PRIVACY NOTICE FOR WEBSITE DATA
updated to EU Reg 2016/679
(European Regulation on the Protection of Personal Data)

Introduction

ASSIST s.r.l. (Company) takes your privacy seriously and is committed to ensuring the security of your personal data. The Data Protection Notice (“Privacy Policy”) describes the processing of personal data carried out by the Company through the website www.assistapp.it (Website) and the mobile application “assistapp” (Pwa), the purposes and legal bases of data processing, as well as your rights and entitlements as data subjects. The Company may process the user’s personal data when they visit the Website and/or the Pwa and use the services and features available on the Website and/or the Pwa. Our Privacy Policy for the use of our web pages does not apply to your activities on social network sites or other providers’ sites that you may access through links on our pages. We therefore invite you to review the data protection guidelines published on the web pages of such providers.

Where required by EU Reg 2016/679, user consent will be sought before processing their personal data. If the user provides personal data of third parties, they must ensure that the communication of data to the Company and the subsequent processing for the purposes specified in the applicable privacy notice complies with EU Reg 2016/679 and applicable regulations.

Identification details of the data controller, data processor, and Privacy Officer

The Data Controller for data processing is ASSIST s.r.l. (Tax code and VAT number 16083121000), with registered office at Via Tacito 26, 00193 Roma (RM); email addresses: info@assist-tap.com and legal@assist-tap.com.

Processing of your personal data

When you visit our web pages, we store certain data about the browser and operating system used, the date and time of the visit, access status, use of web page functions, keywords entered, frequency of access to individual web pages, the names of data retrieved, the amount of data transmitted, the website from which you accessed our web pages, and the website you visit by accessing it through our web pages, either by clicking on links on our pages or by entering a domain directly in the input field of the same tab (or window) of your browser where you opened our web pages.

Additionally, for security reasons, especially to prevent and detect potential cyberattacks on our web pages or fraud attempts, we store your IP address and the name of your Internet Service Provider for a period of sixty days.

If you have subscribed to the newsletter service offered on our website, the personal data provided in the newsletter subscription, such as your name, surname, and email address, will be processed for the purpose of sending the newsletter unless you have consented to further processing. Subscriptions can be canceled at any time using the ‘unsubscribe’ function in the newsletter.

Additional personal data is stored by us only if provided within the scope of registration, a contact form, or the execution of a contract, and even in these cases, exclusively on the basis of consent given by you or within the limits permitted by applicable regulations.

There is no legal or contractual obligation to provide your personal data. However, certain functions of our web pages may depend on the provision of personal data. In these cases, not providing your personal data may result in the limitation or unavailability of certain functions.

Purposes of processing and legal basis

The personal data collected during visits to our web pages (see Section 3, letter a) are processed exclusively to facilitate user navigation as much as possible. The processing is based on our legitimate interests (Art. 6 (1) lett. f GDPR). The continuous improvement of our website is a legitimate interest. More information about the balancing of interests test is available upon request.

Your IP address and the name of your Internet service provider (see Section 3, letter b) are processed to protect our IT systems from cyberattacks and other illegal actions. This processing is based on our legitimate interests (Art. 6 (1) lett. f GDPR). The continuous improvement of our website is a legitimate interest. More information about the balancing of interests test is available upon request.

The processing of your personal data for the purpose of sending the newsletter (see Section 3, letter c) is based on our legitimate interests (Art. 6 (1) lett. f GDPR). The continuous improvement of our website is a legitimate interest. More information about the balancing of interests test is available upon request. If you have given your consent for the processing of your personal data for additional purposes, the legal basis for the processing is your consent (Art. 6 (1) lett. a GDPR).

If we are provided with additional personal data, e.g., within the scope of registration, a contact form, a survey, or for the execution of a contract (see Section 3 letter d), we process this data for the aforementioned purposes, customer management, and – where necessary – for the performance and accounting of any commercial transactions, only to the extent necessary in individual cases. In such cases, the processing is necessary for the initiation or performance of a contract with you (Art. 6 (1) lett. b GDPR).

If the processing is necessary to comply with a legal obligation (e.g., retention obligation), the processing is based on Art. 6 (1) lett. c GDPR.

Furthermore, with the additional and specific optional consent of the user, the Company may process personal data for marketing purposes, i.e., to send the user promotional material and/or commercial communications related to the Company’s services, to the contact details provided, both through traditional methods and/or means of contact (such as postal mail, operator-assisted phone calls, etc.) and automated methods (such as internet communications, fax, email, SMS, mobile device applications such as smartphones and tablets – so-called apps –, social network accounts – e.g., via Facebook or Twitter –, automated phone calls, etc.).

Recipients of Personal Data

The user’s personal data may be disclosed to:

All individuals, both public and private, with access to such data as recognized by regulatory provisions.

Our collaborators and employees within the scope of their respective duties. The Company relies on external IT service providers who provide server infrastructure, IT maintenance activities, comprehensive IT solutions (such as cloud services), and software solutions on behalf of the Company. The Company also engages external service providers for invoice storage, customer service, and market research purposes.

All individuals and/or legal entities, public and/or private, for whom communication is necessary or functional to carry out our activities, in the ways and for the purposes outlined above.

Your personal data is generally processed within the EU. In exceptional cases, your data may be transferred to recipients outside the EU (e.g., technical service providers). This is done in accordance with applicable data protection regulations (Art. 45 GDPR). Third countries considered to have an adequate level of data protection include Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Uruguay, and Japan. Recipients in the United States may be partially certified under the EU-U.S. Privacy Shield and can therefore be considered as providing an adequate level of data protection (Art. 45 (1) GDPR). In cases where processing occurs in countries where the European Commission has not determined an adequate level of data protection, adequate data protection measures have nevertheless been ensured, particularly by entering into agreements with data recipients based on the EU’s Standard Contractual Clauses issued by the European Commission pursuant to Art. 46 (2) GDPR.

Retention of Personal Data

Personal data is stored and processed through the Company’s computer systems, managed by third-party technical service providers. Data is processed solely by specifically authorized personnel, including personnel responsible for extraordinary maintenance operations.

Personal data is processed both in paper and electronic form and entered into the company’s information system in full compliance with EU Regulation 2016/679, including security and confidentiality profiles, and in accordance with the principles of fairness and lawfulness of processing.

In accordance with EU Regulation 2016/679, data is kept and stored for the time necessary to achieve the purposes for which it is processed and in any case for as long as the user decides to remain registered on our website.

When it is no longer necessary to use your personal data to fulfill contractual or legal obligations, it will be removed from our systems and documentation, or measures will be taken to anonymize it so that you can no longer be identified through it, unless it is necessary to retain your information, including personal data, to fulfill legal obligations.

Security and Quality of Personal Data

The Company is committed to protecting the security of users’ personal data and complies with security provisions set forth by applicable regulations to prevent data loss, unlawful or illicit use of data, and unauthorized access to it, particularly with reference to the Technical Regulations regarding minimum security measures. Furthermore, the information systems and computer programs used by the Company are configured to minimize the use of personal and identifying data; such data is processed only for specific purposes pursued from time to time. The Company employs multiple advanced security technologies and procedures to help protect users’ personal data; for example, personal data is stored on secure servers located in access-protected and controlled areas. Users can help the Company update and maintain their personal data by communicating any changes regarding their address, qualifications, contact information, etc.

Nature of Providing Personal Data

The provision of certain personal data by the user is mandatory to enable the Company to manage communications, respond to user requests, or recontact the user to follow up on their request. This type of data is marked with an asterisk [*], and in such cases, providing it is mandatory for the Company to fulfill the request, which cannot be processed without it. On the other hand, the collection of other data not marked with an asterisk is optional, and the failure to provide it will not have any consequences for the user.

The provision of personal data by the user for marketing purposes, as specified in the “Purpose of Processing and Legal Basis” section, is optional, and refusing to provide it will have no consequences. Consent given for marketing purposes extends to communications made through both automated and traditional contact methods, as exemplified above.

Rights of the Data Subject

Article 15 of EU Regulation 2016/679 (Right of Access)

The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, and, if so, access to the personal data and the following information:

The purposes of the processing.

The categories of personal data concerned.

The recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly recipients in third countries or international organizations.

The envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period.

The existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.

The right to lodge a complaint with a supervisory authority.

The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The data controller provides a copy of the personal data undergoing processing. For any further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information is provided in a commonly used electronic format. The right to obtain a copy under paragraph 3 must not adversely affect the rights and freedoms of others.

Article 16 of EU Regulation 2016/679 (Right to Rectification)

The data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17 of EU Regulation 2016/679 (Right to Erasure – “Right to be Forgotten”)

The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller has the obligation to erase personal data without undue delay when one of the following grounds applies:

The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

The data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal ground for the processing.

The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.

The personal data has been unlawfully processed.

The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject.

The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

The above shall not apply to the extent that processing is necessary:

For exercising the right of freedom of expression and information.

For compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

For reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR.

For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) GDPR insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

For the establishment, exercise, or defense of legal claims.

Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the data controller before the restriction of processing is lifted.

Article 18 of EU Regulation 2016/679 (Right to Restriction of Processing)

The data subject has the right to obtain from the data controller restriction of processing where one of the following applies:

The accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data.

The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead.

The data controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise, or defense of legal claims.

The data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the data controller override those of the data subject.

Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the data controller before the restriction of processing is lifted.

Article 20 of EU Regulation 2016/679 (Right to Data Portability)

The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where:

The processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and

The processing is carried out by automated means.

In exercising their right to data portability pursuant to paragraph 1, the data subject has the right to have the personal data transmitted directly from one data controller to another, where technically feasible.

The exercise of the right referred to in paragraph 1 of this Article is without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Article 21 of EU Regulation 2016/679 (Right to Object)

The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.

The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.

Article 22 of EU Regulation 2016/679 (Automated Individual Decision-Making, Including Profiling)

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

Withdrawal of Consent to Processing

The data subject has the option to withdraw consent to the processing of their personal data by sending a registered letter with return receipt to the following address: ASSIST s.r.l., 00193 Rome, Via Giuseppe Gioachino Belli n. 36, accompanied by a photocopy of their identification document, with the following text: “withdrawal of consent for the processing of all my personal data,” or through a certified email to assist2021@legalmail.it. Upon completion of this operation, your personal data will be removed from the archives as soon as possible.

Complaint

If you believe that the processing of your personal data may constitute a breach of legal regulations, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

The competent data protection supervisory authority for us is the Italian Data Protection Authority (“Garante per la protezione dei dati personali”), phone: +39 06696771, email: protocollo@gpdp.it.

Cookies

For further information on the cookies used and their functions, please refer to the cookie policy.