(Article 13 of EU Regulation No. 679/2016)
This disclosure describing the processing of your personal data is provided pursuant to Article 13 of EU Regulation 679/2016 (hereinafter “GDPR”) and the applicable national legislation on privacy and protection of personal data.
Identity and contact details of the data controller
YOUNG PLATFORM S.p.A. with registered office in Turin (TO), Via Cigna 96/17 (Tax Code and VAT no. 11931440017), in the person of the legal representative pro tempore Mariano Giovanni Carozzi (Tax Code CRZMNG62M21F205N), email address [email protected], as data controller of personal data (hereinafter “Young Platform” or also the “Data Controller”).
In the event that the Data Controller makes use of data processors or sub-processors pursuant to Article 28 of the GDPR, the updated list of data processors and persons in charge of processing is kept at the Data Controller’s registered office.
Data Protection Officer
Pursuant to Article 37 of the GDPR, the Data Controller has appointed the lawyer Angelo Giunta as Data Protection Officer (hereinafter abbreviated to “DPO”), domiciled at Young Platform’s registered office and contactable at the email address [email protected].
Types of personal data we process
The types of personal data we collect depend on the purpose for which it is collected.
In general, we may collect the following types of personal data directly from you:
- Through the Young Platform Step App:
a) common personal data (such as, but not limited to: first name, surname, date and place of birth, residential address, email address, telephone number);
b) geolocation data;
c) usage, browsing, functional, session, statistical and profiling data, including the device identifier;
d) images and photographs you upload to your personal profile.
- through the website and the Young Platform App:
a) common personal data (such as, but not limited to: first name, surname, date and place of birth, residential address, tax code, email address, telephone number, social security or welfare position code, bank details);
b) financial and transactional information (e.g. information on transactions you have made, etc.);
c) geolocation data (e.g. information on the device used);
d) bank and tax identification data;
e) personal data provided through communications or attachments to communications;
f) usage, navigation, functional, session, statistical and profiling data, including the user’s device identifier or IP address, the time when the user visits the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.), and other parameters relating to the user’s operating system and IT environment.
g) images and photographs you upload to your personal profile.
hereinafter referred to as “Personal Data”.
Why we process your personal data, and on what legal basis
The Data Controller processes your Personal Data:
A) Without your express consent (Article 6 (b) – (f) GDPR), for the following purposes:
- to activate and manage the user profile in the Young Platform Step and Young Platform Apps and on the platform at https://youngplatform.com/;
- to fulfil pre-contractual, contractual and tax obligations arising from relationships to which the data subject is a party (by way of example, to provide services reserved for registered users);
- to fulfil the obligations established by law, a regulation, Community legislation or an order issued by the Authority;
- to pursue a legitimate interest of the Data Controller or third parties, provided that there are no prevailing interests or fundamental rights and freedoms of the data subject that require the protection of Personal Data (e.g. the Data Controller’s right of defence in court);
B) Only after specific and separate consent (Article 6 (a) and Article 7 of the GDPR), for the following marketing purposes:
- to send by email, post and/or SMS push notifications and/or telephone contact, newsletters, commercial communications and/or advertising material on the services offered by the Data Controller and service quality satisfaction surveys.
C) Only after your specific and separate consent (Article 6 (a) and Article 7 of the GDPR), for the following profiling purposes:
- to send advertising communications, offers and promotions, by email, post and/or SMS and/or telephone contact, which are consistent with the data subject’s profile.
Profiling will enable the Data Controller to customise products and services offered to Users. To this end, the Data Controller will evaluate the type and number of requests for information submitted, including requests via the Website, purchases of goods or services from the Data Controller, personal and contact information (e.g. place of residence), as well as additional information that Customers provide about themselves (e.g. age and profession).
If you refuse your consent, it will not be possible to carry out the aforementioned activities under B) and C). If you express your consent to the processing activities under B) and C), you will in any case have the right to revoke your consent at any time.
How long we keep and process your personal data
Your Personal Data will be processed by the Data Controller for the period of time necessary to achieve the purposes of the processing referred to in Article 4 above. After this, it will be stored only to undertake the applicable legal obligations in force, for administrative purposes and/or to assert or defend the Data Controller’s rights, and in any case for no longer than the limitation periods of rights established by law.
The Personal Data for the purposes referred to in B) and C) of Article 4 above will be processed by the Data Controller for a maximum of 24 months and a maximum of 12 months respectively.
How we process your personal data
The Personal Data undergoes paper and electronic and/or automated processing for the time necessary to achieve the purposes for which it is collected by the Data Controller or by persons duly authorised and/or appointed to carry out these tasks. Such persons are constantly identified and/or appointed, suitably instructed and made aware of the constraints imposed by law. Security measures are implemented to ensure the protection of confidentiality and to avoid the risks of data loss or destruction, unauthorised access, processing that is not permitted or does not comply with the aforementioned purposes.
Subjects to whom we may disclose your personal data
For the purposes indicated above, your collected data may be made accessible or disclosed to:
– employees and collaborators of the Data Controller, in their capacity as personnel authorised for processing, within the scope of their respective duties and in accordance with the instructions received. Said individuals are, in any case, subject to the obligations of secrecy and confidentiality;
– third parties who carry out outsourced activities on behalf of the Data Controller and whose activity is connected, instrumental or supportive to that of the Data Controller (e.g. management software);
– all public and/or private entities, natural and/or legal persons (such as, by way of example, legal, administrative and tax consultancy firms, funds or banks, including private pension and welfare funds, judicial offices, chambers of commerce), if the disclosure is necessary for or functional to the fulfilment of contractual obligations and statutory obligations;
– all entities (including public authorities) which may access the Personal Data by virtue of regulatory and administrative provisions;
In any case, your collected personal data will not be disseminated.
Transfer of personal data outside the EU
The management and storage of your Personal Data will take place in Europe.
The Data Controller may transfer Personal Data to third parties such as autonomous Data Controllers or to external Data Processors in order to allow the performance of the activities listed in this policy.
In the event that such transfer takes place to countries that do not provide the same level of protection as provided by the GDPR or applicable law, or in any event an adequate level of protection for Personal Data, Young Platform will ensure that each such recipient undertakes specific contractual obligations in accordance with the applicable data protection regulations (including the signing of the Standard Contractual Clauses “SCC” approved by the European Commission) or in the absence of an adequacy decision pursuant to Article 45(3) GDPR, or adequate safeguards pursuant to Article 46 GDPR, including Binding Corporate Rules, Young Platform requests you, pursuant to Art. 49 GDPR, the possibility to transfer personal data to a Third Country subject to your specific consent.
In any case, you may request further information regarding the transfer of your Personal Data, including the receipt of a table containing a detailed list of external data processors, with a description of their activities and the location of their servers, by writing to the e-mail address [email protected].
Pursuant to Articles 15 et seq. of the GDPR and applicable national legislation on privacy and protection of personal data, you have the right to:
- Obtain confirmation from the Data Controller as to whether or not personal data concerning you is being processed and, if so, to obtain access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
- where the personal data is not collected from the data subject, any available information as to its source;
- the existence of an automated decision-making process, including profiling.
- Obtain the rectification of inaccurate personal data concerning you from the Data Controller without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data supplemented, including by providing an additional declaration.
- Obtain the erasure of personal data concerning you from the Data Controller without undue delay; the Data Controller is obliged to erase personal data without undue delay within the limits and in the cases provided for by current legislation.
- Obtain the restriction of processing from the Data Controller.
Receive the personal data concerning you and provided to the Data Controller in a structured, commonly used and machine-readable format; you also have the right to data portability and therefore to transmit such data to another data controller without hindrance by the Data Controller to which you provided it, if the processing is based on consent or on a contract and the processing is carried out by automated means.
- Object at any time, for reasons related to your particular situation, to the processing of personal data concerning you if the processing is necessary to perform a task in the public interest, or related to the exercise of public powers vested in the Data Controller, or the processing is necessary to pursue the legitimate interest of the Data Controller or third parties.
- If you believe that your rights have been violated by the Data Controller, lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) and/or another competent supervisory authority under the GDPR.
Following the exercise of the rights referred to in points 2), 3) and 4), the Data Controller shall notify each recipient to whom the personal data has been transmitted of any rectification, erasure or restriction of processing within the limits and in the forms provided for by current legislation.
To exercise the rights listed above towards the Data Controller, you must submit a written request by sending a registered letter with acknowledgement of receipt to YOUNG PLATFORM S.p.A. Via Cigna 96/17, 10155, Turin or by emailing [email protected]
This notice may be modified and/or updated at any time. If the Data Controller intends to process your Personal Data for purposes other than those provided for in Article 4 above, it undertakes to provide you, before such further processing, with adequate information about these different purposes and to carry out such further processing in compliance with current legislation, obtaining your specific consent where necessary.