Italian law gives legal value to blockchain and smart contracts

[Italian version]

Italian Law No 12/2019 (the “Law”), published on 11 February 2019, marks a leap forward: it completed the conversion procedure of Law Decree No 135/2018, better known as Decreto Semplificazioni. The Law introduces a definition of Distributed Ledger Technologies and Smart Contracts and sets out the legal effects deriving from the adoption of such technologies.

Distributed registers-based technologies (or DLT), including blockchain, are defined by the Law as “technologies and information protocols that use a shared, distributed, replicable, simultaneously accessible, architecturally decentralized registry on a cryptographic basis, such as to allow registration, validation, updating and archiving of data, both in clear and further protected by cryptography, that are verifiable by each participant, are not alterable and not modifiable”.

The Law further sets out the legal effects arising from the adoption of such technologies by stating that storing a digital document in a DLT shall produce the legal effects of an “electronic time stamp” under Article 41 of Regulation (EU) No 910/2014 on electronic identification (the so-called eIDAS Regulation), which reads that “an electronic time stamp shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic time stamp”.

Through this reference to the eIDAS Regulation, digital documents stored in a distributed ledger technology may be more widely used as evidence in legal proceedings, allowing the technology to be put to use as proof in those circumstances where it is fundamental to have proof of the date and time of a certain activity.

The Law goes on to define smart contracts as “computer programs that operate on distributed registers-based technologies and whose execution automatically binds two or more parties according to the effects predefined by said parties”. It is also established that smart contracts satisfy the requirement of written form, which is set out by Italian law for certain types of transactions and contracts.

The public agency Agenzia per l’Italia Digitale (AgID) will have to lay down the technical standards that distributed ledger technologies will have to meet to produce the legal effects described above within 90 days from entry into force of the Law.



Stefania Lucchetti


Italy establishes the legal value of blockchain and smart contracts

[English Version]

Law No. 12 of 11 February 2019, “Conversion into law, with amendments, of Decree-Law No. 135 of 14 December 2018, laying down urgent provisions on support and simplification for businesses and the public administration. (19G00017)”, the so-called “Decreto Semplificazioni” (GU Serie Generale No. 36 of 12-02-2019), is revolutionary for the Italian legal landscape and its future.

The law introduces a definition of “technologies based on distributed ledgers” and of “smart contract”, bringing these technologies into the legal sphere.

The law defines as «technologies based on distributed ledgers» (distributed ledger technologies, more commonly known as blockchain) the technologies and information protocols that use a shared, distributed, replicable, simultaneously accessible ledger, architecturally decentralized on a cryptographic basis, such as to allow the registration, validation, updating and archiving of data, both in clear and further protected by cryptography, that are verifiable by each participant, not alterable and not modifiable.

It also defines a «smart contract» as a computer program that operates on technologies based on distributed ledgers and whose execution automatically binds two or more parties on the basis of effects predefined by them. Smart contracts satisfy the requirement of written form subject to prior electronic identification of the parties concerned, through a process meeting the requirements set by the Agenzia per l’Italia Digitale in guidelines to be adopted within ninety days from the date of entry into force of the law converting this decree.

The most revolutionary aspect of the law therefore lies in establishing that smart contracts satisfy the requirement of written form.

A further aspect concerns the provision that “the storage of an electronic document through the use of technologies based on distributed ledgers produces the legal effects of electronic time stamping referred to in Article 41 of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014”. This essentially gives legal effect to such technologies: electronic documents recorded on distributed ledgers may be used as evidence, proving useful in those sectors where it can be essential to prove that a given action took place at a certain date and time.



Stefania Lucchetti

EU Data Centers and Cross Border Transfers of Personal Data

In the wake of no-deal Brexit headaches, a number of international groups ask for advice on cross border transfers and how to make the best decisions when establishing a data center.

If a company locates its data center in an EU country (i.e. prospectively, not in the UK), the flow of personal data from the EU to the UK (which after Brexit will be considered a “third country”) will be authorized only in the presence of an adequacy decision of the European Commission or of other safeguards.

The EU Commission has stated at the moment that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it will make an adequacy decision allowing the transfer of personal data to the UK without restrictions. However, the European Commission has not yet indicated a timetable for this and it has also stated that the decision on adequacy cannot be taken until the UK is a third country.

If the European Commission does not make an adequacy decision regarding the UK before or at the moment of exit, a legal basis for transfers from the EU to the UK must be identified. In this respect it must be noted that the European Commission has not yet released the new standard contractual clauses (the clauses released under Directive 95/46 can however still be used) and that the binding corporate rules (“BCR”) must be approved by the competent authority, and this approval may take some time.

These two instruments (standard contractual clauses and binding corporate rules), which are the most used for cross border transfers, are different and must be used in different contexts, so the specific situation must be assessed.

Setting up a data center in an EU country rather than in the UK (e.g. in Italy) could have some advantages – the most appropriate instrument for cross border data transfers will then have to be assessed.

Milan, 23 January 2019

This note is for information purposes only and it is not to be intended as legal advice. For any further information or to receive advice tailored to your situation, please contact us.



Stefania Lucchetti

Online Education and Application of EU GDPR

Online Education

Nowadays, education programs, especially when provided at university and post-degree level, are increasingly international.

Universities, business schools and other education institutions are now frequently offering masters and other study programs all over the world, not necessarily having schools and premises in every country where courses are offered.

Often, education is in fact provided partially or solely online, through distance learning programs. This is a huge opportunity for students to have access to international programs without having to relocate and for education institutions to expand their reach.

Applying for a distance learning education program implies that the prospective student provides the education institution with personal information concerning him or her. A huge quantity of personal data are therefore processed in this context (e.g. name, address, email, phone number, academic history, etc.), which raises the question of which regulation applies to the protection of such personal data, and in particular, for our purposes, in which cases the European Regulation 2016/679 (General Data Protection Regulation – “GDPR”) applies.

Territorial scope of the GDPR

The scope of territorial application of the GDPR is set out in Article 3 which provides that the regulation applies:

  1. to the processing of personal data in the context of the activities of an establishment of the controller or of the processor in the European Union, regardless of whether the processing takes place in the European Union or not; and
  2. to the processing of personal data of data subjects who are in the European Union by a controller or a processor not established in the European Union, where the processing activities are related to:
  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the European Union.

The terms in bold are clarified below:

  • “controller” is the subject determining the purposes and means of the processing of personal data while the “processor” is the subject processing personal data on behalf of the controller;
  • “establishment” implies the effective and real exercise of activity through stable arrangements (e.g. branches or subsidiaries);
  • “who are in the EU”: it will be up to future case law to interpret the scope of this expression; however, we can reasonably foresee an interpretation based on the residency or domicile of a data subject in the EU;
  • “offering goods or services” is more than mere access to a website or email address, but might be evidenced: by the use of a language or of a currency generally used in an EU Member State with the possibility of ordering goods/services there; by the use of advertising targeting an audience in the EU (for instance paying a search engine to facilitate access by those within an EU Member State); by the use of a top-level domain name other than that of the state in which the company is established (e.g. or, etc.);
  • “monitoring” specifically includes the tracking of individuals online to create profiles, including where this is used to take decisions to analyse/predict personal preferences, behaviours and attitudes or to provide online behavioural based advertising.

Examples of possible application of the GDPR

In light of the territorial scope of the GDPR, below are a few examples of possible application or non-application of the GDPR to education institutions processing personal data, possibly also through distance learning systems.



Application of the GDPR to data processing carried out by the organization

  • Italian university providing courses in Italy, also online, both to EU and non-EU students
  • UK university providing summer courses in the premises of a local academic institution in France both to EU and non-EU students
  • Chinese university providing courses in its premises in China also to EU students
  • Chinese university providing online courses also to students resident in the EU
  • Chinese school providing language courses in premises located in Germany to German and other EU students
  • US university providing online masters also to EU students resident in the EU
  • Australian business school providing online MBA to Chinese students: No
  • US online education platform processing data of EU students for profiling purposes



GDPR compliance program

In order to comply with the GDPR, should it be applicable, education institutions will need to take numerous steps. The aim of this short paper is not to provide an exhaustive checklist of all the controller’s GDPR compliance activities, but to raise awareness as to the activities required, which can be summarized as follows:

  • designating people in charge of addressing privacy matters within the organization;
  • designating a Data Protection Officer (DPO), where required under Article 37 of the GDPR (e.g. the processing is carried out by a public body or the processing operations require regular and systematic monitoring of data subjects on a large scale) or where considered useful by the organization;
  • drafting an adequate set of privacy policies on the basis of the different processing activities and of the different data subjects (e.g. resident students, foreign students, clients and suppliers, etc.);
  • defining data retention periods for each processing purpose;
  • collecting from data subjects the consent to the processing of their personal data where there is no other possible/appropriate legal basis for processing (e.g. a contractual obligation, a legitimate interest, etc.) – the consent of the student’s parents is necessary if the student is below the age of 16 years;
  • preparing and constantly updating a record of processing activities (necessary, under Article 30 of the GDPR, only in case the education organization employs more than 250 persons);
  • implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
  • carrying out an assessment of the impact of the envisaged processing operations on the protection of personal data, should Article 35 of the GDPR be applicable (e.g. in the event of systematic evaluation of personal aspects based on automated processing, including profiling);
  • preparing training programs for the organization’s employees involved in processing operations;
  • creating a procedure for data breach management;
  • drafting data controller/data processor agreements where processing is carried out on behalf of the education institution by a data processor;
  • adopting appropriate safeguards for transferring personal data outside the EU, as provided by Article 46 of the GDPR.

Additional obligations provided by national law

The GDPR is directly applicable in all EU Member States; however, the national laws of each EU Member State may provide for specifications and restrictions of European rules.

For example, specifically with regard to the matter at hand, Italian law on data protection (the so-called “Privacy Code”, Legislative Decree No. 196/2003), as recently amended by Legislative Decree No. 101/2018 aimed at harmonizing Italian law with the GDPR, provides the following specific rule on the processing of students’ personal data: in order to facilitate education and the access to employment, also abroad, national education institutions, including private schools and universities, may – upon students’ explicit requests – communicate to third parties, also online, students’ data relating to marks and education results and other personal data, excluding however special categories of data (e.g. data concerning health, political opinions, religious beliefs, etc.) and data relating to criminal convictions.

The above is in any event subject to: (a) the education institution having provided an adequate information notice to the student; and (b) data being processed exclusively for the purposes of facilitating education and the access to employment.


Personal data collected and processed by a university, a school or by any other education institution in the context of its learning programs represent valuable assets: as such, they need to be carefully protected.

A GDPR compliance program is certainly quite a substantial commitment for European organizations and for foreign organizations which are subject to the new rules; however, these subjects need to be mindful that the business and legal implications deriving from non-compliance with applicable rules may lead to substantial sanctions and to reputational damage.

Milan, 17 September 2018

This note is for information purposes only and it is not to be intended as legal advice. For any further information or to receive advice tailored to your situation, please contact us.

Stefania Lucchetti, Pietro Boccaccini


EU companies – and non-EU companies offering goods or services to EU citizens – which process personal data need to comply with the provisions introduced by the European Regulation 2016/679 (General Data Protection Regulation – “GDPR”) in this respect. Consent of the data subject is a legal basis for data processing but not the only one, and companies will therefore need to carefully evaluate which is the most appropriate legal basis in relation to a certain processing activity.

This note focuses on consent, and in particular on the consent requirements set forth by the GDPR, which are numerous.

A key business issue for companies whose database is a valuable business asset is whether consent to process data obtained before the GDPR became applicable is still a valid ground to process data, e.g. for marketing purposes. This note will address this issue as well.

Consent as a legal basis for data processing

The GDPR has introduced new requirements in relation to one of the most used bases for lawfully processing personal data: the data subject’s consent.

It should first be noted that, pursuant to Article 6 of the GDPR, processing of personal data is lawful not only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes but also in the event that processing is necessary:

  • for the performance of a contract to which the data subject is party;
  • for compliance with a legal obligation to which the controller[1] is subject;
  • in order to protect the vital interests of the data subject;
  • for the performance of a task carried out in the public interest;
  • for the purposes of the legitimate interests pursued by the controller.

Before starting any activity that involves processing of personal data, a controller must consider what would be the appropriate lawful ground for the envisaged processing. In general, consent can be an appropriate lawful basis if a data subject is offered the possibility to freely accept or refuse the terms offered.

Consent obtained before GDPR became applicable

According to Recital 171 of the GDPR “where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.

In the light of the above, in the event that a company, prior to 25 May 2018 (the date on which the GDPR became applicable), obtained the consent of certain data subjects as requested by the GDPR, it can continue to lawfully process personal data of those data subjects. Should that not be the case, the company will need to obtain new consent.

If not obtained in full compliance with the GDPR, consent is an invalid basis for processing, rendering the processing activity unlawful. If, for instance, a company collected only one consent for different processing operations (which is quite common, in practice), this would not be in line with the “granularity” requirement (see paragraph below on this topic).

As outlined by the Article 29 Working Party[2], consent given before the GDPR became applicable by an implied form of action is no longer valid, given that the GDPR requires that consent is given through a “statement or a clear affirmative action” by the data subject. Therefore, for example, consent obtained with a pre-ticked opt-in box would not be valid.

In order to be compliant with the GDPR’s standards, operations and IT systems may also need revision. For instance, mechanisms for data subjects to easily withdraw their consent must now always be available. If existing procedures for managing the obtainment and withdrawal of consent do not meet the GDPR’s standards, controllers will need to refresh their procedures.

In any event, obtaining consent does not diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially with regard to fairness, necessity and proportionality, as well as data quality.

Below are the main requirements of consent set forth by the GDPR that companies will need to carefully examine in order to evaluate if existing consents (if any) need to be refreshed.

Consent requirements

Consent must be given by a clear affirmative act establishing a:

  • freely given;
  • specific;
  • informed; and
  • unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.

Where processing is based on consent, the controller must always be able to demonstrate that the data subject has consented to data processing.

Consent should not be considered as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment (withdrawing consent, for instance, must not lead to any costs for the data subject). Consent would not be considered freely given in the event that a certain service requested by the data subject is made conditional, for instance, on the data subject’s consent to receive direct marketing.

It is interesting to note that in certain relationships that cannot be considered perfectly balanced, like the one between the employer and the employee, it is unlikely that the consent requested from the weakest party will be freely given. In this particular case it is advisable to make recourse to other legal bases for the processing (e.g. the performance of the employment contract and compliance with the employer’s legal and fiscal obligations).

For consent to be informed, the data subject should be aware of[3]:

  • the identity of the controller;
  • the purposes of the processing for which the personal data are intended;
  • what type of data will be collected and used;
  • the existence of the right to withdraw consent;
  • information about the use of the data for automated decision-making (if relevant);
  • the possible risks of data transfers outside the EU due to absence of an adequacy decision and of appropriate safeguards.

In addition, consent must meet a further requirement – i.e. it must be explicit – in the event a data controller intends:

  • to process special categories of personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, etc.); or
  • to process personal data for profiling purposes.

The consent, in order to be explicit, must be in written form, including by electronic means, for instance by filling in an electronic form, by sending an email or by using an electronic signature. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject cannot be considered as an indication of choice.

Another specific requirement related to consent introduced by the GDPR is that, in relation to the offer of information society services to children below the age of 16 years, the consent of the holder of parental responsibility over the child must be given. EU Member States may provide by law for a lower age, provided that such lower age is not below 13 years.

In the event that consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented using a clear and plain language (meaning that it should be easily understandable for the average person and not only for lawyers) and in a manner which is:

  • clearly distinguishable from the other matters; and
  • in an intelligible and easily accessible form.

Data subjects have the right to withdraw their consent at any time and the data controller must inform them of that. Withdrawing consent must be as easy as giving consent (e.g. clicking a box online). The withdrawal of consent, in any event, does not affect the lawfulness of processing based on consent before its withdrawal.

It shall be noted that the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively make recourse to the legitimate interest basis in order to justify processing, in case consent is not valid anymore. A data controller must decide before starting data collection what is the applicable lawful basis and must disclose it to the data subject at the time of collection.

Granularity of consent

Recital 43 of the GDPR states that separate consent for different processing operations will be needed wherever appropriate. Mechanisms to collect consent must be granular to satisfy, in particular, two requirements: “free” and “specific”. Granularity of consent means, in short, that it must be clear to the data subjects what they are consenting to: they must have a choice and be in control of what they choose to receive from the data controller. Bundling up consent to various activities into one tick box is not acceptable.

Although the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (recital 47 of the GDPR) – in particular in the presence of a contractual relation between data controller and data subject[4] – in most cases a data controller who intends to process personal data for marketing purposes will need to obtain a specific consent from the data subjects.

A controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.

For instance, specific and separate consent should be requested from data subject for:

  • data controller processing personal data for sending newsletters and commercial communications with the purpose of direct marketing (via email, sms, mms, fax, mail, phone, etc.);
  • data controller processing personal data with the purpose of profiling data subject and sending personalized offers;
  • data controller transferring personal data of the data subject to third parties so that they can send newsletters and commercial communications with the purpose of direct marketing;
  • data controller transferring personal data of the data subject to third parties so that they can profile the data subject and send personalized offers.

Pursuant to Article 21 of the GDPR, where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. In the event that the data subject objects to processing for direct marketing purposes, the data controller must no longer process personal data for such purposes.

Data portability

One of the consequences of basing the processing on consent is – among others – that the data subject acquires the right to data portability set forth by Article 20 of the GDPR, that is to say the right to receive his/her personal data provided to the controller in a structured, commonly used and machine-readable format.

At data subject’s discretion, where technically feasible, the data controller who originally collected personal data would have to transmit the data directly to another controller.

Needless to say, the exercise of this right may significantly impact the business of a company based on the commercial use of its customers’ data.

Milan, 17 July 2018

This note is for information purposes only and it is not to be intended as legal advice. For any further information or to receive advice tailored to your situation, please contact us.

[1]The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

[2]Guidelines on Consent under Regulation 2016/679 adopted on 28 November 2017, page 30. Article 29 Working Party was the advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board (EDPB).

[3]As specified by the Article 29 Working Party – Guidelines on Consent.

[4]For example, a data controller sends e-mail communications to existing clients in order to promote the data controller’s own or similar products or services (see Opinion 15/2011 of Article 29 Working Party on the definition of consent).

Stefania Lucchetti, Pietro Boccaccini

Incentives for Italian start-ups and SMEs and the KWM Italy Startup Hub

KWM Italy team

[Photo: Partner Stefania Lucchetti (centre), associate Pietro Boccaccini (right) and Alessandro Morleo (left)]

KWM Italy Startup Hub

Data l’importanza sempre maggiore che le “start-up innovative” e le “PMI innovative” rivestono all’interno del tessuto economico italiano, King & Wood Mallesons Italy (KWM Italy) ha lanciato un nuovo portfolio di assistenza legale denominato KWM Italy Startup Hub.

Questo servizio legale è diretto a solide “start-up innovative” e “PMI innovative” che stanno avviando le proprie attività o che intendono strutturare meglio attività già avviate al fine di un’ulteriore crescita.

Lo Startup Hub è composto da un team specializzato in diritto commerciale, diritto societario e diritto informatico rappresentato dal partner KWM Italy Stefania Lucchetti, che ha oltre due decenni di esperienza nell’assistere aziende tecnologiche e in particolare start-up, dall’associato KWM Italy Pietro Boccaccini e dal praticante KWM Italy Alessandro Morleo.

“Italy’s Startup Act” – L’avvio di start-up e PMI

L’Italia è all’avanguardia nella regolamentazione delle start-up e delle PMI. E’ stato predisposto un ampio quadro normativo a favore di questo tipo di società, senza imporre restrizioni settoriali o legate all’età, come accade di consueto in altre legislazioni nazionali. I nuovi strumenti e le agevolazioni coprono l’intero ciclo di vita dell’impresa innovativa: dalla sua costituzione alle fasi di crescita, sviluppo e maturità.

Il primo atto legislativo su questo tipo di società è rappresentato dal decreto legge 179/2012 (il cosiddetto “Decreto Crescita 2.0”) che può essere opportunamente definito “Italy’s Startup Act”. Il Decreto ha introdotto nell’ordinamento italiano la definizione di nuova impresa innovativa ad alto valore tecnologico, i.e. la “start-up innovativa”.

La policy sulle “start-up innovative” è stata rafforzata negli ultimi anni da diversi interventi legislativi: provvedimenti quali il decreto legge 76/2013 (il cosiddetto “Decreto sul lavoro”) che amplia il bacino di start-up idonee alle misure agevolate, il decreto legge 3/2015 (il cosiddetto “Investment Compact”) che introduce le “PMI innovative” e la legge di bilancio per il 2017 (legge 232/2016), che introduce incentivi e agevolazioni fiscali per questi tipi di società.

Dalla loro introduzione nell’ordinamento italiano e grazie alla costante attenzione del legislatore con numerose e pervasive azioni regolatorie, “start-up innovative” e “PMI innovative” sono cresciute significativamente e oggi non sono più considerate una nicchia di realtà poiché esprimono oltre 2 miliardi di euro di fatturato totale e offrono circa 50 mila posti di lavoro.

“Start-Up innovativa

Da un punto di vista commerciale, una start-up è l’inizio di una qualsiasi iniziativa imprenditoriale finalizzata allo sviluppo di un nuovo business. Secondo la legge italiana (vale a dire il decreto legge 179/2012), per “start-up innovative” si intendono le società di capitali, comprese le cooperative, le cui azioni o quote rappresentative del capitale sociale non sono quotate su un mercato regolamentato né su un sistema di negoziazione multilaterale. Queste imprese devono inoltre soddisfare requisiti imposti dalla legge, e.g. essere di nuova costituzione o essere operative da meno di 5 anni, avere un fatturato annuo inferiore a 5 milioni di Euro, avere come oggetto sociale esclusivo o prevalente lo sviluppo, la produzione e la commercializzazione di beni o servizi innovativi di alto valore tecnologico, ecc.

Innovative SME

As noted above, Law Decree 3/2015 (the so-called “Investment Compact”) introduced a new type of company, i.e. “innovative SMEs”, and extended to them most of the benefits provided for “innovative start-ups”. “Innovative SMEs” are companies with fewer than 250 employees and an annual turnover not exceeding EUR 43 million; in addition, they must meet other requirements: they must be incorporated as a limited company (including in cooperative form), their shares may not be listed on a regulated market, their latest financial statements must be certified by an auditor or an auditing firm entered in the register of auditors, etc.

“Innovative SMEs” operate in the field of technological innovation, regardless of their date of incorporation, corporate purpose and level of maturity. Attaining “innovative SME” status can be a natural continuation of the growth and consolidation path of an “innovative start-up”.

Benefits provided by “Italy’s Startup Act”

The main benefits granted to “innovative start-ups” and “innovative SMEs” under Italian law are the following:

  • Digital and free-of-charge incorporation: “Innovative start-ups” may choose to draw up their deed of incorporation (and subsequent amendments to it) using a standard model. The document can be signed with a digital signature: i.e. the entire procedure can be carried out online through a dedicated platform and, as a further advantage, its use is free of charge. Note, however, that this procedure remains voluntary: it is always possible to incorporate an S.r.l. by notarial deed and subsequently register it in the special section of the Register;
  • Cost cuts: “Innovative start-ups” and “innovative SMEs” are exempt from the stamp duty due on registration in the special section of the Companies Register. In addition, “innovative start-ups” are exempt from the annual fee normally due to the Chambers of Commerce;
  • Flexible corporate management: “Innovative start-ups” and “innovative SMEs” incorporated as an S.r.l. enjoy certain special features that entail radical changes to the financial structure of the S.r.l. (e.g. creating categories of quotas with specific rights, offering quotas to the public, etc.), making such companies more similar to an S.p.A.;
  • Loss coverage: In the event of losses, whereas ordinary companies must reduce their capital by the following financial year, “innovative SMEs” and “innovative start-ups” may do so two financial years after incurring the losses;
  • Tailor-made employment rules in “innovative start-ups”: In general, “innovative start-ups” are subject to the provisions on fixed-term contracts laid down in the “Jobs Act” (Law Decree 81/2015). Accordingly, “innovative start-ups” may hire staff on fixed-term contracts for a maximum of 36 months. However, by way of derogation from the provisions of the Jobs Act, “innovative start-ups” may hire staff on fixed-term contracts of any duration, even very short, which may be renewed several times. After 36 months, the contract may be renewed only once, for a maximum of 12 months, giving a total duration of 48 months. Once this 4-year period has elapsed, the fixed-term contract is automatically converted into a permanent contract. The salaries due to workers employed in “innovative start-ups” may include a variable component linked to targets and production parameters agreed between the parties (such as the employee’s productivity or the company’s profitability, etc.), including “stock options” and “work-for-equity” schemes (the income deriving from these financial instruments, which may also be used to pay workers in “innovative SMEs”, is deductible for both tax and social security purposes and is subject only to capital gains tax);
  • Tax incentives for investing in “innovative start-ups” (for “innovative SMEs”, these incentives will enter into force once a dedicated interministerial decree has been implemented, in compliance with EU State aid rules): For individuals, this benefit provides an IRPEF tax relief equal to 30% of the amount invested, up to a maximum amount of €1 million; for legal entities, the benefit consists of a deduction from the IRAP taxable base equal to 30% of the amount invested, up to a maximum of €1.8 million. These incentives apply both to direct investments in “innovative start-ups” and to indirect investments through other companies, such as collective investment undertakings (OICR), that invest predominantly in “innovative start-ups”. These measures are conditional on the stake in the “innovative start-up” being held for a minimum of 3 years;
  • Equity crowdfunding: “Innovative start-ups”, “innovative SMEs”, and also collective investment undertakings (OICR) and other companies that invest predominantly in “innovative start-ups” and “innovative SMEs”, may raise capital through online portals. In addition, the 2017 Budget Law started the process of extending the applicability of this instrument to all Italian SMEs;
  • Direct, simplified and free access for “innovative start-ups” and “innovative SMEs” to the Guarantee Fund for Small and Medium-sized Enterprises: A State fund that facilitates access to credit through guarantees on bank loans. The guarantee covers up to 80% of the bank loans granted to “innovative start-ups” and “innovative SMEs”, up to a maximum of EUR 2.5 million, and is provided through a simplified procedure;
  • Fail Fast: “Innovative start-ups” are exempt from the standard procedures of bankruptcy, composition with creditors (concordato preventivo) and compulsory administrative liquidation in the event of an over-indebtedness crisis. As a result, judicial liquidation times are reduced, and the administrative burden and social stigma are drastically lessened;
  • Conversion into “innovative SMEs”: Successful “innovative start-ups” that have become “mature” companies with considerable experience and production value, and whose activities are still characterised by a significant component of technological innovation, may move to “innovative SME” status. In addition, the Investment Compact extended many of the benefits granted to “innovative start-ups” to a wider range of companies characterised by a marked propensity for innovation.

It should be noted that, whereas for “innovative start-ups” the legislator has limited the benefits to a maximum of 5 years from the company’s date of incorporation, for “innovative SMEs”, provided the legal requirements are met, the support instruments are not subject to a time limit.

Further benefits

In addition to the instruments forming part of the original regulatory package (“Decreto Crescita 2.0”), the Ministry of Economic Development has committed to further measures to support the innovation ecosystem. Among these initiatives, the following deserve mention: Smart&Start Italia (a subsidised financing scheme for “innovative start-ups” based in Italy), Italia Startup Visa (a new fast-track procedure for issuing self-employment visas to non-EU citizens who intend to set up an “innovative start-up” in Italy) and Italia Startup Hub (a fast-track procedure that extends the Italia Startup Visa programme to non-EU citizens already holding a valid residence permit who intend to stay in Italy beyond its expiry date in order to launch an “innovative start-up”).

Finally, two important measures applicable to all Italian companies are of particular interest to “innovative start-ups” and “innovative SMEs”:

  • Tax credit for Research and Development: From the 2017 tax period until 2020, the credit is equal to 50% of the annual incremental costs for R&D activities, covering both intra muros and extra muros expenditure. The tax credit is granted up to an annual maximum of €20 million for each tax period. The baseline for the measure is calculated against the average of the costs incurred in the 3 tax periods preceding the one in progress at 31 December 2016, provided that in each of those tax periods R&D costs were equal to or greater than €30,000;
  • Patent Box: This consists of tax relief on income deriving from the use of intellectual property. The Patent Box gives companies an option to exclude from taxation 50% of the income deriving from the commercial exploitation of intangible assets (works of authorship, patents, business trademarks, commercial trademarks).


Since the introduction of “innovative start-ups” and “innovative SMEs” into the Italian legal landscape, well ahead of other European countries, these businesses have proved to be a strategic lever for the development of the country’s economy.

Indeed, the high rate of innovation embedded in the DNA of these new corporate forms can play a fundamental role in relaunching growth and employment, especially youth employment, in Italy.

KWM Italy therefore wishes to make its own contribution to this exciting sector, with the aim of helping start-ups and SMEs to develop effectively, or better structure, their ideas and their business.


Artificial Intelligence and Legal Personality

[“In a scenario where an algorithm can take autonomous decision, then who should be responsible for these decisions?” Milan-based corporate lawyer Stefania Lucchetti said]. My interview in Politico’s article on the introduction of a concept of legal personality for artificial intelligence. This conversation has come of age, and while we do not yet have all the answers, it is very important to start asking the right questions.

Read the article at:

Data Protection as a Corporate Governance Issue



Today we held a round table and seminar at our King & Wood Mallesons office dedicated to data protection, during which we discussed the implications of the GDPR from a practical point of view, from both the legal side and the technical side. Aside from the obvious duty to be compliant, my view is that an appropriate data protection structure and responsibility line is not just an IT issue or a legal issue but a corporate governance issue, as it entails serious risk management considerations from both a financial perspective and a reputational perspective. Each company therefore needs to deploy sufficient investments to ensure adequate compliance.

Boards need to make an essential philosophical switch in accepting that this is a key enterprise risk which needs to be addressed at a board level with adequate resources.

Lack of proper action can entail heavy sanctions for the company in accordance with the GDPR, with ensuing board responsibilities towards the company (for example, in Italy, under Art. 2392 of the Italian Civil Code for lack of appropriate action to protect the company).