Pursuant to Regulation (EU) 2016/679 (hereinafter ‘GDPR’), the following information is provided regarding the processing of personal data collected through registration to the community -along with the creation of a personal profile- by the User on the website www.tabaccomapp-community.it (‘the Site’).
The Data Controller is CASA EDITRICE TABACCO s.r.l., with registered office in Tavagnacco (UD), 78 via E. Fermi (email: info@tabaccoeditrice.com - PEC amministrazione@pec.tabaccoeditrice.com - phone: +39 0432 573822).
Pursuant to art. 28 GDPR, the Data Controller has appointed INFOFACTORY s.r.l. as Data Processor for the management and maintenance of this website and its Community. For more information, please contact the Controller at the above-mentioned addresses.
In accordance with the provisions of article 32 GDPR, CASA EDITRICE TABACCO S.R.L. has put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in compliance with the personal data legislation. Therefore, all data are processed using procedures and tools, including IT tools, that are suitable to guarantee their confidentiality, integrity and availability in the manner and within the limits necessary to pursue the purposes indicated below.
A) REGISTRATION AND PARTICIPATION IN THE COMMUNITY
Registration with the Community involves the acquisition of personal data and any other information (photos, deferred GPS routes, preferences on types of activities, etc.) that the registered User spontaneously decides to upload to his or her personal profile.
Purpose and legal basis of processing (GDPR Art. 13, paragraph 1, letter c)
Personal data (name and surname) and contact details (email) are required in order to complete the registration and participate in the community. The legal basis for the processing is the performance of the contract (registration with the Community) to which the data subject is a party (Art. 6, letter b, GDPR). For other data (if any) and/or information uploaded by the User in his/her profile, the legal basis is the consent given by the person concerned.
Scope of communication (GDPR Art. 13, paragraph 1, letter e, f)
Data is only processed by duly authorised and trained personnel. Data (excluding contact details), are shared with all registered Users of the Community. The data may be indexed by search engine operators and/or third parties (e.g., Google).
Data retention period (GDPR Art. 13, paragraph 2, letter a)
The data will be stored for a period determined according to criteria of strict necessity in view of the various purposes pursued and, in any case, in compliance with the current legislation on the protection of personal data and according to the logic of protection of the rights of the Controller (limitation periods as per the Civil Code).
Provision of Data (GDPR Art. 13, paragraph 2, letter e)
Failure to provide required data will make it impossible to register with the Community.
Registration and authentication via Facebook or Apple ID
The User may also choose to register with the Community and subsequently access his personal profile via Facebook or Apple ID by authenticating on the relevant portal to which s/he is referred by clicking on the respective button. In this case, the data controller will have access to the following personal data of the data subject, which will be acquired by the relevant platform:
(i) personal data (name and surname), (ii) email address.
The same information applies to this data as to the purpose and legal basis of the processing, scope of communication, storage period and provision of data.
For more information on the content posted by the User, please refer to the Terms of Use.
(B) COMMERCIAL AND PROMOTIONAL COMMUNICATIONS BY THE CONTROLLER
The voluntary choice to receive commercial and promotional communications entails the processing of the personal and contact data of the person concerned (name, surname and email address to which communications are to be sent).
Purpose and legal basis of processing (GDPR Art. 13, paragraph 2, letter c)
The data are processed in order to send the person concerned periodic electronic communications of an informative nature relating to the Controller's activities, commercial products and news relevant to this area. The legal basis is the consent given by the person concerned.
Scope of communication (GDPR Art. 13, paragraph 1, letter e, f)
Data is only processed by duly authorised and trained personnel. Data is not disseminated or transferred to countries outside the EU.
Data retention period (GDPR Art. 13, paragraph 2, letter a)
The data is stored until the data subject requests revocation.
Provision of Data (GDPR Art. 13, paragraph 2, letter e)
Failure to provide the required data will result in the impossibility of receiving the above-mentioned communications.
(C) COMMERCIAL AND PROMOTIONAL COMMUNICATIONS RELATING TO OFFERS FROM THE CONTROLLER'S PARTNERS
The voluntary choice to receive commercial and promotional communications from third parties and partners of the Controller entails the processing of the personal and contact data of the person concerned (name, surname and email address to which communications are to be sent).
Purpose and legal basis of processing (GDPR Art. 13, paragraph 1, letter c)
The data are processed in order to send the person concerned periodic electronic communications of an informative nature relating to the activities of the Controller's partners, their commercial products and news relevant to this area. The legal basis is the consent given by the person concerned.
Scope of communication (GDPR Art. 13, paragraph 1, letter e, f)
The data are processed exclusively by duly authorised and trained personnel and disseminated, in accordance with the purpose of processing, to the Controller's partners. In any case, data are not transferred to non-EU countries.
Data retention period (GDPR Art. 13, paragraph 2, letter a)
The data is stored until the data subject requests revocation.
Provision of Data (GDPR Art. 13, paragraph 2, letter e)
Failure to provide the required data will result in the impossibility of receiving the above-mentioned communications.
(D) SITE NAVIGATION
Various personal data are processed when you browse the Site, such as IP addresses or domain names of the computers used, the web page of origin and exit, the URI/URL addresses of the resources requested, the date and time of the visit, information relating to your operating system and browser, as well as other technical data relating to navigation.
Purpose and legal basis of processing (GDPR Art. 13, paragraph 1, letter c)
This type of data is processed -in automated and aggregated form- exclusively for purposes related to the management and administration of the Site, as well as for statistical purposes. The data could also be used to ascertain responsibility in the event of computer crimes against the Site and/or other offences. The legal basis is the legitimate interest of the Controller.
Scope of communication (GDPR Art. 13, paragraph 1, letter e, f)
The data are processed exclusively by duly authorised and trained personnel, as well as by the provider of the Site's development and maintenance services, identified as the data processor. Data are not disseminated or transferred to countries outside the EU.
Data retention period (GDPR Art. 13, paragraph 2, letter a)
Unless necessary in the case of investigations following unlawful acts, data are generally not retained for more than ninety days.
Provision of Data (GDPR Art. 3, paragraph 2, letter e)
The data are not provided by the person concerned, but are acquired automatically by the website's technological systems.
The data subject has the right to request, in the specified cases:
1. access to personal data and information (Art. 15 GDPR);
2. rectification or erasure of the same (Articles 16 and 17 GDPR);
3. limitation of the processing of personal data (Art. 18 GDPR).
In addition, the Data Subject may:
1. oppose the processing of personal data under the conditions and within the limits set out in Article 21 of the GDPR;
2. exercise the right to data portability (Art. 20 GDPR).
1, letter a and 9, paragraph 2, letter a of the GDPR), the Data Subject has the right to withdraw such consent at any time, without affecting the lawfulness of the processing based on the consent given prior to the withdrawal.
In order to exercise the rights referred to above, as well as to unsubscribe from the Community, the data subject may contact the Data Controller via the email address info@tabaccoeditrice.com
Finally, if the Data Subject considers that the processing of his or her personal data violates the GDPR, he or she has the right to lodge a complaint with a supervisory authority (Data Protection Authority or other authority that may be competent) pursuant to Article 77 et seq. of the GDPR.
