Online Education and Application of EU GDPR

Online Education

Nowadays, education programs, especially those provided at university and post-graduate level, are increasingly international.

Universities, business schools and other education institutions now frequently offer masters and other study programs all over the world, without necessarily having schools and premises in every country where the courses are offered.

Often, education is in fact provided partially or solely online, through distance learning programs. This is a huge opportunity for students to have access to international programs without having to relocate and for education institutions to expand their reach.

Applying for a distance learning education program implies that the prospective student provides the education institution with personal information concerning him or her. A huge quantity of personal data is therefore processed in this context (e.g. name, address, email, phone number, academic history, etc.), which raises the question of which regulation applies to the protection of such personal data and, in particular, for our purposes, in which cases the European Regulation 2016/679 (General Data Protection Regulation – “GDPR”) applies.

Territorial scope of the GDPR

The scope of territorial application of the GDPR is set out in Article 3 which provides that the regulation applies:

  1. to the processing of personal data in the context of the activities of an establishment of the controller or of the processor in the European Union, regardless of whether the processing takes place in the European Union or not; and
  2. to the processing of personal data of data subjects who are in the European Union by a controller or a processor not established in the European Union, where the processing activities are related to:
  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the European Union.

The key terms used in Article 3 are clarified below:

  • “controller” is the subject determining the purposes and means of the processing of personal data, while the “processor” is the subject processing personal data on behalf of the controller;
  • “establishment” implies the effective and real exercise of activity through stable arrangements (e.g. branches or subsidiaries);
  • “who are in the EU”: it will be up to future case law to interpret its scope; however, we can reasonably foresee an interpretation based on the residency or domicile of a data subject in the EU;
  • “offering goods or services” is more than mere access to a website or email address, but might be evidenced: by the use of a language or of a currency generally used in an EU Member State with the possibility of ordering goods/services there; by the use of advertising targeting an audience in the EU (for instance paying a search engine to facilitate access by those within an EU Member State); by the use of a top-level domain name other than that of the state in which the company is established (e.g. …, etc.);
  • “monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to take decisions to analyse/predict personal preferences, behaviours and attitudes or to provide online behavioural advertising.

Examples of possible application of the GDPR

In light of the territorial scope of the GDPR, here below are a few examples of the possible application or non-application of the GDPR to education institutions processing personal data, possibly also through distance learning systems.

Example | Application of the GDPR to data processing carried out by the organization
Italian university providing courses in Italy, also online, both to EU and non-EU students | 
UK university providing summer courses in the premises of a local academic institution in France both to EU and non-EU students | 
Chinese university providing courses in its premises in China also to EU students | 
Chinese university providing online courses also to students resident in the EU | 
Chinese school providing language courses in premises located in Germany to German and other EU students | 
US university providing online masters also to EU students resident in the EU | 
Australian business school providing online MBA to Chinese students | No
US online education platform processing data of EU students for profiling purposes | 

GDPR compliance program

In order to comply with the GDPR, should it be applicable, education institutions will need to take numerous steps. The aim of this short paper is not to provide an exhaustive checklist of all the controller’s GDPR compliance activities, but to raise awareness of the activities required, which can be summarized as follows:

  • designating people in charge of addressing privacy matters within the organization;
  • designating a Data Protection Officer (DPO), where required under Article 37 of the GDPR (e.g. the processing is carried out by a public body or the processing operations require regular and systematic monitoring of data subjects on a large scale) or where considered useful by the organization;
  • drafting an adequate set of privacy policies on the basis of the different processing activities and of the different data subjects (e.g. resident students, foreign students, clients and suppliers, etc.);
  • defining data retention periods for each processing purpose;
  • collecting from data subjects the consent to the processing of their personal data where there is no other possible/appropriate legal basis for processing (e.g. a contractual obligation, a legitimate interest, etc.) – the consent of the student’s parents is necessary if the student is below the age of 16 years;
  • preparing and constantly updating a record of processing activities (necessary, under Article 30 of the GDPR, only in case the education organization employs more than 250 persons);
  • implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
  • carrying out an assessment of the impact of the envisaged processing operations on the protection of personal data, should Article 35 of the GDPR be applicable (e.g. in the event of a systematic evaluation of personal aspects based on automated processing, including profiling);
  • preparing training programs for the organization’s employees involved in processing operations;
  • creating a procedure for data breach management;
  • drafting data controller/data processor agreements where processing is carried out on behalf of the education institution by a data processor;
  • adopting appropriate safeguards for transferring personal data outside the EU, as provided by Article 46 of the GDPR.

Additional obligations provided by national law

The GDPR is directly applicable in all EU Member States; however, the national laws of each EU Member State may provide for specifications and restrictions of the European rules.

For example, specifically with regard to the matter at hand, the Italian law on data protection (the so-called “Privacy Code”, Legislative Decree No. 196/2003), as recently amended by Legislative Decree No. 101/2018 aimed at harmonizing Italian law with the GDPR, provides the following specific rule on the processing of students’ personal data: in order to facilitate education and access to employment, also abroad, national education institutions, including private schools and universities, may – upon students’ explicit requests – communicate to third parties, also online, students’ data relating to marks and education results and other personal data, excluding however special categories of data (e.g. data concerning health, political opinions, religious beliefs, etc.) and data relating to criminal convictions.

The above is in any event subject to: (a) the education institution having provided an adequate information notice to the student; and (b) the data being processed exclusively for the purposes of facilitating education and access to employment.


Personal data collected and processed by a university, a school or by any other education institution in the context of its learning programs represent valuable assets: as such, they need to be carefully protected.

A GDPR compliance program is certainly a substantial commitment for European organizations and for foreign organizations subject to the new rules; however, these subjects need to be mindful that the business and legal implications of non-compliance with the applicable rules may lead to substantial sanctions and to reputational damage.

Milan, 17 September 2018

This note is for information purposes only and it is not to be intended as legal advice. For any further information or to receive advice tailored to your situation, please contact us.

Stefania Lucchetti, Pietro Boccaccini


EU companies – and non-EU companies offering goods or services to EU citizens – which process personal data need to comply with the provisions introduced in this respect by the European Regulation 2016/679 (General Data Protection Regulation – “GDPR”). Consent of the data subject is a legal basis for data processing but not the only one, and companies will therefore need to carefully evaluate which is the most appropriate legal basis in relation to a certain processing activity.

This note focuses on consent, and in particular on the numerous consent requirements set forth by the GDPR.

A key business issue for companies whose database is a valuable business asset is whether consent to process data obtained before the GDPR became applicable is still a valid ground to process data, e.g. for marketing purposes. This note will address this issue as well.

Consent as a legal basis for data processing

The GDPR has introduced new requirements in relation to one of the most used bases for lawfully processing personal data: the data subject’s consent.

It should be noted at the outset that, pursuant to Article 6 of the GDPR, processing of personal data is lawful not only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes, but also in the event that processing is necessary:

  • for the performance of a contract to which the data subject is party;
  • for compliance with a legal obligation to which the controller[1] is subject;
  • in order to protect the vital interests of the data subject;
  • for the performance of a task carried out in the public interest;
  • for the purposes of the legitimate interests pursued by the controller.

Before starting any activity that involves the processing of personal data, a controller must consider what the appropriate lawful ground for the envisaged processing would be. In general, consent can be an appropriate lawful basis if the data subject is offered the possibility to freely accept or refuse the terms offered.

Consent obtained before GDPR became applicable

According to Recital 171 of the GDPR “where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.

In light of the above, in the event that a company, prior to 25 May 2018 (the date on which the GDPR became applicable), obtained the consent of certain data subjects in the manner required by the GDPR, it can continue to lawfully process the personal data of those data subjects. Should that not be the case, the company will need to obtain new consent.

If not obtained in full compliance with the GDPR, consent is an invalid basis for processing, rendering the processing activity unlawful. If, for instance, a company collected only one consent for different processing operations (which is quite common, in practice), this would not be in line with the “granularity” requirement (see paragraph below on this topic).

As outlined by the Article 29 Working Party[2], consent given before the GDPR became applicable by an implied form of action is no longer valid, given that the GDPR requires that consent be given through a “statement or a clear affirmative action” by the data subject. Therefore, for example, consent obtained with a pre-ticked opt-in box would not be valid.

In order to be compliant with the GDPR’s standards, operations and IT systems may also need revision. For instance, mechanisms for data subjects to easily withdraw their consent must now always be available. If existing procedures for obtaining and withdrawing consent do not meet the GDPR’s standards, controllers will need to refresh their procedures.

In any event, obtaining consent does not diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially with regard to fairness, necessity and proportionality, as well as data quality.

Set out below are the main requirements for consent under the GDPR that companies will need to carefully examine in order to evaluate whether existing consents (if any) need to be refreshed.

Consent requirements

Consent must be given by a clear affirmative act establishing a:

  • freely given;
  • specific;
  • informed; and
  • unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.

Where processing is based on consent, the controller must always be able to demonstrate that the data subject has consented to data processing.

Consent should not be considered freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment (withdrawing consent, for instance, must not lead to any costs for the data subject). Consent would not be considered freely given in the event that a certain service requested by the data subject is conditional, for instance, on the data subject’s consent to receive direct marketing.

It is interesting to note that in certain relationships that cannot be considered perfectly balanced, like the one between employer and employee, it is unlikely that consent requested from the weaker party will be freely given. In this particular case it is advisable to rely on other legal bases for the processing (e.g. the performance of the employment contract and compliance with the employer’s legal and fiscal obligations).

For consent to be informed, the data subject should be aware of the following[3]:

  • the identity of the controller;
  • the purposes of the processing for which the personal data are intended;
  • what type of data will be collected and used;
  • the existence of the right to withdraw consent;
  • information about the use of the data for automated decision-making (if relevant);
  • the possible risks of data transfers outside the EU due to absence of an adequacy decision and of appropriate safeguards.

In addition, consent must meet a further requirement, i.e. it must be explicit, in the event a data controller intends:

  • to process special categories of personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, etc.); or
  • to process personal data for profiling purposes.

In order to be explicit, consent must be given in written form, including by electronic means, for instance by filling in an electronic form, by sending an email or by using an electronic signature. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject cannot be considered as an indication of choice.

Another specific requirement related to consent introduced by the GDPR is that, in relation to the offer of information society services to children below the age of 16 years, the consent of the holder of parental responsibility over the child must be given. EU Member States may provide by law for a lower age, provided that such lower age is not below 13 years.

In the event that consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented using clear and plain language (meaning that it should be easily understandable for the average person and not only for lawyers) and in a manner which is:

  • clearly distinguishable from the other matters; and
  • in an intelligible and easily accessible form.

Data subjects have the right to withdraw their consent at any time and the data controller must inform them of this. Withdrawing consent must be as easy as giving consent (e.g. clicking a box online). The withdrawal of consent, in any event, does not affect the lawfulness of processing based on consent before its withdrawal.

It should be noted that the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively rely on the legitimate interest basis in order to justify processing where consent is no longer valid. A data controller must decide before starting data collection what the applicable lawful basis is and must disclose it to the data subject at the time of collection.

Granularity of consent

Recital 43 of the GDPR states that separate consent for different processing operations will be needed wherever appropriate. Mechanisms to collect consent must be granular to satisfy, in particular, two requirements: “free” and “specific”. Granularity of consent means, in a few words, that it must be clear to data subjects what they are consenting to: they must have a choice and be in control of what they choose to receive from the data controller. Bundling consent to various activities into one tick box is not acceptable.

Although the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (Recital 47 of the GDPR) – in particular in the presence of a contractual relationship between data controller and data subject[4] – in most cases a data controller who intends to process personal data for marketing purposes will need to obtain specific consent from the data subjects.

A controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.

For instance, specific and separate consent should be requested from the data subject for:

  • the data controller processing personal data for sending newsletters and commercial communications for the purpose of direct marketing (via email, SMS, MMS, fax, mail, phone, etc.);
  • the data controller processing personal data for the purpose of profiling the data subject and sending personalized offers;
  • the data controller transferring the data subject’s personal data to third parties so that they can send newsletters and commercial communications for the purpose of direct marketing;
  • the data controller transferring the data subject’s personal data to third parties so that they can profile the data subject and send personalized offers.

Pursuant to Article 21 of the GDPR, where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. In the event that the data subject objects to processing for direct marketing purposes, the data controller must no longer process personal data for such purposes.

Data portability

One of the consequences of basing the processing on consent is – among others – that the data subject acquires the right to data portability set forth by Article 20 of the GDPR, that is to say the right to receive his/her personal data provided to the controller in a structured, commonly used and machine-readable format.

At the data subject’s discretion, where technically feasible, the data controller who originally collected the personal data would have to transmit the data directly to another controller.

Needless to say, the exercise of this right may significantly impact the business of a company based on the commercial use of its customers’ data.

Milan, 17 July 2018

This note is for information purposes only and it is not to be intended as legal advice. For any further information or to receive advice tailored to your situation, please contact us.

[1]The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

[2] Guidelines on Consent under Regulation 2016/679 adopted on 28 November 2017, page 30. The Article 29 Working Party was the advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board (EDPB).

[3] As specified by the Article 29 Working Party – Guidelines on Consent.

[4]For example, a data controller sends e-mail communications to existing clients in order to promote the data controller’s own or similar products or services (see Opinion 15/2011 of Article 29 Working Party on the definition of consent).

Stefania Lucchetti, Pietro Boccaccini

Incentives for Italian start-ups and SMEs and the KWM Italy startup hub

KWM Italy team

[Photo: partner Stefania Lucchetti (centre), associate Pietro Boccaccini (right) and Alessandro Morleo (left)]

KWM Italy Startup Hub

Given the ever-greater importance that “innovative start-ups” and “innovative SMEs” have within the Italian economic fabric, King & Wood Mallesons Italy (KWM Italy) has launched a new legal assistance portfolio called KWM Italy Startup Hub.

This legal service is aimed at solid “innovative start-ups” and “innovative SMEs” that are starting their activities or that intend to better structure activities already under way with a view to further growth.

The Startup Hub is made up of a team specialised in commercial law, corporate law and IT law, represented by KWM Italy partner Stefania Lucchetti, who has over two decades of experience in assisting technology companies and in particular start-ups, by KWM Italy associate Pietro Boccaccini and by KWM Italy trainee Alessandro Morleo.

“Italy’s Startup Act” – The launch of start-ups and SMEs

Italy is at the forefront in the regulation of start-ups and SMEs. A broad regulatory framework has been put in place in favour of this type of company, without imposing sector- or age-related restrictions, as is usual in other national legislations. The new instruments and incentives cover the entire life cycle of the innovative enterprise: from its incorporation to the growth, development and maturity phases.

The first piece of legislation on this type of company is Decree Law 179/2012 (the so-called “Decreto Crescita 2.0”), which may appropriately be called “Italy’s Startup Act”. The Decree introduced into Italian law the definition of a new innovative enterprise with high technological value, i.e. the “innovative start-up”.

The policy on “innovative start-ups” has been strengthened in recent years by several legislative measures: Decree Law 76/2013 (the so-called “Decreto sul lavoro”), which widens the pool of start-ups eligible for the incentives; Decree Law 3/2015 (the so-called “Investment Compact”), which introduces “innovative SMEs”; and the 2017 Budget Law (Law 232/2016), which introduces incentives and tax reliefs for these types of company.

Since their introduction into Italian law, and thanks to the constant attention of the legislator through numerous and pervasive regulatory actions, “innovative start-ups” and “innovative SMEs” have grown significantly and are today no longer considered a niche: they generate over 2 billion euro in total turnover and provide around 50 thousand jobs.

Innovative start-up

From a commercial point of view, a start-up is the beginning of any entrepreneurial initiative aimed at developing a new business. Under Italian law (namely Decree Law 179/2012), “innovative start-ups” are companies limited by shares, including cooperatives, whose shares or quotas representing the share capital are not listed on a regulated market or on a multilateral trading facility. These enterprises must also meet requirements imposed by law, e.g. being newly incorporated or having been operating for less than 5 years, having an annual turnover below 5 million euro, having as their exclusive or prevalent corporate purpose the development, production and marketing of innovative goods or services with high technological value, etc.

Innovative SME

As mentioned above, Decree Law 3/2015 (the so-called “Investment Compact”) introduced a new type of company, i.e. “innovative SMEs”, and extended to them most of the incentives provided for “innovative start-ups”. “Innovative SMEs” are enterprises with fewer than 250 employees and an annual turnover not exceeding 43 million euro; in addition, they must meet other requirements, such as being incorporated as a company limited by shares, including in cooperative form, the company’s shares not being listed on a regulated market, the latest financial statements being certified by an auditor or audit firm registered in the register of statutory auditors, etc.

“Innovative SMEs” operate in the field of technological innovation, regardless of their date of incorporation, corporate purpose and level of maturity. Achieving “innovative SME” status can represent a natural continuation of the growth and consolidation path of an “innovative start-up”.

Incentives provided by the “Italy’s Startup Act”

The main incentives granted to “innovative start-ups” and “innovative SMEs” by Italian legislation are the following:

  • Free digital incorporation: “innovative start-ups” may choose to draw up their deed of incorporation (and its subsequent amendments) using a standard template. The document can be signed with a digital signature, i.e. the entire procedure can be carried out online through a dedicated platform and, as a further advantage, its use is free of charge. Note, however, that this procedure remains voluntary: it is always possible to incorporate an S.r.l. by notarial deed, subsequently registering it in the special section of the Register;
  • Cost cuts: “innovative start-ups” and “innovative SMEs” are exempt from paying the stamp duty due on registration in the special section of the Companies Register. In addition, “innovative start-ups” are exempt from paying the annual fee normally due to the Chambers of Commerce;
  • Flexible corporate management: “innovative start-ups” and “innovative SMEs” incorporated as an S.r.l. enjoy certain special features that imply radical changes in the financial structure of the S.r.l. (e.g. creating classes of quotas with specific rights, offering quotas of capital to the public, etc.), which make such companies more similar to an S.p.A.;
  • Coverage of losses: in the event of losses, while ordinary companies must reduce their capital by the following financial year, “innovative SMEs” and “innovative start-ups” may do so two financial years after incurring the losses;
  • Tailored employment law for “innovative start-ups”: in general, “innovative start-ups” are subject to the provisions on fixed-term contracts set out in the “Jobs Act” (Decree Law 81/2015). Accordingly, “innovative start-ups” may hire staff on fixed-term contracts for a maximum of 36 months. However, by way of derogation from the Jobs Act, “innovative start-ups” may hire staff on fixed-term contracts of any duration, even very short, which may be renewed several times. After 36 months, the contract may be renewed only once, for a maximum of 12 months, for a total duration of 48 months. After this 4-year period, the fixed-term contract is automatically converted into a permanent contract. The salaries due to workers employed in “innovative start-ups” may include a variable component linked to objectives and production parameters agreed between the parties (such as the employee’s productivity or the company’s profitability, etc.), including “stock options” and “work-for-equity” programmes (the income deriving from these financial instruments, which may also be used to pay workers in “innovative SMEs”, is deductible both for tax and for social security contribution purposes and is subject only to capital gains taxation);
  • Tax incentives for investing in “innovative start-ups” (for “innovative SMEs”, these incentives will enter into force after the implementation of a specific inter-ministerial decree, in compliance with EU State aid rules): this incentive provides natural persons with an IRPEF deduction equal to 30% of the amount invested, up to a maximum of € 1 million; for legal persons, the benefit consists of a deduction from the IRAP taxable base equal to 30% of the amount invested, up to a maximum of € 1.8 million. These benefits apply both to direct investments in “innovative start-ups” and to indirect investments through other companies, such as collective investment undertakings (OICR), that invest mainly in “innovative start-ups”. These measures are conditional on the holding in the “innovative start-up” being maintained for a minimum of 3 years;
  • Equity crowdfunding: “innovative start-ups”, “innovative SMEs” and also collective investment undertakings (OICR) and other companies that invest mainly in “innovative start-ups” and “innovative SMEs” may raise capital through online portals. In addition, the 2017 Budget Law started the process of extending the applicability of this instrument to all Italian SMEs;
  • Direct, simplified and free access for “innovative start-ups” and “innovative SMEs” to the Guarantee Fund for Small and Medium Enterprises: a State fund that facilitates access to credit through guarantees on bank loans. The guarantee covers up to 80% of the bank loans granted to “innovative start-ups” and “innovative SMEs”, up to a maximum of 2.5 million euro, and is provided through a simplified procedure;
  • Fail Fast: “innovative start-ups” are exempt from the standard procedures of bankruptcy, arrangement with creditors and compulsory administrative liquidation in the event of an over-indebtedness crisis. As a result, judicial liquidation times are shortened and administrative burdens and social stigma are drastically reduced;
  • Conversion into “innovative SMEs”: successful “innovative start-ups” that have become “mature” companies with considerable experience and production value, and whose activities are still characterised by a significant component of technological innovation, may transition to “innovative SME” status. In addition, the Investment Compact extended many of the incentives granted to “innovative start-ups” to a wider range of companies characterised by a strong propensity for innovation.

It is worth noting that, while for “innovative start-ups” the legislator has decided to limit the incentives to a maximum of 5 years from the date of incorporation of the company, for “innovative SMEs”, provided that the legal requirements are met, the support instruments are not subject to a time limit.

Further incentives

Beyond the instruments in the original legislative package (the "Decreto Crescita 2.0"), the Ministry of Economic Development has committed to further measures to support the innovation ecosystem. Among these initiatives, the following deserve a mention: Smart&Start Italia (a subsidised financing scheme for innovative start-ups based in Italy), Italia Startup Visa (a new fast-track procedure for issuing self-employment visas to non-EU citizens who intend to set up an innovative start-up in Italy) and Italia Startup Hub (a fast-track procedure that extends the Italia Startup Visa programme to non-EU citizens who already hold a valid residence permit and intend to stay in Italy beyond its expiry date in order to launch an innovative start-up).

Finally, two important measures applicable to all Italian companies are of particular interest to innovative start-ups and innovative SMEs:

  • R&D tax credit: from the 2017 tax period through 2020, the credit is equal to 50% of the incremental annual costs of R&D activities, both intra muros and extra muros. The tax credit is granted up to an annual maximum of EUR 20 million for each tax period. The baseline is calculated against the average costs incurred in the 3 tax periods preceding the one in progress at 31 December 2016, provided that in each of those tax periods R&D costs were equal to or above EUR 30,000;
  • Patent box: tax relief on income deriving from the use of intellectual property. The patent box gives companies the option to exclude from taxation 50% of the income deriving from the commercial exploitation of intangible assets (works of authorship, patents, business trademarks, commercial trademarks).


Since the introduction of innovative start-ups and innovative SMEs into the Italian legal landscape, well ahead of other European countries, these entities have proven to be a strategic lever for the development of the country's economy.

Indeed, the high rate of innovation built into the DNA of these new corporate forms can play a fundamental role in relaunching growth and employment, especially youth employment, in Italy.

KWM Italy therefore wishes to contribute to this exciting sector, with the aim of helping start-ups and SMEs to develop their ideas and their business effectively, or to structure them better.


Artificial Intelligence and Legal Personality

“In a scenario where an algorithm can take autonomous decisions, then who should be responsible for these decisions?” Milan-based corporate lawyer Stefania Lucchetti said. My interview in Politico’s article on the introduction of a concept of legal personality for artificial intelligence. This conversation has come of age, and while we do not yet have all the answers, it is very important to start asking the right questions.


Data Protection as a Corporate Governance Issue

Today we held a round table and seminar at our King & Wood Mallesons office dedicated to data protection, during which we discussed the implications of the GDPR from a practical point of view, both from the legal side and the technical side. Aside from the obvious duty to be compliant, my view is that an appropriate data protection structure and responsibility line is not just an IT issue or a legal issue but a corporate governance issue, as it entails serious risk management considerations from both a financial and a reputational perspective, and therefore each company needs to deploy sufficient investment to ensure adequate compliance.

Boards need to make an essential philosophical switch in accepting that this is a key enterprise risk which needs to be addressed at a board level with adequate resources.

Lack of proper action can expose the company to heavy sanctions under the GDPR, with ensuing liability of the directors towards the company (in Italy, for example, under Art. 2392 of the Italian Civil Code for failure to take appropriate action to protect the company).

Stefania Lucchetti as speaker at Forbes Live event on Fintech

On 1st March 2018 Stefania Lucchetti was a speaker at a Forbes Italia ForbesLive event during the Quant International Workshop (quantitative & asset management) in Venice, Italy. The focus of Stefania’s panel was on the future of financial services in the age of Fintech. The topics addressed during the presentation included the legal issues related to blockchain, Artificial Intelligence, digital payments, ICOs and cryptocurrencies.

Stefania Lucchetti introduced her speech by explaining that artificial intelligence, blockchain, cryptocurrencies, ICOs, and big data are referred to as disruptive because they change not just how a product or service is delivered, but the essence of what a product or service is – so much that new regulations need to be created to address them.


Due Diligence: Welcome AI, but Keep the Human Element

The legal market is welcoming (and fearing) the introduction of Artificial Intelligence (AI) in due diligence processes.

AI will free junior lawyers from the often tedious (and inevitably error-prone) work of cataloguing contract information, and at the same time will take work away from law firms and lawyers.

We believe, however, that while the cataloguing work (summarising data about contracts and financial transactions) can well be left to AI, the interpretation of that data needs a human element.

What is the purpose of due diligence? Before entering into a long-term relationship, such as an equity or commercial joint venture, it is important for a company to determine that the potential business partner shares its ethical standards and is prepared to follow business practices consistent with its own.

Due diligence is not merely a cataloguing exercise; it has a specific objective: to evaluate potential risk areas and to screen a potential contractual partner, its business relationships and practices, its government relationships and its reputation.

At the heart of the due diligence is the attempt to gain a thorough understanding of the structure, background, characteristics, practices and also motivations of the contractual partner.

A company seeking a long term contractual relationship must emerge from the due diligence process satisfied that it wants to do business with the partner on an intensive and long-term basis.

The following key areas are (among others) always of concern in joint ventures and should be a specific focus of due diligence:

  • corporate governance and controllership, including keeping accurate books and records;
  • business contracts and business practices;
  • potential for improper payments, or corrupt business practices;
  • regulatory compliance, including historic compliance with core licensing needs;
  • employment matters;
  • existing or potential litigation;
  • tax compliance; and
  • environmental matters, such as a history of land contamination or pollution.

While software can catalogue all relevant information for quick and easy access, interpretation can and must be left to an experienced professional.

The desktop review and analysis phase is essential to sketch a preliminary profile of the partner, identify the main areas of risk and potential concern, and define the need for, and the subsequent perimeter of, in-depth examinations.

However, even this apparently more objective and depersonalised phase of work needs a human element to be planned and executed in the most effective way. Even very accurate and comprehensive corporate information does not tell us how our partner is perceived, its track record, the origins of its business, its network of contacts, its political exposure, etc. In this regard, a key component of the desktop phase is a critical analysis of information that comes from outside what can be considered the perimeter of a standard due diligence process, i.e. from outside the target company. For example, it is important to:

  • Reconstruct the target’s public and media profile, if any, and ascertain whether any red flags have been reported, whether there have been allegations of wrongdoing or non-transparent behaviour, and whether the target has responded to those reports or issued any denial. This analysis must include publicly accessible social media, electronic media, and national and local press outlets.
  • Look at the target’s track record and try to answer questions such as: what is the origin of the business? Did the company develop in a regular and steady way, or was there sudden growth? Does the company have a long-standing and deeply rooted presence in a local territory? Were there any previous issues, such as a bankruptcy or frequent and inexplicable changes in the business scope or in the geographic area of activity?
  • Identify and reconstruct the profile of the key individuals involved in the ownership and management structure of the target company: their corporate profile beyond the target company, their professional background and career, their media profile, etc. can help greatly in placing the target company in a broader and clearer context and in understanding its modus operandi.
  • Enlarge the scope to map the target’s network of business partners and influential contacts, and identify potential areas of risk and concern by answering questions such as: is there a strong and potentially risky relationship with the public sector or the political establishment? What is the reputation of our partner’s partners?

What then, once this critical and analytical desktop phase has been performed? A human needs to go on the ground and meet people. Only human sources can provide the insight needed to assess the actual reputation, integrity and market standing of the target.

AI and standardised procedures provide very valuable support, especially because they handle the most mundane and time-consuming part of the due diligence process: gathering, processing and indexing the information. But when it comes to analysing, combining, cross-checking, understanding and supplementing that information, AI cannot substitute the awareness and experience of professionals who know where to look, what to look for, whom to look at and how to look beyond.

Stefania Lucchetti and Francesca Castelli

© 2017. For further information Contact the Authors

Articles may be shared and/or reproduced only in their entirety and with full credit/citation. This post is for information only and is not to be considered legal advice.


Possibilities for equity crowdfunding in Italy

You may also read this publication on the King & Wood Mallesons website

Equity based crowdfunding, generally speaking, is a system that enables investors to fund a company, generally a start-up or a small to medium sized enterprise, in return for equity, usually through the internet.

A comprehensive piece of legislation was approved in Italy in 2012 (D.L. no. 179 of 18 October 2012, the so-called “Decreto Crescita 2”) aimed at regulating the equity crowdfunding phenomenon. At first, this law allowed access to crowdfunding only to companies qualified as innovative start-ups. Subsequent regulatory interventions extended access to crowdfunding to social enterprises and, above all, to all SMEs (not just innovative SMEs). They also allowed collective investment undertakings (Italian OICR) and companies investing mainly in innovative start-ups/SMEs to raise capital online through equity crowdfunding portals.

Although this legislation still presents some elements of rigidity, it has evolved significantly in order to adapt to market requests.

It’s interesting to note that the collection of financial capital through the internet presents many similarities with Initial Coin Offerings (ICO). ICOs have had resounding worldwide media success in the last few months, even though they encountered some regulatory misfortunes. In fact, in some jurisdictions this kind of capital raising has been prohibited (for example in China and South Korea).

An Initial Coin Offering (ICO) is a type of crowdfunding through which an entity places on the market a future cryptocurrency (coin or token) in return for an existing cryptocurrency (such as Bitcoin) to finance its project, usually described to the public in a white paper. Those who take part in the ICO and purchase the cryptocurrency are betting that the underlying business will be successful and that the cryptocurrency will appreciate, so that a profit can be made when the currency is later sold on the market. ICOs have also come to be distinguished according to whether the funding is exchanged for an equity token (carrying an interest in the issuing company) or a utility token (a currency with secondary functions, which usually grants benefits on the platform being financed).

Given the analogous purpose of ICO and equity crowdfunding – both being systems for collecting risk capital for start-ups and small businesses outside regulated markets – and given the total lack in Italy, as of today, of specific regulation dedicated to ICOs, we considered whether the Italian crowdfunding law, briefly described below, could be a potentially useful tool to provide a regulatory framework also for ICOs.

Italian crowdfunding legislation

Equity crowdfunding portals

The “portal” is the online platform whose exclusive purpose is to facilitate the raising of risk capital by offerors (the issuing companies). The portal is a website that acts as an intermediary between the issuing company and the investor. The offer of financial instruments to the public may be carried out exclusively through one or more registered and regulated portals.

The portal manager ensures that, for each raising campaign, the amount necessary to complete the orders is available in the escrow account dedicated to the offeror, opened with the banks and investment firms to which the orders are transmitted.

Secondary trading

The subscription and subsequent disposal of quotas or shares representing the capital of the issuing company may be carried out through intermediaries authorised to provide investment services, which subscribe the quotas or shares in their own name and on behalf of the subscribers or buyers who joined the offer through the portal.

Corporate characteristics

Crowdfunding campaigns are carried out publishing specific offers on website portals, the “online shop window”, through which the issuing company offers a “risk capital instrument” to investors, i.e. quotas or shares having specific rights.

The investment takes place against the assignment to investors of quotas or shares carrying special rights that make the investment “desirable”. The practice is to approve a capital increase excluding the pre-emption (option) right of existing shareholders.

Cross border crowdfunding

Italian law regulating crowdfunding applies exclusively to companies with registered office in Italy or in a European Union country or in a country party to the Agreement on the European Economic Area, as long as they have a production site or a branch in Italy.

The European Commission has expressed its intention to submit a proposal for an EU framework on crowd and peer-to-peer finance during the first months of 2018. To this end, a public consultation was launched focusing mainly on two themes:

  1. cross-border crowdfunding, which consists of carrying out crowdfunding activities outside the borders of the operator’s home country without requesting specific authorisation in each European country; and
  2. implementation of an effective common risk management framework to mitigate the risks relating to investments in crowdfunding campaigns.

The Italian legislation on equity crowdfunding, in any event, does not prevent foreign companies from accessing Italian portals. The requirement to hold an Italian fiscal code, previously imposed for registration on an equity crowdfunding portal, was dropped for non-Italian residents by a very recent regulatory intervention, making it easier for these operators to access the Italian market.


Italian crowdfunding legislation could be a useful platform and starting point to think about ICO regulation. The key issue is the regulation and management of cryptocurrencies, including the possibility of creating restricted accounts in which the transfers of cryptocurrencies are tracked via the blockchain platform. This would have the added benefit of facilitating the dialogue between the banking industry and blockchain technology helping Italian operators accelerate their Fintech presence. Tax and regulatory issues related to cryptocurrencies of course need to be assessed.

Stefania Lucchetti, Pietro Boccaccini and Alessandro Morleo

© 2018. For further information Contact the Authors

Articles may be shared and/or reproduced only in their entirety and with full credit/citation. This post is for information only and is not to be considered legal advice.
