Information on the processing of personal data Customers and Users

Art. 13 e 14 of the New European Regulation 2016/679 concerning the protection of natural persons about the processing of personal data (GDPR)

Pegaso Control System srl (owner of the brand “Fotosmile”), based in Via A. Fleming 4/A, 37036 San Martino Buon Albergo Verona (VAT number: 02516100233), in quality of the Owner of the processing of data collected, in accordance with Article 13 of the General Data Protection Regulation of the EU n. 679/2016 (hereinafter “Regulation” or “GDPR”), encourages you to read carefully the following information on the processing of personal data provided to Pegaso Control System srl.

We wish to inform you that your personal data that we have received are subject, on our part, to treatment whether in paper or electronic form for the purposes described below, and we submit for your approval the privacy policy prepared by the Company. This information may be integrated by the owner of the processing of data if any additional services requested by you may result in further treatment.

 

1)    The owner and the party in charge of personal data processing

The owner of your data is Pegaso Control System srl. (hereinafter referred to as “Company” or “Pegaso” or “Fotosmile”), based in Via A. Fleming 4 / A, 37036 San Martino Buon Albergo Verona (VAT number: 02516100233) (telephone contacts: + 39 045 994499, email: privacy@fotosmile.com).

In this role, it is responsible for ensuring the application of organizational and technical measures that are necessary and adequate for the protection of your data. The Company has identified a Privacy Focal Point; i.e. a person who collaborates with the owner of the processing of data in applying the identified protection measures has been appointed.

This subject may be contacted for questions concerning the processing of his/her data, at the following e-mail address: privacy@fotosmile.com

 

2)    Information about the processing of personal data

a.    The source of the personal data

Your personal data are collected by Pegaso Control System S.r.l. Some examples of these data are: your name, surname, address, fiscal code, telephone number, e-mail address, IP internet address, location of the device that connects to the network and Company’s website.

b.    Purposes and legal basis of the processing of personal data

The processing of your personal data will be carried out in accordance with the current legislation on Privacy and for the purposes described below. Therefore, the Company undertakes to treat the data according to the principles of accuracy, lawfulness, transparency, and in compliance with the purposes set out below, and to collect them in the necessary and correct way.

 

3)    Use of the processing of personal data

The processing of your personal data is necessary for the acquisition of information which are preliminary to the conclusion of a contract that will be stipulated with the owner of the processing of data and for the improvement and execution of the contract that foresees the provision of the service.

Nature of the conferment: Mandatory

Consequences of the refusal to provide data: failure to provide the data shall entail the impossibility for the company to satisfy your pre-contractual/contractual requests and to perform the contract.

Minimum measures for data protection:  data on paper documents are protected against the risk of intrusion and kept in an environment with limited access to the authorized personnel only. The digitized data are protected from the risk of dispersion and/or intrusion using suitable electronic systems and software that can guarantee their integrity.

Retention period of personal data:  your personal data will be processed actively during the time necessary to manage the existing relationship and/or the execution of the contract. The information collected for the evaluation of the conclusion of the contract, in case of non- completion, will be cancelled within 12 months.

 

4)    Legal obligations

It means to fulfil the obligations established by law, regulations, community legislation (for example, antimoney laundering and anti-terrorism legislation, supervisory provisions for financial intermediaries, etc.). It is mandatory to provide the personal data for these purposes, and the processing of the data, including communication, does not require the consent of the customer. Any refusal to supply these data would imply for Pegaso the impossibility of management, execution and/or conclusion of the contract.

All the purposes strictly related and instrumental to the management and implementation of obligations arising from contractual and pre-contractual relationships established with Pegaso, including the necessary preliminary verifications of the communicated data. It is mandatory to provide the personal data for these purposes, and the processing of the data, including communication, does not require the consent of the customer. Any refusal to supply the data would imply for Pegaso the impossibility of management, execution and/or conclusion of the contract.

Data will be processed in paper form and through IT tools with security and confidentiality profiles suitable to guarantee security and confidentiality and to prevent unauthorized access to personal data.

The processing of personal data for the purposes mentioned above will be carried out in accordance with the provisions of the Regulation mentioned above.

 

5)    Nature of Data processing

We remind you that the processing of your data, for the purposes identified in section 4 and 5 of the “purpose of the processing of” is mandatory for the performance of the respective processing purpose; any refusal to supply the data or the incorrect communication of one of the necessary information will have the following consequences: a) in the case of the establishment of a contractual relationship, the impossibility for the owner of the data processing to guarantee the processing consistency, whether written or oral, in relation to or for which it was provided; b) the possible lack of correspondence of the data treatment results with fiscal, administrative or business obligations for which it was required.

The provision of additional personal data not directly required by law or other legislation may still be necessary if such personal data are connected or instrumental to the establishment, implementation or continuation of the contract; in this case, the refusal to supply those data could lead to the inability to correctly execute the existing relationship.

 

6)    Methods of processing and storage period for data

The data will be processed using manual, computerized and telematic or automated tools, with logics that are strictly related to the purposes and to ensure the security and confidentiality of data, with special regard to the use of remote communication techniques.

The processing of the data will take place with appropriate tools that will ensure the security and confidentiality of data, in compliance with the provisions of Chapter II (Principles) and Chapter IV (Data Controller and controller) of the Regulation.

The processing of the data may also be performed through automated tools in order to store, manage or transmit the data and, in any case, it will be executed in compliance with the provisions of the Regulations.

  1. Minimum data protection measures: Data on paper documents are protected against the risk of intrusion and stored in an environment with access restricted only to authorized personnel. The digitized data are protected from the risk of dispersion and/or intrusion using suitable electronic instruments and software to guarantee their integrity.
  2. Retention period for the personal data: your personal data will be processed for this purpose during the time necessary to fulfil the legal obligations required by current legislation. In this regard, your personal data will be stored for 10 years from the termination of the contract or, if in a subsequent period, from a binding decision issued by a competent authority (for example, a sentence of the court), without prejudice to any retention obligation related to categories of data, for longer periods of time, required by the legal system.

With particular reference to the acquisition of photos and videos on ride:

  • They can reside in local servers that are in the points of sale inside the parks. Every picture taken but not purchased is automatically deleted the day after its acquisition through an automated process.
  • All the photos with augmented reality that are purchased will be available for 60 (sixty) days on a server managed by a temporary storage platform. This server is reserved for Fotosmile and its management complies with the regulations of this document.
  • For all the photos purchased through the “web show” service, photos that guarantee to download the multimedia content, the data are stored in a server managed by a dedicated company based in Italy. The retention period for the personal data is 30 (thirty) days and the server is reserved for Fotosmile and it is managed through a dedicated platform.
  • For Videos through server managed by a web server platform. Purchased video will be stored for 30 (thirty) days and then they will be cancelled. Those video that will not be purchased, will be automatically canceled after 24 hours.
  • At the end of this period, all data will be deleted automatically (in accordance with applicable regulations) or shall be made anonymous permanently.

We also collaborate with cloud services providers of third parties for the provision of hosting and data storage services and other type of services, in accordance with standard terms and conditions that may not be marketable. These services providers operate in accordance with all the security measures that they consider appropriate to protect the information contained in their system or at least they are of good reputation as to guarantee the application of those measures. However, we disclaim any responsibility (to the maximum extent permitted by applicable law) for damage that may result from the improper use of any information, including personal data, by these companies.

In order to guarantee the safety, Pegaso may use geolocation functions to trace the location of an IP address and the location from which a computer connects to Fotosmile network and website.

 

7)    Our FOTOSMILE App

When using our App, you agree to all the terms and conditions contained in this document and related to the use of the App. If users decide to activate or sign the receipt of notification, they also accept to receive push notifications. The users allow the App to use the localization services. In this way, the App may suggest some information according to users’ geographic location.

 

8)    Data processing related to the operation of this site

Dati di navigazione

During their normal operation, IT systems and software procedures used to operate this website acquire some personal data whose transmission is implicit in the communication protocols of the Internet. It concerns information that is not collected to be associated with specific individuals, but by their own very nature could enable the identification of the customers by processing and associating data of third parties. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, URI addresses (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the dimension of the file obtained in reply, the numerical code indicating the status of the response from the server (success, error, etc.) and other parameters related to the users’ operating system and their IT environment.

 

Purpose and legal basis of the processing
(GDPR-Art.13, sect. 1, lett.c)
These data are used only to obtain anonymous statistical information on the Site and to check its correct functioning. The data could also be used to ascertain responsibility in case of hypothetical computer crimes against the site (legitimate interests of the owner).
Area of communication
(GDPR-Art.13, sect. 1, lett.e,f)
Data can be processed only by internal personnel, who is regularly authorized and instructed to the treatment (GDPR-Art. 29), or by any person responsible for maintaining the web platform (defined, in this case, as external managers). Data will not be disclosed to other parties, disseminated or transferred to non-EU countries. If an investigation is carried out, they can be made available to the competent authorities.
Retention period for the personal data
(GDPR-Art.13, sect. 2, lett.a)
Data are usually stored for short periods of time, except for any extension connected to investigations.
Provision of data
(GDPR-Art.13, sect. 2, lett.a)
Data are not provided by the interested party, but they are automatically acquired by the technological systems of the site.

 

Cookies

In some cases, Fotosmile uses cookies. A cookie is a very small text document that can be sent from a website to your browser. Fotosmile’s server uses the “cookies” function to store a temporary information on the visitor’ s client to avoid repeating the procedure at any access.

Some elements of connection with Social Network may use cookies: the owner of the data shall not be aware in any case any information managed by these cookies.
Fotosmile website uses Google Analytics service to obtain aggregate statistical data on the traffic generated by visitors. Users can decide freely not to allow the storage of data relating to their visits using the deactivation functions that Google makes available.

 

Newsletter subscription

 

Fotosmile websites can provide a newsletter service, which provides interested parties with useful information related to the topics discussed.

 

Purpose and legal basis of the processing
(GDPR-Art.13, sect. 1, lett.c)
Only the e-mail address is requested, for the sole purpose of sending the newsletter. Registration is subject to acceptance of specific, free and informed consent (GDPR-Art.6, sect., lett.a)
Area of communication
(GDPR-Art.13, sect. 1, lett.e,f)
Data are processed exclusively by authorized and trained personnel (GDPR-Art.29), or by any persons responsible for the maintenance of the web platform or for sending the newsletters (defined, in this case, as external managers). Data will not be disclosed or transferred to non-EU countries.
Retention period for the personal data
(GDPR-Art.13, sect. 2, lett.a)
Data are stored until the possible “unsubscription” of the users, that can be carried out at any time through the link situated at the bottom of each message sent.
Provision of data
(GDPR-Art.13, sect. 2, lett.f)
A failure to provide the email address and consent will make it impossible to obtain the newsletter service.

 

User registration

 

Some Fotosmile sites give to the user the possibility to sign up, in order to get access to reserved sections where they can use specific services.

 

Purpose and legal basis of the processing
(GDPR-Art.13, sect. 1, lett.c)
Data necessary for the creation of the profile and the administrative/operational management are requested. The treatment of personal data is carried out in accordance with legal obligations (GDPR-Art.6, paragraph 1, letter b, c). It is also requested a specific, free and informed consent (GDPR-Art.6, comma1, lett.a), documented through a special check-box (GDPR- Art.7, comma1).
Area of communication
(GDPR-Art.13, sect. 1, lett.e,f)
Data are processed exclusively by authorized and trained personnel (GDPR-Art.29). Data will not be disclosed or transferred to non-EU countries.
Retention period for the personal data
(GDPR-Art.13, sect. 2, lett.a)
Data are stored for a period compatible with the purpose of the collection. Data will be stored until any request for cancellation by the user.
Provision of data
(GDPR-Art.13, sect. 2, lett.f)
A failure to provide data will make it impossible to complete the registration or access to restricted areas.

 

Data provided voluntarily by the User

 

The optional, explicit and voluntary dispatching of electronic and/or ordinary mail to the addresses indicated in this website entails the subsequent acquisition of the sender’s address, which is necessary in order to reply to the requests, and also any other personal data contained in the message. If the senders decide to send their curriculum in order to submit their professional application, they are the only responsible for the relevance and accuracy of the data that they have sent. Any curriculum without the authorization to process personal data will be immediately deleted. It should be remembered that any information sent to a newsgroup or a forum, shall be considered as public information. In this type of communication there is the possibility that such information is detected and used by others. Please, pay attention during the online sessions.

 

9)    Transfer of data abroad

Personal data will be managed and stored in servers of the owner and/or third-party, called data controller, situated within the European Union. Currently the servers are situated in Europe.

Our e-mail is served through Microsoft Office 365 platform. All the security and IT information related to the use of the e-mail shall be kept confidentially. Personal data of individuals will never be transmitted to third parties, unless it is necessary to solve a specific request of the interested party. In these circumstances, Fotosmile will seek the explicit consent before taking any action. Fotosmile will not add any email address to any mailing list or subscription service, unless the individual explicitly requests it.

Data will not be transferred outside the European Union. In any case, it is understood that the owner of the data, if necessary, will be entitled to move the location of the servers within the European Union and/or in non-EU countries.

In this case, the data owner ensures that the transfer of Extra-EU data will take place in accordance with Articles 44 ss. of the Regulations and the applicable law provisions. The data owner will also stipulate agreements, if necessary, that guarantee an adequate level of protection.

 

10)    Right of the data subject

Regarding the treatments described in this Privacy Policy, as required by the European Regulation 679/2016, as data subject, you have the rights described in the Articles 15 -21 and, in particular:

  • Right of access – Article 15 GDPR: the right to obtain the confirmation as to whether or not personal data relating to the data subject are being processed and, in this case, to obtain access to personal data.
  • Right of rectification – Article 16 GDPR: the right to obtain, without undue delay, the correction of any inaccurate personal data and/or the integration of incomplete personal data;
  • Right to cancel (right to be forgotten) – Article 17 GDPR: right to obtain, without undue delay, the cancellation of personal data.
  • Right to limitation of treatment – Article 18 GDPR: right to obtain limitation of treatment, when:
  1. The concerned person contests the accuracy of the data, for the period that the owner needs to verify the accuracy of such data;
  2. The treatment is unlawful, and the data subject opposes their erasure and requests the restriction of their use instead.
  3. The processing of sensitive data is possible when it is necessary for the establishment, exercise or defense of a right in a legal claim pending before a court.
  4. Data subject refused to data processing pursuant to Art.21 GDPR, during the period necessary for the verification of the possible prevalence of legitimate reasons of the data owner compare with those the data subject.
  • right to data portability – Article 20 GDPR: data subject shall have the right to obtain personal data that has been provided to the owner, in a structured and commonly used electronic format. Data subject shall also have the right to transmit those data to another owner without restrictions, where the treatment is based on consent and is carried out by automated means. Furthermore, if is necessary, it includes the right of personal data to be transmitted to another owner directly to the Bank;
  • right of opposition – Article 21 of the GDPR: In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of the owner, any data subject should nevertheless be entitled to object to the processing of any data relating to them. The burden of proof should be on the owner to demonstrate that their legitimate interests may override the interests or the fundamental rights and freedoms of the data subject; where personal data are processed for direct marketing purposes, including profiling connected to marketing purposes, data subject shall have the right to object.

 

The above-mentioned rights can be executed against the owner, by contacting the references indicated above.

As data subject, the exercise of your right is free pursuant to Article 12 of the GDPR. However, in case of manifestly unfounded or excessive requests, also due to their repetitiveness, the owner may charge a reasonable fee, considering the administrative costs incurred to manage your request or deny the satisfaction of your request.

  • RIGHT OF REVOCATION:

Data subject should have the right to revoke his or her consent at any time. The revocation of consent shall not affect the lawfulness of processing based on consent before the revocation. Please, send a certified or simple email to the following address: privacy@fotosmile.com

 

  • RIGHT TO COMPLAIN:

Data subject has the right to lodge a complaint with the Authority for the protection of personal data at the following address: Piazza di Montecitorio n. 121, 00186, Rome (RM).

 

11)    Notes

Under no circumstances Pegaso or its affiliates will respond towards users about the incorrect use of the images or videos purchased by them. This limitation of liability is meant to avoid the recovery of any indirect and/or incidental damages, even if Pegaso or its affiliates are aware of the probability of such damages and despite any failure of the essential purpose of any remedy. This limitation of liability shall be applied in case of damages deriving from the improper use of the images and the reliance to be placed on them, as well as to the damages caused by possible publications on other sites.

User’s relationship with Facebook, Google or any other third-party website or social app is governed solely by the user’s agreement with such third-party website or app.

 

Changes to the present document

This information may be subject to variations. You should always check this information regularly and refer to the latest version. For further information about privacy, please check the document on the processing of data.

  • Data owner, controller and processors

PEGASO CONTROL SYSTEM SRL, based in San Martino Buon Albergo, Via A.Fleming 4/a, is the owner of the processing of the data.

 

Data: 21/05/2018