INFORMATION AND CONSENT FOR THE PROCESSING OF PERSONAL DATA
The following privacy policy aims to describe how the 18Tickets website and application (hereinafter referred to as "Application") manage the processing of personal data of users who utilize the services offered. This document also serves as an information notice pursuant to Article 13 of the European Regulation 2016/679 “GDPR”.
The Data Controller may modify or simply update this privacy policy, in whole or in part. Changes and updates will be binding as soon as they are published on the Application. Users are therefore invited to review the policy and related information each time they access the Application.
1. PRINCIPLES
Personal data is processed in compliance with the principles of relevance, lawfulness, and fairness as outlined by the Privacy Code. This is done using appropriate security measures and based on the consent provided by users where required.
These data are stored in a form that allows the identification of the data subject for no longer than necessary for the purposes for which they were collected or subsequently processed.
2. DATA CONTROLLER, PROCESSOR, AND LOCATION OF DATA PROCESSING
The Data Controller is Parrocchia Santa Maria Assunta, with its registered office at Piazza Agliardi 1, 24055 Cologno Al Serio, Milano.
The Data Processor is 18Months Srl, with its registered office at Via G. De Castillia 3, Vimercate MB, 20871, VAT number 07610120961, MB-1880446, share capital €40,000, phone +39 02 45074055, email privacy@18months.it, PEC 18monthssrl@legalmail.it (hereinafter referred to as the Processor).
Data is processed in Italy at the operational offices of the Controller and Processor and in any other location where parties involved in the processing are located. Processing is carried out only by authorized personnel or individuals responsible for occasional maintenance operations. For further information, please contact the Controller.
3. PURPOSES
Unless the communication of personal data is mandated by legal obligations or strictly necessary for fulfilling contractual requests or obligations for service execution, personal data is voluntarily provided by users during service activation for the following purposes:
- Execution and management of the contract: external management of payments via credit card, bank transfer, or other means. Payment data is acquired directly by the payment service provider without being processed by this Application. User registration and authentication to use the ticket purchase service and the Application. Support and user contact.
- Compliance with legal obligations.
- Profiling of user characteristics, behaviors, and choices to provide personalized services or promotions.
- Support and user contact.
4. TYPES OF PERSONAL DATA PROCESSED
-
A. PERSONAL DATA
Personal data may be voluntarily provided by the User or collected automatically during the use of this Application.
Failure to provide certain personal data may prevent the Application from delivering its services.
The User assumes responsibility for third-party personal data published or shared through this Application and guarantees they have the right to communicate or disclose them, holding the Controller harmless from any liability toward third parties.
Specifically, all users under the age of 16 are invited not to disclose their personal data under any circumstances without prior authorization from a parent or legal guardian. Should the Controller become aware that personal data has been provided by a minor (under 16 years of age), such data will be immediately deleted, or specific parental consent will be requested, reserving the right to block access to the services of the Site for any user who conceals their minor status or provides personal data without parental consent.
-
B. NAVIGATION DATA
The IT systems and software procedures used for the operation of this Application acquire, during normal operation, certain personal data whose transmission is implicit in the use of internet communication protocols.
These data are not collected to be associated with identified subjects but, by their nature, could, through processing and association with data held by third parties, identify users. This category includes IP addresses or domain names of the computers used by users connecting to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained, etc.
These data are used to obtain anonymous and aggregated statistical information on the use of the Application and to monitor its correct functioning. They are stored permanently on third-party servers (hosting providers) and may be used to ascertain liability in case of hypothetical cybercrimes against the Application.
-
C. COOKIES
The Application uses cookies, defined by the Data Protection Authority as small text strings that websites send to the user’s terminal (usually to the browser), where they are stored to be sent back to the same sites on the next visit by the same user.
During navigation on the Application, the user may also receive cookies sent by third-party sites or web servers, where some elements (images, maps, links, etc.) of the site being visited are located.
Cookies are used to access online services more quickly and improve the user’s browsing experience (session monitoring, user information storage, faster content loading, etc.).
L’utente al primo accesso ha la possibilità di confermare l’installazione o meno dei cookie disponibili, o in alternativa, di visualizzare la Cookie Policy, contenente tutte le modalità di manifestazione e negazione del consenso. On the first access, users can choose whether to confirm the installation of available cookies, view the Cookie Policy, or deny consent.
5. LINKS TO THIRD-PARTY SITES
The Controller may present or offer products or services of third parties on the Application. For privacy matters, these third-party sites adopt criteria independent of ours. The Controller assumes no responsibility for the content or activities of such linked sites.
6. LEGAL BASIS AND DATA RETENTION
The legal bases for data processing are as follows: for purpose no. 1, it is the execution of the contract, and the data is retained for the duration of the contractual relationship and, subsequently, for 10 years as established by law and tax obligations; for purpose no. 2, it is the fulfillment of legal obligations, and the retention period complies with the provisions of the applicable regulations; for purpose no. 3, the legal basis is the user's consent, expressed through a dedicated flag and revocable at any time, and the data retention period will be a maximum of 7 years from the date of registration.
7. PROCESSING METHODS
Data processing includes activities such as collection, registration, storage, modification, communication, deletion, and dissemination. Processing may occur using paper, electronic, IT, telematic, or innovative tools in ways that ensure security and confidentiality.
Furthermore, the applied methodologies ensure that access to the data is granted only to authorized individuals.
8. RIGHTS OF THE DATA SUBJECT
In relation to the aforementioned data processing, you may exercise the rights outlined in Article 13 of GDPR 679/16, as better detailed in Articles 15, 16, 17, 18, 20, 21, and 22 of GDPR 679/16. Specifically, you will have the right to:
- Obtain confirmation as to whether or not personal data concerning you exists, even if not yet recorded, and to receive such data in an intelligible form;
- Request from the Data Controller access to your personal data, as well as the right to data portability;
- Obtain the updating and rectification or, where interested, the integration of your data;
- Object, in whole or in part: a) For legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of collection; b) To the processing of personal data concerning you for the purpose of sending advertising material, direct sales, market research, or commercial communications;
- Obtain the erasure, anonymization, or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which it was collected or subsequently processed;
- Withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, in cases provided by law;
- Lodge a complaint with a supervisory authority;
- Obtain confirmation that the operations referred to in points 4 and 6 above have been notified, including their content, to those to whom the data has been disclosed or disseminated, unless this proves impossible or involves a disproportionate effort relative to the right being protected;
Requests may be submitted using the following methods:
- Email: Send an email to the Data Controller at (pasini.lucio@hotmail.it) or the Data Processor at (privacy@18months.it);
- Registered mail: Send a letter to the Data Controller at (Piazza Agliardi 1, 24055 Cologno Al Serio, Milano) or alternatively to the Data Processor at (18Months Srl Via de Castillia 3, 20871 Vimercate MB).
9. COMMUNICATION AND DISSEMINATION OF DATA
Your data may be communicated to the following categories of subjects:
- Entities with access to personal data by virtue of legal or administrative provisions;
- Third-party companies (e.g., event organizers) whose tickets are sold through the application, solely for the purpose of managing and verifying entries, as well as providing pre- and post-sale support;
- Banks and companies managing national or international payment circuits through which online payments are made.
Your data will also be used exclusively in anonymized and aggregated form for statistical and consumption analysis purposes.
Personal data may also be disclosed to third parties such as, but not limited to:
- Companies, consultants, or professionals responsible for managing the hardware and software used by 18Months to provide its services;
- Companies or providers tasked with sending documentation and/or informational materials;
- Companies responsible for processing and/or sending advertising and informational materials on behalf of the Data Controller or third-party companies whose tickets are sold through the application.
10. DEFINITIONS
Application: Website, app, hardware, or software tool through which users' personal data is collected.
Personal data: Any information relating to an identified or identifiable natural person ("data subject"). A natural person is considered identifiable if they can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
User: The individual using this Application, who must coincide with the Data Subject or be authorized by them, and whose personal data is being processed.
Data Processor: The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data, including the security measures applied in connection with the functioning and use of this Application. Unless otherwise specified, the Data Controller is the owner of this Application.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.