Data Protection Policy
This policy is an information notice given pursuant to Article 13 of Regulation (EU) No 2016/679 (general data protection regulation, hereinafter the “GDPR”) by Business Service Milano S.r.l. (B.S.M.), with a sole shareholder, with registered office in Milan, via Donatello n. 38, VAT NUMBER 05818750969, data controller for the website “https://www.cplace.it” (in the following the “Website”). The data controller can be contacted also via email at the address firstname.lastname@example.org.
This information notice is addressed to subjects who access the Website, both through PCs or mobile devices (the “Data Subjects”). Other websites, if any, accessible by means of hyperlinks inserted in the Website are not covered by this information notice. In the event that Data Subjects access such websites by means of hyperlinks, the relevant processing will be performed in full autonomy by the data controllers thereof. B.S.M. does not assume any liability for the abovementioned processing.
The Data Subject may browse the Website to obtain information on the various spaces, called “CPlace”, made available by B.S.M. (hereinafter the “Spaces”), without the need to actively communicate his/her personal data. If he or she so wishes, the Data Subject may communicate his or her data using the appropriate functions on the Website in order to get in contact with the Data Controller.
The data processing will be carried out by B.S.M. ., as independent data controller and/or by the data processors, if any, appointed from time to time by the same and/or by persons authorised to perform processing activities by B.S.M. and/or by data processors.
1. PROCESSING OF BROWSING DATA
The IT systems and software procedures used to operate the Website acquire, during their normal operation, some personal data of the Data Subject whose transmission is implicit in the communication protocols of the Internet.
This is information that is not directly associated with identified users, but which by its nature could, through processing and associations with data held by third parties, allow the identification of such users.
This category of data includes IP addresses or domain names of computers used by users connecting to the Website, URIs (Uniform Resource Identifiers) of requested resources, information about access, information about location, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error, etc..), information about the user’s visit including clickstream URL data, within and from the Website, the duration of the visit to certain pages and the interaction on those pages and other parameters related to the operating system and computer environment of the user.
The data collected during the browsing of the Website by the Data Subject are processed in order to (i) manage the Website and resolve any functioning problems, (ii) ensure that the content of the Website is presented in the most effective way for the Data Subject and his/her devices, developing, testing and making improvements to the Website, (iii) as far as possible, to keep the Website safe and protected, (iv) to obtain anonymous statistical information on the use of the Website and to control its correct functioning, (v) to identify anomalies and/or abuses in the use of the Website. The data could also be used to ascertain liability in the event of possible IT crimes committed against the Website or third parties and may be disclosed to judicial authorities, if they expressly request so. Except in the latter case, data are currently stored for a maximum period of twelve months. Such processing activities are lawful, since there is a legitimate interest of the Data Controller and they do not breach the fundamental rights and freedoms of the Data Subjects.
2. PROCESSING OF DATA COMMUNICATED USING THE FUNCTIONALITIES OF THE WEBSITE
The Data Subject wishing to do so may communicate his or her personal data to the Data Controller by means of special functions on the Website. The communication of data marked with an asterisk is mandatory in order to be contacted by B.S.M., therefore failure to communicate such data makes it impossible to continue with the request.
The Data Subject may contact B.S.M. by filling in and sending the form in the “contact” section. The contact data of the Data Subject collected through this function will be processed by the Data Processor exclusively in order to respond to the submitted requests. Such processing is lawful as it is based on the legitimate interest of the Data Controller to respond to the requests received.
Moreover, by sending the form specifically filled in with the e-mail address, the Data Subject can subscribe to the “Cplace” newsletter, with which the Data Controller will inform about the events and activities carried out in the Spaces. Such data are processed by B.S.M. in order to subscribe the interested party to the newsletter service and send it to him/her, such processing is lawful as it is necessary in order to comply with the Data Subject’s subscription request.
Finally, the Data Subject can send B.S.M. his request to reserve one of the Spaces present on the Website through the “Reservation” function. The communicated data are processed by B.S.M. in order to verify the Data Subject’s request, including the availability of the Space(s), to provide further information and to carry out all the activities necessary for the possible execution of the agreement for the use of the Space(s). Such processing is lawful since it is necessary for the execution of the pre-contractual measures requested by the Data Subject, as well as necessary for the pursuit of the legitimate interest of the Data Controlar to communicate with the Data Subjects who contacts him on behalf of a third party interested in the Space(s).
3. MODALITIES OF PROCESSING
Processing activities are performed through IT devices in the manner necessary to pursue the purposes for which data were collected.
The processing of data is carried out using procedures that protect their confidentiality and will consist of its collection, recording, organisation, storage, interrogation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction, including the combination of two or more of the above activities. The data will also be processed with IT and electronic tools and stored with the adoption of appropriate security measures in accordance with the provisions of current laws and regulations, in order to reduce the risk of data destruction or loss, also accidental, unauthorized access, or processing not authorised or not in accordance with the purposes of collection. The security measures will be adapted over time in accordance with the law and with technical developments in the sector.
4. DISCLOSURE AND DISSEMINATION OF DATA
B.S.M. does not disseminate the data of the Data Subject. However, the processing of data may involve the disclosure of data to third parties, other than employees and collaborators of B.S.M. authorised to perform processing activities.
In carrying out the data processing activities described in this information notice, B.S.M. also avails itself of the cooperation of specialised third parties, who may become aware of the data, including for example IT (e.g. data hosting, system protection services), telematics and storage service companies, to whom tasks or services of a technical or organizational nature are entrusted, and who act as data processors of B.S.M. or independent data controllers.
The recipients of data are all located within the European Economic Area (“EEA”).
The data processors appointed by B.S.M. and the employees and collaborators authorised to process data will be given adequate instructions, with particular reference to the adoption of adequate security measures, in order to ensure the confidentiality and security of the data. In any case, only those personal data necessary for the performance of their specific tasks will be disclosed to them. The data processors contractually undertake to ensure compliance with current legislation aimed at the protection of the personal data of Data Subjects and to adopt all the necessary measures for the adequate protection of Data Subjects’ data.
5. DATA RETENTION
Data are processed for the following periods of time:
a) data collected for the purposes mentioned under sect. 2 a) and c) of this data protection notice are stored by the Data Controller for a maximum period of 12 months as from the last contact with the Data Subject and then deleted;
b) data collected for the purposes mentioned under sect. 2 b) of this data protection notice are stored by the Data Controller for a maximum period of 24 months from its collection and then deleted.
B.S.M. points out that, in the event that the Data Subject, or the third party for which the Data Subject acts, should execute an agreement for the use of the Space(s), any personal data processed for this porpoise shall be object of a specific data protection notice, and the retention periods mentioned therein shall apply to such data.
6. DATA SUBJECTS’ RIGHTS
The Data Subject can exercise the following rights vis-à-vis B.S.M.:
a) right to access:
The Data Subject may ask, at any time, which data concerning him/her are being processed by B.S.M., the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom data are disclosed, the period of retention or the criteria used to determine this period and their origin if the data are not collected from the Data Subject.
b) right to rectification:
The Data Subject may request the rectification of inaccurate data or, taking into account the purposes of the processing, the completion of incomplete personal data, as provided for by Article 16 of the GDPR.
c) right to erasure and right to be forgotten:
The Data Subject may request the erasure of data processed by B.S.M. in the cases provided for by Article 17 of the GDPR, e.g. when personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. B.S.M., however, will not proceed with the cancellation of the data if the processing is necessary to comply with a legal obligation to which B.S.M. is subject (e.g. keeping of accounting records) or if it is necessary for establishing, exercising or defending a right in court.
d) right to restriction of processing:
The Data Subject may request that data processing be restricted, in the cases provided for by Article 18 GDPR, for example when the data subject contests the accuracy of personal data, for the period necessary for B.S.M. to verify the accuracy of such data.
e) right to data portability
Upon request of the Data Subject, B.S.M. will deliver to the Data Subject the data concerning him/her processed by automated means, in a structured, commonly used and machine-readable format. However, this right is limited to data processed by B.S.M. for the execution or performance of a contract with the Data Subject, or on the basis of his/her consent. If technically feasible, and if the Data Subject requests so, B.S.M. will transmit the data directly to another data controller.
f) right to object:
• The Data Subject has the right to object, at any time, to the processing of data, including profiling, which takes place on the basis of the legitimate interest; this right is however provided only for reasons related to the particular situation of the data subject, who must declare them. In case of objection, B.S.M. may continue the processing if it demonstrates the existence of compelling legitimate grounds to proceed with the processing that prevail over the interests, rights and freedoms of the Data Subject or (ii) to establish, exercise or defend a right in court.
• The Data Subject also has the right to object at any time to the processing of his/her personal data for direct marketing purposes, including profiling linked to such direct marketing.
g) right to lodge a complaint:
The Data Subject who believes that the processing of data carried out by B.S.M. breaches the applicable legislation on the protection of personal data has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali).