Privacy Policy App Canossa Racelink

Privacy Policy statement for Canossa Racelink App

Playstore URL: https://play.google.com/store/apps/details?id=it.raduni.app

Rev. 06 of 06/03/2024

Subject: information about the processing of your personal data pursuant to art. 13 Reg EU 2016/679
Pursuant to and in accordance with Legislative Decree D.Lgs No. 196 of 30 June 2003 Personal Data

Protection Code
(hereinafter “Code”) and Regulation EU 2016/679 on Data protection, we hereby inform you that your personal data will be processed by the Controller indicated below.

For the sake of clarity, we hereby provide the following definitions:
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whetheror not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal data: any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

 

1. 1. IDENTITY AND CONTACT DETAILS OF THE JOINT CONTROLLERS (for the sake of brevity hereinafter also called
      “Controller”) and the DATA PROTECTION OFFICER – DPO

CONTROLLER
CANOSSA EVENTS SRL – Via Filippo Turati 28 – Loc. Roncolo 42020 Quattro Castella (RE)
Tel. + 39 (0)522 421096 – e-mail: info@canossa.com
JOINT CONTROLLER
CANOSSA LIFESTYLE SRL – Via Filippo Turati 28 – Loc. Roncolo 42020 Quattro Castella (RE)
Tel. + 39 (0)522 421096 – e-mail: info@canossa.com
CANOSSA RACING SRL – Via Filippo Turati 28 – Loc. Roncolo 42020 Quattro Castella (RE)
Tel. + 39 (0)522 421096 – e-mail: info@canossa.com

DPO FOR CANOSSA EVENTS SRL
Contact details: e-Mail dpo@ambientelavorosalute.com
In its capacity as Joint Controllers, such joint controllership being based on the sharing of data and the purposes of the
processing, in accordance with the provisions of art. 13 of Regulation EU 679/2016, Gruppo Canossa hereby informs you
that your personal data may be used by each of the joint controllers, compliant with the provisions of the Regulation and
in relation to the respective main purposes, in the manner indicated below as regards the company whose name appears
at the top of this privacy policy statement.
DATA SUBJECTS: PRIVATE CLIENT

 

2. 2. SUBJECT MATTER, PURPOSE AND LEGAL BASIS FOR PROCESSING
      a. Purpose and Subject matter: Commercial or contractual. Provide the requested service, draw up an offer, execute
      a contract undersigned by the parties.
      Data provision modalities: paper form, orally, e-mail, telephone, web
      Categories of data processed and legal basis: Data records, phone numbers, business name, tax code number and
      other identification numbers, bank account details, credit card numbers, details relating to the vehicles and e-mail
      Privacy Policy statement
      Rev. 06 of 06/03/2024 Page 2 of 8
      address of the data subject. This processing falls within the lawful processing activities established by art. 6 subsection 1 point B of EU Regulation 2016/679 on Data Protection.
      Category of entities who/that may become acquainted with your personal data – Recipients –
      Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations
      or for carrying out activities that are ancillary to the aforementioned purposes, to:

 

• • the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific
    processing activities;
    Categories of External Processors who/that may be appointed:

• • Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller
    in order to achieve the stated purposes.

• • Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the
    stated purposes.

• • Companies/ bodies/ agencies of which use is made for the logistical organization of the event.
    The agreements signed with these parties are aimed at allowing only essential processing activities to be performed
    and ensuring the confidentiality, security and integrity of the data for each specific processing activity.
    Personal Data may also be transferred to Independent Controllers, such as public Monitoring or Surveillance
    Authorities.
    Refusal of data processing: refusal to provide personal data or outright objection to having them processed, right to
    which the data subject is entitled, will make it impossible to continue all relations.
    You may object to having your data processed by means of the contact details in point 1
    You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.

b. Purpose and Subject matter: Soft marketing. The data processing will include the e-mail contact details you have
provided for soft marketing activities, such as promotion advertising of similar services to those in which you
expressed interest by using our specific product / service, this solely and exclusively in the mutual and legitimate
interest of both parties. The activity will be actualized by maintaining relatively infrequent e-mail contact.
Data provision modalities: paper form, orally, e-mail, telephone, web
Categories of data processed and legal basis: Data records and e-mail address. This processing falls within the lawful
processing activities established by art. 130 sub-section 4 of Legislative Decree 30 June 2003, No. 196 “Personal
data protection Code”, integrated by the amendments made by Legislative Decree 10 August 2018, No. 101. Please
note that “should the Data Controller use, for the purpose of direct sale of its products or services, the e-mail contact
details provided by the data subject…, it may dispense with requesting the consent of the data subject him/herself.”
Category of entities who/that may become acquainted with your personal data – Recipients –
Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations
or for carrying out activities that are ancillary to the aforementioned purposes, to:

 

• • the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific
    processing activities;
    Categories of External Processors who/that may be appointed:
    Privacy Policy statement
    Rev. 06 of 06/03/2024 Page 3 of 8

• • Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller
    in order to achieve the stated purposes.

• • Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the
    stated purposes.

• • Parties who/that provide, on behalf of the Controller, business and marketing services in accordance with the
    limits and obligations expressed in the previous paragraphs.
    The agreements signed with these parties are aimed at allowing only essential processing activities to be performed
    and ensuring the confidentiality, security and integrity of the data for each specific processing activity.
    Personal Data may also be transferred to Independent Controllers, such as public Monitoring or Surveillance
    Authorities.
    Refusal of data processing: The data subject may object at any time to the processing in question via communication
    to the e-mail address of the Controller indicated in paragraph 1 or as indicated in each e-mail communication (OPTout). The right of the data subject to withdraw his/her consent to the data processing does not affect the lawfulness
    of the processing prior to such withdrawal.
    You may object to having your data processed by means of the contact details in point 1. You are hereby reminded
    that for no reason will the collected data be disseminated or used for different purposes.

c. Purpose and Subject matter: Third party marketing for companies belonging or related to Gruppo Canossa. The data
that will be processed are contact details for promotion advertising activities concerning the products or services
offered by companies belonging or related to Gruppo Canossa.
Data provision modalities: paper form, orally, e-mail, telephone, web
Categories of data processed and legal basis: Data records, phone numbers, business name, tax code number and
other identification numbers, e-mail address of the data subject. This processing falls within the lawful processing
activities established by art. 6 sub-section 1 point A of EU Regulation 2016/679 on Data Protection.
The data subject must give his/her CONSENT to having his/her personal data processed for the specific purpose.
Category of entities who/that may become acquainted with your personal data – Recipients –
Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations
or for carrying out activities that are ancillary to the aforementioned purposes, to:

 

• • staff members of the companies belonging or related to Gruppo Canossa, specifically appointed and authorized
    for this purpose, also as processors, for specific processing activities;
    Categories of External Processors who/that may be appointed:

• • Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller
    in order to achieve the stated purposes.

• • Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the
    stated purposes.
    The agreements signed with these parties are aimed at allowing only essential processing activities to be performed
    and ensuring the confidentiality, security and integrity of the data for each specific processing activity.
    Refusal of data processing: refusal to provide personal data or outright objection to having them processed, right
    to which the data subject is entitled, does not affect the possibility of taking part in/registering for the event.
    You may object to having your data processed by means of the contact details in point 1
    Privacy Policy statement
    Rev. 06 of 06/03/2024 Page 4 of 8
    You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.

d. Purpose and Subject matter: Processing of data relating to health: food allergies and intolerances for the purpose of
organizing meals; medical data relating to fitness to take part in sports activities; body measurements for the
purpose of making made-to-measure clothing; data relating to religious beliefs with regard to food choices and
organizing meals. The purpose of the processing in question is the preparation and provision, in safe conditions and
consistent with the contract between the parties, of the organizational services relating to the event. These data
will be transmitted to the partners (independent data controllers or data processors) who/that contribute to the
organization of the event itself.
Data provision modalities: paper form, orally, e-mail, telephone, web
Categories of data processed and legal basis: Processing of data relating to health: food allergies and intolerances for
the purpose of organizing meals; medical data relating to fitness to take part in sports activities; body measurements
for the purpose of making made-to-measure clothing; data relating to religious beliefs with regard to food choices
and organizing meals. This processing falls within the lawful processing activities established by art. 9 sub-section 2
point A of EU Regulation 2016/679 on Data Protection.
The data subject must give his/her CONSENT to having his/her personal data processed for the specific purpose.
Category of entities who/that may become acquainted with your personal data – Recipients –
Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations or
for carrying out activities that are ancillary to the aforementioned purposes, to:

 

• • the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific
    processing activities;
    Categories of External Processors who/that may be appointed:

• • Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller
    in order to achieve the stated purposes.

• • Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the
    stated purposes.
    The agreements signed with these parties are aimed at allowing only essential processing activities to be performed
    and ensuring the confidentiality, security and integrity of the data for each specific processing activity.
    Personal Data may also be transferred to Independent Controllers, such as Hotels, Restaurants, Public Monitoring or
    Surveillance Authorities.
    Refusal of data processing: refusal to provide personal data or outright objection to having them processed, right to
    which the data subject is entitled, will result in provision of meals with risk of allergic reactions or other problems and
    not being able to obtain made-to-measure clothing. In addition, you will not be able to take part in competitions
    requiring medical fitness for sports activities. You are informed that on request, this consent can be given separately,
    for each of these three processing operations.
    You may object to having your data processed by means of the contact details in point 1
    You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.

Privacy Policy statement
Rev. 06 of 06/03/2024 Page 5 of 8
e. Purpose and Subject matter: Publication of photos and video footage via the press (web, social media, printed
publications, apps) of images / video recordings of the data subject. Such publications as may be made without face
blurring or anonymization of recognizable characteristics. Publication is for promotional / marketing purposes.
Data provision modalities: taking of photographs /audio visual recording
Categories of data processed and legal basis Image data item and/or vocal recording. This processing falls within the
lawful processing activities established by art. 6 sub-section 1 point A of EU Regulation 2016/679 on Data Protection.
The data subject must give his/her CONSENT to having his/her personal data processed for the specific purpose.
Category of entities who/that may become acquainted with your personal data – Recipients –
Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations
or for carrying out activities that are ancillary to the aforementioned purposes, to:

 

• • the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific
    processing activities;
    Categories of External Processors who/that may be appointed:

• • Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller
    in order to achieve the stated purposes.

• • Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the
    stated purposes.
    The agreements signed with these latter parties are aimed at allowing only essential processing activities to be
    performed and ensuring the confidentiality, security and integrity of the data for each specific processing activity.
    Personal Data may also be transferred to Independent Controllers, such as public Monitoring or Surveillance
    Authorities.
    Refusal of data processing: Refusal to provide personal data or outright objection to having them processed, right
    to which the data subject is entitled, will not compromise the relations with our organization.
    You may object to having your data processed by means of the contact details in point 1
    You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.

f. Purpose and Subject matter: Publication of personal data (data records of participants in the events / comments
and interviews) in the press (web, social media, printed on paper) for the purpose of promoting and highlighting the
event via the communication media in use.
Data provision modalities: paper form, orally, e-mail, telephone, web
Categories of data processed and legal basis: Data records of the participants in the events, possible comments and
interviews. This processing falls within the lawful processing activities established by art. 6 sub-section 1 point A of
EU Regulation 2016/679 on Data Protection.
The data subject must give his/her CONSENT to having his/her personal data processed for the specific purpose.
Category of entities who/that may become acquainted with your personal data – Recipients –
Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations
or for carrying out activities that are ancillary to the aforementioned purposes, to:
Privacy Policy statement
Rev. 06 of 06/03/2024 Page 6 of 8

 

• • the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific
    processing activities;
    Categories of External Processors who/that may be appointed:

• • Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller
    in order to achieve the stated purposes.

• • Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the
    stated purposes.
    The agreements signed with these latter parties are aimed at allowing only essential processing activities to be
    performed and ensuring the confidentiality, security and integrity of the data for each specific processing activity.
    Personal Data may also be transferred to Independent Controllers, such as Public Monitoring or Surveillance
    Authorities.
    Refusal of data processing: Refusal to provide personal data or outright objection to having them processed, right
    to which the data subject is entitled, does not affect the possibility of taking part in/registering for the event.
    You may object to having your data processed by means of the contact details in point 1.
    You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.
    g. Purpose and Subject matter: GPS geolocation for security purposes and smooth running of the event in which you
    take part. Geolocation by the operations centre for the purpose of roadside assistance or to alert the emergency
    services where necessary.
    Data provision modalities: By smartphone equipped with GPS and SIM card purposely consigned to the crew prior
    to starting.
    Categories of data processed and legal basis: GPS coordinates. Data records. Telephone numbers and length of
    incoming and outgoing calls. This processing falls within the lawful processing activities established by art. 6 subsection 1 point A of EU Regulation 2016/679 on Data Protection. The data subject must give his/her CONSENT to
    having his/her personal data processed for the specific purpose. Consent is declared unequivocally when the
    competitor voluntarily collects the GPS smartphone at the start and signs the consent form. Vice versa, refusal to
    collect the smartphone unequivocally implies refusal of this type of processing which therefore remains on a fully
    voluntary and non-mandatory basis.
    Category of entities who/that may become acquainted with your personal data – Recipients -:
    Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations
    or for carrying out activities that are ancillary to the aforementioned purposes, to:

• • the Controller’s staff, specifically appointed and authorized for this purpose, also as processors, for specific
    processing activities;
    External companies, with external processor relationships, which provide technological support essential to the
    proper operation of the service and remote assistance for the users in real time.
    Only if offences have been committed or are suspected of having been committed in relation to use of the
    smartphone may the data be communicated to authorized third party organizations involved in the investigations
    and to public authorities.
    Privacy Policy statement
    Rev. 06 of 06/03/2024 Page 7 of 8
    Duration of the Processing: The data collected are stored for the duration of the event. Those of the GPS will be
    eliminated at the end of the event while the other data will be stored for documentary purposes for as long as a
    right can be exercised by either of the parties. More precisely, telephony-related data must be kept for at least five
    years in the case of investigations by the judicial authorities or the police.
    The user can interrupt the processing and, thus, its duration at any time by switching off the smartphone consigned
    or by re-consigning it. If you decide to interrupt the processing by switching off the smartphone we kindly ask you
    to inform the organizers beforehand for the sole purpose of preventing false alarms.
    Refusal of data processing: You can refuse this processing at any time. Merely do not collect the smartphone
    consigned by the organization or switch it off – in this case we kindly ask you to inform the organizers beforehand
    to prevent false alarms – or re-consign it. Your refusal will make it impossible to provide prompt assistance if you
    lose your way, are involved in road accidents or experience other difficulties.
    h. Purpose and Subject matter: Transmission of data records and identity documents to hotel facilities (as independent
    Controller) for the purpose of providing the remote check-in service before the client reaches the facility, thereby
    speeding up the registration operations.
    Data provision modalities: paper form, orally, e-mail, telephone
    Categories of data processed and legal basis: Data records and possibly copies of identity documents (e.g. identity
    card, passport). This processing falls within the lawful processing activities established by art. 6 sub-section 1 point
    A of EU Regulation 2016/679 on Data Protection.
    The data subject must give his/her CONSENT to having his/her personal data processed for the specific purpose.
    Category of entities who/that may become acquainted with your personal data – Recipients –
    Your Personal Data may be made accessible, for the aforementioned purposes or in fulfilment of legal obligations
    or for carrying out activities that are ancillary to the aforementioned purposes, to:

• • staff members of the companies belonging or related to Gruppo Canossa, specifically appointed and authorized
    for this purpose, also as processors, for specific processing activities;

• • hotel facility (as Independent Data Controller) at which the data subject will stay
    Categories of External Processors who/that may be appointed:

• • Parties who/that provide technical, organizational, professional, operational services on behalf of the Controller
    in order to achieve the stated purposes.

• • Parties who/that provide computer, legal services on behalf of the Controller to support the achievement of the
    stated purposes.
    The agreements signed with these parties are aimed at allowing only essential processing activities to be performed
    and ensuring the confidentiality, security and integrity of the data for each specific processing activity.
    Refusal of data processing: refusal to provide personal data or outright objection to having them processed, right
    to which the data subject is entitled, does not affect the possibility of taking part in/registering for the event. The
    data subject will be obliged to join the queue at the check-in upon his/her arrival at the facility.
    You may object to having your data processed by means of the contact details in point 1
    You are hereby reminded that for no reason will the collected data be disseminated or used for different purposes.
    Privacy Policy statement
    Rev. 06 of 06/03/2024 Page 8 of 8

 

1. 1. DURATION OF THE PERSONAL DATA PROCESSING
      Wherever not better specified in the previous pages, the data are kept for 10 years after discontinuance of the relations
      or, in the event of regulatory amendments or changes in case law, for as long as their storage is required to assert a
      right of both parties.
      Regular controls are performed to verify the obsolescence of stored data.

1. 1. TOOLS AND LOGIC APPLIED TO THE PROCESSING OF PERSONAL DATA
      With regard to the purposes described herein, the data processing is performed by means of manual, IC and ICT tools
      using logic strictly related to the aforementioned purposes and, in any case, in a manner that ensures the security and
      confidentiality of the personal data.

1. 1. RIGHTS OF THE DATA SUBJECT
      All the rights mentioned below can be exercised by means of the Controller’s contact details as indicated in paragraph
      1 at the beginning of this document.

 

• • Right to obtain from the Controller access to your personal data

• • Right to obtain from the Controller the rectification / erasure / restriction of the processing of your personal
    data

• • Right to object to the Controller to the processing of your personal data

• • Right to receive a full list of the data Processors

• • Right to receive your personal data in a structured, commonly used and readable format

• • Right to lodge complaint with a supervisory authority, such as the Data Protection Authority, using
    the contact details in the following link https://www.garanteprivacy.it/home/footer/contatti
    There is no automated decision-making process, including profiling, as referred to in article 22, paragraphs 1 and 4 of
    European Data Protection Regulation 2016/679

 

1. 1. TRANSFER OF THE DATA ABROAD
      Your Personal Data will be processed both within the European Union and stored on servers located within the European
      Union, and processed and stored in countries outside the European Union when an adequate level of protection is
      ensured. That level shall be deemed adequate when the European Commission has reached an adequacy decision in
      relation to the recipient country or if the foreign Controllers or Processors involved provide adequate safeguards of a
      contract or agreement type, such as contractual clauses on data protection (art. 46, par. 2, point c and point d of
      Regulation EU 2016/679 on Data Protection). With regard to group entities with main establishment outside the
      European Union, transfer of data abroad is performed on the basis of an adequacy decision (art. 45 of Regulation EU
      2016/679 on Data Protection) pursuant to specific contractual agreements.
      That being said solely in respect of confidentiality and the purposes described herein, such safeguards are available for
      consultation at the Controller’s main establishment or are provided via e-mail. Such requests can be submitted by means
      of the contact details in point 1