Processing of personal data

IGPDecaux - Privacy Statement relating to the "bikeMi" Bicycle Sharing System

Privacy Policy for the users of the bike sharing service bikeMi

Version of 1 November 2024

IGPDecaux S.p.A., in its capacity as data controller, wishes to inform the users (hereinafter the "Users", or "you") of the bikesharing service bikeMi (hereinafter the "Service"), regarding the processing of their personal data, pursuant to Italian Legislative Decree no. 196/2003, as subsequently amended and supplemented (hereinafter the "Privacy Code") and to the General Data Protection Regulation 679/2016/EU (hereinafter the "GDPR").

The Service allows Users to rent a bicycle after registering through (i) the website www.bikemi.it, (ii) the smartphone application, or (iii) any other registration mechanism made available by IGPDecaux S.p.A. from time to time. The Service is governed by the "Terms and Conditions of Use for bikeMi", available at the following link: Terms and Conditions of Use for bikeMi - BikeMi and reserved for Users over the age of 14. Therefore, IGPDecaux S.p.A. will not collect personal data referring to Users under 14 years of age. Should IGPDecaux S.p.A. inadvertently collect personal data of Users under the age of 14 years, it shall delete the same.

  1. Who is the data controller?

IGPDecaux S.p.A., with registered office in Assago, Centro Direzionale Milanofiori Strada 3 Palazzo B10, Milano P.IVA 00893300152 (hereinafter referred to as the "Data Controller", or "we") is the data controller with respect to the personal data of Users processed within the scope of the Service.

The Holder may be contacted at the following e-mail address/PEC: amministrazione@pec.igpdecaux.it

  1. What data is processed?

Your data, collected by us as part of your use of the Service, is as follows:

"Identifying data' such as:

first and last name;

e-mail address;

telephone number;

domicile/residence;

year of birth;

gender;

"Billing data' such as:

e-mail address of the card holder;

last four digits of the credit card number;

billing address

any further information required for the handling of payments;

"Customer Service Data' such as:

name of the social media profile of the User contacting Customer Support;

'Service usage data' such as:

date, time and duration of use of the Service by the User;

geographical location of the User in the context of using the Service;

withdrawal modes (ios, android, card).

(hereinafter jointly referred to as the 'Data').

  1. Why do we process your Data?

Your Identification Data will be processed for the following purposes:

provide you with the Service, by executing a contract to which you are a party ('Contractual Purposes');

comply with any legal and regulatory obligations ('Legal Purposes');

send commercial communications and invitations to events, through traditional and remote means of communication including e-mail, SMS, social networks, instant messages, mobile applications, banners, mail and telephone, for the promotion and/or sale of products and/or services marketed by the Controller ('Marketing Purposes');

to carry out activities in connection with the sale of companies and business units, acquisitions, mergers, demergers or other transformations and for the execution of such transactions, as well as to assert and defend the rights of the Controller against you and third parties in any litigation ("Purposes of Legitimate Business Interest").

Your Billing Data will be processed for the following purpose:

provide you with the Service, by executing a contract to which you are a party ('Contractual Purposes');

Your Customer Service Data will be processed for the following purposes:

manage and process any request for assistance made by the User ("Customer Support Purposes"); and

improving the Service ('Legitimate interest in improving the Service').

Your Service Usage Data will be processed for the following purposes:

provide you with the Service, by executing a contract to which you are a party ('Contractual Purposes');

manage and process any request for assistance forwarded by the User ("Customer Service Purposes");

monitoring the proper use of the Service by the User and preventing unauthorised use or fraud ("Security Purposes"); and

anonymisation for the purpose of processing statistical data on the Service ('Statistical Purposes').

  1. What is the legal basis for the processing of your Data?

The processing of Data for Contractual and Customer Service Purposes is based on Article 6(1)(b) of the GDPR and is necessary for the performance of a contract to which you are a party or the performance of pre-contractual measures taken at your request. Therefore, if you do not want your Data to be processed for this purpose, you will not be able to use the Services offered by the Controller and/or it will not be possible for the Controller to follow up on any requests you have made.

The processing of Identifying Data for the Purposes of Law is based on Article 6(1)(c) of the GDPR and is mandatory, as it is necessary to fulfil a legal obligation to which the Controller is subject.

The processing of Identifying Information for Marketing Purposes is optional and subject to your prior consent pursuant to Article 6(1)(a) of the GDPR. Failure to provide consent will result in the inability of the Controller and/or its group companies and authorised agents and retailers to keep you updated on new products or services, promotions, and to invite you to events.

The processing of Data for Statistical Purposes, Legitimate Business Interest Purposes, Service Improvement and Security Purposes is in pursuit of a legitimate interest of the Data Controller, appropriately balanced against your interests in the light of the limits imposed on such processing and is not mandatory and is based on Article 6(1)(f) of the GDPR. You will have the right to object to the processing for such purposes, in the manner set out in paragraph 7 below, subject to our overriding interest in continuing the processing and except where the processing is necessary for exercising or defending a right of ours in court.

  1. How do we handle your Data?

In relation to the aforementioned purposes, the processing of Data shall take place both through IT tools and on paper and, in any case, through tools suitable to guarantee security and confidentiality through the adoption of the security measures prescribed by the GDPR.

We will proceed to the deletion and/or removal of the Data if there is no need to process the Data in an identifiable form for the purposes of processing and upon expiry of the retention period indicated in paragraph 8 below.

  1. Can Data be communicated or transferred abroad?

We may disclose your Data for the purposes set out in paragraph 3 to the following categories of recipients: (i) collaborators and employees of the Data Controller and of the entities indicated below in this paragraph 6, within the scope of their respective duties, as data processors; (ii) third party providers of assistance and consultancy services with reference to activities in the areas of, but not limited to, marketing, technological, accounting, administrative, legal, insurance, as data processors or autonomous data controllers; (iii) entities and authorities whose right to access the Data is expressly recognised by law, regulations or measures issued by the competent authorities, as autonomous data controllers.

In addition, with regard to the Identifying Data, the Controller may also communicate them to the following categories of recipients: (i) subjects who are the transferees of a company or a business unit, companies resulting from possible mergers, demergers or other transformations of the Controller, as autonomous data controllers; (ii) companies belonging to its group, as well as its agents and authorised dealers, as data processors.

Your data will not be disseminated.

Your Data may, in accordance with applicable regulations, be transferred abroad to countries belonging to the European Economic Area. Any transfer of your Data to countries outside the European Economic Area will take place, in any case, in accordance with the appropriate and adequate safeguards for such transfer, pursuant to articles 44 et seq. of the GDPR.

  1. What are your rights?

You have, at any time and free of charge, the right to:

obtain confirmation of the existence or non-existence of Data concerning you, and to know its content and origin, verify its accuracy or request that it be supplemented or updated, or corrected;

to request the deletion, transformation into anonymous form or blocking of Data processed in breach of the law;

to object in any case, for legitimate reasons, to their processing;

request the restriction of the processing of the Data where (i) you dispute the accuracy of the Data, for the period necessary for the Controller to verify the accuracy of such Data; (ii) the processing is unlawful and you object to the deletion of the Data, but request instead that its use be restricted (iii) although the Data Controller no longer needs it for the purposes of the processing, the Data is necessary for the establishment, exercise or defense of a legal claim; (iv) you have objected to the processing pursuant to Article 21(1) of the GDPR pending verification as to whether the Data Controller's legitimate reasons prevail over those of the User;

obtain Data portability;

revoke, at any time, consent to the processing of data, without in any way affecting the lawfulness of the processing based on the consent given before revocation.

In the event of your death, the aforementioned rights in respect of your Data may be exercised by those persons having an interest in your Data or acting in their capacity as authorised representative, or for family reasons worthy of protection. You may expressly prohibit the exercise of some of the rights listed above by your successors in title by sending a written declaration to the Controller at the e-mail address below. The declaration may subsequently be revoked or amended in the same manner.

The relevant requests may be addressed directly to the Controller by sending an e-mail to amministrazione@pec.igpdecaux.it

You also have the right to lodge a complaint with the Garante per la Protezione dei Dati Personali: https://www.garanteprivacy.it/

  1. How long do we keep your Data?

We will process your Data for the period necessary to fulfil the purposes for which it was collected in accordance with paragraph 3 above.

In any case,

Data collected for Contractual Purposes are retained for the duration of the contract and/or Service;

Data collected for Purposes of Legitimate Business Interest shall be retained for a period of 10 years from the time of collection in the case of processing for the purpose of asserting and defending the Controller's rights vis-à-vis you and third parties in any litigation, whereas with respect to processing for the purpose of carrying out activities functional to transfers of business and business units, acquisitions, mergers, demergers or other transformations and for the performance of such operations, the retention periods listed above shall apply with respect to the main processing that takes place;

Data collected for the Purposes of Law are kept for a period equal to the duration prescribed for each type of data by law;

Data processed for Marketing Purposes are kept for 24 months after the collection of the relevant consent, without prejudice to your right to object to such processing at any time;

Data processed for the Purposes of Legitimate Interest in the Improvement of the Service are retained for the duration of the contract and/or the Service;

Data processed for Security Purposes are kept for the duration of the contract and/or the requested Service.

Once the above-mentioned periods have expired, the Data may be deleted, anonymised and/or aggregated.

  1. Changes and updates

This Privacy Policy is valid as of its effective date. However, we may need to make changes and/or additions to this Privacy Policy, including as a result of any subsequent regulatory changes and/or additions. You will be notified in advance of any such changes or updates.