The following policy contains all the information needed to understand the purposes and methods of processing personal data of visitors to the websites of Passepartout S.p.A. (hereinafter referred to as "Siti Passepartout").
In the exercise of its business activity Passepartout S.p.A. reserves maximum attention to the protection of personal data of all those who work or interact with it (hereinafter referred to as "data subject" and / or "User" for the sake of brevity), implementing appropriate technical and organizational measures to guarantee a level of security adequate to the risk. In accordance with the principles of transparency and correctness, the following information is provided with this information in order to make all interested parties aware of the Passepartout website management methods with reference to the processing of Users' personal data by Passepartout SpA , and this also in compliance with the provisions of the San Marino law n. 171 of 21 December 2018 concerning the protection of individuals with regards to the processing of personal data (hereinafter referred to as "RSM Privacy Law") and, where applicable, by Regulation (EU) no. 2016/679 regarding the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (hereinafter referred to as "GDPR").
The processing of these data will take place in a lawful and correct manner, with the use of manual and / or automated systems that allow data to be stored, managed and transmitted solely for the purposes expressly specified below.
All databases and archives used by Passepartout S.p.A., are protected by specific and secure passwords and / or access keys exclusively to the knowledge of the employees and collaborators of Passepartout S.p.A., expressly authorized and involved in the process of protection of personal data.
This policy can always be accessed and consulted at the following address https://www.passepartoutsoftware.com/utility/privacy-policy .
II. DATA CONTROLLER, REPRESENTATIVE AND DATA PROTECTION OFFICER
The data controller is Passepartout S.p.A., a company governed by the laws of San Marino, mainly engaged in the production and distribution of software and related services, with headquarters in the Republic of San Marino in Dogana (Cap 47891) in Via Consiglio dei Sessanta n. 99. The company, is registered at the Register of Companies of the Republic of San Marino on August 6th 2010 under no. 6210, with Economic Operator Code n. SM03473, registered capital € 2,800,000 i.v. and can be contacted, for the purposes of this document, by e-mail at the following address email@example.com or via phone dialing number 800 414243(hereinafter also referred to as "Passepartout" for brevity).
Passepartout S.p.A. has designated as its representative in the European Union, pursuant to art. 27 of the GDPR, the company “Paci Rappresentante Privacy S.r.l”. registered with the Chamber of Commerce of Romagna, share capital € 10,000.00, based in Rimini, in P.tta Gregorio da Rimini n. 1, which can be contacted for the purpose of this document at the following e-mail address firstname.lastname@example.org or via phone dialing +39 0541 902128 (hereinafter referred to as "Representative" for brevity).
The Data Protection Officer (referred to in Chapter IV, Section 4 of the GDPR) designated by Passepartout S.p.A. can be contacted for the purpose of this document, at the following e-mail address email@example.com or via phone dialing number 800 414243.
III. PERSONAL DATA AND PROCESSING OF PERSONAL DATA
Personal Data means «all information related to an identified or identifiable natural person person (« data subject »); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity».
The processing of personal data means «any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data (or sets of personal data), such as, by way of example but not limited to, collection, the registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or "interconnection, limitation, cancellation or destruction».
 The definition of "personal data" is given in art. 2, paragraph 1, lett. a) of the RSM Privacy Law and art. 4, first paragraph, lett. a) of the GDPR.
 According to the provisions of letter b) paragraph 1 art. 2 of the RSM Privacy Law and paragraph 2) of art. 4 of the GDPR.
IV. PERSONAL DATA PROCESSING PLACE
The processing operations connected to the Passepartout Sites take place at the registered office of Passepartout as identified above and generalized.
V. DATA PROCESSING METHODS & TYPES
The personal data of the user visiting one of Passepartout’s websites could be the following and information is mainly collected according to one of the methods specified below.
a) Browsing Data
Computer systems and software procedures used to operate the Passepartout Sites acquire, during their normal operation, some personal data whose transmission is implicit in the use of internet communication protocols.
This information is not collected to be associated with specific individuals. Anyhow, because of nature, through processing and association with data held by third parties it could allow to identify users.
This data category includes the following browsing information:
IP addresses, domain names, browsing and any other data concerning the User’s interaction with the Passepartout Sites, for example, when viewing or searching for content, installing applications or software;
addresses in Uniform Resource Identifier (URI) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the answer received from the server (error, etc.) and other parameters related to the operating system and theIT environment of the User; data related to the devices and / or computers used by the User to access the Passepartout Sites, including the type of browser, unique device code, language, operating system, reference web page, visited pages, location and information about cookies, data on the computer and connection (for example, statistics on page views, incoming and outgoing website traffic, URL of origin);
name of the Internet service provider (ISP);
date and time of visit;
web page of origin and exit of the visitor;
possibly the number of clicks.
geo localization data, in particular through the use of mobile devices;
b) Data provided by the User
With the activation of specific features and / or services provided in the Passepartout Sites and upon the User's request (i.e. marketing activities, newsletters, purchase of Passepartout services, etc.). In addition to the above, the personal data collected from Passepartout SpA could also include:
(I) identifying information such as name, surname, date and place of birth, address, tax code, VAT number and registered office, ISS code, telephone number, e-mail address (also certified e-mail), username , password, gender, or other data that Passepartout is required or authorized to collect and process, in accordance with the current legislation, to authenticate or identify the User or to verify the information provided and collected.
(II) data related to invoicing (and shipment, if needed) the Passepartout Services;
(III) financial data as some Passepartout Services support payments and transactions with third parties. For this purpose, it may be necessary to provide certain data for the identification and verification of the identity of the person and payment method used, such as the name, surname, credit / debit card number, card expiry date. When such data is collected by Passepartout it will be saved only in encrypted form. In some cases, to allow the User to speed up payment transactions in the future, Passepartout may store the last four digits of the card number.
VI. Processing of special categories of personal data (so-called "sensitive data")
Particular categories of personal data such as data that reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, as well as processing of genetic data and biometric data intended to uniquely identify a natural person, data related to the health, sexual life or sexual orientation of the person are not required and collected in any way and therefore not treated by Passepartout.
The optional, explicit and voluntary activity of sending e-mails to the addresses indicated on the Passepartout Sites entails the subsequent acquisition of the sender's address, necessary to respond to his requests, as well as any other personal data included in the message. The explicit and voluntary optional registration through appropriate Web forms present on the Passepartout Sites, involves the subsequent acquisition of all data inserted in the fields by the User, necessary to reply to the requests made.
VIII. DATA PROCESSING PURPOSE AND METHODS
The processing of personal data by Passepartout takes place exclusively for the following purposes:
With reference to browsing data explained in the previous paragraph V sub a), Passepartout carries out processing activities in order to monitor the technical functioning and performance of the PPT Website, to understand how to improve and evolve the services offered. These data are necessary to guarantee the supply and usability of the Passepartout Sites.
The data referred to in the previous paragraph V, sub b), instead, are used by Passepartout according to the following:
(I) To offer the services related to the Passepartout contracts and the relative support.
Through the communicated information and data, Passepartout is able to perform the contractual agreements provided by the Passepartout Services requested by the Interested Party (also in the name and / or on behalf of third parties) or to implement measures and / or pre-contractual negotiations related to the same Passepartout Services, including administrative and accounting activities, management of tax obligations, payments and invoicing. The information collected will also be used to customize and improve the Passepartout Services, also offering the necessary technical support, to contact the User in relation to his account or in any case regarding his contractual position, to resolve problems of the account and / or of the reserved area, resolve a dispute and carry out debt collection activities. Personal data may also be processed to verify and resolve any operating anomalies of the Passepartout Services; to perform data analysis and testing, to conduct research and investigations and to develop new features and services in order to provide the user with a better experience.
(II) To offer security and protection to the personal data received and to Passepartout’s security systems.
Collected data is also used by Passepartout to: verify the identity and authenticate Users, make and / or receive payments, protect users against possible frauds and / or abuse, respond to a request or complaint, perform checks and apply Passepartout policies, prevent, detect, mitigate and / or ascertain security breaches and / or activities that are prohibited and / or illegal. These data could also be used to ascertain responsibility in the event of hypothetical cybercrimes against the Passepartout Website.
(III) To communicate with the interested party.
Data could be used to contact the User for the purposes contained in this document and in cases provided by law. Contact and communication could occur via e-mail (also certified e-mail), telephone, SMS, regular mail, push notifications on mobile devices and through the programs licensed under the scope of Passepartout Services.
Passepartout may therefore use the User's information to send service communications and / or respond to requests, to offer discounts and special promotions, to know opinions through surveys or questionnaires.
(IV) To perform marketing activities.
With the express and specific consent of the User to be provided according to the methods specifically indicated from time to time, Passepartout could use the information of the User to promote new features or new products or services to which he might be interested, carry out marketing activities through telephone calls, e-mails (also with certified e-mail) SMS, regular mail, push notifications on mobile devices, through the programs licensed under the scope of the Passepartout Services, as well as through third parties specifically appointed (i.e. Passepartout resellers specifically designated to distribute licenses for the use of its programs).
In any case, the User may revoke the express consent on marketing activities by following the appropriate instructions included in the tools used by Passepartout (eg newsletter, e-mail etc.) or by sending an email at firstname.lastname@example.org
The processing of personal data collected will be lawful and correct in accordance with the policies set forth by GDPR regulation, using manual or automated systems that allow to store, manage and transmit (both in paper and electronic format) such data only for the purposes specified in this document. Only personnel duly authorized by Passepartout (and under the responsibility of Passepartout) will be able to access the personal data collected.
IX. SOCIAL NETWORK PLUGIN
The collection and use of information obtained by means of the plugin are governed by the privacy policies of the social networks, please refer to it. Facebook Twitter Google+ Pinterest AddThis Linkedin
X. LEGAL BASIS OF DATA PROCESSING
The legal bases through which Passepartout processes personal data of the interested party are multiple and include:
(I) contracts signed or agreements to be concluded (with the interested parties) to make use of the Passepartout Services; as well as
(III) Passepartout's legitimate interests [with respect to which it is possible to make opposition pursuant to the following paragraph XII, sub i)], such as the interest (of Passepartout):
to prevent frauds;
to carry out direct marketing activities to improve, customize and develop the Passepartout Services;
to guarantee the provision of the Passepartout Sites, to improve, customize and develop the Passepartout Sites and to monitor their technical functioning and performance;
to carry out the marketing of new features or products that may be of interest to the User;
to promote data security and protection;
to carry out the processing of data within a group of companies or entities connected for internal administrative purposes, without prejudice to the general principles and regulatory requirements for the transfer of personal data within an entrepreneurial group also towards an enterprise located in another Country (including countries that are not part of the European Union).
Passepartout also has legitimate interest in the processing of personal data related to website traffic, to the extent which is strictly necessary and proportionate to ensure security of the network and information, meaning the ability of a network or an information system to resist, at a certain level of security, unforeseen events or illicit or malicious acts that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted and the security of the related services offered or made accessible through such networks.
Passepartout may collect additional personal data or integrate those already in its possession with other information collected by third parties (for example its suppliers, distributors, business partners), also using data and information of public domain, information collected through appropriate databases or further contact information, credit verification data and information related to solvency provided by the offices in charge, in compliance with the current legislation. Passepartout could also collect data through social media used by the User. In fact, when the User links his / her account to the social media site, the latter may authorize Passepartout to automatically access certain data in their possession. With this possibility, the interested party expressly provides Passepartout with access to sites and the various contents provided therein.
Processing of personal data as data controller. Passepartout may process personal data not as data controller but as responsible (and / or sub-responsible) for processing (pursuant to and for the purposes of Article 28 of the GDPR). In such cases, data processing would be done by Passepartout, on behalf of the data controller (subject other than Passepartout), according to the terms and conditions agreed with the data controller. In all the cases in which Passepartout will be in charge of taking on the responsibility of data processing, since Passepartout doesn’t have any relationship with the interested party, the data controller will remain exclusively in charge, in compliance with the current legislation, to fulfill all the services and / or in general all the prescriptions provided for by the same legislation regarding the interested party. The data controller must also take care of adequately informing the interested party of all the appropriate elements so that the latter can always have full and clear awareness of the activity carried out by Passepartout as data processor. Passepartout will perform in any case the duties of data processor in accordance with the provisions contained in the GDPR (and subsequent amendments and additions).
XI. CONDITIONS FOR SHARING INFORMATION WITH THIRD PARTIES
Personal data provided to Passepartout may be shared with third parties only in the following cases:
Consent of the interested party: the interested party may authorize Passepartout to share (or disclose) data with (and to) third parties, for example when using the Passepartout community (such as forums or other social tools) or when he has expressed his intention to be contacted by Passepartout and / or by the commercial partners or distributors of Passepartout for any need or clarification regarding the Passepartout Services.
Treatment by external entities. Personal data could also be shared:
within a group of entrepreneurial companies or entities connected to Passepartout for internal administrative purposes without prejudice to the general principles and regulatory requirements for the transfer of personal data within an entrepreneurial group, including company located in another country;
with Passepartout’s providers that process payments, personalize advertising, prevent, detect and verify potentially illegal acts to violate Passepartout Services; for invoice collection; consultancy, training and organization of events;
with third-party couriers (i.e. DHL, UPS, GLS, Poste Italiane etc.) with which PPT shares delivery addresses, contact information and shipment codes;
with suppliers of websites, applications, services and tools with which Passepartout collaborates for the provision of the Passepartout Services.
Need for justice, legal and / or general protection. Passepartout may keep or disclose personal data where necessary to meet the judicial requirements, for example, following a request made by an administrative authority, a control and / or supervisory authority or in the context of a judicial proceeding or, in any case, in compliance with law provisions, or in any case for the exercise of legal rights or for defense against complaints and / or legal actions or to prevent, detect or investigate illegal activities, frauds, abuses, violations of the subjective legal positions of Passepartout or where there are security threats, even just potential, of the Passepartout Services or the physical security of any person.
Data Center Passepartout. Passepartout will process and store personal data collected in the servers it possesses (including in the Republic of San Marino).
XII. DATA CONSERVATION PERIOD
The retention period of personal data is determined (or can be determined) according to the purpose or legal basis under which the processing should take place.
With reference to the browsing data referred to in the previous section, paragraph V, sub-lett. a), such data will be deleted a few hours after their processing.
Data referred to in the previous paragraph V sub-letter b), will be kept for the time necessary to fully perform the services required by the contract (including those closely connected to its termination).
In any case, data will be stored for a period of time not exceeding the greater of the two periods indicated below, corresponding to:
10 years from the termination of the Passepartout Services.
the maturation of the statute of limitations for the start of the actions and / or initiatives that Passepartout could experience to ascertain, exercise or defend a right in court as a result of and / or as a result of the contracts established or to be established (with the Interested Parties) that concern the Passepartout Programs and Services.
Personal data processed for marketing and commercial purposes will be retained until the interested party does not express his intention to withdraw consent for this purpose. It remains the case in which the interested party has expressed, for multiple reasons, consent for a longer period (in such case the retention period will correspond to the period allowed) or if Passepartout must satisfy his legitimate interests as identified above (in such case the retention period will correspond to the period required to satisfy such interests). It also remains the case in which the increase or decrease in the data retention period is required to meet judicial needs, for example to comply with a request from the administrative authority and / or supervisory authority or for the exercise and / or protection (by judicial and / or extrajudicial authorities) of rights or to defend oneself from complaints and / or legal actions. Once the retention period is over, personal data will be safely removed. Personal data processed for marketing and commercial purposes will be kept until the interested party has expressed the intention to revoke the consent expressed for this purpose.
XIII. RIGHTS OF THE INTERESTED PARTY
All interested parties whose personal data is processed by Passepartout, in accordance with the terms and conditions provided by the Privacy RSM Law and, where applicable, by the GDPR, may exercise the rights described below:
Right of access, rectification and deletion of data, limitation and opposition to the use of data and right to withdraw consent. Except for what provided above in terms of conservation, the interested party may, at any time, access his personal data, as well as update, modify, limit the processing or request its cancellation. If you choose to delete data, please note that although most of the information stored will be deleted within 60 (sixty) days, it may take up to 180 (one hundred and eighty) days to delete all data entered into the Passepartout systems depending on the size or complexity of the systems and procedures used. When the processing of data is subject to the consent issued by the interested party, this consent may be revoked at any time. You can therefore always oppose yourself to receiving newsletters and to the processing of your data for marketing and commercial purposes. The interested party may also oppose himself to the processing of his data even if this activity carried out for the legitimate interests of Passepartout. If asked to withdraw consent, limit the use of data or delete the personal data previously provided, Passepartout may no longer be able to provide Services and / or customer support. In any case, requests for data deletion are subject to current legal requirements and the conservation of documents required by laws or regulations.
Right to portability. The interested party has the right to receive his personal data in a structured, commonly used and readable format and has the right to transmit this data to another data controller.
Right to lodge a complaint. The interested party will always have the right to lodge a complaint with the competent Supervisory Authority, where he sees problems related to the use of his personal data. 
Reporting right . Anyone can send a notification to the Guarantor for the protection of personal data if they believe that there are violations of the Privacy Law RSM
Opposition right . Opposing the measure issued by the Guarantor Authority for the protection of personal data, including administrative sanctions  Passepartout or the interested party may file an opposition with a judicial appeal  The opposition does not suspend the execution of the provision.
Automated decision-making process. Passepartout can use automated profiling technologies in compliance with the current legislation. In any case, no automated decisions will be made on the interested party that could have significant consequences for him, except in circumstances in which such decision is necessary to execute a contract or because the User has expressly given his consent.
We also inform you that, if the data processing is based on explicit consent , the interested party has the right to revoke the consent at any time without prejudice to the lawfulness of the processing based on the consent before the revocation. If the interested party will need further assistance regarding their rights, they can contact our Data Protection Officer using the contact details provided in the upper paragraph II.
The exercise of the rights described above may be requested by sending an email to the following address: email@example.com.
 According to the art. 66 of the Privacy RSM Law and (in the cases referred to in article 3, paragraph 2, of the GDPR) of art. 77 of the GDPR.
 According to the art. 68 of the Privacy RSM Law.
 According to the provisions of art. 69 of the Privacy RSM Law.
 referred to in Articles 72 and 73 of the Privacy RSM Law.
 Pursuant to Article 70 of the Privacy RSM Law.
 See art. 8, paragraph 2, lett. a) of the Privacy Law RSM and (with reference to the cases referred to in Article 3, paragraph 2, of the GDPR) Article 9, paragraph 2, letter a) of the GDPR.
Passepartout does not process personal data of subjects under 16 years of age. If the User is under the age of 16, pursuant to art. 8, c. 1 of GDPR, he will have to legitimize his consent through the authorization of his parents or guardians.
XV. SECURITY MEASURES
The Passepartout Sites process the data of users in a lawful and correct manner, adopting the appropriate security measures to prevent unauthorized access, disclosure, modification and destruction of data.
Specifically, Passepartout has adopted and adopts organizational measures (distribution of roles and responsibilities in the execution of activities and controls), procedures and techniques (firewalls, antivirus and other advanced technologies) appropriate to protect data against loss, theft, as well as use, disclosure or unauthorized modification. Processing is carried out using IT and / or telematic tools, with organizational methods and procedures strictly related to the specified purposes.
In addition to the data controller, in some cases, categories of employees involved in the organization of the site (administrative, commercial, marketing, legal, system administrators) or external subjects (as suppliers of third-party technical services, couriers, hosting providers, IT companies, communication agencies) may have access to the data. The interested party may know in detail the methods and procedures used by Passepartout for this purpose in the appropriate section available at the following link: https://privacy.passepartout.sm/pdf/MisureTecnicheSicurezza_24_05_2018.pdf
XVI. TRANSFER OF PERSONAL DATA
Using international partners, Passepartout could transfer personal data of the interested party to countries outside the European Union, in compliance with the provisions of GDPR. The PPT Website may share some of the data collected with services located outside the European Union area. In particular, with Google, Facebook and Microsoft (LinkedIN) through social plugins and the Google Analytics service. The transfer is authorized and strictly regulated by Article 45, paragraph 1 of EU Regulation 2016/679, for which no further consent is required. The companies mentioned above guarantee their adherence to the Privacy Shield.
Third countries to whom personal data will be transferred may be subject to a legal system with privacy and data protection laws that differ from those of the country in which the interested party resides. Even in the event of data transfer, the interested party can always make use of the rights indicated in the above paragraph XII. Should Passepartout disclose personal data to third parties (for example regarding the services registered for), these will act as autonomous holders or will be appointed by Passepartout as responsible for data processing.
Any transfer of personal data to a third country and / or to an international organization will in any case take place in full compliance with the terms, methods and conditions provided:
by the Privacy RSM Law - to articles 46, 47, 48 and 50, - where the transfer contemplates, respectively, one of the hypotheses governed therein; as well as
from the GDPR - to articles 45, 46, 47 and 49, - where the transfer contemplates, respectively, one of the hypotheses governed therein.
XVI. COMPLETENESS AND MODIFICATIONS