Francesco Gelmetti is a data protection and cybersecurity lawyer based in our Milan office.  He joined our practice in 2024. Prior to joining Norton Rose Fulbright, he worked in an Italian firm.  He also worked as the Group Data Protection Officer of a global energy company.

As regards data protection matters, Francesco has experience in the following areas:

• structuring and implementation of Italian ad multijurisdictional GDPR compliance projects;
• preparing data protection impact assessments (DPIAs) for complex data protection projects (e.g., video surveillance systems at work, KYC and sanction laws screenings, whistleblowing platforms, Microsoft 365 services);
• advising on intercompany transfer of personal data and transfer impact assessments (TIAs) to foreign countries such as the United States, United Kingdom, and Singapore;
• advising in connection with investigations carried out by Italian data protection authorities;
• advising on notifications to data protection authorities and individuals in case of personal data breaches;
• advising and supervising day-to-day ordinary data protection compliance matters, including, for example: employment context issues, agreements with data processors, controllers, and joint-controllers, marketing activities, customer relationship management, websites and e-commerce.

As regards cybersecurity matters, Francesco has experience in the following areas:

• advising the board of directors and members of the compliance committee on the management of IT incidents and cyberattacks;
• coordinating the legal framework and response team in the set-up of a security operation centre (SOC);
• implementing IT and security programmes and procedures (e.g., data retention procedure, guidelines on the use of IT instruments by the employees, security policy), also under ISO 27001, NIS Directive, Dora Regulation cybersecurity standards.