Privacy policy
Data Controller
The Data Controller is the company YLYA srls, VAT and Tax Code: 02439230505, Via Enrico Fermi, 13, 56022 Castelfranco di Sotto (PI). This Privacy Policy aims to provide you with the necessary information so that you can give explicit and informed consent to the processing carried out through or on the occasion of the use of the Website.
The Data Controller protects the privacy of the personal data acquired and guarantees their necessary protection from any event that may put them at risk of violation. To this end, it implements recommended practices concerning the collection and use of personal data, which will be processed according to the internationally recognized principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimization, accuracy, integrity, and confidentiality, as well as the exercise of the rights recognized by applicable legislation to the data subjects.
This Privacy Policy refers exclusively to the Website and does not apply to other websites, pages, or online services that may be accessed via hyperlinks published within it.
Collection and Processing of Personal Data
The Data Controller collects, receives, and processes personal data of users who access the website to use its functionalities, to contact them for assistance purposes, and/or to take advantage of the services offered by YLYA srls.
If personal data is provided on behalf of third parties, the transmitting party must ensure, beforehand, that the data subjects have read this Privacy Policy.
Personal Data Subject to Processing
In order to allow the use of the website and its services, the Data Controller needs to know and process certain personal data. The personal data subject to processing are as follows:
- Contact details: name, place and date of birth, tax code, address, telephone number, mobile number, email address.
- Interests: information provided regarding the person's interests, including the services they are interested in.
- Other personal data: information related to education, professional situation, or business-related information.
- Browsing data: information related to the ways in which the website is used, the ways in which our communications are forwarded, including information collected through cookies. Examples of this type of data are the IP addresses or domain names of the computers used by users who connect to the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the response given by the server (successful, error, etc.), and other information related to the user's operating system and computer environment.
Voluntarily Provided Data by Users
The optional, explicit, and voluntary sending of email messages, including through forms, as well as the submission of a curriculum vitae, involves the acquisition of the sender's name, email address, and any other personal data included in the email message, in the forms, or in the curriculum vitae, if attached. In particular, users who intend to submit their application and curriculum vitae through the Website are invited from now on to pay the utmost attention to its content, not including any personal data belonging to special categories, namely personal data suitable for revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as data relating to health.
Voluntarily Provided Data by Users for Marketing Purposes
In the case of users who give their consent to the processing of personal data to receive advertising and promotional communications about YLYA srls services, for any discounts, gifts, and exclusive offers, pursuant to Article 13 of the Code. In particular, the processing aims to conclude, manage, and execute the request made by the Data Subject to subscribe to the company's newsletter and other mailing lists in order to receive commercial and/or promotional and/or advertising communications about the company's services via email; to organize, manage, and execute the aforementioned subscription request, also by communicating the data to third-party providers; to fulfill legal obligations or other obligations required by the competent authorities.
Purposes of Processing and Legal Basis
The personal data obtained by the Data Controller are solely those provided during the navigation of the Website, while using its Services, or through the submission of specific communications via email or contact forms.
The processing of personal data must be justified by one of the legal bases provided by the current legislation on the protection of personal data, as described below. Personal data is processed for the following purposes:
Establishment and execution of contractual relationships and related obligations, including any communication regarding the services. The Data Controller may process contact data for the purpose of establishing and executing contractual relationships, providing the requested services, and responding to inquiries and complaints. The Company may also use contact data, particularly email addresses, to provide information about the service.
The legal basis for this processing is the necessity to perform a contract in which the data subject is a party and the necessity to comply with legal obligations.
Use of the website. The Data Controller may process contact data and website usage data to:
(i) manage the services;
(ii) transmit contact requests or provide information or assistance. This data, necessary for the use of the Website, is also processed to obtain statistical information about the use of the Services (most visited pages, number of visitors per hour or day, geographical areas of origin, etc.) and to ensure the proper functioning of the offered Services. The legal basis for this processing is the fulfillment of contractual obligations.
Submission of curriculum vitae for potential job collaborations. The provision of personal data for this purpose is optional. However, without such consent, it will not be possible to collect and evaluate the spontaneous application. The legal basis for this processing is the explicit consent of the data subject.
Sending commercial and promotional communications. The provision of personal data, particularly email addresses, with express consent, for sending commercial communications about our products and services, keeping you updated on news, offers, and promotions.
The provision of personal data for this purpose is optional. The legal basis for this processing is the explicit consent of the data subject.
Sending marketing communications related to similar services/products. The provision of personal data, particularly email addresses or phone numbers, to receive information about promotional initiatives, conducted through automated contact methods, or for market research and statistical surveys related to services/products similar to those requested by you. The legal basis for this processing is the legitimate interest of the Company in maintaining an effective contractual relationship.
Compliance with legally binding requests to fulfill a legal obligation, regulations, or orders of the judicial authority, as well as to defend a right in court. The Company collects your contact data to fulfill a legal obligation and/or to defend its own right in court. The legal basis for this processing is a legal obligation that the Company is required to comply with. Personal data may be processed using both electronic and paper-based tools.
Consequences of Non-Disclosure of Personal Data
The provision of data is optional but necessary for the fulfillment of contractual and regulatory obligations towards the data subject (purposes mentioned in points a-b-c), and for these purposes, consent is not required.
Incorrect communication of requested personal data, for the same aforementioned purposes, in addition to preventing the fulfillment of contractual obligations, may also result in the inability of the Data Controller to ensure the adequacy of the processing and the possible lack of correspondence of the processing results with the obligations imposed by the applicable regulations.
The purpose mentioned in point d) can only be achieved with the explicit and specific consent of the data subject, who is free to provide it or not, with no consequences in case of refusal (except for the inability to receive proposals and communications according to the data subject's preferences). However, it is always possible to object to or revoke consent, even after giving specific consent.
Consequences of Withholding Consent for Marketing Purposes by the Data Controller
If the user decides not to give consent for the processing of personal data for marketing purposes, the Data Controller will not be able to process the data for such purposes. This will not affect the execution of the assigned task.
Moreover, even if the user consents today to the processing of personal data for promotional and marketing purposes, they can always revoke their consent or object to the processing for such purposes. From that moment on, the collected personal data cannot be processed for marketing activities, without any negative consequences on the assignment given to YLYA srls.
Categories of data subjects
Personal data may also be disclosed to companies responsible for fulfilling contractual or regulatory obligations or managing services related to the aforementioned purposes. The details of such companies will be made available to the data subject upon request. Personal data will not be disclosed or transferred outside the European Union.
In particular, for the performance of a large part of its activities, the Company also relies on external companies, professionals/consultants/technicians, with whom it has entered into specific agreements, including but not limited to:
- Carrying out data processing and transmission services or general computer services;
- Carrying out installation, maintenance, and updating interventions aimed at ensuring the optimal functioning of equipment, systems, and procedures;
- Carrying out expert, accounting, financial statement certification, professional consultancy, and customer assistance activities;
- Carrying out control, auditing, and certification activities;
- Carrying out data storage, communication/documentation activities related to relationships with customers, suppliers, employees, collaborators, and other relevant parties;
- Providing customer assistance (call center/help desk, etc.); measuring customer satisfaction;
- Organizing and managing promotional initiatives (including any prize operations, contests, etc.) aimed at customers or potential customers, activated upon their request.
Data may be communicated and/or transferred for promotional purposes, with your consent for such purposes, to entities operating in the Classified Advertising sector (online ad sites), Marketing Automation, Email Marketing, Social Media, and SMS marketing.
Nevertheless, the following entities may become aware of your personal data in relation to the aforementioned processing purposes: entities authorized to access data under provisions of EU law or the law of the Member State to which the Data Controller is subject. In addition, our employees may also become aware of your personal data, provided they have been designated as subjects acting under the authority of the Data Controller in accordance with Article 29 of the European Regulation or as System Administrators. Any communication of your personal data will be carried out in full compliance with the legal provisions provided by the European Regulation and the technical and organizational measures implemented by the Data Controller to ensure an adequate level of security.
Retention of personal data and data breach policy
The processing of collected personal data is carried out using both electronic and manual means made available to the authorized and trained individuals appointed by the Data Controller. Paper-based and, above all, electronic archives where data is stored are protected by security measures appropriate to counter the risks of violation identified by the Data Controller. The Data Controller periodically verifies these security measures to ensure the confidentiality of the collected data.
Personal data is retained for the time necessary to fulfill the activities related to the execution of the assignment received from the Data Controller and to comply with the resulting obligations, including legal obligations, for up to ten years after the conclusion of the contractual relationship (Article 2946 of the Civil Code) or from when the rights derived from it can be enforced (pursuant to Article 2935 of the Civil Code).
Furthermore, the Data Controller is required to retain the personal data of its Customers for the fulfillment of obligations (e.g., tax and accounting obligations) that persist even after the conclusion of the contract (in this case, however, the Data Controller is authorized to use only the data strictly necessary for such purposes and for the time necessary to achieve them). Conversely, personal data collected for marketing purposes may be retained by the Data Controller for a maximum period of 24 months from the date of collection. Navigation data does not persist for more than seven days and is deleted immediately after aggregation, except when necessary for the investigation of crimes by the Judicial Authority. The computer archives are located within the EU borders, and their connection or interaction with databases located abroad is not envisaged.
Data Breach Policy:
In the event of a personal data breach, the autonomous Data Controller has established a crisis team and specific intervention procedures to promptly resolve the issue and provide the user with appropriate communication to enable them to take suitable precautions to minimize potential damage resulting from the breach.
The communication of the breach to the user will specify:
- The name and contact details to obtain more information;
- The potential consequences of the personal data breach;
- The measures adopted or proposed for adoption by the Legal Representative to remedy the personal data breach and, if applicable, to mitigate its possible negative effects.
The Data Controller will proceed with a public communication, or a similar measure, and will not be obliged to inform the user if adequate technical and organizational protection measures are implemented regarding the data subject to the breach, subsequent measures are adopted to prevent new high risks to the rights of the user, or if the communication would require disproportionate efforts. In any case, the opportunity to keep the user updated will be evaluated, even if not strictly mandatory.
The Data Controller will also communicate the breach to the Privacy Authority within 72 hours, as necessary. For this reason, if a Data Processor or a Sub-Processor becomes aware of the breach, they must report it within 24 and 12 hours, respectively, from the discovery of the incident.
Any personal data breaches can be reported by writing to info@ylya.it
Data Subject Rights
Please note that at any time, the data subject can:
- request the data controller to access their personal data and obtain information about them (including the source of the data when it is not obtained directly from the data subject but, for example, from public entities; the purposes and objectives of the processing; the recipients of the data; the retention period of the data or the criteria used to determine it);
- request the rectification of inaccurate data or the integration of incomplete data;
- request the erasure of their personal data (in cases specified in Article 17(1) of the GDPR and subject to the exceptions provided in paragraph 3 of the same article);
- request the restriction of the processing of their personal data (in cases specified in Article 18(1) of the GDPR);
- request and obtain from the data controller, in cases where the legal basis for the processing is a contract or consent, and the processing is carried out by automated means, their personal data in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another data controller (the so-called right to data portability);
- object at any time to the processing of their personal data in specific circumstances;
- revoke consent at any time, but limited to cases where the processing is based on the data subject's consent for one or more specific purposes and concerns common personal data (e.g., date and place of birth or residence) or special categories of data (e.g., data revealing racial origin, political opinions, religious or philosophical beliefs, health or sex life).
Processing based on consent and carried out before its withdrawal remains lawful. The data subject also has the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy. In the event of requests made by the data subject, the data controller must respond without undue delay and, in any case, no later than one month from the receipt of the request.
If necessary, taking into account the complexity and number of requests received by the data controller, this period may be extended by two additional months. In any case, within one month from the receipt of the data subject's request, the data controller must inform them of any reasons for the extension.
Contact
For any further information and to submit any requests, the data controller provides the following contact address: info@ylya.it