INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA CARRIED OUT THROUGH THE “M+ SALES SUPPORT” APP

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”)

Mosaico+ S.r.l., with registered office in Viale E. Jenner 4, 20159 Milan, Italy (“Company”), is the Data Controller, pursuant to Article 4, n. 7) of the GDPR, with regard to the processing of the personal data collected through the use of the “M+ Sales Support” app (“App”).

Processing of personal data refers to any operation or set of operations which is performed upon personal data or sets of personal data, with or without the help of automated processes, even if not registered in a database, such as collection, recording, organisation, structuring, storage, processing, selection, blocking, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, comparison or interconnection, restriction, erasure or destruction.

The Company therefore informs you, as Data Subject, that, according to Articles 13 and 14 of the GDPR, it will process said data for the purposes indicated below, manually and/or with the support of IT or telematic means.

1. PERSONAL DATA PROCESSED

The use of the App is reserved to members of the Company’s salesforce who are already in possession of login credentials, which are provided by the Company. Processed data are:

  • authentication and contact data, such as the user’s first and last name, e-mail and password for login;
  • information relating to the mobile device on which the App is installed, Android or iOS system-related parameters (e.g., log files, that may contain date and time of access, browser, device information), the transmission of which is implicit for the normal functioning of the App;
  • information on the use of the App by the user: by way of example, but not limited to, contents accessed by the user, duration of App usage, sharing of contents with third parties. Said data are collected by using tracking tools that do not allow for the direct identification of the user;
  • data pertaining to user satisfaction.

2. PURPOSES AND LEGAL BASIS OF THE DATA PROCESSING

The personal data are acquired and processed in compliance with GDPR provisions for the following purposes:

  • PROVISION OF SERVICES AND APP SECURITY: information regarding the mobile device is collected to ensure the correct functioning of the App and the correct performance of the services offered through the App (legal basis: performance of a contract to which the data subject is party) as well as to guarantee the IT and application security of the App, including fraud risk monitoring and prevention (legal basis: legitimate interest of the Controller);
  • USER TRACKING: the data pertaining to the users’ interaction with the App are analyzed in order to conduct statistical analysis aimed at improving user experience.
    The tracking tools used in order to carry out the processing do not allow for the direct identification of the user. More specifically, the App uses the following tracking tools.

| Tracking tool | Name | Purpose | First/Third Party | Legal basis | Data retention period |
|---|---|---|---|---|---|
| Google Analytics | mplusagents (M+), ID: 428819828 | Conduct statistical analysis in aggregate form. | Third Party | Legitimate interest of the Controller | 14 months |

  • CUSTOMER SATISFACTION INITIATIVES
  • COMPLIANCE WITH LEGAL OBLIGATIONS (e.g., administrative and accounting obligations) or ensuring the exercise of data subjects’ rights, as provided for by applicable national and supranational legislation (legal basis: compliance with a legal obligation to which the Controller is subject).
  • ASCERTAINMENT, EXERCISE OR PROTECTION OF RIGHTS OF THE CONTROLLER IN A JUDICIAL OR EXTRA-JUDICIAL PROCEEDING: in case of disputes relating to the App (legal basis: legitimate interest of the Controller).

3. DATA STORAGE PERIOD

All personal data are collected and registered in a lawful and fair manner and for the purposes described above. Data are processed also with the help of IT systems and databases, consistently with said purposes, so as to ensure their security and confidentiality.

The personal data will be stored in compliance with the principle of storage limitation for no longer than necessary for the purposes for which the personal data have been collected or subsequently processed.

More specifically:

i. the information required to deliver the services will be stored for the period of use of said services by the data subject;

ii. the information related to user tracking will be stored for the period of time specified for each tracking tool;

iii. data collected in the context of customer satisfaction initiatives will be retained for the period necessary to elaborate statistics in aggregate form;

iv. data processed for the fulfillment of legal obligations will be stored for as long as required by the applicable regulations (and for a maximum of 10 years for administrative and accounting obligations);

v. data necessary for the ascertainment, exercise or protection of the Controller’s rights will be stored for the duration of the judicial and/or extra-judicial proceeding and/or enforcement actions, until time limits for appeals have expired.

Once the above-mentioned periods have expired, data will be destroyed or anonymised, subject to the erasure and back-up technical procedures and accountability requirements of the Company.

4. MANDATORY SUBMISSION OF DATA FOR PURSUING THE PURPOSES OF PROCESSING

The collection of information relating to the user’s device is essential to ensure the proper functioning of the service offered by the App.

Data subjects can object to the processing of tracking data and/or to the processing of their data for customer satisfaction initiatives by contacting the Company through the above-mentioned postal address or by sending an e-mail to privacy@mplusdesign.it.

5. DISCLOSURE OF PERSONAL DATA

Data may be communicated to subjects acting as data controllers such as, for example, authorities, supervisory bodies and, in general, public or private subjects entitled to request them.

Data may be processed by employees and collaborators of Mosaico+ S.r.l. as “persons authorised to process” (i.e., persons who, under the direct authority of the Controller, are authorised to process personal data, as provided for in Article 29 of the GDPR and Article 2 quaterdecies of Italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018).

Data may also be processed by trusted companies providing Mosaico+ S.r.l. with technical and organisational support and/or providing services instrumental to the abovementioned purposes, such as consultancy firms. These companies are direct collaborators of Mosaico+ S.r.l. and are appointed as Data Processors. Their list is constantly updated and is available, upon request, by contacting the Controller at the above-mentioned address or by sending an email to privacy@mplusdesign.it.

6. TRANSFER OF PERSONAL DATA TO NON-EEA COUNTRIES

Data collected using tracking tools may be transferred to countries outside the European Union whose level of data protection has been deemed adequate by the European Commission under Article 45 of the GDPR.

In the absence of an adequacy decision by the European Commission pursuant to Article 45 of the GDPR, the transfer of data will take place pursuant to the provisions set forth in the GDPR, Chapter V, and, in particular, pursuant to Article 46 of the GDPR.

7. DATA CONTROLLER AND DATA PROCESSORS

The Data Controller is:

Mosaico+ S.r.l.
Via E. Jenner 4
20159, Milan
Italy

As mentioned above, data may also be processed by trusted companies that provide Mosaico+ S.r.l. with services instrumental to the above-indicated purposes of processing. These companies are direct collaborators of Mosaico+ S.r.l. and are appointed as Data Processors. Their list is constantly updated and is available, upon request, by contacting the Controller at the above-mentioned address or by sending an email to privacy@mplusdesign.it.

8. RIGHTS OF THE DATA SUBJECT

Pursuant to Articles 15 to 21 of the GDPR, the data subject has the right to:

a) request access to his/her personal data, their rectification and erasure, as well as the restriction of the processing in the circumstances defined by Art. 18 GDPR;

b) object, on grounds relating to his or her particular situation, at any time, to the processing of his/her personal data based on the legitimate interest of the Controller;

c) receive personal data in a structured, commonly used and machine-readable format (so-called “data portability”), if processing is based on consent or on the performance of a contract and is carried out by automated means;

d) lodge a complaint with the Italian Data Protection Authority (“Garante per la Protezione dei Dati Personali”), in accordance with the procedures and instructions available on the Authority’s official website (garanteprivacy.it) or with the Authority of the member State in which he/she habitually resides or works or of the State in which the alleged infringement took place.

Any rectification, erasure or restriction of the processing made on request of the data subject – unless impossible or requiring an unreasonable effort – will be notified by the Company to the entities and/or individuals to whom the personal data have been communicated. The Company may disclose the details of said entities and/or individuals to the data subject, if so requested by the data subject him/herself.

The exercise of rights is not subject to any form of constraint and is free. To exercise the rights, the data subject may contact the Data Controller through the above-mentioned postal address or by sending an e-mail to privacy@mplusdesign.it.

For a concrete and prompt implementation of the data subject rights under Articles 15 to 21 of the GDPR, and in accordance with Article 12 of the GDPR, the Company has adopted appropriate measures to provide all required information and communications in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Company also undertakes to provide the information in writing or by other means and, when requested by the data subject, also orally, provided that the identity of the data subject has been proven.

The Company shall also provide the data subject with information on the action taken following a request under Articles 15 to 21 of the GDPR. The Company shall provide the response without undue delay and, in any case, within a reasonable time, taking into account the complexity and number of the requests.

If the Company does not take action on the request of the data subject, the Company shall inform the data subject without undue delay of the reasons for not taking action and on the possibility of lodging a complaint with the Italian Data Protection Authority, or the different competent Authority, and seeking a judicial remedy.