Gentle “DATA SUBJECT”,
European and national privacy regulations establish as a fundamental right the protection of natural persons with regard to the processing of their personal data, as well as the free circulation of such data.
We therefore inform you of the following.
“TITULAR”
The “RESTAURATEUR”, Simona Deschino, email info@upperhouse.it, is the sole “DATA CONTROLLER”.
PLATEFORM SRL, email amministrazione@plateform.app
, hereinafter “SERVICE PROVIDER”, is the “DATA PROCESSOR” as it carries out processing in the interest of and on behalf of the “RESTAURATEUR”.
The “SERVICE PROVIDER” has developed and owns hardware and software used for the operation of a booking and marketing platform for the restaurant industry.
The “SERVICE PROVIDER” is also the owner of the duly registered trademark "PLATEFORM"[1].
With the term "PLATEFORM", reference is made hereinafter to the platform and the services it offers.
The “RESTAURATEUR” is the sole “DATA CONTROLLER” as the “SERVICE PROVIDER” carries out processing only in the interest of and on behalf of the “RESTAURATEUR”.
The “RESTAURATEUR” is the “DATA PROCESSOR” only with reference to the processing it carries out directly.
The “SERVICE PROVIDER” has no interest in personal data.
The “RESTAURATEUR” has interest in personal data.
When the contractual relationship between the “SERVICE PROVIDER” and the “RESTAURATEUR” ends, the “SERVICE PROVIDER” retains only “ANONYMIZED” data that do not refer to the natural person (simple anonymous statistical data), while the “RESTAURATEUR” reserves the right to retain all the data but must provide the “DATA SUBJECT” with a new privacy notice, specifying that the “SERVICE PROVIDER” no longer has any role.
The obligation to provide a new notice rests exclusively with the “RESTAURATEUR”. The “SERVICE PROVIDER” has no way of knowing whether the new notice has been sent to the “DATA SUBJECT” and therefore cannot be held in any way responsible for failure to send it.
PROFILING[2]
"PLATEFORM" does not provide any automated processing of personal data.
“DATA PROTECTION OFFICER”
In this case, the law does not require the designation of a Data Protection Officer.
METHODS BY WHICH DATA ARE COLLECTED
a) paper form, at the “RESTAURATEUR”. The data subsequently flow into "PLATEFORM";
b) WiFi access form, from "PLATEFORM";
c) online form, from the “RESTAURATEUR’s” website or from "PLATEFORM";
d) table/delivery booking, from "PLATEFORM", directly or via a link on the “RESTAURATEUR’s” webpage, on other platforms (e.g. Facebook), or via apps installed on the “DATA SUBJECT’s” devices.
e) other platforms: for example Reserve with Google, or integrated POS software
f) access to the WiFi service at the RESTAURATEUR’s premises: upon connection, browsing and access data (e.g. IP address, device used) are also recorded, processed in compliance with applicable laws for network security purposes.
“PROCESSING”
In general
This refers to the data collected and their nature – source – purpose – legal basis – duration.
Deletion
After the indicated retention periods have expired, the data will be deleted or anonymized, in line with technical procedures for deletion and backup.
a) freebies
The data required are: first name, last name, email and/or mobile number.
The source is the “DATA SUBJECT”.
The purpose is to allow the “DATA SUBJECT” to receive the freebies.
The legal basis is consent. Without consent, the service cannot be provided.
The retention period is 12 months.
It is always possible to unsubscribe.
The processing involves “DIRECT MARKETING”, with separate and explicit consent.
The legal basis is consent.
The retention period is 12 months.
It is always possible to unsubscribe.
Without consent for both types of processing, the freebie will not be received.
b) Subscription to the “salotto buono”
The data required are: first name, last name, email, mobile number, date of birth, address/residence.
The source is the “DATA SUBJECT”.
The purpose is to allow the “DATA SUBJECT” to access and enjoy “situations” designed for a selected clientele.
The legal basis is consent. Without consent, the service cannot be provided.
The retention period is 12 months.
It is always possible to unsubscribe.
Subscription to the “salotto buono” takes place by express invitation of the “RESTAURATEUR” and is never automatic.
The processing involves “DIRECT MARKETING”, with separate and explicit consent.
The legal basis is consent.
The retention period is 12 months.
It is always possible to unsubscribe.
Consent for both types of processing is required to access the “salotto buono”.
c) WiFi Subscription
The data required and processed are: first name, last name, email, phone number, IP address, device, access data.
The source is the “DATA SUBJECT”.
Purposes: WiFi access → legal basis: consent, sending promotions via email/SMS → legal basis: consent, anonymous statistical analysis to improve the service → legal basis: legitimate interest.
The legal basis is consent. Without consent, the service cannot be provided.
The retention period is 12 months. For marketing: until withdrawal of consent.
It is always possible to unsubscribe.
The processing involves “NEWSLETTER SUBSCRIPTION”, with separate and explicit consent.
The legal basis is consent.
The retention period: until withdrawal of consent.
It is always possible to unsubscribe.
Without consent for both types of processing, the WiFi service cannot be accessed.
The newsletter service is technically managed by Plateform using the sub-processor SendGrid (Twilio Inc.), which processes the data exclusively on behalf of the Controller. More information: https://sendgrid.com/policies/privacy
d) Newsletter Subscription
The data required are: first name, last name, email, mobile number.
The source is the “DATA SUBJECT”.
The purpose is to allow the “DATA SUBJECT” to receive, by automated and traditional contact methods, communications about events and more.
The legal basis is consent, except in the case of so-called Soft-Spam[3], for which the legal basis is legitimate interest.
The retention period is 24 months.
It is always possible to unsubscribe.
e) Reservation and Take away
The data required are: first name, last name, email, mobile number, reservation date and time, number of people. The “DATA SUBJECT” may also voluntarily provide information on dietary preferences or needs (e.g. allergies, intolerances, choice between meat/fish).
The source is the “DATA SUBJECT”.
The purpose: reservation management and confirmation → legal basis: contract, sending reminders or post-visit requests (e.g. reviews) → legal basis: consent, sending promotions via email/SMS → legal basis: consent.
The legal basis is contractual.
The retention period: reservation data: 24 months, marketing: until withdrawal of consent, dietary preferences: the information may be stored in the system for the user’s benefit for future reservations, until deactivation. Such data are not used for profiling or marketing of the user account or the platform, unless deletion is requested.
The processing involves “DIRECT MARKETING”, with separate and explicit consent.
The legal basis is consent.
The retention period is 12 months.
It is always possible to unsubscribe.
Consent for both types of processing is NOT required to access the reservation service.
f) Delivery
The data required are: first name, last name, email, mobile number, delivery address.
The source is the “DATA SUBJECT”.
The purpose is to allow the “DATA SUBJECT” to access the service.
The legal basis is contractual.
The retention period is that of the relationship.
The processing involves “DIRECT MARKETING”, with separate and explicit consent.
The legal basis is consent.
The retention period is 12 months.
It is always possible to unsubscribe.
Consent for both types of processing is NOT required to access the Delivery service.
The “DATA SUBJECT” may indicate, whether requested or not, data relating to “THIRD PARTIES”. For such data, the “DATA SUBJECT” assumes all responsibility, in particular guaranteeing that the data have been acquired in full compliance with the current regulations and that consent for processing has been obtained, providing broad indemnity, for example, against any dispute, claim, or request for compensation.
g) Storage
The “SERVICE PROVIDER” only retains consumption data and only in “ANONYMIZED” form. It therefore does not need to request consent and may retain such data indefinitely, since they are not personal data and it is no longer possible to recover the key to link such data with the “DATA SUBJECT”.
h) Rights defense
The data collected are those used for the processing.
The source is the processing itself.
The “CONTROLLER” and the “DATA PROCESSOR” have a legitimate interest in retaining data relating to the operations carried out should it become necessary to defend their rights.
The legal basis is legitimate interest.
The retention period is the standard limitation period, i.e. 10 years from the last processing.
THIRD-PARTY PROVIDERS PROCESSING PERSONAL DATA OF THE CUSTOMER/END USER (“DATA SUBJECT”)
"PLATEFORM" provides the possibility of being integrated with software from “THIRD-PARTY SERVICE PROVIDERS” (as happens, for example, with some POS management software), provided they offer adequate data confidentiality guarantees, without prejudice to the fact that the responsibilities of “PLATEFORM” and “THIRD-PARTY SERVICE PROVIDERS” remain distinct and independent.
Among the sub-processors used by Plateform is SendGrid (Twilio Inc.), a platform used for sending newsletters. More info on the privacy policy: https://sendgrid.com/policies/privacy
COMMUNICATIONS
Apart from the cases listed above, your data will not be communicated to partners, consulting companies, private companies.
TRANSFER OF DATA ABROAD
The data collected will not be transferred to third countries.
Currently, "PLATEFORM" stores the data on servers located in countries of the European Union.
Should servers outside the European Union be used in the future, only servers that guarantee adequate security measures will be chosen (e.g. countries that ensure an adequate level of protection or on the basis of Standard Contractual Clauses (SCC) approved by the European Commission).
RIGHTS OF THE DATA SUBJECT
By simple written request via email sent to the “SERVICE PROVIDER” or the “RESTAURATEUR”, the “DATA SUBJECT” always has the right:
— to request access
— to request rectification
— to request erasure
— to request restriction of processing
— to object to processing
— to request data portability
— to withdraw consent to processing
— to lodge a complaint if their rights have been violated.
DATA OF MINORS
It is not expected that data will be collected from persons who have not reached the age of majority. For this reason, all our forms bear the following wording:
“DO NOT COMPLETE IF YOU ARE UNDERAGE”.
ONLINE PAYMENTS
Online payments will be managed through PAYPAL, SATISPAY or other online platforms, which will be the sole and exclusive controllers of that data. For online payments PLATEFORM SRL uses their systems.
In no case may PLATEFORM SRL be held liable for any damage arising to the Customer from the use of services offered by PAYPAL, SATISPAY or other platforms.
NAVIGATION DATA, COOKIES AND OTHER TECHNOLOGIES
"PLATEFORM" does not release cookies.
[1] The trademark is registered in Italy for classes 9, 16, 35, 38, 41, 42.
[2] “PROFILING” consists in enabling the “CONTROLLER”, through algorithms, to carry out automated analysis assessing personal aspects concerning a natural person, in particular in order to analyze or predict aspects concerning professional performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements of the “DATA SUBJECT” (see Recital 71 and Art. 4 no. 4) GDPR). It therefore means analyzing in an automated way preferences, habits, directly expressed or inferred, for example, from “clicks” online on items/sections of websites, which allow better understanding of the preferences of the “DATA SUBJECT”, also in order to send them, via automated and traditional contact methods, information and/or promotional and commercial service/product communications more suitable to the data subject, who will thus also be subject to an automated decision-making process.
[3] The possibility of carrying out soft-spam is subject to the following requirements:
the user is already a customer;
only via email;
only with email already indicated within the service or product provided;
only for direct sale of products and/or services;
for similar products or services;
provided there has been no objection to receiving promotional communications;
with the possibility of simply objecting.