start-ups” and to indirect investments through other companies, such as OICRs, that invest predominantly in “innovative start-ups”. These measures are conditional on the holding in the “innovative start-up” being maintained for a minimum of 3 years;
  • Equity crowdfunding: “Innovative start-ups”, “innovative SMEs” and also OICRs and other companies that invest predominantly in “innovative start-ups” and “innovative SMEs” may raise capital through online portals. In addition, the 2017 Budget Law started the process of extending the applicability of this tool to all Italian SMEs;
  • Direct, simplified and free access for “innovative start-ups” and “innovative SMEs” to the Guarantee Fund for Small and Medium-sized Enterprises: A state fund that facilitates access to credit through guarantees on bank loans. The guarantee covers up to 80% of bank loans granted to “innovative start-ups” and “innovative SMEs”, up to a maximum of 2.5 million euros, and is provided through a simplified procedure;
  • Fail Fast: “Innovative start-ups” are exempt from the standard procedures of bankruptcy, composition with creditors and compulsory administrative liquidation in the event of an over-indebtedness crisis. As a result, judicial liquidation times are reduced and administrative burdens and social stigma decrease drastically;
  • Conversion into “innovative SMEs”: Successful “innovative start-ups” that have become “mature” companies with considerable experience and production value, and whose activities are still characterised by a significant component of technological innovation, may move to “innovative SME” status. In addition, the Investment Compact extended many of the benefits granted to “innovative start-ups” to a wider range of companies characterised by a marked propensity for innovation.

It should be noted that while for “innovative start-ups” the legislator decided to limit the benefits to a maximum of 5 years from the date of the company’s incorporation, for “innovative SMEs”, provided that the legal requirements are met, the support tools are not subject to a time limit.

Further benefits

In addition to the tools forming part of the original regulatory package (“Decreto Crescita 2.0”), the Ministry of Economic Development has committed to further measures to support the innovation ecosystem. Among these initiatives, the following deserve mention: Smart&Start Italia (a subsidised financing scheme for “innovative start-ups” based in Italy), Italia Startup Visa (a new fast-track procedure for issuing self-employment visas to non-EU citizens who intend to set up an “innovative start-up” in Italy) and Italia Startup Hub (a fast-track procedure that extends the Visa Startup Italia programme to non-EU citizens already holding a valid residence permit who intend to stay in Italy beyond its expiry date in order to launch an “innovative start-up”).

Finally, two important measures applicable to all Italian companies are of particular interest to “innovative start-ups” and “innovative SMEs”:

  • Research and Development tax credit: From the 2017 tax period until 2020, the credit is equal to 50% of the incremental annual costs for R&D activities, for both intra muros and extra muros expenditure. The tax credit is granted up to an annual maximum of € 20 million for each tax period. The baseline for the measure is calculated against the average of the costs incurred in the 3 tax periods preceding the one in progress on 31 December 2016, provided that in each of the tax periods R&D costs were equal to or greater than € 30,000;
  • Patent Box: This consists of tax relief on income deriving from the use of intellectual property. The Patent Box gives companies an option to exclude from taxation 50% of the income deriving from the commercial exploitation of intangible assets (intellectual works, patents, business marks, trademarks).


Following the introduction of “innovative start-ups” and “innovative SMEs” into the Italian legal landscape, well ahead of other European countries, these entities have proved to be a strategic lever for the development of the country’s economy.

Indeed, the high rate of innovation embedded in the DNA of these new corporate forms can play a fundamental role in relaunching growth and employment, especially youth employment, in Italy.

KWM Italy therefore wishes to make its own contribution to this exciting sector, with the aim of helping start-ups and SMEs to effectively develop or better structure their ideas and their business.


Artificial Intelligence and Legal Personality

[“In a scenario where an algorithm can take autonomous decision, then who should be responsible for these decisions?” Milan-based corporate lawyer Stefania Lucchetti said]. My interview in Politico’s article on the introduction of a concept of legal personality for artificial intelligence. This conversation has come of age, and while we do not yet have all answers it is very important to start asking the right questions.

Read the article at:

Data Protection as a Corporate Governance Issue



Today we held a round table and seminar at our King & Wood Mallesons office dedicated to data protection, during which we discussed the implications of the GDPR from a practical point of view, from both the legal side and the technical side. Aside from the obvious duty to be compliant, my view is that an appropriate data protection structure and responsibility line is not just an IT issue or a legal issue but a corporate governance issue, as it entails serious risk management considerations from both a financial and a reputational perspective; each company therefore needs to deploy sufficient investments to ensure adequate compliance.

Boards need to make an essential philosophical switch in accepting that this is a key enterprise risk which needs to be addressed at a board level with adequate resources.

Lack of proper action can entail heavy sanctions for the company under the GDPR, with ensuing board responsibilities towards the company (for example in Italy under Art. 2392 of the Italian Civil Code for lack of appropriate action to protect the company).

Stefania Lucchetti as speaker at Forbes Live event on Fintech

On 1st March 2018 Stefania Lucchetti was a speaker at a Forbes Italia ForbesLive event during the Quant International Workshop (quantitative & asset management) in Venice, Italy. The focus of Stefania’s panel was on the future of financial services in the age of Fintech. The topics addressed during the presentation included the legal issues related to blockchain, Artificial Intelligence, digital payments, ICOs and cryptocurrencies.

Stefania Lucchetti introduced her speech by explaining that artificial intelligence, blockchain, cryptocurrencies, ICOs, and big data are referred to as disruptive because they change not just how a product or service is delivered, but the essence of what a product or service is – so much that new regulations need to be created to address them.

Press coverage at:


Due Diligence: Welcome AI, but Keep the Human Element

The legal market is welcoming (and fearing) the introduction of Artificial Intelligence (AI) in due diligence processes.

AI will liberate junior lawyers from the often tedious (and necessarily error prone) work of cataloguing contract information, and at the same time will take work away from law firms and lawyers.

We are of the view, however, that while the cataloguing work (summarizing data about contracts and financial transactions) can well be left to AI, the interpretation of such data needs a human element.

What is the purpose of due diligence? Prior to entering into a long-term relationship, such as an equity or commercial joint venture relationship, it is important for a company to determine that the potential business partner shares its ethical standards and is prepared to follow business practices consistent with its own.

Due diligence is not only intended to catalogue data; it has a specific objective, which is to evaluate potential risk areas and to screen a potential contractual partner, its business relationships and practices, its government relationships as well as its reputation.

At the heart of the due diligence is the attempt to gain a thorough understanding of the structure, background, characteristics, practices and also motivations of the contractual partner.

A company seeking a long term contractual relationship must emerge from the due diligence process satisfied that it wants to do business with the partner on an intensive and long-term basis.

The following key areas are (among others) always of concern in joint ventures and should be a specific focus of due diligence:

  • corporate governance and controllership, including keeping accurate books and records;
  • business contracts and business practices;
  • potential for improper payments, or corrupt business practices;
  • regulatory compliance, including historic compliance with core licensing needs;
  • employment matters;
  • existing or potential litigation;
  • tax compliance; and
  • environmental matters, such as a history of land contamination or pollution.

While software can catalogue all relevant information for quick and easy access, interpretation can and must be left to an experienced professional.

The phase of desktop review and analysis is essential to depict a preliminary profile of the partner, identify the main areas of risk and potential concern, and define the need and the subsequent perimeter of in-depth examinations.

However, even this apparently more objective and depersonalized phase of work needs a human element to be planned and executed in the most effective way. Even very accurate and comprehensive corporate information does not tell us how our partner is perceived, its track record, the origins of its business, its network of contacts, its political exposure, etc. In this regard, a key component of the desktop phase is a critical analysis of the information that comes from outside what can be considered the perimeter of a standard due diligence process, i.e. from outside the target company. For example, it is important to:

  • Reconstruct the target’s public and media profile, if any, and ascertain if any red flags have been reported, if there have been allegations of wrongdoing or non-transparent behavior, and if the target has never responded to these reports or released any denial. This analysis must include social media open to the public, electronic media, national and local press outlets.
  • Look at the target’s track record and try to answer questions such as: what is the origin of the business? Did the company develop in a regular and constant way or was there a sudden growth? Does the company have a long-lasting and deeply rooted presence in a local territory? Are there any previous issues, such as a bankruptcy or frequent and inexplicable changes in the business scope or in the geographic area of activity?
  • Identify and reconstruct the profile of the key individuals involved in the ownership and managerial structure of the target company: their corporate profile beyond the target company, their professional background and career, their media profile, etc. can help a lot in placing the target company in a broader and clearer context and in understanding its modus operandi.
  • Enlarge the scope to map the target’s network of business partners and influential contacts and identify potential areas of risk and concern by answering questions such as: Is there a strong and potentially risky relationship with the public sector or the political establishment? What is the reputation of our partner’s partners?

And then, once this critical and analytical phase of desktop study has been performed? A human needs to go on the ground and meet people. Only human sources can provide insight and add value to assess the actual reputation, integrity and market standing of the target.

AI and standardized procedures provide very valuable support, especially because they help perform the most mundane and time-consuming part of the due diligence process, which is gathering, processing and indexing the information. But when it comes to analyzing, combining, cross-checking, understanding and supplementing this information, AI cannot substitute for the awareness and the experience of professional figures who know where to look, what to look for, who to look at and how to look beyond.

Stefania Lucchetti and Francesca Castelli

© 2017. For further information Contact the Authors

Articles may be shared and/or reproduced only in their entirety and with full credit/citation. This post is for information only and is not to be considered legal advice.

AI and Legal Personality – on algorithm produced art

A great piece in Scientific American (see Is Art Created by AI Really Art) on the philosophical as well as the economic implications of AI-produced art jokingly raises a provocative question at the end of the article: “When an AI-composed song wins the Grammy, who gets the trophy”? This is actually a complex legal issue which over time will need to be addressed. As I already wrote in previous posts, the issue of legal personality for AI, in particular that with deep learning functions, will need to be considered. This will of course impact primarily (and more urgently) liability issues, but at some point more creative expressions will need to be considered as well.

© 2018. For further information Contact the Author

Articles may be shared and/or reproduced only in their entirety and with full credit/citation.  Opinions in this post are personal to the author.


Opportunities for Equity Crowdfunding in Italy


Equity-based crowdfunding is generally understood as a system that allows financial capital to be raised, usually over the Internet, by offering in exchange equity stakes in the financed company, generally a start-up or a small or medium-sized enterprise.

In Italy, since 2012, there has been a dedicated, comprehensive body of rules (Decree-Law no. 179 of 18 October 2012, the so-called “Decreto Crescita 2”) regulating equity crowdfunding. Initially, the legislation allowed only companies qualifying as innovative start-ups to raise funding through crowdfunding. Subsequent legislative measures also opened crowdfunding to social enterprises and, above all, to all SMEs (not only innovative ones). They also introduced the possibility for collective investment undertakings (organismi di investimento collettivo del risparmio, OICR) and for companies that invest predominantly in innovative start-ups/SMEs to place their capital online through equity crowdfunding portals.

The legislation, while presenting some elements of rigidity, has evolved considerably to adapt to the demands of the relevant market.

It is interesting to note that raising financial capital over the internet has many similarities with Initial Coin Offerings (ICOs). In recent months ICOs have enjoyed resounding media success globally, while meeting with various misfortunes from a regulatory standpoint. Indeed, in some jurisdictions this form of capital raising has even been banned (for example in China and South Korea).

An Initial Coin Offering (ICO) is a form of fundraising through which an entity places on the market its own future cryptocurrency (coin or token) in exchange for a cryptocurrency already in circulation (such as Bitcoin) in order to finance its project, usually presented to the public in a white paper. Those who purchase the cryptocurrency trust that the underlying business will succeed and that the currency will appreciate, so as to make a profit when selling that currency on the market. Over time, ICOs have also been divided according to whether the funding yields in return an equity token (with a stake in the issuing company) or a utility token (a currency with secondary functions that usually allows the holder to obtain benefits on the financed platform itself).

Considering the similar objective of ICOs and equity crowdfunding – both being systems for raising risk capital for start-ups and small businesses outside regulated markets – and given the total absence in Italy, as of today, of rules governing ICOs, we asked ourselves whether the Italian law on crowdfunding, briefly described below, could be a potentially useful tool for providing a regulatory framework within which to bring ICOs.

Italian legislation on crowdfunding

Equity crowdfunding portals

The “portal” is the online platform whose exclusive purpose is to facilitate the raising of risk capital by offerors. The portal takes the form of a website that acts as intermediary between the issuing company and the funder. The offer of financial instruments to the public may be made exclusively through one or more registered and regulated portals.

The portal manager ensures that, for each fundraising campaign, the amount needed to complete the orders is available in the escrow account designated for the offeror and opened with the banks and investment firms to which the orders are transmitted.

Secondary trading

The subscription and subsequent transfer of quotas representing the capital of the issuing company may be carried out through intermediaries authorised to provide investment services, which subscribe for the quotas in their own name and on behalf of the subscribers or purchasers who have taken up the offer through the portal.

Corporate rules

Crowdfunding transactions are carried out by publishing specific offers on the portal’s website, the “online shop window” through which the issuer offers investors “risk capital instruments”, i.e. shares or quotas carrying special rights.

The funding takes place in return for the allocation to investors of quotas or shares carrying special rights that make the investment “desirable”. The usual practice is to approve a capital increase with the exclusion of the pre-emption right of existing shareholders.

Cross border crowdfunding

The Italian legislation on crowdfunding applies only to companies resident in Italy or in one of the Member States of the European Union or in States party to the Agreement on the European Economic Area, provided that they have a production site or a branch in Italy.

The European Commission intends to present, within the first months of 2018, a proposal to regulate crowdfunding. To this end, a public consultation has been opened which focuses mainly on two topics:

  1. cross-border crowdfunding, which consists of carrying out crowdfunding activities outside the borders of one’s own country, without applying for a specific authorisation in each European country; and
  2. the creation of an effective common framework for risk management for investments in crowdfunding campaigns.

In any case, the Italian legislation on equity crowdfunding does not restrict foreign companies’ access to Italian portals. The requirement to hold an Italian tax code, previously laid down for registration on an equity crowdfunding portal, has been removed for persons not resident in Italy following a very recent legislative measure, thereby making it easier for such operators to access the Italian market.


The Italian legislation on crowdfunding could be a useful platform for creating regulated forms of ICO. The real crux of the matter is the handling of cryptocurrencies, including the possibility of creating escrow accounts in which cryptocurrency exchanges are tracked by connecting to the blockchain platform. This would have the additional benefit of facilitating dialogue between banks and blockchain platforms, helping Italy towards an accelerated transition in its Fintech offering. The tax and regulatory issues linked to the exchange of cryptocurrencies clearly need to be assessed.

Stefania Lucchetti, Pietro Boccaccini and Alessandro Morleo

© 2018. For further information, Contact the Authors

Articles may be shared and/or reproduced only in their entirety and with adequate citation. This publication is for information purposes only and must not be considered legal advice.