CANOSSA APP Privacy Policy

Subject: information about the processing of your personal data pursuant to art. 13 Reg EU 2016/679

Pursuant to and in accordance with Legislative Decree D.Lgs No. 196 of 30 June 2003 Personal Data Protection Code (hereinafter “Code”) and Regulation EU 2016/679 on Data protection, we hereby inform you that your personal data will be processed by the Controller indicated below.

For the sake of clarity, we hereby provide the following definitions:

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal data: any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

ACCEPTANCE OF THIS PRIVACY POLICY

Please read this privacy policy carefully. When you download our APP and expressly consent where necessary, you agree to be bound by this privacy policy.

1. IDENTITY AND CONTACT DETAILS OF THE JOINT CONTROLLERS (for the sake of brevity hereinafter also called “Controller”) and the DATA PROTECTION OFFICER – DPO

CONTROLLER

CANOSSA EVENTS SRL – Via Filippo Turati 28 – Loc. Roncolo 42020 Quattro Castella (RE)

Tel. + 39 (0)522 421096 – e-mail: info@canossa.com

JOINT CONTROLLER

CANOSSA LIFESTYLE SRL – Via Filippo Turati 28 – Loc. Roncolo 42020 Quattro Castella (RE)

Tel. + 39 (0)522 421096 – e-mail: info@canossa.com

CANOSSA RACING SRL – Via Filippo Turati 28 – Loc. Roncolo 42020 Quattro Castella (RE)

Tel. + 39 (0)522 421096 – e-mail: info@canossa.com

DPO FOR CANOSSA EVENTS SRL

Contact details: e-Mail dpo@ambientelavorosalute.com

As Joint Controllers, such joint controllership being based on the sharing of data and the purposes of the processing in accordance with the provisions of art. 13 of Regulation EU 679/2016, Gruppo Canossa hereby informs you that your personal data may be used by each of the joint controllers, compliant with the provisions of the Regulation and in relation to the respective main purposes, in the manner indicated below as regards the company whose name appears at the top of this privacy policy statement.

DATA SUBJECTS: Those who register in the CANOSSA APP.

2. SUBJECT MATTER, PURPOSE AND LEGAL BASIS FOR PROCESSING
   1. Purpose and Subject matter: Registration in the APP and provision of services

Data provision modalities: Compilation of app registration form

Type of data collected: personal data acquired from the app concerning: first name, last name, e-mail, mobile phone, sex, address, city, Postal Code, place and date of birth. Data of a technical kind acquired through App operation (particularly information about the device used) are also collected. The data will be used for undertaking all the activities connected or related to the provision of the services offered via App.

Legal basis of processing (lawfulness) This processing falls within the lawful processing activities pursuant to art. 6 sub-section 1 point B of EU Regulation 2016/679 on Data Protection

Category of entities who/that may become acquainted with your personal data – Recipients -:

Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations or for carrying out activities that are ancillary to the aforementioned purposes, to:

• the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific processing activities;
• to third-party organizations or to other entities which perform out-sourced activities on behalf of the Controller, in their capacity as external Processors, specifically appointed and authorized to carry out specific processing activities.

The agreements signed with these latter parties are aimed at allowing only essential processing activities to be performed and ensuring the confidentiality, security and integrity of the data.

Categories of External Processors who/that may be appointed:

• Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller in order to achieve the stated purposes.
• Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the stated purposes.

Personal Data may also be transferred to Independent Controllers, such as public Monitoring or Surveillance Authorities.

Refusal of data processing: refusal to provide personal data or outright objection to having them processed, particularly regarding mandatory data (marked with an asterisk * near to the registration field) – right to which the data subject is entitled, makes it impossible to register in the APP.

You may object to having your data processed by means of the contact details in point 1

You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.

1. Purpose and Subject matter: Soft marketing. The data processing will include the e-mail contact details you have provided for soft marketing activities, such as promotion advertising of similar services to those in which you expressed interest by using our specific product / service, this solely and exclusively in the mutual and legitimate interest of both parties. The activity will be actualized by maintaining relatively infrequent e-mail contact.

Data provision modalities: paper form, orally, e-mail, telephone, web

Categories of data processed and legal basis: Data records and e-mail address. This processing falls within the lawful processing activities established by art. 130 sub-section 4 of Legislative Decree 30 June 2003, No. 196 “Personal data protection Code”, integrated by the amendments made by Legislative Decree 10 August 2018, No. 101. Please note that “should the Data Controller use, for the purpose of direct sale of its products or services, the e-mail contact details provided by the data subject…, it may dispense with requesting the consent of the data subject him/herself.”

Category of entities who/that may become acquainted with your personal data – Recipients –

Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations or for carrying out activities that are ancillary to the aforementioned purposes, to:

• the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific processing activities;

Categories of External Processors who/that may be appointed:

• Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller in order to achieve the stated purposes.
• Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the stated purposes.
• Parties who/that provide, on behalf of the Controller, business and marketing services in accordance with the limits and obligations expressed in the previous paragraphs.

The agreements signed with these parties are aimed at allowing only essential processing activities to be performed and ensuring the confidentiality, security and integrity of the data for each specific processing activity.

Personal Data may also be transferred to Independent Controllers, such as Public Monitoring or Surveillance Authorities.

Refusal of data processing: The data subject may object at any time to the processing in question via communication to the e-mail address of the Controller indicated in paragraph 1 or as indicated in each e-mail communication (OPT-out). The right of the data subject to withdraw his/her consent to the data processing does not affect the lawfulness of the processing prior to such withdrawal.

You may object to having your data processed by means of the contact details in point 1. You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.

1. Purpose and Subject matter: Publication of photos and video footage via the press (apps) of images / video recordings of the data subject.

Data provision modalities: taking of photographs /audio visual recording

Categories of data processed and legal basis Image data item and/or vocal recording. This processing falls within the lawful processing activities established by art. 6 sub-section 1 point A of EU Regulation 2016/679 on Data Protection.

The data subject must give his/her CONSENT to having his/her personal data processed for the specific purpose.

Category of entities who/that may become acquainted with your personal data – Recipients –

Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations or for carrying out activities that are ancillary to the aforementioned purposes, to:

• the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific processing activities;

Categories of External Processors who/that may be appointed:

• Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller in order to achieve the stated purposes.
• Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the stated purposes.

The agreements signed with these latter parties are aimed at allowing only essential processing activities to be performed and ensuring the confidentiality, security and integrity of the data for each specific processing activity.

Personal Data may also be transferred to Independent Controllers, such as Public Monitoring or Surveillance Authorities.

Refusal of data processing: Refusal to provide personal data or outright objection to having them processed, right to which the data subject is entitled, will not compromise the relations with our organization.

You may object to having your data processed by means of the contact details in point 1

You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.

3. DURATION OF THE PERSONAL DATA PROCESSING

Wherever not better specified in the previous pages, the data are kept for 10 years after discontinuance of the relations or, in the event of regulatory amendments or changes in case law, for as long as their storage is required to assert a right of both parties.

Regular controls are performed to verify the obsolescence of stored data.

4. TOOLS AND LOGIC APPLIED TO THE PROCESSING OF PERSONAL DATA

With regard to the purposes described herein, the data processing is performed by means of manual, IT and ICT tools using logic strictly related to the aforementioned purposes and, in any case, in a manner that ensures the security and confidentiality of the personal data.

5. RIGHTS OF THE DATA SUBJECT

All the rights mentioned below can be exercised by means of the Controller’s contact details as indicated in paragraph 1 at the beginning of this document.

• Right to obtain from the Controller access to your personal data
• Right to obtain from the Controller the rectification / erasure / restriction of the processing of your personal data
• Right to object to the Controller to the processing of your personal data
• Right to receive a full list of the data Processors
• Right to receive your personal data in a structured, commonly used and readable format
• Right to lodge complaint with a supervisory authority, such as the Data Protection Authority, using the contact details in the following link https://www.garanteprivacy.it/home/footer/contatti

There is no automated decision-making process, including profiling, as referred to in article 22, paragraphs 1 and 4 of European Data Protection Regulation 2016/679

6. TRANSFER OF THE DATA ABROAD

Your Personal Data will be processed both within the European Union and stored on servers located within the European Union, and processed and stored in countries outside the European Union when an adequate level of protection is ensured. That level shall be deemed adequate when the European Commission has reached an adequacy decision in relation to the recipient country or if the foreign Controllers or Processors involved provide adequate safeguards of a contract or agreement type, including contractual clauses on data protection (art. 46, par. 2, point c and point d of Regulation EU 2016/679 on Data Protection). With regard to group entities with main establishment outside the European Union, transfer of data abroad is performed on the basis of an adequacy decision (art. 45 of Regulation EU 2016/679 on Data Protection) pursuant to specific contractual agreements. Consents will be collected each in a dedicated register.

That being said solely in respect of confidentiality and the purposes described herein, such safeguards are available for consultation at the Controller’s main establishment or are provided via e-mail. Such requests can be submitted by means of the contact details in point 1

This privacy policy may be subject to changes and additions over time; you are therefore advised to check it regularly. In the case of privacy policy updates that significantly affect your activity, we will inform you of the changes made before they come into force.