EXTENDED INFORMATION NOTICE PURSUANT TO ARTICLES 12, 13 AND, WHERE APPLICABLE, 14 OF THE GDPR – REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA (HEREINAFTER, THE GDPR)
The data controller provides below the information notice pursuant to Articles 12, 13 and, where applicable, 14 of the GDPR concerning the processing of personal data supplied by the Customer/data subject when completing and signing the Contract in order to purchase the products/services offered for sale by the data controller, by voluntarily uploading personal data to this website (in particular by filling out forms) or simply by browsing it.
1. Data Controller and contact details
The Data Controller is GYMMO PTSTUDIO S.r.l., with registered office in Milano (MI), Via Pietro Paleocapa, 1, C.F. 20121, VAT No. 09391610962, tel. +39 02 36588480, e-mail info@gymmoptstudio.it, website https://www.gymmoptstudio.it/ (hereinafter, the Site).
2. Principles applicable to the processing
In accordance with the GDPR, the Data Controller constantly undertakes to ensure that personal data are:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and subsequently processed in a manner that is not incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which the personal data are processed;
- processed, through appropriate technical and organisational measures, in such a way as to ensure their security;
- processed, where based on consent, following a freely given decision by the Customer/data subject, on the basis of a request presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
The Data Controller adopts appropriate technical and organisational measures in order to ensure the protection of personal data by design and to guarantee that, by default, only data necessary for each specific purpose of processing are processed.
The Data Controller collects and pays the utmost attention to indications, comments and opinions sent by the Customer/data subject to the contact details indicated above, in order to implement a dynamic privacy management system that ensures effective protection of individuals with regard to the processing of their data.
This Information Notice may be subject to changes, in line with developments in the regulatory framework and with the technical and organisational measures adopted over time by the Data Controller; therefore, the Customer/data subject is kindly invited to periodically visit this section of the Site to consult any updates and the Information Notice in its version applicable at any given time.
3. Methods of processing personal data
The processing of personal data is carried out manually and by electronic means, using logics strictly related to the purposes indicated below and, in any case, in such a way as to guarantee the security and confidentiality of the data.
4. Purposes of the processing of personal data
(4a) Purposes for which the processing of data is necessary
The personal data provided by the Customer/data subject are mainly processed for the performance of the Contract, for the management of credit and, more generally, of the relationship arising from the Contract itself.
The provision of data in the Contract or subsequently, during the contractual relationship, for the processing purposes in question is mandatory; therefore, failure to provide such data, or their partial or inaccurate provision, will make it impossible to conclude and/or perform the Contract and, for the Customer/data subject, to use the products/services offered by the Data Controller, potentially exposing the Customer/data subject to liability for contractual non-performance.
The personal data supplied by the Customer/data subject may also be processed where this is necessary in order to comply with a legal obligation to which the Data Controller is subject, for the protection of the vital interests of the Customer/data subject or of another natural person, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or for the purposes of the legitimate interests pursued by the Data Controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the Customer/data subject; in these cases, too, the provision of data is mandatory and, therefore, failure to provide, or partial or inaccurate communication of data may expose the Customer/data subject to any liabilities and penalties provided for by the legal system.
(4b) Further purposes of processing following specific and explicit consent by the Customer/data subject
In addition to the processing purposes mentioned above, the personal data provided/obtained may also be processed, subject to the consent of the Customer/data subject, to be expressed by selecting the box «Give consent» on the Contract or on the Site (or using other social or web applications of the Data Controller), for the performance of market surveys and for sending commercial and promotional communications, by telephone (including use of the mobile phone number provided) and by automated means of contact (e-mail, SMS, MMS, fax, etc.), concerning products/services of the Data Controller or of companies belonging to the Group, if any, of which the Data Controller is part.
Consent for the processing purposes set out in this point (4b) is optional; therefore, in the event of refusal, the data will be processed solely for the purposes indicated in the previous point (4a), without prejudice to what is specified below with regard to the legitimate interests of the Data Controller or of third parties.
5. Categories of personal data processed
The Data Controller mainly processes identification/contact data (first name, last name, addresses, type and number of identity documents, telephone numbers, e-mail addresses, tax/billing data, and others) and, where commercial transactions are envisaged, financial data (bank details, in particular current account identifiers, credit card numbers, and other data related to the aforementioned commercial transactions).
The processing performed by the Data Controller, both for the performance of the Contract and on the basis of the express consent of the Customer/data subject, generally does not concern special categories of personal data, known as sensitive data (revealing racial or ethnic origin, political opinions, religious beliefs, health status or sexual orientation, etc.), nor genetic and biometric data or so-called judicial data (relating to criminal convictions and offences).
However, it cannot be excluded that, in order to perform the obligations arising from the Contract, the Data Controller may need to store and/or process sensitive, genetic, biometric or judicial data of the Customer/data subject or of third parties whose data the Customer/data subject holds as data controller; in such cases, processing by the Data Controller will take place under, and within the limits of, the appointment of the Data Controller itself as data processor by the Customer/data subject.
The Data Controller also processes, in its capacity as data controller with reference to the Site and, potentially, as data processor appointed for this purpose (as described above) by the Customer/data subject, so-called browsing data. The computer systems and software procedures used to operate websites acquire, during their normal operation, some personal data, the transmission of which is implicit in the use of internet communication protocols. This information is not collected in order to be associated with identified data subjects, but by its very nature could allow users to be identified. This category of information includes geolocation data, IP addresses, type of browser, operating system, domain names and the addresses of websites from which access or exit is made, information about pages visited by users within the site, access time, time spent on each page, analysis of internal navigation paths and other parameters related to the user’s operating system and computer environment. It is therefore information which, by its very nature, could, through processing and association with data held by third parties, allow users to be identified.
The Site may also use cookies, both session cookies (which are not stored on the user’s computer and disappear when the browser is closed) and persistent cookies, to transmit personal information or, in any case, systems for tracking users.
6. Source of personal data
The personal data processed by the Data Controller are collected directly by the Data Controller from the Customer/data subject at the time of, and during, the Customer/data subject’s browsing of the Site (or when using other social or web applications of the Data Controller), or, also through its sales staff, upon or following the signing of the Contract, during its performance, or from public sources.
As specified above, the Data Controller, in its capacity as data processor appointed for this purpose, may, in order to perform the obligations arising from the Contract, store and/or process data, particularly browsing data, potentially even sensitive, genetic, biometric or judicial data, of third parties whose data are held by the Customer/data subject as data controller, acquired, with the prior consent of such third parties, at the time of, and during, their browsing of the Site (or when using other social or web applications attributable to the Data Controller).
7. Legitimate interests
The legitimate interests of the Data Controller or of third parties may constitute a valid legal basis for processing, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. In general, such legitimate interests may exist where there is a relevant and appropriate relationship between the Data Controller and the data subject, for example where the data subject is a customer of the Data Controller. In particular, it is in the legitimate interest of the Data Controller to process personal data of the Customer/data subject: for fraud prevention purposes, for direct marketing purposes, to ensure the free circulation of such data within the corporate group, if any, to which the Data Controller belongs, or relating to traffic data in order to guarantee network and information security, i.e. the ability of a network or system to withstand unforeseen events or unlawful acts that could compromise the availability, authenticity, integrity and confidentiality of data.
8. Circulation of personal data
(8a) Communication of personal data – categories of recipients
In addition to employees and collaborators of the Data Controller in various capacities (who are authorised by the Data Controller to process the data on the basis of appropriate written operating instructions, in order to guarantee the confidentiality and security of the data), some processing operations may also be carried out by third parties to whom the Data Controller entrusts certain activities, or parts thereof, functional to the purposes referred to in point (4a), therefore both for the performance of contractual and legal obligations, including but not limited to: commercial and/or technical partners; companies providing banking and financial services; companies providing document archiving services; debt collection companies; audit and financial statement certification firms; rating companies; entities providing professional assistance and consultancy services to the Data Controller; customer care service companies; factoring, securitisation or other credit-assignee companies; companies belonging to the Group, if any, to which the Data Controller belongs; business information providers; IT service companies. The entities in these categories process personal data as autonomous data controllers, or as data processors with regard to specific processing operations that fall within the contractual services provided by such entities to/for the benefit of the Data Controller; the Data Controller provides data processors with appropriate written operating instructions, particularly with reference to the adoption of minimum security measures, in order to ensure the confidentiality and security of the data.
Some processing operations may be carried out by third parties to whom the Data Controller entrusts certain activities, or parts thereof, also for the purposes referred to in point (4b), including but not limited to: commercial and/or technical partners; companies whose business is the provision of marketing services; advertising agencies; entities providing assistance and consultancy services in relation to prize competitions and promotions. The entities in these categories process personal data as autonomous data controllers, or as data processors with regard to specific processing operations that fall within the contractual services provided by such entities to/for the benefit of the Data Controller; the Data Controller provides data processors with appropriate written operating instructions, particularly with reference to the adoption of minimum security measures, in order to ensure the confidentiality and security of the data.
The list of data processors with whom the Data Controller has relations is available, upon written request sent to the registered office of the Data Controller, and is subject to periodic updating.
Personal data may also be communicated, upon request, to the competent authorities, in fulfilment of obligations arising from mandatory legal provisions.
(8b) Transfer of personal data to third countries
The personal data of the Customer/data subject may also be transferred abroad, both to countries within the European Union and to countries outside the European Union and, in the latter case, either on the basis of an adequacy decision, or within and subject to the adequate safeguards provided for by the GDPR (in particular in the presence of standard data protection clauses approved by the European Commission), or, outside the cases mentioned above, where one or more of the derogations provided for by the GDPR apply (in particular, on the basis of the explicit consent of the Customer/data subject, or for the performance of a Contract concluded by the Customer/data subject, or for the performance of a contract concluded between the Data Controller and another natural or legal person for the benefit of the Customer/data subject, namely for the performance of activities entrusted to such other person by the Data Controller in order to perform the Contract concluded with the Customer/data subject). In the event of data transfers to countries outside the European Union, the Customer/data subject is entitled, upon written request sent to the registered office of the Data Controller, to be informed of the appropriate safeguards or the derogations that legitimise the cross-border processing. It is understood that, in the event of data transfers to countries outside the European Union, the Customer/data subject may always contact the Data Controller in respect of any request relating to their data, including for the exercise of the rights recognised to the Customer/data subject by the GDPR.
9. Criteria for determining the period of retention of personal data
For the purposes referred to in point (4a) above, the period of retention of the personal data provided by the Customer/data subject, and consequently the possible processing thereof, coincides with the limitation period of the rights/duties (legal, tax, etc.) arising from the Contract: therefore, as a rule, 10 years, unless events interrupting the limitation period occur that may, in fact, extend such period.
For the purposes referred to in point (4b) above, the period of retention of the data provided by the Customer/data subject, and consequently the possible processing thereof, ends upon revocation of the consent previously given by the Customer/data subject or, in the absence of such revocation, in any case upon the expiry of one year from the termination of any relationship between the Data Controller and the Customer/data subject.
10. Rights of the Customer/data subject
The Data Controller recognises – and facilitates the exercise by the Customer/data subject of – all rights provided for by the GDPR, in particular the right to request access to their personal data and to obtain a copy thereof (Art. 15 GDPR), the right to rectification (Art. 16 GDPR) and erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR, where applicable) and the right to object to processing (Arts. 21 and 22 GDPR, in the cases mentioned therein and, in particular, to processing for marketing purposes or processing that results in automated decision-making, including profiling, producing legal effects concerning them, where applicable).
The Data Controller also recognises the right of the Customer/data subject, where processing is based on consent, to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To do so, the Customer/data subject may unsubscribe at any time on the Site (or on other social or web applications of the Data Controller) or by using the appropriate link included at the bottom of each commercial communication received, or by contacting the Data Controller at the contact details indicated above.
The Data Controller further informs the Customer/data subject of their right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), as the supervisory authority operating in Italy, and of the right to bring a judicial remedy, both against a decision of the Authority and against the Data Controller and/or a data processor.
11. Security of systems and personal data
Taking into account the state of the art and implementation costs, the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller adopts technical and organisational measures deemed appropriate to ensure a level of security appropriate to the risk, in particular ensuring, on a permanent basis, the confidentiality, integrity, availability and resilience of processing systems and services (also through the encryption of personal data, where necessary), and the ability to restore the availability of data in a timely manner in the event of a physical or technical incident, and adopting internal procedures to regularly test, verify and evaluate the effectiveness of the technical and organisational measures in place.
In assessing the appropriate level of security, account is taken of the risks posed by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Data Controller ensures that anyone acting under its authority and having access to personal data does not process such data unless instructed to do so by the Data Controller.
That said, the Customer/data subject acknowledges and accepts that no security system can guarantee absolute protection with certainty; therefore, the Data Controller shall not be liable for acts or events of third parties who, despite the appropriate safeguards adopted, unlawfully gain access to systems without proper authorisation.
12. Automated decision-making, including profiling
The Data Controller may carry out automated processing, including profiling, for the purposes referred to in point (4b) above, in order to optimise the navigability of the Site (or the usability of other social or web applications of the Data Controller) and to improve the purchasing experience, without prejudice to the rights of objection and withdrawal of consent by the Customer/data subject as specified above.
Profiling means any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning, for example, the personal preferences, interests or location of that person, also for the purpose of creating profiles or homogeneous groups of individuals based on characteristics, interests or behaviour.
The Data Controller does not carry out any automated processing that produces legal effects concerning the Customer/data subject or similarly significantly affects them, unless such processing is necessary for entering into, or performing, the Contract, is authorised by law or is based on the explicit consent of the Customer/data subject, in all cases recognising the right of the Customer/data subject to obtain human intervention, to express their point of view and to contest the decision.