Data ControllerAs per Articles 4 and 24 of Regulation (EU) 2016/679 (“GDPR”), the Data Controller is Citylab S.r.l., with registered office at Corso Venezia 54, 54, Milan, 20121 (MI), VAT no. 12784550969, in the person of its pro tempore legal representative.
Purpose of processing | Legal basis for processing | Storage period | Nature of consent
Purpose A)Purpose of processing: direct marketing through newsletter subscription: commercial/promotional information, invitations to events promoted and/or organized by the Data Controller and/or the joint controllers via e-mail/newsletter. The Data Controller, in order to compare and potentially improve the results of communications, uses systems to send newsletters and promotional communications with reports. Thanks to such reports, the Data Controller is able to know, for example: the number of readers, the number of people who open the communications, unique clicks, and clicks; the devices and operating systems used to read the communications; details regarding the activity of individual users; details of the e-mails sent (delivered and undelivered), of those forwarded. All this data is used for the purpose of comparing and potentially improving the results of communications.Legal basis: consent as per Article 6, paragraph 1, letter f) of the GDPR.Data storage period: until consent is withdrawn (opt-out).Nature of consent: optional. Failure to give consent for this purpose will prevent you from receiving newsletters.
Purpose B)Purpose of processing: profiling (non-automated) with analysis of preferences, personal interests, etc., in order to send more targeted commercial offers.Legal basis: consent as per Article 6, paragraph 1, letter f) of the GDPR.Data storage period: 12 (twelve) months.Nature of consent: optional. Failure to provide consent for this purpose will prevent you from receiving newsletters that closer match your preferences. Lack of such consent will not affect your ability to subscribe to our newsletter to receive marketing communications if you have given consent for that purpose.
Purpose C)Purpose of processing: transfer of your data to third parties for marketing purposes. Third parties are defined as partners and sponsors of the Data Controller and such entities for other Group entities.Legal basis: consent as per Article 6, paragraph 1, letter f) of the GDPR.Data storage period: until objection (opt-out), to be exercised with respect to the third party that, following the transfer of the data for marketing purposes, is the Autonomous Controller for the marketing activity carried out by such party.Nature of consent: optional. If you do not consent, your data will not be transferred to third parties for marketing activities. Failure to give consent will not affect the processing of your data for the other purposes to which you have consented.
RecipientsIn order to comply with existing contracts or related purposes, your data will be processed by the Data Controller and by third-party companies contractually linked to Data Controller, and in particular may be disclosed to third parties belonging to the following categories: (i) CITYLAB’s internal staff, who could have knowledge of your data, as they are in charge of certain processing activities that are related and instrumental to the management of the newsletter or marketing service; (ii) parties that provide services for the management of the IT system and telecommunications networks; (iii) freelancers, firms or companies as part of assistance and consulting relationships; (iv) parties that provide services for the management of the activities indicated above in the above purposes of processing (parties for communications, printing brochures, flyers, websites, movies); (v) platform operators for the services listed above (e.g. web hosting); (vi) competent authorities for compliance with laws and/or provisions of public bodies, upon request.
The parties belonging to the above categories act as data processors, or operate completely independently as separate data controllers.
The list of data processors is constantly updated and is available at the Data Controller’s registered office or by contacting the Data Controller at the addresses indicated in section 1 of this policy.
Transfer to third countries and international organizationsPersonal data provided will be transferred abroad to countries outside of the EU. Newsletters are sent using the MailChimp platform, which belongs to Rocket Science Group LLC, based in the United States, where your personal data could be transferred. Please be informed that the company in question relies on the Privacy Shield agreement, which guarantees a level of protection of personal data adequate to the standards required by the GDPR.
Data subject rights | Lodging a complaint with the supervisory authorityYou may exercise your rights as per the GDPR by e-mailing the Data Controller at email@example.com. You may, at any time, ask the Data Controller: for access to your personal data (Article 15); to rectify your data (Article 16); to erase your data (Article 17); to restrict the processing of your data (Article 18). Moreover, in the cases envisaged, you have the right to object (Article 21) at any time to the processing of your data (including automated processing, e.g., profiling), as well as to withdraw your consent without prejudice to the lawfulness of the processing based on the consent prior to withdrawal. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of the processing based on consent before you withdrew it.
To object to the processing of your data and to exercise your other rights, write to firstname.lastname@example.org. To stop receiving direct marketing communications, simply write an e-mail at any time to email@example.com with the subject line “unsubscribe from newsletter” or use our automatic unsubscribe systems in our e-mails, and you will no longer be contacted. To be excluded from profiling only, simply write to firstname.lastname@example.org with the subject line “”no profiling”. Without prejudice to any other administrative and jurisdictional recourse, if you believe that the processing of your data breaches the GDPR, as per Article 15 letter f) of the GDPR you have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it). In the cases envisaged, you have the right to the portability of your data (Article 20) and, in this case, the Data Controller will provide you with your personal data in a structured, commonly used and machine-readable format. The Data Controller informs you that there are no automated decision-making processes.