Privacy notice pursuant to articles 13 and 14 of the GDPR Regulation EU 2016/679

Pica Group S.p.A., in its capacity of data controller (hereinafter also, for the sake of brevity, “Pica Group”, the “Company” or the “Controller”), informs the users of its app (“APP”) named “PICA” and/or the website owned by Pica Group (hereinafter, also the “Users”) on the processing of their personal data.

PICA is a product of Pica Group S.p.A., Data Controller of the personal data provided by the Users. All the services provided by PICA are subject to the provisions included in PICA’s “Terms and conditions” of use, available both in the smartphone app and on website at: www.getpica.com .

In relation to certain specific processing activities as referred to in this notice (see below), it is specified that Pica Group does not always act as the data controller of the User’s personal data, but rather, at times, as the external data processor of its business partners, subject to compliance
with all the obligations provided for by the applicable reference legislation.

This privacy notice is provided exclusively in relation to the processing of the personal data provided by the Users or otherwise collected as a result of the use of the APP and/or the website.

Data controller

The data controller is:
Pica Group S.p.A.

with registered office in:
Via dell’Aprica, 12
20158 Milano, Italia
Tel. +39 0544 188 9362

Operational headquarters:
via XXII Ottobre 15/b
 48015 Cervia (RA), Italia
E-mail: privacy@getpica.com

The Company has appointed its Data Protection Officer (“DPO”), who can be reached at the following e-mail address: dpopica@lcalex.it .

Content

1.Functioning of the app and/or the website
2.Sources and types of data collected by the app and the website
3.Scope of the data processing
4.Methods of data processing and recipients of the personal data
5.Data retention
6.Legal Basis
7.Rights of the data subjects
8.Changes to this personal data privacy policy
9.Legal references

1. Functioning of the app and/or the website

PICA (hereinafter also “APP”) provides a service based on a technology which has been developed and licensed by Pica Group and which allows the automatic matching, through an appropriate tag, between a photo taken during a competition/event and the photographed subject (natural person) and to any third parties (e.g., household members) associated by the User under his/her own responsibility. The Users will receive directly on their smartphone the pictures of themselves, just after they have been taken. The Users can then choose and purchase the photos they prefer, share them on social networks and with the modalities described in the above-mentioned “Terms and conditions”. Please note that at any time the User who does not wish to appear in “co-participant” photos (i.e. photos in which he is portrayed together with other participants), can
independently select from the APP the appropriate “anonymize-me” flag, obscuring his face and/or can proceed in any case to the immediate deletion of all his data (including images depicting him) and his profile using the appropriate functionality on the APP.

2. Sources and types of data collected by the app and the website

The personal data will be collected directly from the User during the User registration phase in the APP and/or the website www.getpica.com. The collected data are the ones strictly necessary to achieve the purposes set out in the following paragraphs, and are:

(i) e-mail address;
(ii) pictures and videos;
(iii) special categories of data (ex art. 9 of the Regulation) such as,
specifically, biometric data referable to the data subject or to individuals belonging to the latter’s household and who are - under the responsibility of the User - matched to the profile created, as defined by article 4, paragraph 1, no. 14, of the GDPR, acquired by means of facial detection and recognition technology; and
(iv), possibly (since, following registration, the User may freely enrich his/her profile as he/she wishes) additional personal data of a common nature such as, by way of example but not limited to, billing data, postal address and telephone number.

Please remember that the service is restricted to persons of eighteen (18) years of age or older, who are registering for or are using the service, and who are therefore guaranteeing to be at least eighteen (18).

It should be noted that the purchase of the pictures depicting the Users will be carried out through Stripe (who acts an autonomous data controller, whose specific privacy policy is available at the following link), and that the data related to the User’s credit card shall not be recorded in the APP under any circumstance.

The processing of the data by means of the abovementioned third parties falls under their direct and exclusive liability. The Controller therefore declines any responsibility on the matter.
 The User is then therefore asked to consult the privacy notice directly on the websites of said third parties.

3. Scope of the data processing and legal basis

The Users personal data will be collected and processed exclusively
for the following purposes:

a) to outline the authentication profile necessary to access the APP and/or the website and therefore allow the User to register to it, execute the terms and conditions of use of this application accepted during registration, access its personal area, allow the use of the services provided by this APP and/or the website following registration, manage any requests made by the User. Such data provision is, as the case may be, a contractual obligation or a pre-contractual measure adopted at the request of the data subject, and failure to provide it shall result in the inability of the Company to execute the above;

b) to fulfill the obligations provided by laws and regulations, or to execute an order of the judicial authority or other authorities to which the Controller shall be subject. Such data provision is a legal requirement and failure to provide it shall result in the Company not being able to fulfill its obligations as outlined above;

c) to pursuit a legitimate interest of the Controller, such as the management and resolution of any issues of a technical nature to ensure the proper functioning of the APP and/or the website, or to conduct analyses on aggregate data related to the use of the APP and/or the website by Users. Such data provision is optional and failure to provide it shall result in the Company being able to pursue its legitimate interests;

d) to allow the Controller to contact Users to send individual communications, exclusively by e- mail, of an informative and promotional nature, on the basis of the contractual relationship already established with the same, and concerning products and/or services of the same type with respect to those being sold (Soft Spam), in accordance with the provisions of art. 130, co. 4, of
Legislative Decree 196/2003 and ss.mm.ii, unless opposed. The legal basis for such processing lies in the legitimate interest of the Controller to maintain and strengthen the human and professional relationships established with Users. Legitimate interest that does not affect the rights and freedoms of Users as it finds its respective balance in the interest and reasonable expectation of
Users to receive information on products similar to those already purchased and on the activity of the Controller. Moreover, the data - and in particular the e-mail address issued during the registration of a user to the APP - may also be processed by the Data Controller to send in a determined and limited period of time to Users, both for those who have completed the purchase and to whom the photos have been delivered, and for those who have not yet purchased the
photos, through digital channels (such as, for example, e-mail or messages via APP) marketing communications, having advertising, informational and promotional character of the products and services offered by the Company. The legal basis for such processing is the legitimate interest of the Company in providing an update service on its products and activities to Users that is as accurate as possible and in accordance with the expectations of the data subject, and in
maintaining and strengthening the human and professional relationships established with Users. Legitimate interest which, in view of the reasonable expectation of the interested party and the constitutionally guaranteed interest in free economic initiative, is to be considered prevailing and does not appear to prejudice the rights and freedoms of the Users. The data subject may, at any
time, object to the sending of such communications by using the “unsubscribe” link at the bottom of all communications sent by e-mail, or by contacting the Data Controller at the addresses in paragraph 6 below. The provision of Data is optional, any refusal will result in the impossibility, even partial, to pursue this purpose;

e) to use the facial recognition service to find their own photos taken by photographers appointed by Pica or the promoter (“Promoter”) at specific events (“Events”) organized by third parties. In order to use the service contemplated herein, the User shall provide a picture of his/her face
(“Selfie”) via his/her own device. The data processing carried out for such purposes implies the acquisition of special categories of data (as defined in Article 9 of the Regulations), i.e., of biometric data referring to Users, as defined by Article 4, paragraph 1, no. 14, of the GDPR, through the use of
face detection and recognition technologies, in order to be able to provide Users with the multimedia material referring to them. The processing of biometric data shall be carried out by the Company exclusively after collecting the Users’ specific consent pursuant to article 9, paragraph 2, letter a) of the Regulation. Data provision for this purpose is optional. Any refusal to provide such data shall result in the inability of the Controller to provide the matching service
described herein.

With specific reference to the roles of the parties involved in the processing activities referred to in (g) above, the Company shall act as the data controller of the personal data provided by the User (i.e. e-mail address, photographs collected at the Events, selfies taken by the User when accessing PICA) where the photographs taken of the subjects at the Events are provided to the latter upon
payment of a fee and/or where Pica was qualified as an autonomous data controller due to the configuration of the contractual relationship with the Promoter. In all other cases, (such as, for example, Events with photos rendered free of charge to the User by Pica on behalf of the Organizers) the Company will process Users’ data as an external data processor of the personal data provided by the User (i.e. photographs taken at the Events) and provided to them free of charge on behalf of the Promoter, exclusively to provide the service made available by its partner.

4. Methods of data processing and recipients of the personal data

Data processing shall be carried out both by means of hard copy, and by electronic and telematic tools, including computer-vision techniques and algorithms to perform automatic contouring of objects and people, as well as to
identify the location and bounding box of subjects’ faces, adopting and with safety measures suitable to prevent unauthorized access, disclosure, modification, or destruction of the personal data.

The collected personal data shall not be subject to any disclosure, nor will they be made known to unspecified parties, in any form, including making them available or their mere consultation. Without prejudice to communications carried out to fulfill legal obligations, personal data may be known, exclusively for the purposes indicated above, not only by the Controller but also by the following recipients:

• third parties supporting or assisting the Controller in activities of management and provision of the services provided through the APP and/or the website, and who shall be subject to specific confidentiality obligations, such as, but not limited to: IT service providers for managing databases including contacts and e-mails, digital and IT service providers rendering technical assistance to the Company, banking and financial intermediaries, and where necessary, with the explicit consent of the User, to selected business partners with whom the Company works closely;

• authorities in general, administrations, public bodies and agencies, courts, and other public administrations, both domestic and foreign, as well as parties, including private parties, entitled to request the data (such as, for example, accounting consultants or legal advisors).

The subjects hereby listed will act as external data processors or as autonomous data controllers for the purposes set forth herein.

Personal data will be processed by authorized persons employees of the Company who will have access to the databases linked to the APP and/or the website.

In any case, personal data shall be processed and stored within the European Union.
 In the case of personal data processing carried out in Third Countries, it will take place only after suitable safeguards have been put in place, as required by the mandatory laws and regulations.

The update list of the appointed data processors may be requested at any time by writing Pica Group at the following e-mail address: privacy@getpica.com .

5. Data retention

In accordance with the principles of proportionality and necessity, the data will not be stored for longer periods of time than those necessary to achieve the abovementioned purposes, unless required by law.

Specifically, the data processed for the purpose of letter a) above - for the registration by the User to the APP and benefit from the services rendered by this APP as a result of registration, will be retained for the duration of the contractual relationship and for the ordinary statute of limitations period
of 10 years provided by the applicable regulatory provisions.Data processed for the purpose of letter b) above - the fulfillment of legal obligations to which the Controller is subject, shall be retained for the duration provided by law.

In the case of data processed for the proper maintenance and operation of the APP for the purpose of letter c) above - the data will be retained for as long as it is necessary to resolve any bugs and malfunctions of the APP, as well as for as long as required by the legal regulations to which the Controller is subject.
Data processed for the purpose of letter d) above - sending commercial communications on the basis of legitimate interest (including the so-called Soft Spam for Users who have already purchased photos), will be retained until opt-out request by the User, exercisable by the means of the contacts made available to the Controller or via the “unsubscribe” button found in each communication sent to the Controller, or for a period of 24 months from the conclusion of the
processing of photos related to each single event.

Data processed for third-party marketing purpose referred to in the letter e) above, subject to the consent of Users, will be retained until the opt-out request by the data subject or for a period of 24 months from the date consent was given.

Data processed for data transfer to third-party referred to in the letter f), will be retained or a period of time necessary to technically enable the proper transfer of the data to the third parties and thereafter as regulated in the notices to be disclosed by each data controller.

At the end of such processing, data will be definitively deleted or irreversibly anonymized within the
computer systems and, if any, the Controller’s paper files.

Biometric data mentioned above (i.e. pictures of User’s face) for the purpose of letter g) above, will solely be used to allow to find other photos referrable to the relevant User, taken during the Events.

In particular, the Selfie will be deleted immediately, with the exception of those related to third parties associated with the User, which will remain available in a dedicated section of their personal area to allow the User to recognize who they have already matched to their profile. Selfie vectors are kept for the time strictly necessary for the User’s recognition and subsequently deleted.

In relation to photos purchased by the User, such photos will be retained for the duration of the User’s registration to the APP. Photos not purchased by the User, on the other hand, will be retained for up to a maximum of 24 months after the conclusion of the event and/or the conclusion of the processing of the photos, given Pica’s legitimate interest of free enterprise and the reasonable expectation of the participant to find photos related to past events in which he or she participated in a reduced time frame (e.g., the previous edition of an event in which the User participated).

In case the photographs taken to the individuals (as data subjects parties) at the Events are provided to them for free, Pica, as data processor, will agree with the Promoter the time period within which the Users will be able to access the photos of the Events and/or to proceed to the cancellation of the photos from the platform (in this case, upon prior notice provided to the User).

6. Rights of the data subjects

Data subjects are entitled, at any time and in accordance with the conditions laid down by law, to obtain confirmation as to whether the data itself exists and to know its content and source, to verify its accuracy or request its integration or updating, or its rectification (pursuant to articles 15-22 GDPR 2016/679 and to the applicable legal framework). Pursuant to the same legal provisions, data subjects are entitled to request the deletion, the transformation in an anonymous format or the blocking of the processed data in breach of the law, the right to limit the processing in the cases provided for by law, the right not to be subject to decisions based solely upon automated processing, as well as, again in the cases provided for by law, to oppose, for legitimate reasons, their processing and to obtain the data related to the Users concerned in a structured format, commonly used and machine-readable, as provided for by the Regulation.

Moreover, the data subject may withdraw the consent they might have provided to a specific processing activity, without prejudice to the lawfulness of the data processing carried out before the consent withdrawal.

The requests shall be addressed:
• Via traditional paper mail to the Pica Group S.p.A. address
• Via e-mail, to the address: privacy@getpica.com.

In any case, the data subject shall always have the right to lodge a complaint with the Italian Data Protection Authority according to article 77 of the Regulation, if they believe that the processing of their data is not compliant with the applicable laws and regulations.

7. Changes to this personal data privacy policy

The Controller reserves the right to make any changes or updates deemed necessary or required by the applicable laws, at its sole discretion and at any time. The Users shall be duly informed of any changes/updates.

8. Legal references

European Users notice: this privacy notice is drafted in fulfillment of the obligations set forth in article 13 GDPR 2016/679. Such privacy notice may exclusively be referred to the “PICA” App and the Pica Group website www.getpica.com.

For any further information you may contact the data controller:

Pica Group S.p.A.

with registered office in:
Via dell’Aprica, 12
 20158 Milano, Italia
Tel. +39 0544 188 9362

Operational headquarters:
via XXII Ottobre 15/b
48015 Cervia (RA), Italia
privacy@getpica.com