Privacy Policy

Further Information for Users

Legal Basis for Processing

The Data Controller processes Personal Data related to the User if one of the following conditions applies:

• The User has given consent for one or more specific purposes.
• The processing is necessary for the execution of a contract with the User and/or the implementation of pre-contractual measures;
• The processing is necessary to comply with a legal obligation to which the Data Controller is subject;
• The processing is necessary for the performance of a task in the public interest or the exercise of public powers vested in the Data Controller;
• The processing is necessary for the pursuit of the legitimate interest of the Data Controller or a third party.

It is always possible to request the Data Controller to clarify the specific legal basis of each processing and, in particular, to specify whether the processing is based on the law, provided by a contract, or necessary to conclude a contract.

Further information on the retention period

Unless otherwise stated in this document, Personal Data is processed and stored for the time required to fulfill the purpose for which it was collected and may be kept for a longer period due to legal obligations or based on the consent of the Users.

Therefore:

• Personal Data collected for purposes related to the execution of a contract between the Data Controller and the User will be retained until the execution of such contract is completed.
• Personal Data collected for purposes related to the legitimate interest of the Data Controller will be retained until the fulfillment of such interest. The User can obtain further information regarding the legitimate interest pursued by the Data Controller in the relevant sections of this document or by contacting the Data Controller.

When the processing is based on the User's consent, the Data Controller may retain the Personal Data for a longer period until such consent is revoked. Furthermore, the Data Controller may be obligated to retain the Personal Data for a longer period to comply with a legal obligation or an order from an authority.

At the end of the retention period, the Personal Data will be deleted. Therefore, once this period expires, the rights to access, deletion, correction, and data portability can no longer be exercised.

User Rights under the General Data Protection Regulation (GDPR)

Users can exercise certain rights with respect to the Data processed by the Data Controller.

In particular, within the limits set by law, the User has the right to:

• revoke consent at any time. The User can revoke their previously given consent to the processing of their Personal Data.
• object to the processing of their Data. The User can object to the processing of their Data when it occurs based on a legal basis other than consent.
• access their Data. The User has the right to obtain information about the Data processed by the Data Controller, on certain aspects of the processing, and to receive a copy of the Data being processed.
• verify and request correction. The User can verify the accuracy of their Data and request its update or correction.
• obtain the restriction of processing. The User can request the restriction of the processing of their Data. In this case, the Data Controller will not process the Data for any other purpose except for its storage.
• obtain the deletion or removal of their Personal Data. The User can request the deletion of their Data by the Data Controller.
• receive their Data or have it transferred to another controller. The User has the right to receive their Data in a structured, commonly used, and machine-readable format and, where technically feasible, to have it transferred seamlessly to another controller.
• file a complaint. The User can file a complaint with the competent data protection authority or take legal action.

Users have the right to obtain information regarding the legal basis for the transfer of Data abroad, including to any international organization governed by international law or established by two or more countries, such as the UN, as well as information on the security measures adopted by the Data Controller to protect their Data.

Details on the right to object

When Personal Data is processed in the public interest, in the exercise of public powers vested in the Data Controller, or to pursue a legitimate interest of the Data Controller, Users have the right to object to the processing for reasons related to their particular situation.

Users are informed that, if their Data is processed for direct marketing purposes, they can object to the processing at any time, free of charge and without providing any reason. If Users object to the processing for direct marketing purposes, their Personal Data will no longer be processed for such purposes. To find out if the Data Controller processes Data for direct marketing purposes, Users can refer to the respective sections of this document.

How to exercise the rights

Any requests to exercise the User's rights can be addressed to the Data Controller through the contact details provided in this document. The request is free of charge, and the Data Controller will respond as quickly as possible, in any case within one month, providing the User with all the information required by law. Any corrections, deletions, or limitations on processing will be communicated by the Data Controller to each of the recipients, if any, to whom the Personal Data has been disclosed, unless this proves impossible or would involve disproportionate effort. The Data Controller will inform the User of such recipients if requested.