Your privacy is very important to us. TopView Srl therefore carefully considers the protection of your personal data during the different personal data processing activities.
What is personal data and data protection?
Personal data is all the information about an identified or identifiable natural person, also known as the data subject. A person is considered ‘identifiable’ when a natural person can be directly or indirectly identified, in particular by reference to an identifier such as:
- a name;
- an identification number;
- location data;
- an online identifier;
- or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person (article 4, §1 GDPR).
- Data relating to race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and processing of genetic data, biometric data for the unique identification of a person, or data about health, sexual behaviour or sexual orientation, criminal offences or convictions are considered sensitive data.
Unless an organisation can refer to one of the exceptions, the processing of these data is forbidden pursuant article 9 of the GDPR.
We at TopView Srl do not process any sensitive personal data. If we would at any time require these types of data for providing you with our services, we will always ask you for your explicit consent and provide you with additional safeguards.
Which data protection regulation is applicable?
The basic principles and obligations are documented in the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
Furthermore, the processing of Personal Data is in accordance with the Italian Legislative Decree DLGS Nr 196/2003
What does processing of personal data mean?
This means any operation or set of operations which is performed on personal data (whether or not by automatic means), such as the:
- collection; recording; organisation; storage; consultation; use; (art. 4, §2 GDPR).
Controller vs. processor
The controller is a natural or legal person that determines the purposes and means for the processing of personal data. The processor on the other hand, processes this data on behalf of and only on request and with instructions from the controller (art. 4, §7 and §8 GDPR).
What are the basic principles of data protection?
Personal data must be processed fairly and lawfully with respect to you. In order to process personal data lawfully, a legal basis must exist.
Pursuant article 6 of the GDPR, these legal bases are:
- performance and preparation of a contract;
- compliance with a legal obligation;
- protection of vital interests;
- performance of a task carried out in the public interest or in the exercise of official authority;
- legitimate interest.
TopView Srl ensures that it always refers to at least one of the above-mentioned legal bases when it processes personal data. More about our processing activities and their legal ground can be found below.
The fairness of processing obliges us to only process your accurate (updated) data for specific, explicit and legitimate purposes. Processing incompatible with the initial purpose for which the data were collected, is not allowed.
Data minimisation is also a key principle and limits the processing to what is necessary for the purposes for which the data were collected. This also implies the processing must be limited in time.
You as a data subject must be made aware of the following matters in clear and plain language:
- Identity and contact details of the controller;
- If a Data Protection Officer is appointed and his or her contact details;
- Processing purposes and legal basis;
- If the personal data processing is supported by a legitimate interest and an explanation of this interest;
- Categories of receivers of the personal data;
- Transfer of personal data to third countries (outside the EU) or international organisations (and on what basis);
- Time limit for the storage of personal data or the criteria used to determine the time limit;
- Your rights (including the right to revoke consent);
- The right to lodge a complaint with the supervisory authority;
- Explanation when the transmission of personal data is a contractual or legal obligation;
- If the personal data is received from a third party, the categories of personal data received and the third party.
Specific legislation may contain exceptions or set additional requirements which the organisation must comply with, with respect to the provision of information to data subjects. These mandatory legal provisions take precedence over this policy.
Confidentiality and integrity
Technical and organisational measures must be taken to ensure the processing of personal data can take place with the appropriate guarantees, so that the data are protected against accidental loss and against unlawful processing, destruction or damage.
What personal data do we process?
- The data you actively and knowingly provide us
We at TopView Srl only process data we have received directly from you, for example when you fill in the contact form at our website.
- The data you provide to us by the use of our service
You might not be aware of it but by using our service you provide us with some data that might be personal (‘Observed data’), such as your location data, IP address, metadata (data that provides information about other data) and login codes and passwords.
Why do we process your personal data?
TopView Srl only processes personal data if necessary to achieve a certain objective. That is why we use your personal data when necessary for:
- The compliance with a legal obligation which is imposed upon the organisation;
- The preparation, execution and termination of an agreement;
- The purposes of the legitimate interests of our company in conducting and managing our business to enable us to give you the best service/products and the best and most secure experience.
Otherwise, we will make sure to obtain your explicit consent.
If you have given your consent for a specific processing purpose to TopView Srl in order to process your data for that purpose, you can withdraw this consent at any time. We will then stop any further processing of your data for which you gave consent and will inform you of the possible consequences of your withdrawal of consent.
If TopView Srl processes your personal data for other purposes and in order to do so it refers to other legal bases, we will still be allowed to process your personal data.
TopView Srl tries via its current privacy and data protection policy to provide you with this information in order to be as transparent as possible with respect to the processing of your personal data. This general policy must be read together with more specific information notes which give additional information concerning about the organisation’s specific processing purposes.
We process your personal data for the following:
- To prepare or execute an agreement with you
To prepare, execute or terminate an agreement, we will need certain personal data which may vary depending on the type of contract. The retention period will depend on the type of agreement and the legal requirements.
- To send direct marketing communications
Sending out our newsletter or other direct marketing communications will only occur based on your explicit consent. Based on our legitimate interest we may also process your profession in order to send you more personal and relevant information. You may unsubscribe at any time.
How do we process your personal data
We at TopView Srl ensure that your personal data shall be processed:
- For specific, explicit and legitimate purposes and may not be processed further in a way incompatible with the initial purposes for which the data were collected. Therefore, we shall clearly communicate the purposes before starting the processing.
- Limited to what is necessary for the purposes for which the data were collected. If possible, TopView Srl will anonymise the data or use pseudonyms in order to limit the impact for the data subject as much as possible. This means that the name or identifier will be replaced so that it is difficult (pseudonymisation) or even impossible (anonymisation) to identify an individual.
Example: if we wish to use your data for statistics, we will anonymise them as much as possible.
- Limited in time and only as necessary for the specific purpose.
- Accurately, and the data shall be updated when necessary. TopView Srl shall take all reasonable measures to erase or update the personal data, taking into account the purposes for which they are processed.
- Transparently, therefore TopView Srl shall provide you the required information in a clear and plain language. Depending on the concrete case, we can disclose the information both on a collective and/or individual basis.
Technical and organisational measures
TopView Srl is committed to keeping your information as secure as possible. Therefore we have implemented various technical and organisational measures (art. 25, §2 GDPR) to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, etc. We have, when choosing the proper security measures, considered the nature, context, purpose and scope of the processing, the possible risks when processing the personal data, the costs for the implementation of the measures and the state of the art. It is however important to remember that the internet is an open system and we cannot guarantee that unauthorised third parties will never be able to defeat those measures or use your personal data for improper purposes. Nevertheless, we at TopView Srl commit ourselves to keep updating and reviewing these measures so that we can offer your personal data an appropriate safety level. You can help us with this by regularly updating the TopView Srl software as well as other software installed on your devices.
These measures are applicable to the physical access to personal data, access to the personal data via computers, servers, networks or other IT hardware and software applications and databases.
Examples of these measures include but are not limited to: the appointment of a Data protection policy and management, retention policy, incident response plan, processor management, regular evaluations of policies, storage of data in controlled facilities with limited access (by e.g. physical access control), confidentiality obligations and awareness trainings for employees, role-based access control systems.
The organisation shall ensure that the third parties that receive personal data from the organisation will comply with the applicable data protection legislation and this policy.
Your rights as a data subject
Right of access
Pursuant article 15 of the GDPR, you have the right to obtain confirmation from the organisation of whether or not your personal data are being processed. If your data are being processed, you may request the right to consult your personal data as used/stored by the organisation.
DREAMS shall inform the data subject about the following:
- the processing purposes;
- the categories of personal data concerned;
- the receivers or categories of receivers to which the personal data are supplied;
- transfer to receivers in third countries or international organisations;
- if possible, the period during which it is expected that the personal data will be retained, or if this is not possible, the criteria used to determine this period;
- that the data subject has the right to ask the organisation to correct or erase personal data, or to limit the processing of his or her personal data, as well as the right to object to this processing;
- that the data subject has the right to lodge a complaint with a supervisory authority;
- if the personal data are not collected from the data subject, all available information about the source of the data;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Right to rectification
When you establish that DREAMS has incorrect or incomplete data about you, you always have the right to inform us of this fact so that appropriate action can be taken to rectify or supplement these data. It is the data subject’s responsibility to provide correct personal data to the organisation (article 16 GDPR).
Right to be forgotten
You as a data subject can ask to have your personal data erased pursuant article 17 of the GDPRif the processing of this data is not in accordance with the data protection legislation and within the limits of the law.
Right to the restriction of processing
You may ask to have the processing restricted (article 18 GDPR) if:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to check their accuracy;
- The processing is unlawful and you oppose the erasure of the data;
- The organisation no longer needs the data, but you request that your data are not be removed, given that you might need them for the exercise or defence of legal claims;
- You have objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
You have the right to obtain your personal data which you provided to the organisation in a structured, commonly-used and machine-readable format pursuant article 20 of the GDPR. You have the right to have those personal data transmitted to another controller (directly by the organisation).
This is possible if you have consented to the processing and if the processing is carried out via an automated process.
Right to object
When personal data are processed for direct marketing purposes (including profiling), you can always object to this processing.
You can also object to processing due to a specific situation regarding yourself as the data subject. TopView Srl shall stop processing the personal data unless we demonstrate compelling legitimate grounds for the processing which overrides the interests of the data subject or for the exercise or defence of legal claims (article 21 GDPR).
Automated individual decision-making
Since TopView Srl does not make automated individual decisions, this paragraph is only meant to inform data subjects of the full range of actions that can be taken under article 22 of the GDPR.
You as a data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you such as by evaluating personal aspects with respect to the performance of work, reliability, creditworthiness, etc.
This right not to be subjected to such automated decision-making does not exist when the decision is permitted by a mandatory legal provision.
Nor may you invoke this right when the decision is necessary for entering into, or the performance of, a contract between the data subject and the organisation or is based on the data subject’s explicit consent. In these last two cases, you do have the right to obtain human intervention from someone at the organisation and you have the right to make your point of view known and to challenge the automated decision process.
The right to withdraw consent
If you have given your consent for a specific processing purpose to TopView SrlS in order to process your data, you can withdraw this consent at any time by adjusting your privacy settings or by sending an e-mail to firstname.lastname@example.org
Procedure for exercising your rights
You may exercise your rights by:
- Sending an e-mail to the Data Protection Management via email@example.com
Since we want to make sure you are really you, we can ask you to identify yourself. That way we can ensure that it is indeed the data subject requesting to exercise his or her rights.
If you have any questions about the application of the principles or the organisation’s (legal) obligations, you can always contact the Data Protection Management via firstname.lastname@example.org
In principle TopView Srl shall respond to the data subject’s request within one month. If not, we shall inform you why the request received no response or why it did not receive a response in good time.TopView Srl shall take the necessary measures to inform the receivers of the data subject’s personal data about exercising the right to correction, right to erasure or the limitation of processing by the data subject.
Exercising your rights is in principle free, but in the event you exercise of multiple and/or unreasonable requests, we can ask a reasonable fee.
Do we share your personal data?
We can share your personal data, based on our legitimate interest, to third party providers who help us with our services. Examples include third parties hosting our web servers, providing marketing assistance, and providing customer service. These processors will have access to your personal data but only when strictly necessary to perform their functions on instructions from TopView Srl and they may not use that data for any other purpose. Our Processor Management implies that we make sure these processors also comply with the legal requirements pursuant data protection legislation and observe the necessary security measures when transferring the data and with respect to the receivers, in order to guarantee the confidentiality and integrity of the personal data. Processing agreements containing obligatory clauses are conducted with our processors.
We can also share your personal data with any third party you have asked us to share your personal data with, such as Twitter, LinkedIn or any other social media site you have asked us to connect with your account.
We may disclose your personal data to enforce our policies, to comply with our legal obligations or in the interests of security, public interest or law enforcement in any country where we have entities or affiliates. For example, we may respond to a request by a law enforcement agency or regulatory or governmental authority. We may also disclose data in connection with actual or proposed litigation, or to protect our property, security, people and other rights or interests.
In the event that the TopView Srl activities are integrated with another business, your details will be disclosed to any prospective purchaser’s adviser and will be transferred to the new owners of the business. In this case, we will implement the appropriate safeguards to ensure the integrity and confidentiality of your personal data. However, use of your personal information will remain subject to this Policy.
Transfer to third countries
It is also possible for the organisation to transfer your personal data to parties (processors) that are based in third countries, these are countries outside the European Economic Area (i.e. The European Union, Norway, Iceland and Liechtenstein).
Such a transfer is possible if the country where the receiver offers sufficient legal guarantees to protect your personal data and which the European Commission has assessed as being adequate. In other cases, the organisation has concluded a standard contract with the receiver so that equivalent or similar protection to that offered in Europe is offered. Unifly ensures to have such safeguards in place when transferring your data to third countries.
Fatture In Cloud: https://www.fattureincloud.it/gdpr/
Audit and review
The organisation shall inform the data subject when it is impossible for it to comply with this policy due to mandatory legal provisions which are imposed upon the organisation.
Cookie and Automatically Collected Information.
For almost any modern website to work properly, it needs to collect certain basic information on its users. To do this, a site will create files known as cookie – which are small text files – on its users’ computers. These cookie are designed to allow the website to recognise its users on subsequent visits, or to authorise other designated websites to recognise these users for a particular purpose.
Cookie do a lot of different jobs which make your experience of the Internet much smoother and more interactive. For instance, they are used to remember your preferences on sites you visit often, to remember your user ID and the contents of your shopping baskets, and to help you navigate between pages more efficiently. They also help ensure that the advertisements that you see online are more relevant to you and your interests. Some data collected is designed to detect browsing patterns and approximate geographical location to improve user experience.
When you use our website, we may send one or more cookie to your device. We may use both session cookies and persistent cookies.
- A session cookie disappears after you close your browser.
- A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the Service. We may also automatically record certain information from your device by using various types of technology, including “clear gifs” or “web beacons.” This automatically collected information may include your IP address or other device address or ID, web browser and/or device type
The purpose of the SessionID cookie is to uniquely identify a user associated to the session. The cookie-related information is not used to identify you personally.
Please review your web browser “Help” file to learn the proper way to modify your cookie settings.
Please note that if you delete or choose not to accept cookies, you may not be able to utilize our Services to their fullest potential. We may use third party cookie as well.
Please note that some linked websites may also contain images called ‘web beacons’ (also known as ‘clear gifs’). Web beacons only collect limited information, including a cookie number, a timestamp, and a record of the page on which they are placed. Websites may also carry web beacons placed by third party advertisers. These beacons do not carry any personally identifiable information and are only used to track the effectiveness of a particular campaign (for example by counting the number of visitors).
Information collected by cookie is now classed as personal data.
which cookie do we use?