Information on the processing of personal data
Pursuant to European Regulation 2016/679 of the European Parliament and of the Council of 27th April 2016
on the protection of natural persons with regard to the processing of personal data (in short “GDPR”)
In any case, the logical and physical security of the data and, in general, the confidentiality of the personal data processed will be ensured by taking all the necessary suitable technical and organisational measures to ensure their security.
This Information Statement:
- is understood to be provided for the websites https://www.photosi.com and https://www.albumepoca.com (hereinafter the “Website”);
- is understood to be provided for the mobile Application called “PhotoSì” (hereinafter the “App”)
- constitutes an integral part of the Website, the App and services provided by PhotoSì;
- is provided pursuant to art. 13 of the Regulation, to those who interact with the web services of the Website, the App and the Data Controller, both simply during browsing and during the use of specific services made available by means of the Website and the App.
- A) Data Controller’s identity and contact details
Registered office in via Carpegna 22,
Riccione (47838 - RN)
Tax code and VAT number 03550860401
Tel 0541/609903 – email@example.com
- B) What data we collect and how
- Data provided voluntarily by the data subject
During the use of the Website and the App, we may ask you to provide us with certain personal data or personal information which can be used to identify you, for example by email or online form, the assistance function incorporated in the App and our Services, or by means of another form of request.
Such information may include your name, surname, address, email and telephone number.
Specific summary information may be progressively made available on pages of the Website or the App, prepared for particular services upon request.
- C) Purposes of personal data processing and legal basis
Your personal data will be processed:
(i) without your mandatory consent for the following purposes:
- guarantee the complete and correct functioning of the Website and App, manage different services linked to the Website and the App (for example registration, language, login or access to reserved functions, selected products), use of Website and App functionalities, PhotoSì account registration, the management of PhotoSì services, the management of orders, purchases, sales and deliveries of products and relative monitoring, customer service management, the management of payments, the management of returns and repairs, the management of contacts with the customer, the management of vouchers and discounts;
- administrative-accounting management and related obligations (issuance of receipts, invoices, preparation of payments);
- collect and analyse traffic, Website and App use in anonymous form, generate internal statistics, economic analysis and management of the company, analysis of software use and feedback on products and services, general promotional offers and, with reference to contact details provided for contractual purposes, the sending of advertisements for similar products, with the right to cancel immediately upon request.
The above processing modes comply respectively with the following legal bases:
- fulfilment of a contract or pre-contractual measures, meeting a request by the interested party –condition of lawfulness of Article 6, letter b) GDPR;
- legal obligation to which the Data Controller is subject – condition of lawfulness Article 6, letter c) GDPR – or for the assessment, the exercise or the defence of a right in judicial proceedings;
- the pursuit of the Data Controller's legitimate interest – condition of lawfulness article 6, letter f) of the GDPR – regarding the full and correct functioning of the App and the pursuit of company policies, direct marketing or customer loyalty building, the improvement of company operation and market surveys, the improvement of services provided to own customers.
The provision of the data for the purposes referred to in the previous section (i), is mandatory and the lack of data and/or any express refusal to process the data will make it impossible for the Data Controller to implement the contract or the pre-contractual measures, and it will make it impossible for the interested party to fulfil the obligation, which might even result in the penalties provided for by the legal system.
(ii) with your prior consent (Article 7, GDPR) for the following purposes:
- various types of marketing activities, including the promotion of products and services, the sending of promo codes, the distribution of posters, invitations, information and promotional material, the sending of newsletters and commercial notifications by email, sms, push notifications;
- profiling activities of various kinds, including behavioural analysis for promotional purposes, the creation of lists for promotional purposes, commercial communication, and the sending of newsletters, emails, sms, push notifications, the creation of profiles for the provision of services and adverts that are targeted to and personalised for the customer’s requirements.
The conveyance of data for purposes stated in the previous section (ii) is optional, meaning that you may decide not to grant your consent, or withdraw it at any time, without any consequences on Website and App functionality or PhotoSì services.
- D) Categories of recipients of personal data
For the purposes referred to in the previous paragraph, the personal data you have provided may be transferred or made accessible to:
- employees and collaborators of the Data Controller, in their capacity as authorised data processing staff (or the so called “individuals in charge of processing”);
- third parties who carry out outsourcing activities on behalf of the Data Controller, in their capacity as Data Processors, including:
- providers for the development of the Application and its instruments (e.g. SDK OneSignal, SDK Social Networks), third party cookie managers, contractual partners of PhotoSì, who process data provided by users, service providers for the management of the computerised system and telecommunications networks and the company tasked with managing e-commerce, service providers for the management of hard copy and/or computerised documentation storage, service providers for the management of customer services, also through websites, (e.g. call centres, help desks, etc.), service providers for the management of commercial communication;
- freelancers, offices or companies in the field of assistance and consultancy relationships, also for the control of the company organisational management;
- banks and credit and insurance institutions to carry out economic activities (payments/collections), and insurance activities;
- persons who carry out checks, audits and the certification of the activities carried out by PhotoSì S.p.a., also in the interest of customers;
- judicial or supervisory authorities, administrations, public bodies and authorities (both national and foreign ones).
The complete updated list of the Data Processors is available upon written request to the address firstname.lastname@example.org.
- E) Storage and transfer of personal data abroad
The management and storage of personal data occur on Cloud and on servers located inside and outside the European Union owned by and/or available for the Data Controller and/or third-party companies in charge of that, duly appointed as Data Processors.
The transfer of data abroad to non-EU countries occurs exclusively in the context of the management of information systems for requirements strictly related to the performance of business activities and, in any case, in compliance with the provisions contained in Chapter V, GDPR.
Your personal data will not be disclosed.
- F) Storage period for personal data
Personal data collected for the purposes indicated in the previous paragraph (C), section (i) will be processed and stored for the entire duration of any contractual relationship established.
From the date of termination of this relationship, for any reason or cause, the data will be stored for the duration of the limitation period applicable ex lege, that is 10 years.
While pictures and photographs are processed for the period of time necessary for their processing and stored for the period of 1 month, after which they are automatically deleted and destroyed.
The personal data collected for the purposes indicated in the previous paragraph (C), section (ii) will be processed and stored for the time necessary to fulfil such purposes and, in any case, for a period of no more than 24 months for marketing and no more than 12 months for profiling from the date in which we will receive your consent.
After this storage period, the data will be destroyed or anonymised.
In compliance with the provisions of Chapter III, Section I, GDPR, you may exercise the rights indicated therein, and more specifically:
- Right of access - To obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the following information: the purposes of the processing, the categories of personal data concerned and the storage period, the recipients to whom these can be disclosed (Article 15, GDPR).
- Right to rectification - To obtain, without undue delay, the rectification of inaccurate personal data concerning you and have incomplete personal data completed (Article 16, GDPR).
- Right to erasure - To obtain, without undue delay, the erasure of the personal data concerning you, in the cases provided for by the GDPR (Article 17, GDPR).
- Right to restriction of processing - To obtain restriction of processing in the cases provided for by the GDPR (Article 18, GDPR).
- Right to data portability - To receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance, in the cases provided for by the GDPR (Article 20, GDPR).
- Right to object - To object to processing of personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing (Article 21, GDPR)
- Right to lodge a complaint with a supervisory authority - To lodge a complaint with the Authority for the protection of personal data, Piazza Venezia n. 11, Rome - https://www.garanteprivacy.it/.
You may exercise these rights by simply sending a request per e-mail to the Data Controller’s address email@example.com.