Privacy notice pursuant to article 13 of the GDPR Regulation EU 2016/679 and to the applicable relevant national legislation on privacy and data protection.

Pica Group S.p.A., in its capacity of data controller (hereinafter also, for the sake of brevity, “Pica Group”, the “Company” or the “Controller”), informs the users of its app (“APP”) named “PICA” and/or the website owned by Pica Group (hereinafter, also the “Users”) on the processing of their personal data.
PICA is a product of Pica Group S.p.A., Data Controller of the personal data provided by the Users. All the services provided by PICA are subject to the provisions included in PICA’s “Terms and conditions” of use, available both in the smartphone app and on the website at: www.getpica.com.

In relation to certain specific processing activities as referred to in this notice (see below), it is specified that Pica Group does not always act as the data controller of the User’s personal data, but rather, at times, as the external data processor of its business partners, subject to compliance with all the obligations provided for by the applicable reference legislation.

This privacy notice is provided exclusively in relation to the processing of the personal data provided by the Users or otherwise collected as a result of the use of the APP and/or the website.

Data controller

The data controller is:
Pica Group S.p.A.
with registered office in:
Via dell’Aprica, 12
20158 Milano, Italia
Tel. +39 0544 188 9362

Operational headquarters:
via XXII Ottobre 15/b
48015 Cervia (RA), Italia
E-mail: privacy@getpica.com

The Company has appointed its Data Protection Officer (“DPO”), who can be reached at the following e-mail address: dpopica@lcalex.it

Functioning of the app and/or the website

PICA (hereinafter also “APP”) provides a service based on a technology which has been developed and licensed by Pica Group and which allows the automatic matching, through an appropriate tag, between a photo taken during a competition/event and the photographed subject (natural person). The Users will receive directly on their smartphone the pictures of themselves, just after they have been taken. The Users can then choose and purchase the photos they prefer, share them on social networks and with the modalities described in the above-mentioned “Terms and conditions”.

Sources and types of data collected by the app and the website

The personal data will be collected directly from the User during the User registration phase in the APP and/or the website www.getpica.com. The collected data are the ones strictly necessary to achieve the purposes set out in the following paragraphs, and are:

(i) e-mail address;
(ii) pictures and videos;
(iii) special categories of data (ex art. 9 of the Regulation) such as, specifically, biometric data referable to the data subject, as defined by article 4, paragraph 1, no. 14, of the GDPR, acquired by means of facial detection and recognition technology; and
(iv) possibly (since, following registration, the User may freely enrich his/her profile as he/she wishes) additional personal data of a common nature such as, by way of example but not limited to, billing data, postal address and telephone number.
Please remember that the service is restricted to persons of eighteen (18) years of age or older, who are registering for or are using the service, and who are therefore guaranteeing to be at least eighteen (18).

It should be noted that the purchase of the pictures depicting the Users will be carried out through Stripe (who acts as an autonomous data controller, whose specific privacy policy is available at the following link), and that the data related to the User’s credit card shall not be recorded in the APP under any circumstance.

The processing of the data by means of the abovementioned third parties falls under their direct and exclusive liability. The Controller therefore declines any responsibility on the matter.
The User is therefore asked to consult the privacy notice directly on the websites of said third parties.

Scope of the data processing

The Users’ personal data will be collected and processed exclusively for the following purposes:

a) to outline the authentication profile necessary to access the APP and/or the website and therefore allow the User to register to it, execute the terms and conditions of use of this application accepted during registration, access its personal area, allow the use of the services provided by this APP and/or the website following registration, manage any requests made by the User. Such data provision is, as the case may be, a contractual obligation or a pre-contractual measure adopted at the request of the data subject, and failure to provide it shall result in the inability of the Company to execute the above;

b) to fulfill the obligations provided by laws and regulations, or to execute an order of the judicial authority or other authorities to which the Controller shall be subject. Such data provision is a legal requirement and failure to provide it shall result in the Company not being able to fulfill its obligations as outlined above;

c) to pursue a legitimate interest of the Controller, such as the management and resolution of any issues of a technical nature to ensure the proper functioning of the APP and/or the website, or to conduct analyses on aggregate data related to the use of the APP and/or the website by Users. Such data provision is optional and failure to provide it shall result in the Company being able to pursue its legitimate interests;

d) to allow the Controller to contact Users to send individual communications, exclusively by e-mail, of an informative and promotional nature, on the basis of the contractual relationship already established with the same, and concerning products and/or services of the same type with respect to those being sold (Soft Spam), in accordance with the provisions of art. 130, para. 4, of Legislative Decree 196/2003 as subsequently amended and supplemented, unless opposed. The legal basis for such processing lies in the legitimate interest of the Controller to maintain and strengthen the human and professional relationships established with Users. This legitimate interest does not affect the rights and freedoms of Users, as it finds its respective balance in the interest and reasonable expectation of Users to receive information on products similar to those already purchased and on the activity of the Controller;

e) to allow the Controller to perform marketing activities in order to provide the User with information on commercial offers (also on behalf of third parties - sponsors), by e-mail or through other tools (e.g. push notifications). Such data provision is optional and shall require the User’s free and specific prior consent, and failure to provide it will result in the inability of the Controller to perform the marketing activities mentioned herein (nevertheless, it shall not have any negative consequence on the registration on the APP and/or the website or its use);

f) to enable the Controller to transmit Users’ data to third party companies, with which PICA cooperates closely, for the management of contract services and to enable these third party companies to send communications of advertising, informative and promotional material. The legal basis for such processing is the User’s consent. Consent can always be freely revoked by contacting the Data Controller at the following email address: privacy@getpica.com. The provision of data is optional, any refusal will result in the impossibility, even partial, of pursuing this purpose (nevertheless, it shall not have any negative consequence on the registration on the APP and/or the website or its use);

g) to use the facial recognition service to find their own photos taken by photographers appointed by Pica or the promoter (“Promoter”) at specific events (“Events”) organized by third parties. In order to use the service contemplated herein, the User shall provide a picture of his/her face (“selfie”) via his/her own device. The data processing carried out for such purposes implies the acquisition of special categories of data (as defined in Article 9 of the Regulation), i.e., of biometric data referring to Users, as defined by Article 4, paragraph 1, no. 14, of the GDPR, through the use of face detection and recognition technologies, in order to be able to provide Users with the multimedia material referring to them. Data provision for this purpose is optional.

Any refusal to provide such data shall result in the inability of the Controller to provide the matching service described herein.
With specific reference to the roles of the parties involved in the processing activities, the Company:

a) shall act as the data controller of the personal data provided by the User (i.e. e-mail address, photographs collected at the Events, selfies taken by the User when accessing PICA) where the photographs taken of the subjects at the Events are provided to the latter upon payment of a fee and/or where Pica was qualified as an autonomous data controller due to the configuration of the contractual relationship with the Promoter;

b) shall act as an external data processor of the personal data provided by the User (i.e. photographs taken at the Events) and provided to them free of charge on behalf of the Promoter.

Any processing for additional purposes will be carried out after complying with the information obligations set forth in both articles 13 and 14 of the Regulation.

Special categories of data

In relation to the possible use of the technologies allowing face detection and recognition indicated herein, the Company may process special categories of data (i.e., biometric data referable to the Users).
The processing of biometric data shall be carried out by the Company exclusively after collecting the Users’ specific consent pursuant to article 9, paragraph 2, letter a) of the Regulation, as well as after the fulfillment of any further legal obligation to which the Controller shall be subject.

Methods of data processing and recipients of the personal data

Data processing shall be carried out both by means of hard copy, and by electronic and telematic tools, and with safety measures suitable to prevent unauthorized access, disclosure, modification, or destruction of the personal data.
The collected personal data shall not be subject to any disclosure, nor will they be made known to unspecified parties, in any form, including making them available or their mere consultation. Without prejudice to communications carried out to fulfill legal obligations, personal data may be known, exclusively for the purposes indicated above, not only by the Controller but also by the following recipients:
• third parties supporting or assisting the Controller in activities of management and provision of the services provided through the APP and/or the website, and who shall be subject to specific confidentiality obligations;
• authorities in general, administrations, public bodies and agencies, courts, and other public administrations, both domestic and foreign;
• third parties, owners of the platforms used for the purchase of the multimedia material referable to the Users.

The subjects hereby listed will act as external data processors or as autonomous data controllers for the purposes set forth herein.
Personal data will be processed by authorized persons, employees of the Company, who will have access to the databases linked to the APP and/or the website.
In any case, personal data shall be processed and stored within the European Union.
In the case of personal data processing carried out in Third Countries, it will take place only after suitable safeguards have been put in place, as required by the mandatory laws and regulations.
The updated list of the appointed data processors may be requested at any time by writing to Pica Group at the following e-mail address: privacy@getpica.com.

Data retention

In accordance with the principles of proportionality and necessity, the data will not be stored for longer periods of time than those necessary to achieve the abovementioned purposes, unless required by law.
Specifically, the data processed for the purpose of letter a) above - for the registration by the User to the APP and benefit from the services rendered by this APP as a result of registration, will be retained for the duration of the contractual relationship and for the ordinary statute of limitations period of 10 years provided by the applicable regulatory provisions. Data processed for the purpose of letter b) above - the fulfillment of legal obligations to which the Controller is subject, shall be retained for the duration provided by law. 
In the case of data processed for the proper maintenance and operation of the APP for the purpose of letter c) above - the data will be retained for as long as it is necessary to resolve any bugs and malfunctions of the APP, as well as for as long as required by the legal regulations to which the Controller is subject.
Data processed for the purpose of letter d) above - sending commercial communications on the basis of legitimate interest (so-called Soft Spam), will be retained until an opt-out request by the User, exercisable by means of the contacts made available to the Controller or via the “unsubscribe” button found in each communication sent to the Controller, or for a period of 24 months from the last active contact with the User.
Data processed for marketing purposes referred to in letter e) above, subject to the consent of Users, will be retained until the opt-out request by the data subject or for a period of 24 months from the date consent was given.
Data processed for data transfer to third parties referred to in letter f) will be retained for a period of time necessary to technically enable the proper transfer of the data to the third parties and thereafter as regulated in the notices to be disclosed by each data controller.
At the end of such processing, data will be definitively deleted or irreversibly anonymized within the computer systems and, if any, the Controller’s paper files.
Biometric data mentioned above (i.e. pictures of User’s face) for the purpose of letter g) above will solely be used to allow other photos referable to the relevant User, taken during the Events, to be found.
In case the photographs taken of the individuals (as data subjects) at the Events are provided to them for free, Pica will agree with the Promoter the time period within which the Users will be able to access the photos of the Events and/or to proceed to the cancellation of the photos from the platform (in this case, upon prior notice provided to the User).

Legal basis

The legal basis of the data processing activity consists in the fulfillment of legal obligations, of contractual and pre-contractual obligations to which the Controller is subject, as well as the consent provided for specific purposes (if any).
As for the purposes set forth in letters c) and d) above, the Company, in processing the personal data to pursue its own legitimate interests, will make sure that the latter do not prevail over the rights, interests or fundamental freedoms of the data subjects.

Rights of the data subjects

Data subjects are entitled, at any time and in accordance with the conditions laid down by law, to obtain confirmation as to whether the data itself exists and to know its content and source, to verify its accuracy or request its integration or updating, or its rectification (pursuant to articles 15-22 GDPR 2016/679 and to the applicable legal framework). Pursuant to the same legal provisions, data subjects are entitled to request the deletion, the transformation in an anonymous format or the blocking of the processed data in breach of the law, the right to limit the processing in the cases provided for by law, the right not to be subject to decisions based solely upon automated processing, as well as, again in the cases provided for by law, to oppose, for legitimate reasons, their processing and to obtain the data related to the Users concerned in a structured format, commonly used and machine-readable, as provided for by the Regulation.
Moreover, the data subject may withdraw the consent they might have provided to a specific processing activity, without prejudice to the lawfulness of the data processing carried out before the consent withdrawal.

The requests shall be addressed:

Via traditional paper mail to the Pica Group S.p.A. address
Via e-mail, to the address: privacy@getpica.com.

In any case, the data subject shall always have the right to lodge a complaint with the Italian Data Protection Authority according to article 77 of the Regulation, if they believe that the processing of their data is not compliant with the applicable laws and regulations.

Changes to this personal data privacy policy

The Controller reserves the right to make any changes or updates deemed necessary or required by the applicable laws, at its sole discretion and at any time. The Users shall be duly informed of any changes/updates.

Legal references

European Users notice: this privacy notice is drafted in fulfillment of the obligations set forth in article 13 GDPR 2016/679. Such privacy notice may exclusively be referred to the “PICA” App and the Pica Group website www.getpica.com.

For any further information you may contact the data controller:
Pica Group S.p.A.
with registered office in:
Via dell’Aprica, 12
20158 Milano, Italia
Tel. +39 0544 188 9362

Operational headquarters:
via XXII Ottobre 15/b
48015 Cervia (RA), Italia
privacy@getpica.com