PRIVACY NOTICE FOR MOBILE APPLICATIONS
CLIENT PRIVACY POLICY ON DATA PROCESSING PURSUANT TO ART. 13 OF EU REGULATION 2016/679 ("REGULATION")
Lascaux S.r.l. (VAT No. 01805480512), with registered office in Arezzo (AR), Via Calamandrei 129, as the “Data Controller” (hereinafter “Lascaux” or the “Controller”), is constantly committed to protecting the privacy of its clients.
This document (the “Notice”) has been drafted to allow you to understand how your personal data, as well as the data relating to the legal entity you represent by virtue of a legal or contractual authority, will be processed in relation to the purchase of the services (the “Services”) available on the Platform https://www.askme.it/ (the “Platform”) and/or provided outside the Platform and, if applicable, to provide explicit and informed consent to the processing of the personal data you provide.
The information and data you provide, or otherwise acquire, will be processed in compliance with the provisions of the Regulation and the confidentiality obligations that guide the activities of Lascaux.
1. DATA CONTROLLER
The processing of personal data provided by the Client to Lascaux for the purpose of executing this Agreement and the subsequent provision of the Service shall be carried out in compliance with Legislative Decree No. 196/2003 the “Personal Data Protection Code” (hereinafter, the “Code”), with European Regulation No. 679/2016 concerning the protection of personal data of natural persons (hereinafter, the “GDPR”).
For the sole purposes of the collection, processing, and management of data necessary for the provision of the Services, Lascaux acts as an independent Data Controller, in accordance with the definitions of roles set out in Legislative Decree No. 196/2003 and Regulation No. 679/2016.
2. PERSONAL DATA SUBJECT TO PROCESSING
We inform you that Lascaux will process information concerning you, which may consist of an identifier such as a name, an identification number, an online identifier, or one or more factor specific to your physical, physiological, psychological, economic, cultural, or social identity that can make you identified or identifiable (hereinafter “Personal Data”).
The data processed in the context of the Services are the following:
2.1 PERSONAL AND OTHER DATA
In order to proceed with the purchase of the Services, you will be required to provide Personal Data such as your first name, last name, and email address. With regard to the legal entity you represent, you will also be required to provide the company name, VAT number, registered office address, telephone number, electronic invoicing code, and certified email address (PEC) registered with the Italian Revenue Agency. Depending on the payment method agreed for your Services, we may also request data relating to the debit/credit card used or your banking details (e.g., IBAN).
2.2 BROWSING DATA
The IT systems and software procedures responsible for the functioning of the Portal acquire, during their normal operation, certain Personal Data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified individuals, but, by its very nature, could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users connecting to the Portal, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the server’s response (successful outcome, error, etc.), and other parameters related to the user’s operating system and IT environment. Such data are used solely to obtain anonymous statistical information on the use of the Portal, to verify its correct operation, and to identify anomalies and/or abuses. They are deleted immediately after processing.
The data may be used to establish liability in the event of hypothetical computer crimes against the Portal or third parties. Except for this eventuality, web contact data is not retained for longer than 12 months (GDPR retention).
2.3 THIRD-PARTY DATA PROVIDED BY THE DATA SUBJECT
During the registration phase, you may send Lascaux Personal Data relating to other individuals.
In such cases, you act as an independent data controller, thereby assuming all legal obligations and responsibilities in this regard. Consequently, you grant the broadest indemnity with respect to any claim, demand, or request for compensation for damages arising from the processing of such Personal Data that may be brought against Lascaux by third parties whose Personal Data has been processed through your use of the functions in violation of the applicable personal data protection laws.
In any case, should you provide or otherwise process Personal Data of third parties, you hereby warrant – assuming full related responsibility – that such specific processing is based on the consent of the relevant third party or on another appropriate legal basis that legitimizes the processing of the information in question.
3. PURPOSE OF PROCESSING
Lascaux will use your Personal Data for the following purposes:
- to finalize the purchase order of the Services you requested; to issue the invoice relating to your purchase; and to provide you with any other service you may request (“Provision of Services”);
- to send promotional and marketing communications, including newsletters, through automated tools (e-mail, push notifications). Please note that the Controller collects a single consent for the marketing purposes described herein, pursuant to the General Measure of the Italian Data Protection Authority “Guidelines on promotional activities and spam prevention” dated July 4, 2013. Should you, in any case, wish to object to the processing of your data for marketing purposes carried out using the means indicated herein, as well as revoke the consent you have given, you may do so at any time by contacting the Controller at the contact details provided in this Notice, without prejudice to the lawfulness of the processing based on the consent provided prior to its withdrawal (“Marketing”);
- to comply with obligations established by law, regulation, or EU legislation (“Compliance with Legal Obligations”);
- in the event it is necessary to establish, exercise, or defend a legal claim, as well as to perform data and network security checks and to prevent and combat possible cyber crimes (“Defensive Purposes and Prevention of Cyber Crimes”).
4. LEGAL BASIS AND MANDATORY OR OPTIONAL NATURE OF THE PROCESSING
The legal basis for the processing of Personal Data for the purpose of Provision of Services is the performance of a contract to which the data subject is a party, pursuant to Article 6(1)(b) of the Regulation.
The legal basis for processing for Marketing purposes is the consent of the data subject, pursuant to Article 6(1)(a) of the Regulation.
The purpose of Compliance with Legal Obligations represents a legitimate processing of Personal Data pursuant to Article 6(1)(c) of the Regulation. Once the Personal Data has been provided, processing is in fact necessary to comply with a legal obligation to which Lascaux is subject.
The legal basis for processing for Defensive Purposes and the Prevention of Cyber Crimes is the legitimate interest of the Controller, pursuant to Article 6(1)(f) of the Regulation.
The provision of your Personal Data for the purposes of Provision of Services, Compliance with Legal Obligations, and Defensive Purposes and the Prevention of Cyber Crimes is mandatory: refusal will not entail any further consequences, but in the absence of such data it will not be possible to use the Platform and purchase the Services.
Consent to the processing of your Personal Data for Marketing purposes is optional, and in its absence the processing will not take place, without any consequence for you. You may withdraw the consent given at any time pursuant to Article 7 of the Regulation, without prejudice to the lawfulness of the processing based on the consent given prior to withdrawal.
5. DISCLOSURE OF PERSONAL DATA
Your Personal Data may be shared, for the purposes set out in Section 3, with the following categories of recipients:
- entities typically acting as data processors, namely: (i) individuals, companies, or professional firms providing assistance and consultancy to Lascaux in accounting, administrative, legal, tax, financial, debt collection, marketing, and market research matters related to the provision of the Services; (ii) entities with which it is necessary to interact for the provision of the Services (such as hosting providers, providers of email delivery platforms, providers of payment services and payment gateways for product and service orders in the context of e-commerce); (iii) entities delegated to carry out technical maintenance activities (including maintenance of network equipment and electronic communication networks) (collectively, the “Recipients”);
- entities, bodies, or authorities to whom it is mandatory to communicate your Personal Data by virtue of legal provisions or orders of the authorities;
- individuals authorized by Lascaux to process Personal Data necessary to carry out activities strictly related to the provision of the Services, who are bound by confidentiality or have an appropriate legal obligation of confidentiality (e.g., employees of Lascaux);
- companies within the Lascaux Group for internal administrative purposes.
6. TRANSFER OF PERSONAL DATA
The transfer of personal data provided by the Client to Lascaux for the purposes of executing this Agreement and the subsequent provision of the Service shall be carried out in compliance with Legislative Decree No. 196/2003 and European Regulation No. 679/2016, in accordance with the privacy notice issued by Lascaux during the registration process and on the basis of the consent to data processing given by the Client at that time.
7. PERSONAL DATA RETENTION
Your Personal Data will be retained only for as long as necessary for the purposes for which it is collected, in compliance with the principle of data minimization set out in Article 5(1)(c) of the GDPR. The Controller may retain certain data even after the termination of the contractual relationship, for the time necessary to fulfill contractual and legal obligations, as well as when it is necessary to establish, exercise, or defend the Controller’s legal claims.
Further information regarding the retention period of the data and the criteria used to determine such period may be requested by writing to the Controller at the contact details indicated above.
8. RIGHTS OF THE DATA SUBJECTS
You have the right to request from the Controller, at any time, access to your personal data, their rectification or erasure, or to object to their processing. You also have the right to request the restriction of processing in the cases provided for under Article 18 of the Regulation, to withdraw at any time the consent given pursuant to Article 7 of the Regulation, and to obtain the data concerning you in a structured, commonly used, and machine-readable format, in the cases provided for under Article 20 of the Regulation. You also have the right to lodge a complaint with the competent Supervisory Authority (the Italian Data Protection Authority – Garante per la Protezione dei Dati Personali) pursuant to Article 77 of the Regulation, if you believe that the processing of your data is in breach of the applicable law.
You may submit an objection to the processing of your data pursuant to Article 21 of the Regulation, setting out the reasons justifying your objection. The Controller reserves the right to assess your request, which may not be accepted if there are compelling legitimate grounds for the processing that override your interests, rights, and freedoms.
Requests must be made in writing to the Controller via email at: [email protected]