1. GDPR - Evaluation
Identification of all data, associated applications and storage
The Live Cartel service, for its basic operation, needs to acquire the following data from users:
- First name
- Surname
- Email address
- Shipping address
- Billing address
If the Live Cartel user sells paid products, and / or if he chooses to activate a paid subscription, Live Cartel acquires further data:
- user’s Stripe account address, necessary for the user to be able to sell their products and / or to subscribe to a paid subscription;
- billing profile of the user (Name, Surname, Tax Code and / or VAT number) necessary to be able to sell the products and to receive a commercial invoice for the paid subscription signed with Live Cartel.
If the Live Cartel user uses the customer management service, Live Cartel acquires contact data (Name, Surname, Email address) which are uploaded to the platform.
The data is acquired via desktop / mobile browser and / or via app, and is stored in the Live Cartel database hosted on the Compose service (www.compose.io).
Live Cartel can also acquire information on the user’s geographical location, through a request for consent to be provided on a desktop / mobile browser and / or on the app.
Determination of personal information that directly or indirectly identifies a subject
The data that can identify a subject are:
- First name
- Surname
- Email address
- Billing Profile
- Stripe account
Determination of the supervisory and / or processing authority of Identifiable Personal Information
Within Live Cartel, the control and / or processing authority of Identifiable Personal Information is assigned to Ferdinando Caruso who assumes the role of DPO.
The DPO was designated on the basis of professional qualities, and the ability to fulfill their duties.
The DPO is promptly and adequately involved in all matters concerning the protection of personal data by both the data controller (the company Live Cartel SRL) and the data controller. Interested parties can contact the data protection officer for all matters related to the processing of their personal data and to the exercise of their rights deriving from the GDPR.
The DPO enjoys ample autonomy and does not receive any instructions regarding the execution of its duties.
Identification of business processes through the use of Identifiable Personal Information
The internal business processes of Live Cartel that involve the use of Identifiable Personal Information are:
- user registration
- user login
- sale of products
- issue of product sales invoices
- sending emails
- sending service communications
- shipment of products
- refund of the products
Identification of the people who interact with the Identifiable Personal Information
Access to Identifiable Personal Information is allowed only to Live Cartel technical staff, who access it only for purposes related to service maintenance and user support. Access to non-technical personnel and third parties unrelated to the Live Cartel service is not allowed.
2. GDPR - Identification of compliance priorities
The categories of data, business processes and their characteristics are managed in Live Cartel in a combined manner to ensure compliance with the GDPR.
In this regard, we have identified the following categories of data:
- Name and surname of the user
- User email
- User tax code
- User VAT number
- User Stripe account address
- Name and Surname of people contacted by the user
- Email address of people contacted by the user
- Messages sent and received by the user
- Other data of a varied nature collected by the user through questionnaires, interviews and collection forms through the Live Cartel service
Some of these categories fall under Personally Identifiable Information:
- Name and surname of the user
- User email
- User tax code
- User VAT number
- User Stripe account address
- Name and Surname of people contacted by the user
- Email address of people contacted by the user
The others, on the other hand, are non-identifiable information and are not viewed for the execution of the service, unless explicitly requested as part of support provided to the user.
The business processes affecting the categories of information are:
- new user registration
- user login
- sale of products
- sending email communications
- user support
- sending technical communications to the user
- sending service communications to the user
- sending promotions to the user
The user who subscribes to the Live Cartel service explicitly approves each point of this list of use, in a clear and informed manner.
The priority followed in updating the service was in fact to provide a simple and safe system for understanding each of the listed operations, with the possibility of agreeing to only some of them. Of course, there are operations (e.g. acquisition of the VAT number) that are necessary for the execution of the service itself (e.g. sale of products).
3. GDPR - Data Protection Impact Assessment (DPIA)
We performed an impact assessment on any process at risk of violating the data privacy rights of the data subject. The purpose of the assessment was to allow us to mitigate the identified risks as much as possible.
The evaluation report described below concerns:
- Description of the control and / or processing activities of Identifiable Personal Information
- Evaluation of the impact on the rights of the interested parties
- Measures taken to limit the impact
We have identified the critical activities from the moment the first data considered as Identifiable Personal Information is acquired: the user’s email address, and their name and surname.
This information is acquired exclusively at the time of the user’s voluntary registration to the Live Cartel service.
We have reviewed the data acquisition process, giving the user greater clarity about how the data is acquired and the use that will be made of such data within the Live Cartel Service.
We have carried out a thorough checkup of our services to ensure that during the data acquisition phase no third parties are involved who may “steal” the data provided by the user.
We use the HTTPS protocol on every page of the livecartel.it site in order to secure the transmission of information between users and the platform, both through desktop and mobile browsers.
We do not store sensitive financial data, such as the number and expiry date of the user’s credit card, within Live Cartel and the services included. For reasons of superior security, we do not provide an internal gateway for managing financial transactions related to the sale, refund and payment of ticket commissions. We only use clearly identifiable third party services: Stripe. The user is fully informed about the possible use of third party services. The connection between Live Cartel and third party services takes place securely. For further information it is possible to consult the Privacy Policy of third party services.
The Live Cartel user is therefore not exposed to the risks associated with the theft of financial data, because such data is not included among those acquired, processed and stored by Live Cartel.
With regard to the data collected from Live Cartel users, through the Live Cartel service, we have further improved the warning and protection systems we offer, both to our users and to our users’ users.
In particular, we have improved the procedures for identifying spam actions carried out by our users, through the Live Cartel service, towards their contacts and / or users, both by providing a clearer explanation of what is and is not allowed through the Live Cartel service, and by providing a reporting channel which third parties can access to request checks on certain behaviors.
4. GDPR - Declaration of conformity
At the effective date of the GDPR, the Live Cartel service is to be considered compliant with the required specifications.