during the consultation and use of the website www.yspot.co (hereinafter, the “Site”),some personal data (“Data“) will be collected and processed, as defined by art. 4, par. 1 of the EU Regulation 16/679 (hereinafter, the “GDPR“) and by the Data Protection Law (hereinafter, the “PrivacyLaw“)
The purpose of this information (hereinafter, the “InformationNotice“), provided pursuant to Article 13 GDPR, is to provide a comprehensive overview of the purposes, methods of collection and use of personal data as well as the data retention periods of each user (hereinafter, “Data Subject” or, in the plural, “Data Subjects“).
Each interested party is invited to read this informative report in order to better understand the methods of processing of their personal data as well as their rights as provided for by the GDPR.
|2. Categories ofInterestedParties 2|
|3. Categories ofdataprocessed 2|
|3.2. Data provided voluntarily by theinterestedparty 2|
|3.3. ThirdPartyData 2|
- Data Controller and Data ProtectionOfficer
The data controller of personal data is Yspot s.r.l. (hereinafter also the “Company” or “Data Controller”) with registered office in Saluzzo (CN), via Spielberg 89, C.F./P.IVA 03881650042 email firstname.lastname@example.org (hereinafter also the “Company” or “Yspot”).
The Data Controller processes personal data in compliance with the principles of lawfulness, correctness, transparency, purpose limitation and storage, data minimization, accuracy, integrity and confidentiality.
- Categories ofInterest
Yspot processes the personal data of the users of the Site.
- Categories of processeddata
Different types of personal data are processed through the Site:
This category of Data includes IP addresses or domain names of the computers used by the users who connect to the Site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s computer environment. These Data are used only for statistical information (therefore they are anonymous), to check the correct functioning of the Site, and are deleted immediately after processing. The Data could be used to ascertain responsibility in case of hypothetical computer crimes to the detriment of the Site as better reported in paragraph 5.
- 3.2.Data provided voluntarily by the interestedparty
The Site, in some of its parts, requires the interested party to enter some personal data such as name, surname, date of birth, email, through, for example, the compilation of the form “Account” in the “Main menu“; the subscription to the “Newsletter” service.
- 3.3.Third PartyData
Should you decide to provide us with Data from third parties, please ensure that these parties have been previously and adequately informed of the processing methods and purposes indicated herein.
Failure to provide the data will make it impossible for the Data Controller to provide the products/services requested.
- Servicesofferedbythesite.Purposesoftheprocessing,legalbasisandperiodofstorageofpersonal data
Through the “Shop” section of the Site, the interested party is given the opportunity to make their purchasing choices. The method of acquiring the information necessary to complete the purchase process requires the personal data and address of the recipient as well as additional information related to the payment option selected.
Purposeofthetreatment: to process the information necessary to complete the purchase process.
Legalbasisofprocessing: art. 6, paragraph 1, letter b) of the GDPR, “performance of acontracttowhichthedatasubjectispartyorperformanceofpre-contractualmeasurestakenattherequestofthesame“.
Storagetime: personal data will be processed only for the time necessary for the mandatory storage of accounting records, i.e. no longer than 10 years from the completion of the purchase process.
4.2 Account Registration
The interested party may proceed to register a personal account through the specific section of the Site.
Legalbasisofprocessing:art. 6, paragraph 1, letter b) of the GDPR, “performance of acontracttowhichthedatasubjectispartyorperformanceofpre-contractualmeasurestakenattherequestofthesame“.
Retention period: Personal data will be retained as long as the user maintains the account.
4.4 “Newsletter” service
The Site offers the user the chance to subscribe to the “Newsletter” service, so that he or she can be kept constantly informed of all the latest news about Yspot initiatives, products and services. In order to subscribe to the newsletter service the user is required to enter his e-mail address.
Purpose of processing: to allow the user to subscribe to the newsletter service.
Legal basis of the processing: art. 6, paragraph 1, letter a) of the GDPR, “consent of the data subject“.
Storagetimes:personal data will be stored until the moment of any cancellation of the user from the service through the unsubscribeprocedure at the bottom of each communication sent by the Company or specific request of the interested party to the Data Controller.
- 5.Further personal data processingactivities
5.1 Establishment, exercise and defence of rights in extrajudicial and/or judicial proceedings
Where necessary, the Data Controller reserves the right to process the personal data of the Interested Parties, collected through the Site, in order to ascertain, exercise or defend its own rights in an extrajudicial and/or judicial context or whenever the judicial authorities exercise their jurisdictional functions.
Legalbasisoftheprocessing:art. 6, paragraph 1, letter f) of the GDPR, “theprocessingisnecessaryforthepurposesofpursuingthelegitimateinterestsofthedatacontroller“. To support such processing, in order to be able to demonstrate its legitimacy, the Data Controller has carried out a balancing of interests between the interest pursued and the rights and freedoms of the Data Subjects.
Storageperiod:personal data will be stored for a period strictly limited to the duration of the litigation, until the time limit for appeals has expired
5.3 Website security and information management in the event of corporate reorganisation
The Data Controller, where necessary, processes the personal data of the Interested Parties, collected through the Website, in order to ensure the security of the Website as well as in the context of extraordinary corporate transactions to which the Data Controller may be a party in the future.
Legalbasisofprocessing:art. 6, paragraph 1, letter f) of the GDPR, “processingisnecessaryforthepurposes ofpursuingthelegitimateinterestsofthedatacontroller“.
Retention time: personal data will be kept for the period strictly limited to verify the security of the Site.
In pursuance of the purposes set forth in paragraphs 4 and 5, Personal Data is processed mainly through electronic or automated means, in any case, suitable to guarantee security and confidentiality, as well as to prevent unauthorised access to Personal Data by third parties. In any case, Personal Data may be communicated to:
- persons authorised by the Data Controller to process personal data, as employees and/or collaborators, who have received adequate operating instructions, are committed to confidentiality or are subject to an adequate legal obligation of confidentiality;
- persons, companies or professional firms providing assistance and consultancy to the Data Controller, duly appointed as Data Processors pursuant to Article 28, GDPR. The list of data processors is available to interested parties at the Data Controller. By way of example, the following are some of the categories of subjects that process data on behalf of the Data Controller: companies that offer hosting services, companies that offer communication and marketing services.
- Companies that provide payment services, including Paypal, Klarna and Stripe, acting as independent data controllers.
- subjects, bodies or authorities to which the communication of the personal data of the interested party is obligatory by virtue of provisions of law or orders of the competent authorities.
The management and storage of the Data takes place on the servers of the Data Controller and/or third party companies appointed as Data Processors. These servers are located in Germany and in any case within the European Union.
- 7.Transfer of data outside the EuropeanUnion
Personal Data are not transferred to countries outside the European Union and the European Economic Area. If such a transfer should become necessary and/or unavoidable due to the organizational needs of the Owner, please note that:
- it will be made only to countries for which there is an adequacy decision adopted by the European Commission;
- in the case of a country other than that referred to in the preceding point, the transfer of data will be governed by the Standard Contractual Clauses without prejudice to the adoption, with the agreement of the Parties involved, of another of the safeguards established by art.46 of the GDPR or the application of one of the derogatory mechanisms referred to in art.49 of the GDPR.
- 8.Rights of the interestedparties
Pursuant to articles 15 to 22 of the GDPR, the Data Subject has the right to obtain, from the Data Controller, confirmation as to whether or not Personal Data concerning him or her is being processed and, if so, to obtain access to his or her data.
In addition, the Interested Party has the right to:
- know the purposes of data processing;
- know the categories of data being processed;
- know the recipients or categories of recipients to whom the data have been or will be disclosed, in particular if they are recipients in third countries or international organisations;
- to know, where possible, the expected data retention period or, if this is not possible, the criteria used to determine that period;
- revoke the consent given at any time, without prejudice to the lawfulness of the processing based on the consent given before withdraw;
- ask the data controller to rectify or erase the data or restrict the processing of the data concerning him/her;
- oppose the processing of your data, without prejudice to the right of the Data Controller to evaluate your request, which may not be accepted in the event of the existence of compelling legitimate grounds for processing that override your interests, rights and freedoms;
- complain to a supervisory authority;
- if the data is not collected from the data subject, receive all available information on its origin;
- to be made aware of the existence of an automated decision-making process, including profiling as referred to in Art. 22, par. 1 and 4, and, at least in such cases, significant information on the logic used, as well as the importance and consequences foreseen for such processing in relation to the Data Subject;
- in the cases and within the limits provided for by the GDPR, the Privacy Code and any sector regulations, obtain the portability of the data, i.e. receive them from the Data Controller, in a structured, commonly used and machine-readable format, and transmit them to another Data Controller without hindrance.
Requests should be made in writing to the Data Controller at the addresses indicated above.
This Policy is effective as of 23 November 2021