INFORMATION AND REQUEST FOR CONSENT TO THE PROCESSING OF PERSONAL
DATA
pursuant to article 13 of EU Regulation 679/2016
Nutribook s.r.l.s. in the
person of the legal representative pro tempore, with registered office in San
Lazzaro di Savena (BO) Italy, via Vittoria 23G, C.F. 03967501200, e-mail
address privacy@nutribook.app - pec address: nutribook@pec.it (hereinafter
“Nutribook” or the “Provider”) is the sole owner of the Nutribook software as
well as the author and publisher of the website www.nutribook.app , of the
related mobile app "My Diet by Nutribook" and, in general, of the
'Nutribook' Platform, created in order to simplify the nutrition professional's
activity and encourage direct and immediate contact with the Patient.
This information is
provided by Nutribook s.r.l.s. pursuant to art. 13 of the European Regulation
(EU) 2016/679 (hereinafter GDPR) in relation to the personal data which will
become available to the Controller or External Processor, based on what is described
below, through this website and through the Nutribook mobile app that is aimed
at visitors to the website, Users, Professionals who are Nutribook Customers
who purchase or obtain for consideration the right to use the services offered
through the Platform and it is also aimed at the Patients of the Professionals
and/or Customers to whom the Platform is made available.
When providing us with
your Personal Data, we invite you to read this Information, pointing out that
"Personal Data" means, pursuant to EU Regulation 679/2016, all
information relating to natural persons (so-called Interested Parties)
that is collected through this website and stored on the servers of this
website and the Nutribook software.
For the purposes of this
information it is intended:
- for Provider:
Nutribook s.r.l.s., a company that develops software, including customized
software, and applications for mobile devices in the nutrition sector;
- for Software or
Platform: the applications, web and mobile, developed by Nutribook and of
which it is the owner and author, the distribution and use of which are subject
to the terms and conditions set out in this link https://www.nutribook.app/terms
which must be accepted by the User when accessing the
website and/or registering on the Platform and/or purchasing the Services;
- for Account:
personal area dedicated to the User who registers on the Platform or who uses
the service(s) offered, free of charge or for a fee, offered by Nutribook;
- for User:
anyone who, by accessing the platform through the relevant registration procedure,
proceeds to create the Account or uses the Services offered by Nutribook as a
Patient, Professional and/or Customer;
- for access
credentials: the username and password generated by the User at the time of
registration which - together with the code sent by the Provider to the
telephone number indicated by the User - allow access to the Account;
- for Professional:
the Nutrition Doctor, the Nutritional Biologist, the Dietitian, the Dietitian
and in any case the Nutrition Professional authorized to carry out the relevant
activity;
- for Customer:
the Professional, the professional partnership or the professional association
that accesses the Platform and uses the services upon payment of the relevant
fee;
- for Patient:
the Professional's client;
- for Data Controller:
“the natural or legal person, public authority, service or other body which,
individually or together with others, determines the purposes and means of the
processing of personal data”;
- for Data Processor:
"the natural or legal person, public authority, service or other body that
processes personal data on behalf of the data controller".
DATA CONTROLLER AND EXTERNAL PROCESSOR
The Data Controller of
the data collected by the site and that communicated through the Platform by
the User, with the exception of that relating to Patients, is Nutribook
s.r.l.s.
Nutribook is not the
Data Controller of the personal data relating to Patients and this both with
reference to those communicated to Nutribook by Customers and/or Professionals
and to those that are spontaneously communicated by the patient and/or entered
into the Platform through the use of the same, including the mobile app.
For this data, the Data
Controller is the Professional and/or the Client who - as part of their
professional activity - is bound to professional secrecy. Nutribook processes
Patient data only following the creation of the Account by the Professional
and/or the Customer or in any case communication by the latter of the Patient
data.
The Patient must
therefore contact the Data Controller to find out the purposes and means of the
processing, the times and place of storage of the data, the subjects to whom
the data are communicated and - in general - any other information relating to
the processing as well as to exercise all the rights provided for by privacy
legislation, including that of access to the data themselves.
PERSONAL DATA PROCESSED
The data processed by
Nutribook as Data Controller consist of the common data referred to in art. 4,
par. I, n. 1 GDPR and in particular:
(A) data relating to
navigation on the website https://nutribook.app and therefore, by way of
example, IP addresses, domain names of Users' computers (visitors to the
website) and other parameters relating to the operating system and IT
environment of the User as well as the data deriving from the use of cookies,
collected for the management of the website and to improve the service offering
by Nutribook and for carrying out marketing activities. The collection of
navigation data, with the exception of marketing activities, allows us to
guarantee the normal functioning of the service and its maintenance as well as
the rapid resolution of problems affecting the Platform. For further
information you can consult our cookie policy, which can be reached via the
following link: https://www.nutribook.app/cookie.
(B) the data
communicated by Users, with the exception of Patients, at the time of
registration on the Platform and/or at the time of purchasing the license to
use the Platform such as:
- personal data
(name and surname);
- contact data and
other identifying data: telephone number and/or e-mail address, title, tax
code, place of professional activity, gender and other data that the User
spontaneously communicates to Nutribook.
- payment data:
information relating to the purchase made and the related payment (e.g.
credit/debit card number, IBAN address);
- billing data: name,
surname, tax code, address, postal code and country of residence.
In case of use of the
Platform by the User in its free version, the interested party will be asked
exclusively for the name, surname, e-mail address and mobile number, without
prejudice to further spontaneous communication of data.
These personal data are
collected directly from the interested party when entering their personal data
in the appropriate fields provided in the dedicated screen in the application.
Nutribook also
processes, as Data Controller, the personal data referred to in articles
4, par. I, n. 1 and 9 GDPR, communicated spontaneously by the User through the
section on the website "fill in the form below"; in this case the
processing is carried out under the sole condition that the interested party's
consent to the processing exists, which is considered explicitly expressed in
the event of spontaneous communication of such data to the Data Controller.
Finally, Nutribook
processes the personal data relating to Patients who use the mobile app
made available by Customers and/or Professionals, in the exclusive capacity of
External Data Processor pursuant to art. 28 GDPR. In fact, Nutribook processes
the personal data of Patients only after their communication by the Professional
and/or Customer, also through specific creation of Accounts, and following
specific instructions provided by the Customer and/or by the Professional
himself who - in the relationship with the Patient – is the Data Controller
and therefore chooses the purposes and means of the processing. The creation of
the Patient's account and the use of the Nutribook mobile app are optional and
any agreement in this regard has effect exclusively between the Professional
and/or the Customer and the Patient.
The personal data
relating to Patients are those referred to in art. 4, par. I, n. 1 GDPR and
referred to in art. 9 GDPR (such as, by way of example, health and nutritional
data, also deduced from medical records) and in particular those collected
on the occasion of the creation of the Patient's Account carried out by the
Professional and/or the Client, those that the Professional and/or the Customer
enters into the relevant account of the relevant Patient and those that the
latter enters into his own Account, even where evident from the relevant
documents and/or photographs uploaded therein.
THE PURPOSES OF DATA PROCESSING AND THE
LEGAL BASES FOR PROCESSING
1) The processing of the common data listed above sub. A and B) referring
to the User who is not a Patient is aimed at the creation of the account and/or
the correct and complete execution of the license agreement for the use of the
services offered by the Platform and, in particular, in order to render the
services offered by the Owner, provide technical and commercial assistance,
process the related requests as well as payment. In this case the legal basis
of the processing is the execution of a contract of which
the interested party is a party or the execution of pre-contractual measures
adopted at the request of the interested party pursuant to art. 6, par. 1.,
lit. b) GDPR
and the failure to
communicate personal data prevents the completion of the contractual
relationship itself and therefore does not allow you to proceed with the
creation of the Account and/or activate the services offered by Nutribook.
2) The personal data listed above sub. A and B) relating to the User who is
not a Patient may also be processed in order to fulfill the obligations
established in the tax and accounting fields as well as in order to comply
with the obligations incumbent on the Owner and provided for by current
legislation. In this case the legal basis of the processing is the fulfillment
of a legal obligation incumbent on the Data Controller, pursuant to art. 6,
par. 1., lit. c), GDPR and the failure to communicate personal data
prevents the completion of the contractual relationship itself.
3) Personal data relating to the User who is not a
Patient could also be processed for one or more specific purposes not included
among those indicated above, on the basis of the consent expressly expressed
pursuant to art. 6, par. 1, letter a).
In this case the consent will be collected by the Data Controller
separately, on the occasion of the specific purpose for which it is necessary,
which will be expressly identified and communicated to you. The provision of
such data is optional, and any failure to provide it will not prevent the
completion of the license agreement for the use of the Services offered through
the Platform and you, as an interested party, may decide to revoke the consent
previously given by communicating the revocation to the Owner, without any
formality, to the address indicated in this information, without prejudice to
the lawfulness of the
processing based on consent given before revocation.
Where personal data is communicated spontaneously through the dedicated
section of the site "fill in the form below", consent is considered
explicitly expressed by the interested party.
4) Personal data relating to the User who is not a Patient may be processed
for the purposes of statistical analysis and improvement of the service, also
through the use of analytical, technical and/or profiling cookies. In this case
the legal basis is the legitimate interest pursued by the Data Controller pursuant to
art. 6, par. 1 letter f) GDPR (pursuit of its social purposes, also improving the
browsing experience of visitors and customers and thus meeting their
expectations of information and offers) or, as regards profiling cookies, the consent
expressly expressed by the interested party pursuant to art. 6, par. 1,
letter a) GDPR.
For more information on the processing of data for these purposes, you can
consult the cookie information provided by the Data Controller and available at
the following link: https://www.nutribook.app/cookie.
The purposes and legal bases relating to the processing of Patients'
personal data are determined exclusively by the Professional and/or the
relevant Client, the only person legitimated in this sense, to whom the Patient
must refer in order to receive information regarding the processing
itself.
PROCESSING METHODS
Personal data are
processed in compliance with the principles of lawfulness, correctness,
minimization, necessity, relevance, transparency and confidentiality within the
scope of the purposes indicated above and may be processed:
a) through paper and IT
tools;
b) depending on the
case, collecting, recording, structuring, conserving, adapting, extracting,
consulting, using, communicating, possibly disseminating, making available,
comparing, interconnecting, limiting, deleting and/or destroying the acquired
data;
c) without implementing
processing involving automated evaluation and/or decision-making processes or
profiling activities, except for the use of profiling cookies, as indicated
above and for which please refer to the aforementioned cookie policy;
d) with the adoption of
specific security measures in order to protect the computer archives on which
the data are allocated, prevent the loss and/or unavailability of the data,
illicit or incorrect use of the same or unauthorized access.
Security measures are
adopted to guarantee the integrity and confidentiality of the data, in order to
prevent the risk associated with their loss, violation, illicit and/or
incorrect use as well as unauthorized access.
The personal data are
subject to periodic verification of their obsolescence and consequent
cancellation.
PROCESSING PLACE
The data are processed
at the operational headquarters of the Data Controller, located within the
European Union and in particular in Italy as well as in the places where the
Platform's servers are located, located in Europe and in any other place where the
parties involved in the processing are located.
The personal data
processed for the purposes referred to in this information may also be partly
transferred and stored on servers located outside the European Union.
The transfer of data
outside the European Union is carried out by the Data Controller in compliance
with the provisions of the art. 45 et seq. GDPR, with the implementation of
suitable guarantees, such as the adoption of standard contractual clauses (SCC)
or treaties by virtue of the existence of an adequacy decision by the
Commission relating to the recipient state of the data.
In any case, we inform
you that the transfer of your data outside the European Union, in the absence
of an adequacy decision, may entail possible risks for the protection of your
data.
It is possible to
contact the Owner for further information.
DATA STORAGE
The personal data
relating to Users who do not qualify as Patients, subject to processing for the
purposes indicated above, are kept for the time necessary to achieve the
purposes for which they were collected and therefore for the time necessary to
provide the requested services, including assistance following the purchase of
the license to use the Platform and, subsequently, for the time in which the
Owner is subject to conservation obligations for tax purposes or for other
purposes, also connected to the protection of his rights, required by law or
regulation.
In the case of data
processing based on specific and separate consent, the data will be processed
by the Data Controller starting from the moment in which consent is obtained
from the interested party and until its possible revocation. The revocation of consent
does not affect the processing carried out by the Data Controller before the
revocation.
Patients' personal data
are stored by Nutribook, as External Data Processor for the time specifically
agreed with the Customer and/or Professional. If the Patient deletes their
Account independently, Nutribook will retain only the Patient data necessary to
comply with the contract with the Customer and/or the Professional and
therefore generally the navigation data and common data of the Patient himself.
DATA COMMUNICATION
Your personal data may
be communicated to:
1. PERSONS AUTHORIZED TO
PROCESS DATA: persons authorized by the Data Controller who are appropriately
educated and trained, after signing a confidentiality agreement (e.g. employees
and/or external collaborators of the Data Controller).
2. EXTERNAL DATA
PROCESSORS:
a. subjects who offer
services necessary for the use of the Platform and Services offered therein;
b. the accountant or
other suppliers who provide functional services for the purposes indicated
above;
c. banking institutions
that provide functional services for the purposes indicated above and payment
system operators.
You can contact the Data
Controller to find out the exact and updated list of all the external data
processing managers appointed by the Data Controller.
4. PARTIES WHO PROCESS
DATA IN PURSUANCE OF SPECIFIC LEGAL OBLIGATIONS
5. PARTIES WHO PROCESS
THE DATA AS INDEPENDENT DATA CONTROLLERS: such as, by way of example, the
subjects to whom the data must be mandatorily communicated for the purpose of
executing the contract of which the interested party is a party.
E. JUDICIAL,
ADMINISTRATIVE OR OTHER AUTHORITIES FOR THE COMPLIANCE OF LEGAL OBLIGATIONS
RIGHTS OF THE INTERESTED PARTY
The rights
recognized by the GDPR to the interested party in respect of the processing carried out by
the Data Controller include those to:
- ask the Data
Controller if processing and access to personal data and information relating
to them is underway, who must acknowledge the request within 30 days;
- request the
rectification of inaccurate data or the integration of incomplete data; the
deletion of personal data concerning you (upon the occurrence of one of the
conditions indicated in art. 17, paragraph of the GDPR and in compliance with
the exceptions provided in paragraph 3 of the same article); the limitation of
the processing of your personal data (in the event of one of the hypotheses
indicated in art. 18, paragraph 1 of the GDPR);
- request and obtain from the Data Controller - in the
cases in which the legal basis of the processing is the contract or consent,
and the same is carried out by automated means - your personal data in a
structured and machine-readable format, also for the purpose of communicating
such data to another data controller (so-called right to portability of
personal data);
- object at any time to the
processing of your personal data in the event of particular situations
concerning you;
- revoke consent at any
time, limited to cases in which the processing is based on your consent for one
or more specific purposes. Processing based on consent and carried out prior to
its revocation, however, retains its lawfulness;
- lodge a complaint with
a Supervisory Authority (Authority for the protection of personal data -
www.garanteprivacy.it) if you believe that the processing of your personal data
is contrary to the legislation in force. Alternatively, you can lodge a complaint
with the Guarantor Authority of the EU State in which you reside or usually
work or in the place where the alleged violation occurred.
The exercise of the
rights listed above must be carried out in writing, by sending a request to the
Data Controller at the contact details indicated in this information. The Data Controller
will respond to the request within 30 (thirty) days of actual receipt of the
communication. In the event that a longer period of time is necessary due to
the particular complexity of the case, the deadline of 30 (thirty) days may be
extended by a further 60 (sixty) days with a reasoned written communication
within 30 (thirty) days of receipt of the request. In the event of manifestly
unfounded, excessive and/or repeated requests, a contribution may also be
requested, without prejudice to administrative costs.
The exercise of the
Patient's rights must be carried out by the Patient himself towards the Data
Controller alone and therefore the Client and/or Professional.
Nutribook, in its
capacity as External Data Processor, is in fact not responsible for the data
processing carried out by the Customer and/or the Professional.
Nutribook is in any case
required to collaborate with the Data Controller in order to provide feedback
to the interested party's requests and protect the latter's data. The Patient
can contact Nutribook to request information and/or help and to report any
problems and/or situations deemed non-compliant with this information, with the
protection of personal data and/or harmful to the GDPR.
Document updated as of
August 31, 2023