In accordance with EU Regulation 2016/679 (“GDPR“) and the applicable national legislation on the protection of personal data, Hypelab S.r.l., with registered office in Strada Nazionale Giardini, 476, 41126 Modena MO, registered with the Register of Companies of Modena, VAT code P.IVA 04033480361, in its capacity as data controller (hereinafter “Data Controller” or “Hypelab“), hereby informs you that your personal data will be processed for the following purposes.
1. CATEGORIES OF PERSONAL DATA PROCESSED
The Data Controller processes personal identification data and other personal data (not belonging to special categories) which are communicated by users when requesting services from the Data Controller through the Websites and related mobile application, or when otherwise using the Websites and related mobile application. Most notably, the personal data include, but are not limited to:
in the context of the use of the Websites and related mobile application: first name, last name, telephone number, e-mail address, postal address, IP address and session ID;
in the context of the KYC (Know-Your Customer) and AML (Anti-Money Laundering) procedures, where required: in addition to the above categories of personal data, the selfie and the picture of the selected ID-document used by the user during the authentication process.
The Data Controller also processes, exclusively in anonymous form, data relating to the use of the Website (including the overall number of downloads and the most frequently viewed screens).
2. PURPOSES OF THE PROCESSING AND LEGAL BASIS
Personal data may be processed for the following purposes and legal basis:
A) “Service Purposes” such as:
to process and accommodate the user’s requests as better detailed in the general terms and conditions of the services;
to enable the user to access and use our service as better detailed in the general terms and conditions of the services;
to enable the use of the Website and its operational functions, including the resolution of technical problems (also using the customer support function displayed on the Website).
For the “Service Purposes” referred to in this letter A), personal data will be processed without the need to collect the user’s prior consent.
B) Purpose of fulfilment of the Data Controller’s legal obligations
Personal data will be processed in order to ensure the compliance of the Data Controller with the obligations provided for by applicable laws, regulations or national and EU legislation or imposed by the competent
authorities, without the need to collect the user’s prior consent (i.e. KYC/AML obligations pursuant to relevant European and Italian laws).
C) Purposes related to the pursuit of a legitimate interest of the Data Controller, in particular:
to prevent and repress unlawful acts, as well as to exercise the Data Controllers’ rights in court and manage claims: the Data Controller’s interest lies in the constitutional right to take judicial action (art. 24 of Italian Constitution) and, as such, is socially recognized as prevailing over the interests of the individual data subject concerned;
to manage and maintain the Websites and related mobile application: the Data Controller’s interest lies in the general interest of a company to ensure its business operations, also through the operation of the Websites and related mobile application, as well as in the implementation of possible improvements of the service offered;
to prevent or uncover fraudulent activities or abuse harmful to the Websites (including to verify the entitlement of users acting on behalf of third-party) and related mobile application: the interest of the Data Controller lies in the legitimate, actual and current interest not to suffer damages as a result of the unlawful conduct of third-parties;
to send commercial communications by e-mail relating to services and products of the Data Controller which are similar to those that the user has already used, if the user is already a customer of Hypelab: the interest of the Data Controller lies in the general interest of a company to promote its services and is considered legitimate because in line with the reasonable expectations of the data subjects, in light of the relationship between them and the Data Controller. Each e-mail will allow the user, by clicking on the specific link provided therein, to refuse further mailings.
For the purposes referred to in this letter C), personal data will be processed to pursue a legitimate interest of the Data Controller, without the need to collect the user’s prior consent.
D) “Marketing purposes”:
to contact the user with communications and/or newsletters about the activities, initiatives and commercial offers of the Data Controller, as well as to conduct market researches and surveys or other activities aimed at measuring the quality of the services offered (including by mail, telephone, e-mail, SMS notifications, Whatsapp).
For the marketing purposes referred to in this letter D), personal data will be processed only with the prior express consent of the user.
E) “Marketing purposes of third parties”, in particular:
to communicate personal data to the Data Controller’s partners, which will process the personal data for their own marketing purposes, including by mail, telephone, e-mails, SMS notifications, Whatsapp.
For the marketing purposes of third parties referred to in this letter E), personal data will be processed only with the prior express consent of the user.
3. PROCESSING METHODS
The processing of personal data is carried out, electronically and on paper, by means of the collection, recording, updating, organization, storage, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, restriction, erasure and destruction of personal data. Personal data are protected so as to minimize the risk of destruction, loss (including accidental loss), unauthorized access/use or use incompatible with the initial purpose for which the personal data have been collected. This is achieved through the technical and organizational security measures implemented by the Data Controller.
4. RETENTION OF PERSONAL DATA
The Data Controller processes the personal data for the time necessary to fulfil the purposes for which they have been collected, and in any case for no later than the periods detailed below. It being understood that, at the end of the periods indicated below, the Data Controller will nevertheless be entitled to further retain the personal data, in whole or in part, for certain purposes, as expressly required by specific legal provisions or to exercise or defend a right within the ten-year limitation period provided for in Article 2946 of the Italian Civil Code (for example, in the event of a legal proceeding against the user).
In the context of the use of the Websites and related mobile application, the Data Controller processes personal data for the time necessary to fulfill the purposes set out in Section 2 above (Purposes and legal basis of the processing) and in any case:
no later than 2 years from the collection thereof, for the Service Purposes, the Purpose of fulfilment of the Data Controller’s legal obligations and the Purposes related to the pursuit of a legitimate interest of the Data Controller);
no later than 2 years from the collection thereof, for the Marketing Purposes and the Marketing Purposes of third parties.
5. PROVISION OF PERSONAL DATA
In the context of the use of the Websites and related mobile application, the provision of personal data:
for the “Service Purposes” of the Website and/or the App is necessary. These personal data are necessary for the relationship with the Data Controller and the use of the services. The user may, however, decide not to provide personal data, but in such case he/she will not be able to use the services of the Data Controller;
for the “Marketing purposes” in the context of the use of the Website and/or the App is optional. Failure to provide personal data does not prevent the user from using the services of the Data Controller, but the user will not receive the information and offers of the Data Controller’s and will not be contacted to participate in market researches, surveys or activities aimed at measuring the quality of the services offered;
to communicate your personal data to the Data Controller’s partners and to sector search engines for the “Marketing purposes of third parties” in the context of using the Websites and related mobile application is optional. Failure to provide personal data does not prevent the use of the Data Controller’s services, but the user’s personal data cannot be communicated to the Data Controller’s partners for the “Marketing purposes of third parties”.
6. ACCESS TO PERSONAL DATA
Personal data will be processed by our staff in charge for the processing of personal data and by the following categories of subjects (including, but not limited to):
employees and/or collaborators of the Data Controller in their capacity as data processors and/or persons authorized to process personal data and/or system administrators (by way of example, consultants authorized to manage the Websites and to provide the relevant services in the context of the use of the Website; real estate analysts in the context of the use of the App);
employees and consultants of the legal, marketing (in case you consented to the Marketing Purposes), finance, administration and accounting departments and our other departments, in their capacity as data processors and/or persons authorized to process personal data;
third parties to whom the Data Controller outsources certain services, including processing operations, as external data processors (e. IT service providers, hosting providers, etc..).
7. COMMUNICATION OF PERSONAL DATA
In the context of the use of the Websites and related mobile application, the Data Controller may communicate the personal data of the users:
1 without the user’s consent:
to control bodies, law enforcement agencies or the judiciary, financial and tax administrations, ministerial bodies and competent authorities, local authorities (regions, provinces, municipalities), upon their express request, which will process the personal data as autonomous data controllers for institutional purposes and/or in accordance with the law in the context of investigations and controls.
2 only with the user’s prior consent, exclusively in the context of the use of the Websites:
to the Data Controller’s partners and/or companies operating in business sectors similar and/or complementary to Hypelab (e.g. Fotball teams, manufacturing, etc..), for the Marketing Purposes of third parties.
The updated list of the third-party autonomous data controllers to which users’ personal data may be communicated is kept at the offices of the Data Controller and may be requested by contacting the address indicated in the below Section 10 (Exercise of data subjects’ rights).
8. TRANSFER OF PERSONAL DATA
Personal data will not be disseminated or transferred to third countries located outside the European Union and/or the EEA. However, Data Controller may, during its activity and providing its services, adopt tools and solution in cloud which may require, even if for a short period of time, a temporary transfer of personal data, in countries located outside the European Union and/or the EEA. In any case such transfer will be performed in compliance with GDPR and with providers which may assure respect of standard clause and with an adequate level of protection. of such data. More information can be required to the Data Controller anytime via email.
9. DATA SUBJECT’S RIGHTS
As data subject, save for the limitations provided by law, you have the right:
to obtain confirmation of the existence of your personal data, even if not yet recorded, and that such data are made available to you in an intelligible form;
to receive indication of and, if necessary, copy: a)the origin and category of personal data; b) in case of automated processing carried out with electronic means, information about the logic involved; c) the purposes and methods of processing; d) the identity of the data controller and the data processors; e) the recipients or categories of recipients to which the personal data may be communicated or which may otherwise get to know said personal data, in particular if they are recipients located in third countries or international organizations; f) where possible, the period of retention of the personal data or the criteria used to determine that period; g) the existence of an automated decision-making and, if so, the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; h) the existence of adequate safeguards in case of transfer of the personal data to a non-EU country or to an international organization;
to obtain, without undue delay, the updating and rectification of inaccurate personal data or to have incomplete personal data completed;
to withdraw at any time, easily and without hindrance, any consents given, using, if possible, the same channels used to give such consents;
to obtain the cancellation, transformation into anonymous form or blocking of data: a)unlawfully processed; b) no longer necessary in relation to the purposes for which they were collected or subsequently processed; c) if the consent on which the processing is based has been withdrawn and if there is no other legal basis, d) if the user has objected to the processing and there is no prevailing legitimate grounds to continue processing; e) in the event of fulfilment of a legal obligation; f) in the case of data relating to minors. The Data Controller may refuse the erasure only if necessary: (1) for the exercise of the right to freedom of expression and information; (2) for the compliance with a legal obligation, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; (3) for reasons of public interest in the area of public health; (4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; (5) for the establishment, exercise or defense of legal claims;
to obtain the limitation of the processing in the case of: a) contestation of the accuracy of personal data; b) unlawful processing by the Data Controller to prevent their erasure; c) exercise of a right of the user in court; d) verification whether the legitimate grounds of the Data Controller override those of the
if the processing is carried out by automatic means, to receive the personal data concerning you without hindrance and in a structured, commonly used and machine-readable format, in order to transmit them to another data controller or – if technically feasible – to obtain direct transmission by Casavo to another data controller;
to object, in whole or in part, to the processing of personal data: a) for legitimate reasons, related to the particular situation of the user,; b) for the purpose of sending communication material, using automated calling systems without the intervention of an operator by e-mail and/or by traditional means by telephone and/or mail;
to lodge a complaint with a supervisory authority (i.e. the Garante per la protezione dei dati personali).
Where necessary, in the above cases, the Data Controller will inform the recipients to whom the personal data of the user are communicated of the possible exercise of rights by the latter, except in specific cases (e.g. when this proves impossible or involves disproportionate efforts).
10. EXERCISE OF DATA SUBJECTS’ RIGHTS
The user may at any time exercise the rights set out in the above Section 9 (Data subjects’ rights):
by sending a registered letter to the Data Controller’s address; and/or
by sending an email to [email protected]
DATA CONTROLLER AND DATA PROCESSOR
The Data Controller is: