I. PREFACE AND SCOPE OF APPLICATION
The following document contains all information needed to understand purposes and methods used to process the personal data of the Passepartout S.p.A. websites visitors (hereinafter referred to as "Passepartout websites").
In the exercise of its business activity, Passepartout S.p.A. pays maximum attention to the protection of personal data of all those who work with or interact with it (hereinafter referred to as "Users" or “interested party”), adopting for this purpose every suitable, adequate and necessary safety procedure.
Firmly believing in the principles of transparency and correctness, this document has been created to provide all interested parties with a complete description of how the Passepartout Sites are managed with regards to the processing of personal data of Users by Passepartout SpA, in accordance with the provisions of Regulation (EU) no. 2016/679 on the protection of individuals with regards to the processing of personal data, as well as the free movement of such data (hereinafter referred to as "GDPR").
II. DATA PROCESSOR
Passepartout S.p.A., (hereinafter also referred to as "Passepartout") a company governed by the laws of San Marino, mainly engaged in the production and distribution of software and related services, with headquarters in the Republic of San Marino in Dogana (Cap 47891) in Via Consiglio dei Sessanta n. 99. The company, is registered at the Register of Companies of the Republic of San Marino on August 6th 2010 under no. 6210, with Economic Operator Code n. SM03473, registered capital € 2,800,000 i.v. and can be contacted, for the purposes of this document, by e-mail at the following address firstname.lastname@example.org or via phone dialing number 800 414243.
Passepartout S.p.A. has designated as its representative in the European Union, pursuant to art. 27 of the GDPR, the company “Paci Rappresentante Privacy S.r.l”. registered with the Chamber of Commerce of Romagna, share capital € 10,000.00, based in Rimini, in P.tta Gregorio da Rimini n. 1, which can be contacted for the purpose of this document at the following e-mail address email@example.com or via phone dialing +39 0541 902128 (hereinafter referred to as "Representative" for brevity).
The Data Protection Officer (referred to in Chapter IV, Section 4 of the GDPR) designated by Passepartout S.p.A. can be contacted for the purpose of this document, at the following e-mail address firstname.lastname@example.org or via phone dialing number 800 414243.
III. PERSONAL DATA
Personal data includes all information concerning an individual, who is identified or identifiable by reference to elements such as name, ID card, physical, physiological or genetic traits, economic, cultural or social identity, as well as the details on his location.
IV. PERSONAL DATA PROCESSING PLACE
Data processing connected to the Passepartout Sites take place at the registered office of Passepartout as identified above.
V. DATA PROCESSING
The personal data of the user visiting one of Passepartout’s websites could be the following and information is mainly collected according to one of the methods specified below.
a) Browsing Data
Computer systems and software procedures used to operate the Passepartout Sites acquire, during their normal operation, some personal data whose transmission is implicit in the use of internet communication protocols.
This information is not collected to be associated with specific individuals. Anyhow, because of nature, through processing and association with data held by third parties it could allow to identify users.
This data category includes the following browsing information:
(I) IP addresses, domain names, browsing and any other data concerning the User’s interaction with the Passepartout Sites, for example, when viewing or searching for content, installing applications or software;
(II) addresses in Uniform Resource Identifier (URI) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the answer received from the server (error, etc.) and other parameters related to the operating system and theIT environment of the User; data related to the devices and / or computers used by the User to access the Passepartout Sites, including the type of browser, unique device code, language, operating system, reference web page, visited pages, location and information about cookies, data on the computer and connection (for example, statistics on page views, incoming and outgoing website traffic, URL of origin);
(III) name of the Internet service provider (ISP);
(IV) date and time of visit;
(V) web page of origin and exit of the visitor;
(VI) possibly the number of clicks.
(VII) geo localization data, in particular through the use of mobile devices;
b) Data provided by the User
With the activation of specific features and / or services provided in the Passepartout Sites and upon the User's request (i.e. marketing activities, newsletters, purchase of Passepartout services, etc.). In addition to the above, the personal data collected from Passepartout SpA could also include:
(I) identifying information such as name, surname, date and place of birth, address, tax code, VAT number and registered office, ISS code, telephone number, e-mail address (also certified e-mail), username , password, gender, or other data that Passepartout is required or authorized to collect and process, in accordance with the current legislation, to authenticate or identify the User or to verify the information provided and collected.
(II) data related to invoicing (and shipment, if needed) the Passepartout Services;
(III) financial data as some Passepartout Services support payments and transactions with third parties. For this purpose, it may be necessary to provide certain data for the identification and verification of the identity of the person and payment method used, such as the name, surname, credit / debit card number, card expiry date. When such data is collected by Passepartout it will be saved only in encrypted form. In some cases, to allow the User to speed up payment transactions in the future, Passepartout may store the last four digits of the card number.
Processing of special categories of personal data (so-called "sensitive data")
Particular categories of personal data such as data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, as well as processing of genetic data and biometric data intended to uniquely identify a natural person, data related to the health, sexual life or sexual orientation of the person are not required and collected in any way and therefore not treated by Passepartout.
The optional, explicit and voluntary activity of sending e-mails to the addresses indicated on the Passepartout Sites entails the subsequent acquisition of the sender's address, necessary to respond to his requests, as well as any other personal data included in the message. The explicit and voluntary optional registration through appropriate Web forms present on the Passepartout Sites, involves the subsequent acquisition of all data inserted in the fields by the User, necessary to reply to the requests made.
VII. DATA PROCESSING PURPOSE AND METHODS
The processing of personal data by Passepartout takes place exclusively for the following purposes:
With reference to browsing data explained in the previous paragraph V sub a), Passepartout carries out processing activities in order to monitor the technical functioning and performance of the PPT Website, to understand how to improve and evolve the services offered. These data are necessary to guarantee the supply and usability of the Passepartout Sites.
The data referred to in the previous paragraph V, sub b), instead, are used by Passepartout according to the following:
(I) To offer the services related to the Passepartout contracts and the relative support.
Through the communicated information and data, Passepartout is able to perform the contractual agreements provided by the Passepartout Services requested by the Interested Party (also in the name and / or on behalf of third parties) or to implement measures and / or pre-contractual negotiations related to the same Passepartout Services, including administrative and accounting activities, management of tax obligations, payments and invoicing. The information collected will also be used to customize and improve the Passepartout Services, also offering the necessary technical support, to contact the User in relation to his account or in any case regarding his contractual position, to resolve problems of the account and / or of the reserved area, resolve a dispute and carry out debt collection activities. Personal data may also be processed to verify and resolve any operating anomalies of the Passepartout Services; to perform data analysis and testing, to conduct research and investigations and to develop new features and services in order to provide the user with a better experience.
(II) To offer security and protection to the personal data received and to Passepartout’s security systems. Collected data is also used by Passepartout to: verify the identity and authenticate Users, make and / or receive payments, protect users against possible frauds and / or abuse, respond to a request or complaint, perform checks and apply Passepartout policies, prevent, detect, mitigate and / or ascertain security breaches and / or activities that are prohibited and / or illegal.
(III) To communicate with the interested party. Data could be used to contact the User for the purposes contained in this document and in cases provided by law. Contact and communication could occur via e-mail (also certified e-mail), telephone, SMS, regular mail, push notifications on mobile devices and through the programs licensed under the scope of Passepartout Services.
Passepartout may therefore use the User's information to send service communications and / or respond to requests, to offer discounts and special promotions, to know opinions through surveys or questionnaires.
(IV) To perform marketing activities. With the express and specific consent of the User to be provided according to the methods specifically indicated from time to time, Passepartout could use the information of the User to promote new features or new products or services to which he might be interested, carry out marketing activities through telephone calls, e-mails (also with certified e-mail) SMS, regular mail, push notifications on mobile devices, through the programs licensed under the scope of the Passepartout Services, as well as through third parties specifically appointed (i.e. Passepartout resellers specifically designated to distribute licenses for the use of its programs).
In any case, the User may revoke the express consent on marketing activities by following the appropriate instructions included in the tools used by Passepartout (eg newsletter, e-mail etc.) or by sending an email.
The processing of personal data collected will be lawful and correct in accordance with the policies set forth by GDPR regulation, using manual or automated systems that allow to store, manage and transmit (both in paper and electronic format) such data only for the purposes specified in this document. Only personnel duly authorized by Passepartout (and under the responsibility of Passepartout) will be able to access the personal data collected.
VIII. SOCIAL NETWORK PLUGIN
The collection and use of information obtained by means of the plugin are governed by the privacy policies of the social networks, please refer to it.
IX. LEGAL BASIS OF DATA PROCESSING
The legal bases through which Passepartout processes personal data of the interested party are multiple and include:
(I) contracts or agreements to be concluded (with the interested parties) to make use of the Passepartout Services; as well as
(III) Passepartout's legitimate interests [with respect to which it is possible to make opposition pursuant to the following paragraph XII, sub i)], such as the interest (of Passepartout):
to prevent frauds;
Passepartout also has legitimate interest in the processing of personal data related to website traffic, to the extent which is strictly necessary and proportionate to ensure security of the network and information, meaning the ability of a network or an information system to resist, at a certain level of security, unforeseen events or illicit or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted and the security of the related services offered or made accessible through such networks .
(IV) data collected from third parties or through other sources; Passepartout may collect additional personal data or integrate those already in its possession with other information collected by third parties (for example its suppliers, distributors, business partners), also using data and information of public domain, information collected through appropriate databases or further contact information, credit verification data and information related to solvency provided by the offices in charge, in compliance with the current legislation. Passepartout could also collect data through social media used by the User. In fact, when the User links his / her account to the social media site, the latter may authorize Passepartout to automatically access certain data in their possession. With this possibility, the interested party expressly provides Passepartout with access to sites and the various contents provided therein.
V) Processing of personal data as data controller. Passepartout may process personal data not as data controller but as responsible (and / or sub-responsible) for processing (pursuant to and for the purposes of Article 28 of the GDPR). In such cases, data processing would be done by Passepartout, on behalf of the data controller (subject other than Passepartout), according to the terms and conditions agreed with the data controller. In all the cases in which Passepartout will be in charge of taking on the responsibility of data processing, since Passepartout doesn’t have any relationship with the interested party, the data controller will remain exclusively in charge, in compliance with the current legislation, to fulfill all the services and / or in general all the prescriptions provided for by the same legislation regarding the interested party. The data controller must also take care of adequately informing the interested party of all the appropriate elements so that the latter can always have full and clear awareness of the activity carried out by Passepartout as data processor. Passepartout will perform in any case the duties of data processor in accordance with the provisions contained in the GDPR (and subsequent amendments and additions).
X. CONDITIONS FOR SHARING INFORMATION WITH THIRD PARTIES
Personal data provided to Passepartout may be shared with third parties only in the following cases:
(I) Consent of the interested party: the interested party may authorize Passepartout to share (or disclose) data with (and to) third parties, for example when using the Passepartout community (such as forums or other social tools) or when he has expressed his intention to be contacted by Passepartout and / or by the commercial partners or distributors of Passepartout for any need or clarification regarding the Passepartout Services.
(II) Treatment by external entities. Personal data could also be shared:
within a group of entrepreneurial companies or entities connected to Passepartout for internal administrative purposes without prejudice to the general principles and regulatory requirements for the transfer of personal data within an entrepreneurial group, including company located in another country;
with Passepartout’s providers that process payments, personalize advertising, prevent, detect and verify potentially illegal acts to violate Passepartout Services; for invoice collection; consultancy, training and organization of events;