Declaration of Authorization to the Processing of personal, sensitive and judicial, identification data pursuant to Italian Legislative Decree no. 196/2003 in force in the territory of the Republic of Italy
The Artizan/Tourist, hereinafter referred to as “data subject” according to the definition given at letter “i” of art. 4 Italian Legislative Decree no. 196/03 and that is: “natural person, juridical person, institution and association to which personal data are referred”,
the sensitive and judicial personal – identification – data (the meaning of each has been given and he/she acknowledges this to be that shown in note 3 stated at the end of this authorization), which may have also been acquired from third parties, will be used – in compliance with current legislation and without prejudice to obligations of confidentiality – exclusively for commercial type aims in compliance with the purpose for which he/she registered on the internet platform called “TOURIZAN” and, however, for purposes connected and/or instrumental to the management and commercial activities conducted by the aforementioned internet platform, excluding – therefore – any other use that may conflict with the interests of the Artizan/Tourist displayed when registering with “TOURIZAN”, without prejudice to the legal obligations of the “TOURIZAN” platform.
He/she acknowledges that the acquisition and processing of data will also take place for the purposes envisaged by legislation in matters of money laundering as introduced by European Community Directive no. 2001/97 CE, by Italian Legislative Decree no. 56/2004 transposing such Directive, and by the Ministerial Decrees implementing such Directive, and he/she is aware of the possibility that the same data may be communicated to the Ufficio Italiano Cambi UIC (Italian Foreign Exchange Office) to verify the correct fulfilment of the aforementioned obligations.
The provision of sensitive and judicial personal – identification – data should be considered merely optional and not mandatory, unless expressly required by legal provisions. The provision of data occurs each time the data subject accesses the “TOURIZAN” platform to create the account, communicate with the “TOURIZAN” platform, access the platform to manage/use the services offered by the “TOURIZAN” platform, or connect his/her account on a third-party site to his/her account on the “TOURIZAN” platform.
When the data subject uses certain functions on the “TOURIZAN” platform, in particular mobile applications, data regarding the position of the data subject are also provided, including general information (e.g. IP address, post code) and more specific information (e.g., GPS-based functionality on mobile devices used to access the Platform or specific features of the platform). If the data subject accesses the “TOURIZAN” platform through a mobile device and does not want the device to provide location-tracking information, the GPS or other location-tracking functions on his/her device can be disabled, provided the device allows this.
“Log Data” are also received, stored and processed. This is information that is automatically recorded by our servers whenever the data subject accesses or uses the “TOURIZAN” platform, regardless of whether he/she is registered or logged in to his/her account; this data may be, for example, the IP Address, the date and time of access, the hardware and software used for access, the sites and URLs from where he/she originates and exits, the number of clicks, pages viewed and the order of those pages, and the amount of time spent on particular pages.
While the data subject may disable the usage of cookies through his/her browser settings, the practices and data processing will never be changed in response to a "Do Not Track" signal in the HTTP header from his/her browser or mobile application. The data subject’s activities are tracked if he/she clicks on advertisements for “TOURIZAN” platform services on third party platforms such as search engines and social networks, and analytics services may be used to track his/her activities in response to those advertisements.
The data subject is aware of the fact that even if he/she chooses to no longer receive targeted advertisements (opting-out), he/she may still receive advertising on or concerning the “TOURIZAN” platform, but it will no longer be tailored to his/her interests.
Third parties may collect information about users' online activities on the “TOURIZAN” platform within the limits of this authorization.
The “TOURIZAN” platform may use social plugins which are provided and operated by third-party companies, such as Facebook’s Like button.
As a consequence of this, the data subject may send to the third-party company the information that he/she is viewing on a certain part of the “TOURIZAN” platform. If the data subject is not logged into his/her account with the third-party company, then the third party may not know his/her identity. If the data subject is logged into his/her account with the third-party company, then the third party may be able to link information about his/her visit to the “TOURIZAN” platform to his/her account with this company. Similarly, his/her interactions with the social plugin may be recorded by the third party.
The data subject declares that he/she is aware of the privacy policies of such third party companies and their practices in matters of personal data processing.
In the event of failing to provide the aforementioned data, subscription to the internet platform called “TOURIZAN” may not be accepted and/or continued and the account will be cancelled.
When the processing of sensitive and judicial personal – identification – data is authorised, these data, within the aforementioned limits and for the aforementioned purposes, may be disclosed to Public Entities and/or Private Entities, competent Judicial Authorities and, therefore, subjects in the same places responsible for their transposition and/or processing, as well as the supervisors and/or processors of the internet platform called “TOURIZAN” (whose functions he/she acknowledges to be those shown in note 4 stated at the end of this authorization). In order to identify the security measures adopted and any updates and/or modifications to the identification data of the controllers, supervisors and/or processors – as well as, for this latter aspect, the following points “f” and “g” – reference should be made to the O.S.P. (Official Security Plan) which can be downloaded from the internet platform.
The data subject will be guaranteed all rights as better described in art. 7 (“Right to access personal data and other rights”) of Italian Legislative Decree no. 196/03, the content of which he/she declares that he/she understands and whose full text he/she acknowledges to be that given in note 5 shown at the end of this authorization.
The identification data of the controllers of processing are:
BELEZA S.R.L. with registered office in Bergamo, Italy, Galleria Santa Marta no. 1, Tax Code 04071540167, VAT no. 04071540167, registered in the Companies Register of Bergamo at no. 04071540167.
Furthermore, it should be noted that in accordance with art. 4 letter “g”, the “supervisor of processing” is BELEZA S.R.L., represented by the pro tempore legal representative; any change to the name of the supervisor will be communicated.
Reference should be made to the O.S.P. for the names of the company servicing the software and hardware of IT systems connected and/or linked to the internet platform called “TOURIZAN”.
The processing of sensitive and judicial personal – identification – data will take place within the limits of the law, as established by art. 25 of Italian Legislative Decree no. 196/03, the content and text of which he/she acknowledges to be that shown in note 6 given at the end of this authorisation, as well as for the aims described above, and they also may be subject not only to processing, but also to communication and/or disclosure as better defined in letters “a”, “l” and “m” of paragraph 1 of art. 4 of Italian Legislative Decree no. 196/03 and which he/she acknowledges to be that stated in note 7 at the end of this authorization.
The processing of data will take place in a suitable manner to ensure their security and confidentiality and may also be carried out using automated tools capable of storing, managing and transmitting the same.
The data and documentation will be kept, in storage, for a period of 10 years.
The data subject acknowledges that the processing of personal data may take place in countries other than that of his/her residence and, as such, other legislation in force in those jurisdictions in matters of personal data may be applied.
The manager/owner of the “TOURIZAN” platform could be involved in mergers, acquisitions, demergers and in this case assets of its company could be transferred, including the personal data of the data subject, who acknowledges and accepts the same; in this case, the data subject will be informed before his/her personal data are transferred or are however subject to different policies and/or authorizations to the processing of personal data.
The data subject may review, update, correct or fully delete his/her personal details on his/her account and this will be possible by logging into his/her account. All reviews, posts on forums and similar materials published by the data subject could continue to be accessible publicly on the “TOURIZAN” platform, in association with his/her name, even if his/her account has been deleted.
The “TOURIZAN” platform will contain links to other websites that are not owned or subject to control by the same. The “TOURIZAN” platform does not exercise any control over websites that belong to third parties. These other websites may place their own cookies, web beacons or other files on the data subject’s device, or collect and solicit personal data from the data subject. They will have their own rules about the collection, use and disclosure of personal data, rules that are extraneous to the “TOURIZAN” platform.
The “TOURIZAN” platform may allow registered account holders to participate in online discussion forums.
If the data subject participates in a discussion forum, then his/her participation in the discussion, as well as some of his/her public information (such as his/her profile picture and public profile page) will be visible to users who browse the pages of the discussion forum. If the data subject publishes content in a discussion forum, this will be visible to users that browse or are part of the discussion forum. The possibility of browsing the pages of the discussion forum depends on the forum settings, and may or may not be limited to members of the discussion forum.
This authorisation may be modified and in this case the “TOURIZAN” platform will require new express acceptance.
At any moment, the data subject may request a copy of his/her personal data being processed and in this case the “TOURIZAN” platform will send the copy of personal data being processed within 40 (forty) days of receipt of the written request of the data subject, debiting an all-inclusive amount of €10.00.
The data subject undertakes to keep personal data updated and, to this end, shall communicate to the “TOURIZAN” platform any need for modification or updating.
The data subject has the right to obtain, free of charge, from the “TOURIZAN” platform the deletion of personal data that he/she believes to be the subject of processing that does not comply with this authorisation and provisions of law in force in the country where the processing takes place.
Based on the foregoing, he/she spontaneously declares that he/she authorises, in compliance with the aforementioned and more generally the provisions of Italian Legislative Decree no. 196/03, the processing of his/her personal data of any nature, including that defined as sensitive and judicial, identification data.
1. ART.26 paragraph 4 letter “c” – GUARANTEES FOR SENSITIVE DATA “(...) 4. Sensitive data may be the subject of processing without consent, by authorisation of the Data Protection Authority: c) when the processing is necessary for the purposes of investigations by defence counsel pursuant to Law no. 397 dated 7 December 2000 or – however – to enforce or defend a right in a court of law, provided that the data are processed exclusively for such purposes and for the time period strictly necessary for their prosecution. If the data reveal the state of health and sex life, the right must be of equal ranking to that of the data subject or consisting of a right of personality or other right or fundamental and inviolable freedom (...)”.
3. ART.4 – DEFINITIONS: (...) b) < personal data >, any information regarding a natural person, legal entity, organisation or association, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number; c) < identification data >, personal data that permit the direct identification of the data subject; d) < sensitive data >, the personal data revealing racial origin and ethnicity, religious convictions, philosophies or other kind, political opinions, membership of parties, trade unions, associations or organisations of a religious, philosophical, political or trade union nature, as well as personal data that reveals the state of health and sex life; e) < judicial data >, personal data that reveal measures pursuant to art. 3 paragraph 1, letters from a) to o) and from r) to u) of Italian Presidential Decree no. 313 dated 14.11.2002 in matters of criminal records, of administrative sanctions connected to a crime and the relative pending charges, or the capacity of the accused or suspected person in accordance with articles 60 and 61 of the code of criminal procedure”.
4. ART.4 – DEFINITIONS: (...) f) < controller >, the natural person, legal entity, public administration and any other authority, association or organism responsible for – even together with another controller – decisions regarding the purposes, methods of processing of personal data and the tools used, including the security profile; g) < supervisor >, the natural person, legal entity, public administration and any other authority, association or organism appointed by the controller of personal data processing; h) < processors >, the natural persons authorised to perform processing operations by the controller or supervisors”.
5. ART. 7 – RIGHT OF ACCESS TO PERSONAL DATA AND OTHER RIGHTS: 1. The data subject has the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form. 2. The data subject has the right to be informed: a) of the source of the personal data, b) of the purposes and methods of processing; c) of the logic applied in the case of processing carried out with the aid of electronic devices; d) of the identification data of the controller, supervisor and representative appointed in accordance with art. 5 paragraph 2; e) the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data supervisors or processors. 3. The data subject has the right to obtain: a) the updating, rectification or – where interested therein – integration of the data; b) the erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed; c) certification to the effect that the operations as per letters “a” and “b” have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected. 4. The data subject has the right to object in whole or in part: a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.”
6. ART.25 – BANS ON COMMUNICATION and DISCLOSURE: “1. Communication and disclosure are forbidden not only in the case of the ban laid down by the Data Protection Authority or by the Judicial Authority: a) in reference to personal data of those for which the cancellation was ordered, or when the time period indicated in art. 11 paragraph 1, letter “e” has passed; b) for purposes other than those indicated in the notice of processing, where prescribed. 2. This is without prejudice to the communication or disclosure of data requested, in compliance with the law, by the police forces, judicial authorities, training and security organisations and other public entities in accordance with art. 58, paragraph 2, for purposes of defence or security of the State or the prevention, ascertainment or combating of offences”.
7. ART.4 – DEFINITIONS: (...) a) < processing > any operation or set of operations, carried out even without the aid of electronic devices, concerning the collection, recording, organisation, storage, consultation, manipulation, modification, selection, extraction, comparison, use, interconnection, blocking, communication, disclosure, erasure and destruction of data, including data not recorded in a database (...); l) < communication > the making known of personal data to one or more particular entities, other than the data subject, by the representative of the controller in the territory of the State, by the supervisor and by the processors in any form, even by their provision or consultation; m) < disclosure > the making known of personal data to unspecified entities, in any form, even by their provision or consultation”.