(Article 13 of EU Regulation 679/2016)
This notice describing the processing of your personal data is provided pursuant to Article 13 of EU Regulation 679/2016 (hereinafter “GDPR”) and the applicable national legislation on privacy and protection of personal data.
Contract holder
Identity and contact details of the data controller
YOUNG PLATFORM S.p.A. with registered office in Turin (TO), Via Cigna 96/17 (tax code and VAT no. 11931440017), in the person of the legal representative pro tempore Carozzi Mariano Giovanni (tax code CRZMNG62M21F205N), email address firstname.lastname@example.org, as data controller of personal data (hereinafter “Young Platform” or also the “Data Controller”).
In the event that the Data Controller makes use of data processors or sub-processors pursuant to Article 28 of the GDPR, the updated list of data processors and persons in charge of processing is kept at the Data Controller’s registered office.
Data Protection Officer
Pursuant to Article 37 of the GDPR, the Data Controller has appointed the lawyer Angelo Giunta as Data Protection Officer (hereinafter abbreviated to “DPO”), domiciled at the registered office of Young Platform and contactable at the email address email@example.com.
Types of personal data processed
The types of personal data we collect depend on the purpose for which it is collected.
In general, we may collect the following types of personal data directly from you:
- Through the Young Platform Step App:
  - common personal data (such as, but not limited to: first name, surname, date and place of birth, residential address, email address, telephone number);
  - geolocation data;
  - usage, browsing, functional, session, statistical and profiling data, including the device identifier;
- Through the website and the Young Platform App:
  - common personal data (such as, but not limited to: first name, surname, date and place of birth, residential address, tax code, email address, telephone number, social security or welfare position code, bank details);
  - financial and transactional information (e.g. information on transactions you have made, etc.);
  - geolocation data (e.g. information on the device used);
  - bank and tax identification data;
  - personal data provided through communications or attachments to communications;
  - usage, navigation, functional, session, statistical and profiling data, including the user’s device identifier or IP address, the time when the user visits the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters relating to the user’s operating system and IT environment.
hereinafter “Personal Data”.
Why we process your personal data, and on what legal basis
The processing of your Personal Data by the Data Controller takes place:

1) Without your express consent (Article 6 (b) – (f) GDPR), for the following purposes:
   - to activate and manage the user profile in the Young Platform Step and Young Platform Apps and on the platform at https://youngplatform.com/;
   - to fulfil pre-contractual, contractual and tax obligations arising from relationships to which the data subject is a party (by way of example, to provide services reserved for registered users);
   - to fulfil the obligations established by law, by a regulation, by Community legislation or by an order of the Authority;
   - to pursue a legitimate interest of the Data Controller or third parties, provided that there are no prevailing interests or fundamental rights and freedoms of the data subject that require the protection of Personal Data (e.g. the Data Controller’s right of defence in court);
2) Only after specific and separate consent (Article 6 (a) and Article 7 of the GDPR), for the following marketing purposes:
   - to send by email, post and/or SMS push notifications and/or telephone contact, newsletters, commercial communications and/or advertising material on the services offered by the Data Controller and surveys of the degree of satisfaction with the service quality.
3) Only with your specific and separate consent (Article 6 (a) and Article 7 of the GDPR), for the following profiling purposes:
   - to send advertising communications, offers and promotions, by email, post and/or SMS and/or telephone contact, which are consistent with the data subject’s profile.
Profiling will allow the Data Controller to customise the offer of products and services offered to Users. To this end, the Data Controller will evaluate the type and number of requests for information submitted, including through the Site, purchases of goods or services made from the Data Controller, personal and contact information (e.g. place of residence), as well as additional information that Customers provide about themselves (e.g. age and profession).
If you refuse your consent, it will not be possible to carry out the aforementioned activities under 2) and 3). If you express your consent to the processing activities under 2) and 3), you will, in any case, have the right to revoke your consent at any time.
How long we keep and process your personal data
Your Personal Data will be processed by the Data Controller for the period of time necessary to achieve the purposes of the processing referred to in Article 4 above. After this, it will be stored only to execute the legal obligations in force on the matter, for administrative purposes and/or to assert or defend the Data Controller’s rights, and in any case no longer than the limitation periods of rights established by law.
The Personal Data for the purposes referred to in 2) and 3) of Article 4 above will be processed by the Data Controller for a maximum of 24 months and a maximum of 12 months respectively.
How we process your personal data
The Personal Data undergoes paper and electronic and/or automated processing for the time necessary to achieve the purposes for which it is collected by the Data Controller or by persons duly authorised and/or appointed to carry out these tasks. Such persons are constantly identified and/or appointed, suitably instructed and made aware of the constraints imposed by law. Security measures are used to guarantee the protection of confidentiality and to avoid the risks of loss or destruction, unauthorised access, processing that is not permitted or does not comply with the aforementioned purposes.
Who we may disclose your personal data to
For the purposes indicated above, your collected data may be made accessible or disclosed to:
- employees and collaborators of the Data Controller, in their capacity as authorised data processors, within the scope of their respective duties and in accordance with the instructions received. Said individuals are, in any case, subject to the obligations of secrecy and confidentiality;
- third parties who carry out outsourced activities on behalf of the Data Controller and whose activity is connected, instrumental or supportive to that of the Data Controller (e.g. management software);
- all public and/or private entities, natural and/or legal persons (such as, by way of example, legal, administrative and tax consultancy firms, funds or banks, including private pension and welfare funds, judicial offices, chambers of commerce), if the communication is necessary or functional to correctly fulfil the contractual obligations assumed, as well as the obligations deriving from law;
- all entities (including public authorities) which may access the Personal Data by virtue of regulatory and administrative provisions;
In any case, your collected personal data will not be disseminated.
Third Parties Outside the EU
Transfer of personal data outside the EU Area
The management and storage of your Personal Data will take place in Europe. In any case, it is understood that the Data Controller, if necessary, is entitled to have your Personal Data processed outside the EU Area (EEA). In this case, the Data Controller guarantees as of now that the transfer of the data outside the European Union shall take place in accordance with the applicable legal provisions by stipulating, if necessary, agreements which guarantee an adequate level of protection and/or by adopting the standard contractual clauses provided by the European Commission.
Pursuant to Articles 15 et seq. of the GDPR and applicable national legislation on privacy and protection of personal data, you have the right to:
1) Obtain confirmation from the Data Controller as to whether or not personal data concerning you is being processed and, if so, to obtain access to the personal data and the following information:
   - the purposes of the processing;
   - the categories of personal data concerned;
   - the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
   - where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
   - where the personal data is not collected from the data subject, any available information as to its source;
   - the existence of an automated decision-making process, including profiling.
2) Obtain the rectification of inaccurate personal data concerning you from the Data Controller without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data supplemented, including by providing an additional declaration.
3) Obtain the erasure of personal data concerning you from the Data Controller without undue delay; the Data Controller is obliged to erase personal data without undue delay within the limits and in the cases provided for by current legislation.
4) Obtain the restriction of processing from the Data Controller.
5) Receive the personal data concerning you and provided to the Data Controller in a structured, commonly used and machine-readable format; you also have the right to data portability and therefore to transmit such data to another data controller without hindrance by the Data Controller to which you provided it, if the processing is based on consent or on a contract and the processing is carried out by automated means.
6) Object at any time, for reasons related to your particular situation, to the processing of personal data concerning you if the processing is necessary to perform a task in the public interest, or related to the exercise of public powers vested in the Data Controller, or the processing is necessary to pursue the legitimate interest of the Data Controller or third parties.
7) If you believe that your rights have been violated by the Data Controller, lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) and/or another competent supervisory authority under the GDPR.
Following the exercise of the rights referred to in points 2), 3) and 4), the Data Controller shall notify each recipient to whom the personal data has been transmitted of any rectification, erasure or restriction of processing within the limits and in the forms provided for by current legislation.
To exercise the rights listed above towards the Data Controller, you must submit a written request by sending a registered letter with acknowledgement of receipt to YOUNG PLATFORM S.p.A. Via Cigna 96/17, 10155, Turin or by emailing firstname.lastname@example.org
This notice may be modified and/or updated at any time. If the Data Controller intends to process your Personal Data for purposes other than those provided for in Article 4 above, it undertakes to provide you, before such further processing, with adequate information about these different purposes and to carry out such further processing in compliance with current legislation, obtaining your specific consent where necessary.