VIRGIN ACTIVE ITALIA S.S.D.L.p.A. (“VAI”) and REVOLUTION S.S.D.L.r.l. (“Revolution”), in the capacity as joint controllers of the processing (the “Data Controllers”) pursuant to Article 26 of Regulation (EU) 2016/679 (the “Regulation”), consider Personal Data protection to be one of the main aims of its own business.
This Policy describes the processing of Personal Data, including the special categories of data under Article 9 of the Regulation, related to the creation of your Revolution account (the “Account”), which allows you to have access to the Platform (as defined below) in compliance with the “TERMS AND CONDITIONS OF USE OF THE REVOLUTION PLATFORM”, as well as to benefit from its services, as described in the “GENERAL TERMS AND CONDITIONS OF THE REVOLUTION SERVICE” within the premises and structures it manages (the "Services").
* * *
The processing of your personal data will be marked by the principles of fairness, lawfulness, transparency, restriction of the aims and of the keeping, minimisation and accuracy, integrity and confidentiality, as well as by the principle of investment with responsibility under Article 5 of the Regulation. Therefore, your Personal Data will be processed in compliance with the law provisions under the Regulation and with the confidentiality obligations foreseen therein.
TABLE OF CONTENTS
* * *
1. DATA CONTROLLERS AND DATA PROCESSOR OF THE PERSONAL DATA
The particulars of the Data Controllers of the processing are the following:
- Virgin Active Italia S.S.D.L.p.A., having registered office in Archimede 2, Corsico (Milan), VAT No. 03641880962;
- Revolution S.S.D.L.r.l., having registered office in Via Archimede 2, Corsico (Milan), VAT No. 09634340963.
They jointly establish the aims and the means of the processing; Virgin Active Italia S.S.D.L.p.A. has been appointed to represent Revolution S.S.D.L.r.l. to reply to the requests made by the data subjects, based on the provisions of an internal agreement entered into between the parties, pursuant to Article 26 of the Regulation, the essential contents of which may be requested in writing to Virgin Active Italia S.S.D.L.p.A. to the address mentioned above.
The App does not only offer the features described above, but also uses the technology of supplier Technogym S.p.A., having registered office in 47521 Cesena (Forlì-Cesena) Via Calcinaro 2861 which, indeed, makes some additional features available to the App, thus acting as data processor, duly nominated under Article 28 of the Regulation. It would not be possible for the App to offer all the Services distinguishing the latter without such features. You may receive a full list of the data processors by sending a request to Virgin Active Italia to the address shown in this paragraph. Please note that, pursuant to the internal agreement entered into with Revolution, Virgin Active Italia S.S.D.L.p.A. is the Data Controller in charge of providing feedback to any data subjects who may request information in connection with the processing of their own personal data.
The structure of the Data Controllers is endowed with a data protection officer (the “Data Protection Officer” or “DPO”). The DPO is available for any information pertaining to the processing of your Personal Data carried out by the Data Controllers.
1.1Interaction with MyWellnessCloud
As already mentioned in the paragraph above, Technogym S.p.a. supplies some important features of the Services. Such supplier acts in the capacity as data processor, however, you may already be a holder of an account at Technogym (called "Mywellness"), or create your Mywellness account after creating your Account, or even not create it at all. In all cases, the Services supplied by VAI and Revolution remain unchanged.
2. THE PERSONAL DATA UNDER PROCESSING
2. 1 Surfing data
The IT systems and the software procedures in charge of running the Platform acquire some Personal Data throughout their ordinary operation, the spreading of which is implied in using the Internet communication protocols. This information is not collected to be associated with identified subjects, however and given its own nature, such information could allow to identify the users through processing and associations with data held by third parties. The IP addresses or the domain names of the devices used by the users connecting with the Platform, the URI (Uniform Resource Identifier) of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in reply, the numerical code showing the state of the reply given by the server (successful, error, etc.) and other parameters related to the operating system and to the user’s computer environment fall within this category of data.
These data are used to retrieve anonymous statistical information on the use of the Platform and to control the respective correct use, in order to allow – given the architecture of the systems used – the correct supply of the services, for security reasons and to ascertain the respective liability in case of hypothetical computer crimes against the Platform or against third parties.
2.2 Personal Data and special categories of data voluntarily supplied by the user
The Platform requests you to register by supplying the following Personal Data: name, surname, email address, password, telephone number, date of birth, gender, age, tax code.
After completing the user profile, you will then be asked for your weight and height, which are deemed to belong to a special category under Article 9 of the Regulation.
You may complete your personal profile on the Platform by adding further optional data, amongst which, your picture.
Furthermore, inside the online Shop you will be asked for the data needed to make the purchase of the products available.
In using particular features (for instance, “Invite a friend”), there could be a processing of third party Personal Data sent by you to the Data Controllers. As regards the latter case, you would be acting as independent data controller of the processing, thus undertaking the entire obligations and liabilities under law. In this respect, you hold us fully harmless from any formal notice, claim, request for damages arising out of the processing, etc., which may be received by the Data Controllers from third parties whose Personal Data you have communicated to the Data Controllers in breach of the applicable Personal Data protection rules. In any event, should you supply third party Personal Data to the Data Controllers in using certain features offered by the Data Controllers, you hereby warrant – thus undertaking any liability connected therewith – that such particular case of processing has suitable legal grounds under applicable laws and regulations entitling to the processing of the information at issue.
2.3 Training data
Such data will necessarily be processed to supply the foreseen Services.
Furthermore, some training data may be projected on a big screen during the training session following your consent to such extent. In particular, the following will be seen by anyone present during your training session: your bike number, your nickname, your heart rate, your so-called FTP (i.e. Functional Threshold Power, that is the ability to sustain the highest possible power output in cycling effort, characterised by the maximum percentage of possible effort) and your caloric expenditure.
Failure on your side to give your consent to the showing of the data at issue on the studio’s big screen (“show me on the screen”) will not prevent you from benefitting from the Services and you may at all times revoke any such consent through the Platform’s settings.
The Platform memorises some information to improve the use of the Services, for instance, your log-in information (so that you do not have to insert it every single time you have access). The Data Controllers have no access whatsoever to such information, exclusively memorised inside the device. In particular, as regards the cookies used, please note as follows.
Cookies are small text files that the websites visited by the user send to and record on his/her computer or mobile device, to be then sent again to the same websites at the next visit. It is precisely thanks to cookies that a website remembers the user’s actions and preferences (such as, for instance, log-in data, the language chosen, the size of the characters, other display settings, etc.) in such a way that they do not need to be mentioned again when the user returns to visit such website or surfs from one page to another of the website. Cookies are thus used for the purposes of computer authentication, session monitoring and for memorising information on the activities of the users having access to a Website, and may also contain a single user id allowing to keep track of the user’s surfing inside the website for statistical or advertising purposes. In surfing a website, the user may also receive on his/her own computer or mobile device cookies of websites or of web servers other than the one he/she is visiting (the so-called “third-party” cookies). Some operations may not be carried out without using cookies which, in certain cases, are thus technically necessary for operating the website.
There are different types of cookies depending on their characteristics and features, and these may remain in your computer or mobile device for different periods of time: the so-called session cookies, which are automatically cancelled when the browser is closed; the so-called persistent cookies, which remain in your device until a fixed expiry.
Amongst the technical cookies that do not request an express consent for their use, the Italian Data Protection Authority (cf. The Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies decision of 8 May 2014, hereinafter, the “Decision”) also includes:
Instead, the user’s prior consent is required for “profiling cookies”, that is those aimed at creating profiles related to the user and used to send advertising messages in line with the preferences shown by the user while surfing the Internet.
Types of cookies used by the Website
The Website uses the following types of cookies and offers the possibility to deselect them:
In particular, the first-party cookies sent through the Website are shown below:
Cookies in the Website
|Type of cookie||Technical name of the cookies||Features and aims||Time of persistence|
|Surfing or session technical cookie||ASPXAUTH||This cookie is used to check if a user is authenticated (ASP.NET authentication)||365 days|
|Surfing or session technical cookie||ASP.NET_SessionId||This cookie is used to identify the users’ sessions on the server||365 days|
|Technical cookie||cookie_accept||This cookie is used to memorise the user’s preferences regarding the cookies||365 days or until the user deletes it|
How to display and change the cookies through one’s own browser or through specific software
The user may authorise, block or delete the cookies (either totally or partially) through the specific features of his/her own browser, or by using specific software: however, should all or some of the cookies be deactivated, it could happen that the Website may not be consulted or that some services or certain features of the Website are not available or do not work correctly and/or the user may be forced to change or to insert some information or preferences manually each time he/she visits the Website. To receive additional information as to how to set the preferences on the use of the cookies through one’s own browser, you may consult the relevant instructions:
3. AIMS, LEGAL GROUNDS AND COMPULSORY OR OPTIONAL NATURE OF THE PROCESSING
The data that you supply to us through the Platform following your specific consent, if necessary, will be processed for the following purposes:
1. Supply of the Services
The supply of your data is optional failing which, however, it will not be possible to supply the requested Services. Pursuant to Article 26, paragraph 1, letter b, of the Regulation, we do not require the consent to the processing of your personal data for such aims, since such data are necessary to perform the agreement to which you are a party and/or to implement precontractual measures adopted, if any, upon your request. In any event, it is however necessary that you give your express consent to the processing of the special categories of your data for the purposes of ascertaining the fitness for indoor cycling activity (medical certificate) and, in general, to supply the Services. Failing any such consent, it will not be possible to create your account and to participate to the rides, since the processing of some of your sensitive data, given the fact that they belong to a special category under Article 9 of the Regulation, is implied in the requested Services;
2. Statistical surveys/analysis on aggregate or anonymous data, without it being possible to identify the user, aimed at measuring how the App works, at measuring the traffic and at assessing usability and interest
The processing on aggregate or anonymous data do not foresee the application of the Regulation;
3. Fulfilment of obligations provided for by law, regulation or EU laws and regulations
Please note that the aim under this paragraph 3.3 amounts to a lawful processing of Personal Data, pursuant to Article 6(1)(c) of the Regulation, the consent to the processing of your personal data for such purposes is not necessary;
4. Drafting of studies, research, market statistics; sending of information and promotional material, and of customer satisfaction surveys. Such communications may take place by phone through an operator, email, SMS-type messages, social networks or push notices, by post and/or by phone through an operator and/or through the official pages of Revolution and of VAI on the social networks
The processing carried out for marketing purposes is based on the granting of your consent under Article 6(1)(a) of the Regulation. The supply of your Personal Data for these purposes is therefore totally optional and will not prevent you from benefitting from the Services. Should you wish to object to the processing of your Personal Data for marketing purposes, you may do so at any time by writing to Virgin Active Italia S.S.D.L.p.A., via Archimede 2, Corsico (Milan). Please note that if the data controller uses, for the purposes of the direct sale of own products or services, the email address given by the data subject within the scope of the sale of a product or of a service, it may not request the data subject’s consent, provided that it is the case of similar services to those to be sold and provided that the data subject, duly informed, does not refuse any such use, initially or on the occasion of future communications.
Some of your data may be spread, since they may be shared (for example: the nickname, the levels of moves reached and training attendance) with the ‘friends’ in the App’s social community. In this way, your data will be spread within such community.
Such processing will only take place following your specific consent, which may be revoked at any time through the App’s settings.
Your data may be processed, following your specific consent, in order to analyse your interests, habits and consumption choices, also for the purpose of being able to send you customised information and promotional material on the services offered by our Clubs (hereinafter, “Profiling”). The legal grounds for any such processing may be found in our consent, as per Article 22.2(c) of the Regulation. Failure on your side to give your consent to the processing at issue will not jeopardise the enjoyment of the Services, however, if you have chosen to receive messages on our initiatives and promotions, you will receive general messages not based on your interests and on your preferences.
4. METHODS OF PROCESSING DATA, SECURITY MEASURES
The Data Controllers – or third parties appointed data processors under section 28 of the Regulation – process your Personal Data with limitation to the respective achievement on the Data Controllers’ side of the aims mentioned above, mainly with automated tools, but also on paper, for the time needed for achieving the aims for which they were collected.
Specific security measures are complied with to prevent the loss of data, illegal or incorrect uses, and unauthorised access in compliance with the provisions under section 32 of the Regulation concerning security measures.
5. INTERACTION WITH FACEBOOK
You may register to the Services not only by filling in the specific registration form but also, if you have a Facebook profile, by merely clicking on the “Login with Facebook” button. In this case, Facebook will automatically send some of your data to the Data Controllers, specified in the specific pop-up window, which is used at the moment of the request, and you will not have to fill in any other forms.
6. RECIPIENTS OF THE PERSONAL DATA
Your Personal Data may be disclosed to parties outside the Data Controllers’ organisation, the activity of which is necessary and instrumental to the supply of the Services such as, for instance, technology suppliers.
Furthermore, upon your specific consent, the Data Controllers may collect pictures (photos and videos) during the ride performances and may spread them on the available means of communications (e.g. official Facebook pages of Revolution and/or VAI). This could entail the spreading of your image: if you do not wish that a video or a picture of you be taken, and you have not given your consent to the spreading of your data as described in detail under paragraph 3.5 above, just to be sure, please inform VAI and/or Revolution staff in charge on site. Failure to give your consent to the spreading of your data will not prevent you from benefitting from the Services.
Your Personal Data may be shared for the purposes under section 3 with parties:
7. KEEPING OF PERSONAL DATA
The Personal Data processed for the purposes under section 3.1 will be kept for the duration of the agreement.
Those data strictly necessary for the Data Controllers for defending themselves against possible legal actions may be kept at a later stage, as foreseen by the law provisions in force (section 2946 of the Civil Code, et seq.)
The Personal Data processed for the purposes under section 3.3 will be kept until the time foreseen by the specific obligations or applicable law provision.
For the purposes under section 3.4 and 3.5, your Personal Data will be processed, instead, until the revocation of our consent. Without prejudice, in any event, to the possibility that VAI and Revolution have to keep your Personal Data until the time permitted by Italian law for the protection of own interests (section 2947(1)(3) of the Civil Code). Further information in connection with the period for keeping the data and with the criteria used for determining any such period may be requested to the Data Controllers in writing.
8. YOUR RIGHTS
You are entitled to request the Data Controllers, at any time, to have access to your Personal Data, to have the latter corrected or cancelled or to object to their processing; you are also entitled to request the restriction of processing in the cases foreseen under Article 18 of the Regulation, as well as to obtain the data concerning you in a structured, commonly used and machine-readable format in those cases foreseen by Article 20 of the Regulation.
All requests must be sent in writing to the physical address of Virgin Active Italia S.S.D.L.p.A.
In any event, you will always be entitled to lodge a complaint with the competent supervisory authority (the Data Protection Authority) pursuant to Article 77 of the Regulation, should you deem that the processing of your data is against the laws and regulations in force.
You may write to Virgin Active Italia S.S.D.L.p.A., via Archimede 2, Corsico (Milan), if you wish to receive any type of information on the processing of your Personal Data carried out by the Data Controllers, or if you wish to exercise the rights above, or for any other request.
(L.V. 15 February 2018)