DigiAgriApp

INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA APP DIGIAGRIAPP

Dear User (Data Subject), pursuant to Articles 12 and following of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (General Data Protection Regulation, “Regulation” or “GDPR”), and in general in compliance with the transparency principle set forth in the same Regulation, we provide the following information about the processing of personal data (i.e., any information relating to an identified or identifiable natural person: “Data Subject”) carried out in connection with the use of the “DigiAgriApp” app.

Please note that this information does not concern other websites that the user may visit during the use of the App.

DATA CONTROLLER The Data Controller (i.e., the entity that determines the purposes and means of processing personal data, “Data Controller”) is the Fondazione Edmund Mach, represented by the legal representative pro tempore, located at "Via Mach 1, San Michele all'Adige, TN, Italy". "VATIN: 02038410227 , Phone: 0461615301, e-mail: direzione.generale@fmach.it, PEC: direzione.generale@pec.iasma.it"

For contacts specifically regarding the protection of personal data, including the exercise of the rights mentioned in point 9 below, please send any requests to the email address above.

CONTACT DETAILS OF THE DATA PROTECTION OFFICER The Data Controller has appointed, pursuant to Article 37 of the Regulation, a Data Protection Officer (DPO), who can be contacted via the following dedicated email address: dpo@fmach.it.

USER NAVIGATION DATA The IT systems and software used to operate the App collect some personal data, the transmission of which is implicit in the use of Internet communication protocols (e.g., IP addresses or domain names of computers used by users connecting to the App, URI - Uniform Resource Identifier - addresses of requested resources, request time, method used to make the request to the server, file size obtained in response, numerical code indicating the response status of the server - successful, error, etc., and other parameters relating to the user's operating system and IT environment). Although these are information not collected to be associated with identified users, they may, by their nature, through processing and association with data held by third parties, allow the identification of users. Such data is used solely to obtain statistical information not associated with any identifiable user data regarding the use of the App and to monitor its proper functioning, and is deleted immediately after processing. The data may be used to ascertain responsibility in the case of potential cybercrimes against the App. The legal basis for the processing is therefore the legitimate interest in the operation and security of the App.

PURPOSES OF THE PROCESSING, TYPES OF DATA PROCESSED, AND LEGAL BASIS Data processing occurs for the following purposes:

• To use the App that the User voluntarily chooses to download to their device and register;
• To process the data shared by the user for scientific research purposes;
• To allow the User to send information about plots, types of rows, and types of plants cultivated, along with geolocated photographs, so the Data Controller can collect information about their status (sharing georeferenced photographic images);
• To inform Users about cultivation areas.

For these purposes, the following information will be processed:

• Name and surname
• Username*
• Email address*
• Optional biography
• Optional company affiliation, address, email, phone number
• Information about the plot/row/plant
• Device ID*
• Images taken with the device where the App is installed
• Geolocation of the place where the photo was taken or of the device during the use of the App (processed anonymously).

Providing certain data in the “DigiAgriApp” (i.e., name and surname, biography, company affiliation) is optional. However, providing mandatory data (marked with *) is necessary for registration and use of the App.

The legal basis for processing is the necessity of the Data Controller to perform a contract to which the data subject is a party or to take pre-contractual steps at the request of the data subject, as well as, where applicable, to comply with a legal obligation. Please note that disabling the geolocation function will prevent the use of DigiAgriApp.

DATA VOLUNTARILY PROVIDED BY THE USER THROUGH THE APP, IN THE CONTEXT OF CONTACTS WITH THE DATA CONTROLLER In addition to the data necessary for registration and use of the App, any contact with the Data Controller, or the voluntary, explicit, and spontaneous sending of messages, emails, to the Data Controller's contact details listed on the App, will result in the acquisition of the sender's address, including email, necessary to respond to requests, as well as any other personal data entered in the communications. Such data will be used solely to follow up on the User's request and may be communicated to third parties only if necessary for that purpose. For the processing of data for these purposes, the consent of the Data Subject is not required, as the processing is necessary for the execution of a contract to which the Data Subject is a party or for the execution of pre-contractual measures taken at their request, as well as, where applicable, to comply with a legal obligation.

Personal data will be processed by authorized personnel using procedures, technical, and IT tools suitable for protecting the confidentiality and security of the data. The data will be retained for the entire duration of the contractual relationship, and after its termination - only for the data necessary at that point - for the settlement of contractual obligations and to fulfill all legal requirements and related or arising contractual protection needs; ordinarily, data will not be retained beyond 10 years after the termination of the contractual relationship. There are no automated decision-making processes.

PROCESSING METHODS AND COMMUNICATION OF DATA TO THIRD PARTIES Processing will be carried out using digital systems by subjects or categories authorized to perform their related tasks, with appropriate measures to ensure the confidentiality of the data and prevent access by unauthorized third parties. In particular, the App implements anonymization techniques that ensure no association between the user's data and the shared information, avoiding the transmission of the user's identifying data to the software hosted on the Data Controller's servers. The data saved in the service, once anonymized, will be used for the Data Controller's research activities. Additionally, all user data is encrypted using SSL technology during transmission. The data will not be disseminated. The data may be communicated to the Data Controller's collaborators, suppliers, within their related duties and/or contractual obligations regarding the execution of the contractual relationship with the data subjects. The Data Controller may use services provided by third-party entities operating either as independent Data Controllers or on behalf and according to the Data Controller's instructions, as Data Processors pursuant to Article 28 of the Regulation. These are entities that provide processing or instrumental services to the Data Controller. The Data Subject may request a complete and updated list of the appointed data processors by contacting one of the Data Controller's contacts. Access to data may then be granted to any subjects authorized by legal provisions.

TRANSFER OF DATA ABROAD It is not the intention to transfer personal data to non-EU countries or international organizations. Should the Data Controller transfer data to third countries for specific technical reasons, to ensure an adequate level of protection of the data, it will comply with the following conditions: transfer based on an adequacy decision, transfer subject to appropriate guarantees, binding corporate rules, or specific exceptions provided for particular situations.

RIGHTS OF THE DATA SUBJECT The GDPR grants the Data Subject the exercise of the following rights concerning the personal data that concerns them (the brief description is indicative; for the complete enumeration of rights, including any limitations, refer to the Regulation, particularly Articles 15-22):

• Access to personal data (the Data Subject has the right to receive free information regarding the personal data held by the Data Controller and its processing, as well as to obtain a copy in an accessible format);
• Rectification of personal data (upon the Data Subject's request, correction or integration of personal data - not involving evaluative elements - that are incorrect or imprecise, even if they have become so due to being outdated);
• Deletion of personal data (right to be forgotten) (e.g., when the data is no longer necessary for the purposes for which it was collected or processed; it has been processed unlawfully; it must be deleted to fulfill a legal obligation; the Data Subject has withdrawn consent and there is no other legal basis for processing; the Data Subject objects to processing, where applicable);
• Restriction of processing (in certain cases - e.g., contestation of the accuracy of the data, during the time required for verification; contestation of the lawfulness of processing with objection to deletion; need for data for defense of the Data Subject's rights, even if no longer useful for processing; opposition to processing, while checks are carried out - the data will be retained in such a way that it can be restored, but not consultable by the Data Controller except in relation to the verification of the validity of the request for restriction by the Data Subject or with their consent or for the assessment, exercise, or defense of a right in court or to protect the rights of another person or for public interest reasons);
• Objection, in whole or in part, for reasons related to the Data Subject's particular situation, to processing carried out on the basis of legitimate interest (and the Data Subject can always object to the processing of their personal data for direct marketing purposes, including profiling related to such marketing);
• Data portability (if the processing is based on consent or a contract and carried out by automated means, upon request, the Data Subject will receive their personal data in a structured, commonly used, and machine-readable format and can transmit it to another Data Controller, without hindrance from the original Data Controller, and, if technically feasible, request that this transmission be made directly from the original Data Controller);
• Withdrawal of consent (if processing is based on consent from the Data Subject, they may withdraw their consent at any time, without affecting the lawfulness of processing carried out before the withdrawal);
• Filing a complaint with the supervisory authority (Data Protection Authority - Garante Privacy). The Garante for the Protection of Personal Data can be contacted through the details on the Authority's website “www.garanteprivacy.it”).

EXERCISING RIGHTS The Data Subject may exercise their rights by submitting a request to the Data Controller via the following email: privacy@fmach.it, or through the other contact details of the Data Controller mentioned above.

The Data Controller may modify or update the contents of this notice in whole or in part, also in light of any changes to data protection regulations. Data Subjects are therefore invited to consult this page regularly to stay informed about processing activities.