PRIVACY POLICY
(“Privacy Policy”)
(Version “01”, November 2017)
Table of contents
1. General provisions
2. Data subjects, services and scope
3. Principles, source, nature and types of processed Data
4. Purposes of the processing. Consequences in case of failure to provide
5. Persons in charge of the processing and processors
6. Methods of processing and security measures
7. Data Subjects’ rights as natural persons
- General provisions
1.1. Controller. In accordance with provisions of section 13 of the Legislative Decree June 30, 2003, n. 196 (“Personal Data Protection Code”) and of section 13 of the E.U. Regulation 679/2016 (“Regulation”), by this Privacy Policy Tooly.tips S.r.l. (“tooly.tips”), Tax Code and VAT n. 02966010213, having its registered office in Bolzano (Italy), Via Sant’Osvaldo no.41 (39100 - BZ), in its capacity as personal data controller (“Controller”), fulfils its duties to provide data subjects (“Data Subjects”), as hereinafter identified, information relating to the processing of their own personal data (“Personal Data”), supplied or collected through the use of the website reachable at the URL: http://www.tooly.tips/ (“Website”).
1.2. Extended applicability to social networks. This Privacy Policy – as far as compatible – shall also be applicable to accounts, directly or indirectly, managed by the Controller on the main social network channels (“Social Channels”, such as, for example,, Facebook™, Twitter™, Instagram™, Google Plus™, etc.), in any way connected to the Controller.
1.3. Amendments. The Controller reserves the right to amend and update the Privacy Policy, as a result of any further additions and/or amendments of any national, E.U laws and regulations on personal data protection. For this reason, the Privacy Policy is published and marked with progressive identification numbers and month of publication, starting from the release of July 2017, marked by the identification number “00”. Any new release of the Privacy Policy shall be published on the Website as a replacement of the previous version and shall be valid and enforceable from the publication date, unless otherwise specified.
1.4. Applicable rules. The Controller processes Personal Data in accordance with (i) the provisions of the Personal Data Protection Code and all relevant principles herein specified, such as, in particular, the principles of legitimacy, fairness, proportionality and principles requiring that processing of personal data be relevant and not excessive to achieve the purposes for which said data are collected; (ii) the E.U. legislation, having particular regard to the Regulation, as directly applicable, and relevant principles, including, in particular, principles of accountability, privacy by design and privacy by default; (iii) guidelines issued by the Italian Data Protection Authority (“Data Protection Authority”).
1.5. Cookies. Cookies are small text files that, in the course of navigation within the Website, are sent to the Data Subjects’ terminal equipment, where Cookies are stored to be then re-transmitted to the Website during Data Subjects’ subsequent visits to the Website. For the information on Personal Data and on the information processed through cookies, all persons concerned are invited to read the Cookie Policy (“Cookies Policy”), reachable by the Website footer.
1.6. Cross-reference. This Privacy Policy supplements the provisions contained in the Warnings, in the General Conditions and in the Cookie Policy and in any other information messages published on the Website.
1.7. Definitions. In this document, the following terms generally indicated with a capital letter (whether they are singular or plural), save as otherwise specified herein, shall have the meaning set out in the Warnings and in the General Conditions.
- Data Subjects, services and scope of application
2.1. Data Subjects. The category of Data Subjects consists of: (i) tooly.tips’ customers, either natural or legal persons, organizations and associations, which have a business and professional relationship with tooly.tips and use the Website as a consequence of said relationships (“Customers”); (ii) simple internet users, who use the Website (“Visitors”). For convenience, in this Privacy Policy the expression “Customers” includes Vendors, Resellers and Users as defined in the Warnings.
2.2. Services provided by tooly.tips. Through the Website, tooly.tips offers:
a. as regards Customers, a B2B channel, providing, in particular, storage and assessment services as well as sale of software used in the context of Hospitality Technology;
b. as regards Visitors, contents of various nature on Hospitality (reviews, articles, webinars, infographics, market surveys, etc.).
2.3. Scope of application. tooly.tips is only liable for the processing of Personal Data, in relation to which it shall exercise its powers and carry out its duties and responsibilities in its capacity as Controller. The Controller is not able to exercise control over websites of third parties. The Privacy Policy shall not be deemed valid and enforceable for any processing made by third parties, including Customers, whose websites may be reached through connections and/or hyperlinks from the Website. Data Subjects are invited by the Controller to read privacy policies of third party websites, accessed through the Website, by browsing linked webpages, in order to understand the conditions applicable to the processing of personal data.
- Principles, source, nature and types of processed Personal Data.
3.1. Principles and assessment of processing. According to the principles of: data protection by design and by default (under section 25 of Regulation), accountability, data minimization and transparency (under section 5 of Regulation), the Controller, prior to processing and issuance of this Privacy Policy, has carried out an assessment on the type of processing operations to be made on Personal Data through the Website. Without prejudice to the provisions of the Cookie Policy, the assessment shows that: (i) in almost all cases, processing carried out by the Controller refers to Customers; (ii) processing of Personal Data of natural persons covers only common Personal Data of the same persons, as hereinafter specified; (iii) processing does not pose risks to the rights and freedom of Data Subjects; (iv) processing serves exclusively to provide services requested by Data Subjects and it is performed in accordance with the purposes set out hereinafter.
3.2. Source. The Controller processes Personal Data:
a. pertaining to Customers, found on the Internet or on public archives and/or directories or having an unrestricted access, such as, for instance, those directed by the Italian Chamber of Commerce;
b. voluntarily provided by legal representatives or contact persons of Customers by filling in the specific forms of the Website or sent to the Controller, in order to establish business and professional relationship;
c. voluntarily provided by Data Subjects, when signing up to the newsletter, publishing reviews and/or comments and requiring the Controller to provide information;
d. collected according to the Cookie Policy, by surfing the Website.
3.3. Exclusion of sensitive and special Personal Data. In addition to Personal Data covered by the Cookie Policy, the Controller processes common personal data (“Common Personal Data”) which are not comprised in the definition of sensitive data and/or judicial data as set out in the Personal Data Protection Code (under section 4 letters d and e) and in the definition of special categories of personal data of the Regulation (under section 9.1), as well as in the definition of data concerning health (under section 4.15) of the same Regulation (hereinafter jointly defined as “Special Data”). Data Subjects are invited to not send and communicate to Controller any Special Data. Special Data accidentally received shall be erased and/or removed or however anonymized.
3.4. Common Personal Data processed. Common Personal Data may consist of the following data, including but not limited to:
a. as regards Data Subjects: e-mail addresses, for the newsletter subscription, name and surname and e-mail addresses for communications sent to Controller, name and surname and e-mail addresses for publications of reviews and comments;
b. as regards Customers: name and surname of natural persons, including name and surname of representatives of legal persons, organizations and associations, by virtue of their powers to act as representatives or authorized contact persons, name and business name, tax code number, VAT number, residence for tax purposes, full references, physical and telephone numbers, facsimile and e-mail addresses, Postal Code Numbers, information needed to execute contracts, bank account details and data referred to payments.
3.5. Browsing data. The Controller processes hidden Data, collected in the course of browsing by Visitors, according to the Cookie Policy.
- Purposes of the processing. Consequences in case of failure to provide.
4.1. Purposes. The Controller processes Personal Data for the following purposes, as specified in the table hereinbelow (“Table”), in which is furthermore highlighted if an express consent to the processing of Personal Data is needed (or not):
|
Purposes
|
Consent
|
A
|
allow accomplishment of all formalities and fulfilment of obligations required by law, including but not limited to fiscal and administrative formalities and obligations
|
not required
|
B
|
provide, through the Website, services agreed with Customers by virtue of the business and professional relationships established with them;
|
not required
|
C
|
enable Data Subjects to publish reviews and comments and Tooly.tips to reply to communications sent by Data Subjects to the contact details published on the Website
|
not required
|
D
|
send to Data Subjects newsletters and informational, commercial and promotional material in relation to the Website’s functionalities, including DEM (Digital Email Marketing), questionnaires and surveys
|
required
|
4.2. Optional supply of personal data. The provision of Personal Data by Data Subjects is optional, with the sole exception of data needed to comply with legal obligations, it being understood that the refusal to provide said data entails the consequences set forth herein below. In any form to be filled in on-line is however specified the mandatory or optional nature of the provision of Personal Data. It is herein specified that in the on-line forms the symbol * identifies the mandatory Personal Data needed in the pursuit of purpose for which said data have been provided.
4.3. Refusal for processing. Any refusal to supply Personal Data deemed essential for providing the services offered through the Website or any objection, on legitimate grounds, to the processing of Personal Data already supplied, shall prevent tooly.tips from providing said services. In particular,
a. any failure to supply or any refusal to agree to the processing of the name, surname and e-mail address, shall prevent Data Subjects from receiving the newsletter, sending communications to the Controller and publishing reviews and comments on the Website;
b. any failure to supply or refusal agree to the processing of Personal Data needed to establish business and professional relationships with tooly.tips shall prevent Customers from using or continuing to use the services, by way of business, provided by tooly.tips through the Website.
4.4. Giving and withdrawal of consent. In relation to the purpose set out in the Table under letter D, the consent is deemed given by Data Subjects when they have checked the appropriate box in the registration or compilation form. Data Subjects may withdraw their own consent by sending a communication to the Controller, without any formal requirement, also by telephone; however, to facilitate all practices resulting from the withdrawal, including the deletion of the e-mail address from the mailing list, Data Subjects are invited to communicate their withdrawal, according to instructions given in every newsletter. The withdrawal of the consent for the purpose set out in the Table under letter D causes the interruption of processing.
- Persons in charge of the processing and processors
5.1. Controller and persons in charge of the processing. tooly.tips is the Controller of the processing of Personal Data as to the Website’s functionalities. Directors, shareholders, employees and independent collaborators of the Controller (independently from the contractual relation concerned) may process Personal Data in their capacity as designated persons in charge of the processing, according to section 30 of the Personal Data Protection Code. Persons in charge of the processing and processors shall be appropriately trained and duly empowered to allow access to Personal Data according the specific duties and tasks assigned and in compliance with the Privacy Policy.
5.2. Processors. The Controller may designate as processors – as per the Personal Data Protection Code – internal and external entities/individuals, including but not limited to (legal and tax) advisors and third companies (in particular, internet service providers and service providers). The complete list of all processors – if appointed – may be required by Data Subjects, by addressing a request to the Controller, to the e-mail address set out in section 7.1. of the Privacy Policy. According to the Regulation, the Controller is not obliged to designate processors.
5.3. Limitations. Persons in charge of the processing and processors shall be appropriately trained and duly empowered to allow access to Personal Data according to the specific duties and tasks assigned and in compliance with the Privacy Policy.
- Methods of processing and security measures.
6.1. Methods of processing. The Personal Data of Data Subjects are processed almost exclusively by automated procedures, by using computerized systems or in a limited number of cases through manual means, but in any case by adopting methods which are strictly related to the purposes for which data have been collected and anyway to guarantee their security, in accordance with section 11 of the Personal Data Protection Code.
6.2. Place of processing. Processing of Personal Data is made in the head offices of the Controller and/or – if appointed – of the processors (in particular, internet service providers and service providers). Personal Data of Data Subjects are collected in one or more electronic databases, hosted on the server located in Italy.
6.3. Personal Data storage times. Personal Data are stored for the period of time necessary to pursue the purposes for which said data have been collected, up to the withdrawal of the consent by Data Subjects (for instance, for the purpose of forwarding the newsletter), except for mandatory data which are stored within the limits laid down by law.
6.4. Dissemination and assignment. The Personal Data processed shall not be disseminated. Personal Data may not be assigned to third parties, without the relevant prior anonimization. The Controller may assign Personal Data of Customers which are not natural persons.
- Rights of Data Subjects as natural persons.
7.1. Rights. Data Subjects as natural persons may directly address to the Controller or the processor, if designated by the Controller, in order to enforce their rights according to Personal Data Protection Code (section 7, as fully set forth hereinbelow) and to the Regulation (sections 15, 16, 17) and, in particular, to access their own Personal Data, obtain updating and modification, object on legitimate grounds to the processing of their own Personal Data (with the effects provided by the Privacy Policy), by sending an e-mail to the address info@tooly.tips or, with specific regard to the newsletter, by clicking the “unsubscribe” button or following the instructions published on the Website.
7.2. Claim. Notwithstanding the above, according to sections 13 and 15 of the Regulation, Data Subjects as natural persons may lodge a claim with the Data Protection Authority, in order to enforce the above specified rights.
***
Legislative Decree June 30, 2003, n. 196
Section 7 (Right to Access Personal Data and Other Rights)
1. A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form.
2. A data subject shall have the right to be informed
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;
d) of the identification data concerning data controller, data processors and the representative designated as per Section 5(2); and
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.
3. A data subject shall have the following rights:
a) to obtain updating, rectification or, where interested therein, integration of the data;
b) to obtain erasure, anonymization or blocking of data that have been processed unlawfully,
including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;
c) to obtain certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part,
a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
a) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
Article 15
(Right of access by the data subject)
1.The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2.Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3.The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 4.The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. Section 3 Rectification and erasure
Article 16
(Right to rectification)
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Article 17
(Right to erasure ‘right to be forgotten’)
1.The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; 4.5.2016 L 119/43 Official Journal of the European Union EN (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). 2.Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. 3.Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims.