Privacy Policy PRIVACY POLICY

INFORMATION ON THE PROCESSING OF PERSONAL DATA

INTRODUCTION

This document describes the policy regarding the processing of personal data in connection with the use of the online platform "Lugano Eventi" (hereinafter the "Platform"), consisting of the website www.luganoeventi.ch (hereinafter the "Site") and related resources, including pages and profiles on social media (in particular: Facebook, Instagram, YouTube and Twitter), as well as the App for mobile devices "Lugano Eventi" (hereinafter the "App"), available free of charge and without registration at online stores. The Platform is intended for the support, development and promotion of cultural and entertainment activities at the local level. The Platform is designed to offer people a free guide to major public events and facilities open to the public in the City of Lugano. The Platform is for information and dissemination purposes only. Lugano Eventi is not responsible for the misuse or improper use of the Platform by users, or for the content and events posted by them, each user being solely responsible to the public for the content and opinions posted, respectively for the organization of events. The conditions governing in detail the use of the Platform are described in a separate document, accessible at this https://luganoeventi.ch/it/termini-condizioni. The same is understood to be reproduced and supplemented in full here. Paragraphs A and B specify the ownership of the Platform, contact details for communications, and describe the mechanism for acceptance and review of this document. Paragraphs C and D describe the owner's policy regarding the processing of users' personal data and cookies. Finally, paragraph E governs the substantive law applicable to the legal relationship between the parties and establishes the competent court in case of a dispute related to that relationship. This document informs the user, pursuant to and for the purposes of Articles 4 para. 5 of the Federal Data Protection Act (DPA) and, where applicable, Articles 13 and 14 of the European Regulation (EU) 679/2016 (hereinafter "GDPR"), that the personal data provided or otherwise acquired in the context of the Platform's activity will be processed, in accordance with the principles set forth in the above regulations. It should be noted that the GDPR, in accordance with Article 3 para. 2, applies only in the case of processing of personal data related to:

Offering goods or services to individuals in the EU;

Monitoring the behavior of individuals in the EU.

SITE OWNER AND COMMUNICATIONS

  The Site is owned by the City of Lugano (CH) (hereinafter the "Owner") and is managed by the Events and Congresses Division of the City of Lugano. All communications shall be in writing and shall be deemed validly and effectively executed upon receipt thereof, if made by regular mail, respectively upon the sending of the reading confirmation, if made by electronic mail. Contacts: Events and Congress Division, City of Lugano Via Trevano 55 CH - 6900 Lugano T.: +41 58 866 74 40 (from Switzerland) E-mail: eventi@lugano.ch

ACCEPTANCE AND MODIFICATION OF THIS POLICY

Through your use of the Platform, you agree to the terms and conditions, as well as the processing of personal data described by this policy, in the version in effect at the time of use. The current version can be viewed by clicking on the appropriate link at the bottom of the Site. It is the user's responsibility to carefully check the status of the terms and conditions, as well as the policy before using the Platform, the Owner's right being reserved to update this document at any time and at its own discretion, notably in accordance with the evolution of applicable law, functionalities, as well as services and products made available to the user. Where required by law, the Owner will request express consent from the user via electronic channels (online or by email).

DATA PROTECTION POLICY

Data controller

The Data Controller is the Municipality of Lugano, represented by the appointed bodies and instances in accordance with current municipal and cantonal regulations. The Data Controller can be contacted through the contact details specified in Paragraph A above.

Municipal data protection officer

The Controller, as part of promoting the relationship of trust with the user in relation to the proper processing of his/her personal data, has appointed a Municipal Data Protection Officer (effective 1.1.2020), whose task is to advise the Controller on the applicable data regime, conduct regular audits, respond to inquiries, and follow up on the exercise of users' rights. The Municipal Data Protection Commissioner can be contacted by regular mail at the following address: City of Lugano c/o Legal Affairs Division Via della Posta 8 CH - 6900 Lugano T.: +41 58 866 70 80 Fax: +41 58 866 75 40 Any communication regarding the protection of personal data may also be sent to the following e-mail address: giuridico@lugano.ch

Legal regime applicable to data processing

In the context of operating the Platform, the Data Controller, as a public entity under Swiss law, exercises an activity of an economic nature that does not derive from a sovereign power. That being said, the processing of personal data of users is in principle governed by the Federal Data Protection Act (DPA, SR 235.1). Through access to and subsequent use of the Platform, the user manifests, where necessary for the lawfulness of the processing, i.e. in the absence of a legal basis or processing related to the fulfillment of a contract or a legal task, his or her consent to the processing of personal data contemplated or presupposed herein. WHEREAS, the Municipality of Lugano in principle does not process personal data falling within the scope of the GDPR, as specified in the input, should the GDPR be exceptionally applicable, the Data Controller grants the data subjects the protections provided by the GDPR itself (in particular, the rights provided for in Articles 12 - 23). The text of the GDPR can be accessed by activating this link.

Concepts and categories of personal data

Personal data is defined as any indication or information that directly or indirectly makes it possible to identify a person, whether natural or legal ("Personal Data"). Personal data worthy of particular protection are considered to be information about religious, philosophical, political or trade union opinions or activities, health, intimate sphere or race affiliation, mental, mental or physical state, as well as information about crimes committed, their penalties imposed and measures taken. The Platform does not request / collect / process personal data worthy of special protection. The user is therefore advised not to spontaneously transmit information of this nature via the Platform and related resources (in particular: e-mail, contact form, social media, etc.).

Purpose and lawfulness of processing

The Data Controller processes Personal Data in relation to the purposes summarized in the following table. Purposes of processing Justification Data retention period Use of the Platform by the user (Site, App, Social Media, Newsletter) Private interest preponderant | Fulfillment of contractual obligations 90 days; cookie and social plug-in disclosure is reserved Statistical analysis regarding the use of the Platform for the purposes of security, technical optimization and evaluation/improvement of services and content Private interest preponderant 90 days; cookie information is reserved (with particular reference to statistical-analytical cookies) Activities of an organizational, administrative, financial and accounting nature and customer/user data management, regardless of the nature of the data processed. In particular, internal organizational activities pursue these purposes. Overriding private interest | General Law: 10 years (legal obligation to preserve documents with accounting value); otherwise, destruction or anonymization as soon as the purpose underlying the processing is achieved Newsletter Overriding private interest | Fulfillment of contractual obligations (voluntary registration of the user to the service) Until unsubscription (opting - out) Online event reporting form Overriding private interest | Fulfillment of contractual obligations (voluntary notification of the user - event promoter) General: 12 months; 10 years if the communication has accounting, contractual or commercial value E-mail and postal communications Preponderant private interest | Fulfillment Contractual obligations General: 12 months; 10 years if the communication has accounting, contractual or commercial value Localization Preponderant private interest 90 days; cookie disclosure is confidential (with particular reference to statistical-analytical cookies) The Data Controller collects and processes Personal Data necessary to make possible, respectively optimize, the use of the Platform. This data includes information concerning the use of the Site and the App, in particular the correspondence between the parties, the e-mail address, the IP address of the user's device, its approximate location when using the Platform by analyzing the IP address provided by the Internet access provider, the unique identifier of the mobile device, the characteristics of the browser (type, language, plug-ins installed, etc.), the pages visited, the length of stay on the Site, the links activated, and cookies. This data is processed in an automated manner to derive analytical and statistical information about the use of the Platform, enable navigation on the Site or the use of the App, evaluate the introduction of new features, improve the quality of the services offered, measure the use of the Site and the App and optimize their usability. The Platform processes Personal Data voluntarily transmitted by the user, in particular through the online reporting form or email, for the purpose of communication, contractual fulfillment, or making available the requested information. The Platform does not process or transmit content or Announcements designed based on user behavior online and/or through the App and/or other social media or the use of the Newsletter. The Platform does not profile you, nor does it monitor your use of online resources or email outside of the luganoeventi.ch domain (other than being told of the online resource from which you come to the Site). The Platform does not sell, rent, trade and/or lend Personal Data to third parties. It is recommended that you do not transmit information and/or documents containing personal and/or confidential information by e-mail, as this is an insecure means of communication and does not guarantee the protection of confidentiality. The City of Lugano is willing to provide secure electronic communication channels for transmitting sensitive data at your request.

Duty to provide data; alternatives to digital communication

Apart from what is specified for the data necessary to make possible, respectively optimize, the use of the Platform, the user is free to provide or not to provide Personal Data. Failure to provide the necessary data, for example, generalized blocking of cookies or failure to provide an e-mail address as part of the Newsletter subscription or even failure to fill in the mandatory data required by the online event reporting form, will result in the impossibility of obtaining what has been requested or taking full advantage of the digital services offered by the Controller. In general, the Data Controller emphasizes that the data subject has the option of using ordinary channels of communication, such as telephone and regular mail, should he or she not wish to take advantage of electronic channels. The Newsletter, on the other hand, is provided only electronically for reasons of economy.

Data transfer to a third country and/or international organization

Personal Data is in principle processed and stored by the Data Controller through its own IT services and infrastructure located in Switzerland. Where appropriate, taking into account the purpose of the processing, albeit within the limits of what is strictly necessary, Personal Data may be transferred abroad (with respect to Switzerland), limited to the European Union or to countries that provide adequate protection of Personal Data (with respect to Swiss law) as per the List established by the Federal Authority (link), respectively the European Authority competent in relation to data processing (exceptionally) subject to the GDPR. The data subject has the right to obtain a copy of such data, stating the reason and proving his or her legitimacy. In the case of transfer to non-European countries, in particular the United States, whose level of data protection has not been deemed generally adequate by the EU and CH Authorities, personal data may only be transferred to individuals, entities and companies that have adhered to specific international agreements and/or instruments having as their object the protection of personal data (for example: Swiss / EU - US Privacy Shield). The data subject will be able to obtain information about the guarantee measures taken for the transfer of Personal Data by addressing a request to the Data Controller by e-mail, stating the reason and proving their legitimacy.

Period of retention of personal data

The Platform retains Personal Data as long as their retention is necessary in view of the purposes for which the data were collected, respectively to the extent that there is a legal obligation to retain them (as a rule 10 years) (see table under (e) above). The exercise of any rights of the user to early deletion of Personal Data is reserved. Once the purpose of the collection of Personal Data has lapsed, respectively the retention obligation established by law has expired, at the latest within 30 days, the Data Controller shall provide for the definitive and secure deletion of the data or, alternatively, their anonymization. Access to the detailed and up-to-date policy on the retention of Personal Data can be requested from the Data Controller by e-mail, stating the reason and proving its legitimacy.

Event reporting form

The Site provides an online event reporting form, based on a third-party plug-in. The plug-in is set up to automatically send the data entered in the form via e-mail to the Owner, without retaining a copy. The Owner has no power of intervention over the developer and/or the service, so the Owner is not in a position to issue any information and/or guarantees on quality and with regard to the processing of personal data. The user can assume all relevant information by visiting the developer's site (https://contactform7.com/). If the user does not wish to accept the service of a third party, the user can opt out of the online form and submit a report by referring to the various tools/contact details specified in Paragraph A above.

Newsletter

The Newsletter is a service made available free of charge to the population. The Newsletter is sent only to those who have registered for this purpose by providing their e-mail address. Immediate unsubscription from the list of recipients is possible at any time and with immediate effect by activating the dedicated link placed at the bottom of each e-mail. Non-subscription to the Newsletter or deletion from the recipient list does not affect or in any way reduce the usability of the Platform. The Owner does not transfer users' e-mail addresses to third parties, with the exception of the external provider of the Newsletter service, which receives recipients' e-mail addresses functionally to manage the Newsletter. The latter must be established in Switzerland, the EU or the USA (in the latter case only if it has joined the US - CH/EU Privacy Shield).

Social media

The Owner holds and operates pages and profiles on major social media, such as Facebook, Instagram, Twitter, and YouTube The Platform allows the user to share content via social media through the activation of so-called widgets (see section D below). The user's attention is drawn to the fact that social media collect, process, and disclose to third parties, including third parties established in states that do not adequately protect personal data (with respect to Swiss law), extensively, personal data about the user. By using these resources, over which the Owner has no power of control, the user acknowledges and agrees that the privacy and data protection provisions issued by the individual social media and valid at the time of access (in particular: Facebook, Instagram, and Twitter,) apply. The user agrees to refrain from using social media if he/she does not agree with the rules established by the relevant providers.

App for mobile devices

By downloading the App to your device, you give the following permissions to acquire personal information through your mobile device in connection with the operation and use of your device:

location: approximate location by analysis of the IP address provided by the Internet access provider;

Photo/media/file/storage space: read/edit/delete USB memory contents;

other: receiving data from the Internet, displaying network connections, full network access, and preventing the device from going into standby.

Data related to minors

Processing justified by the consent of the data subject is lawful where the child who has given consent is at least 16 years old. Where the child is under the age of 16, the processing of personal data is lawful only and to the extent that consent is given or authorized by the legal representative. The Controller will make every reasonable effort and in consideration of available technology to verify that the consent given by the legal representative is effective. However, it will not be in any way responsible for any misrepresentation that may be provided by the minor and, in any case, if it ascertains that the statement is false, it will immediately delete any personal data and any material acquired. The Holder will facilitate requests concerning the personal data of minors coming from the legal representative.

Data controllers, recipients or categories of recipients, access to data

The Personal Data you provide may be disclosed to recipients who will process the data as Data Processors and/or as individuals acting under the authority of the Data Controller or Data Processor. Where they operate fully independently, the individuals assume the position of separate Data Controllers. Subject to the data transmissions required by law, the data may be communicated to recipients belonging to the following categories:

entities that provide services for the management of information and telecommunications systems used by the Data Controller for the provision of the Platform and for the organization, planning, implementation and execution of activities related to the Platform;

Individuals who provide services to the Data Controller, such as in the legal, accounting, administrative, tax, and auditing fields.

As part of the operation of the Platform (in particular: Newsletter, maintenance, translation, hosting and Internet access), the Data Controller uses external providers of goods and/or services established and active in Switzerland, the EU or the USA (in the latter case only if the provider has joined the US - CH/EU Privacy Shield). External providers have access to the data only to the extent strictly necessary for the proper and efficient performance of their tasks, subject to the assumption, by agreement, of an obligation of confidentiality and non-use in relation to the Personal Data. The complete and updated list of Data Processors is available for viewing at the company's registered office to interested parties who have indicated in writing the reason for the request and proven their legitimacy. For information security reasons, certain information may be anonymized or masked.

E-mail communications, risks

The user is advised that (i) the use of e-mail does not ensure the confidentiality and integrity of data in transit, (ii) many e-mail service providers are located or hold their data in countries that do not guarantee adequate protection of personal data (e.g. the USA, see updated official list downloadable here), (iii) the use of such an e-mail service results in the transfer and storage of data in a country that does not guarantee adequate protection of such data. The user authorizes the Owner (including bodies, auxiliaries, proxies and proxies) to transmit by regular (non-certified and/or encrypted) e-mail documents and/or information, including those containing personal and/or confidential data, using the e-mail address provided by the user in response to user requests received by mail, telephone or e-mail. The user, in full awareness of the aforementioned risks, releases the Owner from any liability in the event of unauthorized access by third parties to documents and/or personal and/or confidential information transmitted or received via e-mail by the Owner and/or its organs and auxiliaries.

Links to third-party resources

The Platform contains links to sites, services, products and other Internet resources referable to third parties (including social media and plug-ins). The Owner is in no way responsible for the content, security, or usability of such resources; in particular, the Owner does not verify the policy, nor does the Owner make any guarantees regarding privacy and data protection by such third parties.

Security

The Platform implements security measures reasonably imposed by the circumstances and proportionate to the risks against unauthorized access, use, transmission, alteration, loss, unavailability or destruction of Personal Data. Such measures include technical and organizational measures. However, given the nature of the Internet as an "open network," the Data Controller cannot guarantee or warrant that data in transit will not be intercepted or acquired by unauthorized third parties.

User Rights

Within the limits set by the DPA, the data subject may, in particular:

Obtain correction of inaccurate personal data (Art. 5 para. 2 DPA);

To ask free of charge and with a written response whether data concerning him or her are being processed (Art. 8 para. 1 DPA);

To have consent to the processing of personal data discontinued or revoked (Art. 12(2)(b) DPA);

have an unlawful processing of personal data stopped (Art. 12(2)(a) DPA);

prevent, in the absence of justification, the disclosure to third parties of personal data worthy of special protection or personality profiles (Art. 12(2)(c) DPA);

request that data processing be stopped, that disclosure to third parties be prevented, or that personal data be corrected or destroyed (Art. 15 para. 1 DPA);

if neither the accuracy nor the inaccuracy of the personal data can be proven, request that a mention be added to the data noting its disputed character (Art. 15 para. 1 DPA);

Request that the rectification, destruction, blocking, especially that of disclosure to third parties, as well as the mention of the disputed character or the ruling be disclosed to third parties or published (Art. 15 para. 3 DPA);

Have personal data unlawfully collected, stored, or used destroyed;

To have the illegality of personal data processing established.

 If the data processing falls within the territorial scope of Article 3 GDPR, the data subject may assert the rights as expressed in Articles 15, 16, 17, 18, 19, 20, 21, 22 GDPR by contacting the Data Controller or the Data Processor. The text of the GDPR can be consulted by activating this link. You have the right, at any time, within the limits and under the conditions established by the GDPR, to request from the Data Controller access to, rectification, erasure of, or restriction of the processing of your personal data concerning you or to object to its processing, as well as to exercise the right to portability of such data. Where the processing is based on Article 6(1)(a) or Article 9(2)(a) GDPR, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing based on the consent given before the withdrawal. The user has the right to lodge a complaint with the competent supervisory authority. In the case of a request for data portability, the Data Controller shall provide the user, in a structured, commonly used and machine-readable format, with the personal data concerning the user, subject to paragraphs 3 and 4 of Article 20 GDPR.