Consent for Processing of Personal, Sensitive and
Legal Data
pursuant to Legislative Decree 196/2003 and EU Regulation 2016/679
1. Definitions
2. Identification of Data Controller and contact information for Data Processor
3. Type of data. Method of processing
4. Log and Analytics data
5. Cookies
6. Social Plug-ins
7. Rights of the Data Subject
8. Risk Analysis and protection method for processed data
1. Definitions
1.1 The
User/Data Subject is the subject who accesses the website www.orobieultratrail.it (henceforth for the sake of brevity WEBSITE) and registers personal data in order to use the functions of the website, pursuant to letter “i” of art. 4 of Legislative Decree no. 196/03, or, “
a natural person, legal person, entity or association to which the personal data refers”. For application of EU Regulation 2016/679, the term “
Data Subject” refers to any identified or identifiable natural person, considering the natural person as identifiable as the person who can be directly or indirectly identified, with specific reference to an identification datum like a name, identification number, location information, online identification or one or more characteristic elements of the person’s physical, physiological, genetic, psychiatric, economic, cultural or social identity.
1.2 In accordance with article 23 (“
Consent”) of Legislative Decree no. 196/03, processing of personal data by private subjects is only permitted with the
consent of the Data Subject, provided of their own free will and specifically in reference to the processing of their personal data in writing on the consent form provided with the Privacy Policy pursuant to article 13 of Legislative Decree no. 196/03; for the application of EU Regulation 2016/679, “
Consent” is intended as any manifestation of specific, informed and unequivocal free will of the Data Subject providing their consent, through a positive and unequivocal declaration or action, that the data being processed are personal data for which they are the Data Subject.
1.3 For application of EU regulation 2016/679, the “
Personal Datum” is intended as information of any kind relative to the Data Subject; “
Genetic Data” are intended as data relative to the genetic, hereditary characteristics or data acquired from a natural person that provide unequivocal information about the physiology or health of a person and that are the results of a biological sample examination; “
Biometric Data” are intended as personal data obtained through a specific technical process relative to physical, physiological or behavioral characteristics of a natural person that permit or confirm unequivocal identification, including facial images or dactyloscopy results; “
Data Concerning Health” are intended as personal data relative to the physical or mental health of a natural person, including provision of health assistance services, which reveal information relative to the state of health of the Data Subject.
1.4 For application of EU Regulation 2016/679, “
Processing” is intended as any operation or group of operations, also carried out using automated processes, applied to the personal datum, among which the collection, registration, organization, structuring, conservation, adaptation or modification, extraction consultation, use, communication through transmission, diffusion or any other form of distribution, comparison or interconnection, limitation, erasure or destruction of the data; “
Cross-Border Processing” is intended as processing of personal data taking place in facilities (intended as any location selected by the Data Controller and the location where the main processing activities are executed by the Data Processor) in more than one member state of the EU or in facilities located in only one member state but that may significantly impact Data Subjects in more than one member state.
1.5 For application of EU Regulation 2016/679, “
Profiling” is intended as any form of automated personal data processing consisting of the use of the personal data for evaluating specific personal aspects relative to a natural person, in particular for analyzing or predicting aspects relative to professional income, economic status, personal preferences, health, interests, reliability, behavior, location or movement of the Data Subject.
1.6 For application of EU regulation 2016/679, “
Pseudonymization” is intended as the processing of personal data according to a method that ensures that the same data cannot be attributed to a specific subject without the use of additional information, on the condition that these additional data
are conserved separately and subject to technical and organization measures designed to guarantee that these data are not attributed to an identified or identifiable natural person.
1.7 For application of EU regulation 2016/679 per “
Data Controller” is intended as the natural or legal person, the public authority, the service or other body that, singularly or together with others, determines the purposes and means of personal data processing; “
Data Processor” is intended as the natural or legal person, the public authority, the service or other body that processes the data on behalf of the Data Controller; “
Recipient” is intended as the natural or legal person, the public authority, the service or other body that receives communications of personal data, whether third parties or not; “
Third Parties” are intended as a subject different from the Data Subject, the Data Controller, the Data Processor, the persons authorized for processing by the Data Controller or the Data Processor or the Recipient;
1.8 For application of EU Regulation 2016/679, “
Supervisory Authority” is intended as any authority that verifies the correct application of EU Regulation 2016/679 in Italy, in particular it is intended as the Guarantor of the Protection of Personal Data with office in Rome, Piazza di Monte Citorio no. 121 – pec: protocollo@pec.gpdp.it.
2. Identification of the Controller
The identification details of the Data Controller are:
Spia S.r.l. - email: info@outbg.it .
The Data Processor can be contacted at the following email address: email info@outbg.it .
Any changes of the name of the Data Processor will be communicated, also at the time of renewal of consent, via changes made to the name of the Data Processor.
The Data Controller and owner of the WEBSITE may be involved in mergers, incorporations, acquisitions, divisions, and in this case could transfer assets of the company, including the personal data of the Data Subject, who acknowledges and accepts the same; in this case the Data Subject will be informed prior to their personal data being transferred or if the data are subject to a different policy and/or authorization for processing.
3. Type of data. Method of processing
The Personal Data are processed legally, correctly, transparently and solely for the purposes connected to executing the functions on the WEBSITE.
The Personal Data are collected exclusively for commercial purposes in conformity with the purpose for which the User/Data Subject registered on the WEBSITE, and nevertheless for purposes connected to and/or necessary for managing the WEBSITE, therefore excluding any diverse uses and/or those which may conflict with the interests of the User/Data Subject, without prejudice to the legal obligations governing the Data Controller or Data Processor.
The processed Personal Data will be exclusively limited to data pertinent to the functions of the WEBSITE that the User/Data Subject registered to use.
The Personal Data will be exact, and if necessary updated according to the indications provided by the User/Data Subject during registration.
The Personal Data will be stored for period that is necessary for the activity for which the data processing is necessary and for a maximum period of another 2 (two) months from the expiry of the consent for processing. In any case, the processing cannot exceed ten years, unless the consent for this purpose is expressly renewed by the Data Subject.
The Personal Data will be processed using means that guarantee their security and exclude the possibility of loss or destruction, also partial.
The acquisition and processing of Personal Data shall also be carried out for the purposes set forth in the anti-money laundering regulations introduced by Community Directive no. 2001/97 EC, in Legislative Decree no. 56/2004 as amended, and as transposed in Ministerial Decrees for implementation, in recognition of the possibility that the same data are communicated to the Italian Exchange Office UIC for verification of correct fulfillment of the aforesaid requirements.
The portability of Personal Data is optional and not obligatory, except when specifically required by law, but is necessary for registration on the WEBSITE and providing consent for processing is mandatory for registration. The transfer of Personal Data takes place each time the Data Subject accesses the WEBSITE for registration and to manage/use the services offered, or each time the same connects the registered account on the WEBSITE to a third-party website where allowed.
If the data necessary for registration and navigation on the WEBSITE are not transferred, it is not possible to accept and/or proceed and the account is not enabled or will be cancelled if consent is denied for the renewal of the authorization to process Personal Data.
If the Data Subject is authorized to use mobile applications linked to the WEBSITE, data relative to the location of the Data Subject are also transferred, stored and processed, including general information (e.g. IP address, postal code) and more specific information (e.g. GPS functions in mobile devices used to access the platform or specific functionalities of the platform). If the Data Subject accesses the WEBSITE from a mobile device and does not want the device to provide location information, the GPS function or other location tracking functions can be disabled on the device, as long as this is possible on the device.
The WEBSITE may allow the collection by Third Parties, upon authorization by the User/Data Subject, of information about the online activities of Users, also for profiling purchases by the User and for commercial purposes.
The Data Subject consents to transmission of Personal Data to Third Parties (e.g. providers or web maintenance and software programs used by the Data Controller organization).
The Data Controller may transfer the data of the Data Subject abroad or to third party countries depending on the payment method selected by the User for purchases on the WEBSITE (e.g. credit card or PayPal).
The Data Subject commits to keep their personal data updated and will communicate any changes or updates to the Data Controller.
4. Log and Analytics data
The User/Data Subject is aware of the Processing of “Log Data”, data that are automatically recorded by our web servers or server space, also Third Party websites, each time that the User/Data Subject accesses the WEBSITE or uses it, regardless of the whether the user is registered or has accessed an account; these data consist of, for example, an IP address, the date and time of access, the hardware and software used for access, the incoming and outgoing websites and URLs, the number of clicks, the pages viewed and order of the pages, as well as the amount of time spent on specific pages. These data are also the object of a separate consent form that the Data Subject provides to the Data Controller that performs when monitoring activities via the browser (e.g. Google) and that can be used for analytics services (e.g. Google Analytics – made anonymous through the IP pseudonymization function) and for tracking the activities of the User/Data Subject during interaction with the WEBSITE.
5. Cookies
No personal data of the users is acquired by the WEBSITE through so-called cookies. Cookies are not used for the transmission of personal data, nor are persistent cookies, nor user tracking systems of any kind. The use of session cookies (which are not memorized persistently on the user’s computer and disappear upon closing the browser) is strictly limited to transmission of session identification data (consisting of random numbers generated by the server) necessary for safe and efficient website browsing. The session cookies used on this website do not rely on other potential technologies that may be harmful to confidentiality of user browsing and do not permit acquisition of the User's personal data. The cookies for integrating third party products and software (Google Maps, YouTube videos, social network links, online payments, etc.) integrate functions developed by third parties within the website to share website contents or to use third party software (like software for generating maps and software offering additional services). These cookies are sent by third party domains and partner websites that offer their functions on the website. You can open cookies management in your browser for the relative software producer (e.g. Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera, etc.).
The Data Subject can disable the use of cookies through browser settings, but the performance and processing of data subsequent to a "Do Not Track” signal in the http heading on your browser or application will change. The activities of the Data Subject are tracked if the same clicks on an advertisement for services of the WEBSITE on websites or platforms of Third Parties, including search engines and social networks.
6. Social Plug-ins
The WEBSITE may use social plug-ins provided by Third Parties, such as, for example, the Facebook Like button; with the use of similar plug-ins, the Data Subject can send the information displayed on a specific part of the WEBSITE to Third Parties. If the Data Subject has not logged in in their account at Third Party sites, the Third Party will not be privy to their identity, unless consent was provided for Personal Data processing by the Data Subject to the Third Party. If the Data Subject is logged in to their account at the Third party site, then the Third party could collect information relative to the visit by the Data Subject on the WEBSITE through the Third Party account. Similarly, their interactions with the social plug-in could be recorded by the Third Party. These methods for accessing the data of the Data Subject by the Third Party are not connected to the WEBSITE functionality and the processing of the data is not carried out by the Data Controller or by the Data Processor of the WEBSITE, but by the Third Party for which the Data Subject provided consent for data processing. The Data Subject declares to be aware of the Privacy Policy of these Third Parties and their practices governing personal data processing and declares to have validly authorized their processing, exonerating the Data Controller and Data Processor of the WEBSITE.
7. Rights of the Data Subject
The Data Subject shall be guaranteed all rights as set forth in art. 7 of Legislative Decree no. 196/03.
The User/Data Subject is guaranteed, in accordance with EU Regulation 2016/679 and implemented by request to the Data Processor:
- the right to access (art. 15 of said EU Regulation) data to verify the existence of ongoing data processing and the purpose of the processing, the category of data processed, the recipients of the processed data, the storage period of the processed data, the possible existence of an automated selection process, including profiling pursuant to art. 22, sections 1 and 4 of EU Regulation 2016/679;
- the right of rectification of the data, including integration of incomplete data (art. 16 of said EU Regulation);
-
the right of erasure (art. 17 of said EU Regulation) of data without delay upon the request of the Data Subject, and mandatory if:
- the data are no longer necessary for the purpose of the Processing;
- the consent for Processing is revoked;
- the Data Subject opposes Processing in accordance with art. 21 of the EU Regulation;
- the data were processed illegally;
- the obligation of erasure complies with Italian or EU legal provisions. The obligation of erasure is not applied in the case of exercising the right to free expression and information, for fulfillment of a legal obligation that requires the processing, for reasons in the interest of the greater public or public order, and legal purposes that require processing.
- the right to restriction of processing (art. 18 of said EU Regulation) when the Data Subject disputes the exactness of the processed personal data for a period necessary for subsequent verification, the processing is illicit and the Data Subject opposes the erasure, the Data Controller must not continue processing but the Data Subject requests continuation for legal reasons and to exercise the rights of the defendant in court and when the Data Subject is opposed to processing while awaiting verification of the prevalence of legitimate reasons of the Data Controller.
- the obligation of the Data Controller to communicate (art. 19 of said EU Regulation) to possible Recipients of processed personal data any erasures, changes, limitations to processing.
- the right to data portability (art. 20 of said EU Regulation) including the right of the Data Subject to receive the data in a structured, commonly used and durable format, legible on automatic devices, also in several issues, by email to the address specifically indicated by the User/Data Subject free of charge, and the right to transfer personal data to another Data Controller, without obstruction, if the processing is carried out using automated means, like the case in point;
- the right to object of processing of Personal Data (art. 21 of said EU regulation), without prejudice of the right of the Data Controller to demonstrate the existence of legitimate reasons for proceeding with said processing;
- the right to not be subject to a decision based on automated processing, including profiling, unless this selection process is necessary for the stipulation of the contract or execution of the same between the Data Subject and the Data Controller, according to national or community law, the consent can be considered already explicitly affirmed by the Data Subject (art. 22 of said EU Regulation).
8. Risk Analysis and protection method for processed data
The Data Controller declares that there are no specific risks connected to the processing of the Personal Data of the Data Subject, to have evaluated all responsibilities and risks of conservation and processing, to have carefully selected the most suitable precautions for guaranteeing confidentiality and intangibility of the data of the Data Subject.
The Data Controller reserves the right to use all suitable methods to guarantee the security of the data, including encryption and pseudonymization of the processed personal data.
The Data Controller nevertheless declares to use suitable and available anti-intrusion and anti-violation systems at servers, or server spaces, or via Third Parties.
The Personal Data will be processed using suitable means for guaranteeing security and preventing the loss or destruction, also partial (e.g. system backup, anti-virus systems, change of access password to data for the representatives of the Data Controller periodically, uninterruptible power supply).
The User/Data Subject
spontaneously declares to authorize, in conformity with the above statements and more in general in accordance with Legislative Decree no 196/03 and EU Regulation 2016/679, the processing of their personal data.
The User/Data Subject
spontaneously declares to authorize, in conformity with the above statements and more in general in accordance with Legislative Decree no 196/03 and EU Regulation 2016/679, the processing of their personal data for commercial purposes, including profiling, marketing and sending commercial and promotional materials.