Information for Treatment of Personal Data of the ICOC-CERT Platform
powered by Artvise Ltd

DISCLOSURE PURSUANT THE REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Last update: April 2022

This Privacy Policy contains information concerning the treatment of your personal data by Commissione Internazionale permanente per lo studio degli Ordini Cavallereschi in pursuance and for the purposes of art. 13 of EU Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”).

Commissione Internazionale permanente per lo studio degli Ordini Cavallereschi (hereafter also ‘we’ or ‘ICOC’) respects your privacy and wants to help you understand how we collect, process and share your data.

We inform you that some activities could be carried out through suppliers, specifically appointed Data Processors, also residing outside the European Union.

1. Definitions

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

‘data subject’ means an identified or identifiable natural person (“you”).

2. Data controller

ICOC, Piazza Caiazzo 2, Milan (MI), Italy (registered office), Via Baronio, 14 - 47899 Serravalle, Republic of San Marino (secretariat), in the person of the pro tempore legal representative Pier Felice degli Uberti, Tax ID code: DGLPFL55B28B885G is the Data Controller of personal data collected in accordance to this Privacy Policy.

The Data Controller does not fall within the cases provided for by Art. 37 c. 1, for this reason no Data Protection Officer (DPO) has been appointed.

3. Categories of personal data processed

ICOC may process the following categories of data subjects’ data.

Information shared directly by you:

- Personal data: any information relating to an individual, identified or identifiable, even indirectly, by reference to any other information including a personal identification number; identification data, personal data that allow direct identification (such as but not limited to name, VAT number, address, email address, phone number, etc. and in particular, data relating to your family tree, the history of your family, coats of arms and membership of any order of chivalry, see art. 4, par. 1, no. 1 GDPR)

- Payment data: we use the paid services of Artvise Ltd, named external data processor, for the IT-technical work/certificate generation on documents and the recording of data on the blockchain. In order to use the services, the data processor may request personal data or extract it from the tools used, as described after.

Information from public and historical documents:

- We have these documents available within our offices or we request them under license from archives and other sources, to create the contents necessary for our analysis. In particular, your personal data are processed to request the chancelleries of Chivalry Orders to verify your belonging to them and to the Heralds. These documents may include public information about you.

Navigation data: the personal data acquired by computer systems and software procedures used to operate this Website or the Platform during their normal operation, whose transmission is implicit in the communication protocols of the Internet. This information is not collected to be associated with identified people; however, by their nature through processing and association with data held by third parties they may allow to identify users.

This category of data includes IP addresses or domain names of computers used by users connecting to the site, URI (Uniform Resource Identifier) ​​of requested resources, time of request, the method used to submit the request to the server, the file size obtained in response, the numerical code indicating the status of response from the server (successful, error, etc.) and other parameters regarding the operating system and computer environment. These data are used only to obtain anonymous statistical information about the website (most visited pages, number of daily visitors, geographical areas of origin, etc.) and to check its correct functioning and is deleted immediately after processing.

System logs: For needs related to operation and maintenance, this Platform and any third-party services may collect system logs, which are files that record interaction between computer systems – including navigation information – and which may also contain personal data, such as IP Address.

Navigation data aimed at profiling: supplied indirectly by the User through the use of the services, or obtained and analyzed following the User’s consent provided with the use of the Website or the Service.

4. Purposes of the processing

ICOC is a non-profit association that offers an historical analysis and research service for those who request it to fight the forgery of honors and to certify the family coat of arms and genealogy with the purpose of registering, thanks to blockchain technology, the Certificate of membership to an Order of Chivalry recognized by ICOC (the updated register can be downloaded from the footer of the Website), the Coat of Arms (provided it is already certified by a State King of Arms) and the genealogy to each entitled person, through this Platform.

Artvise Ltd, as external data processor and our Technology Partner, deals with the IT-technical work on User data and data recording thanks to blockchain technology for the services rendered by the ICOC-CERT Platform. The Certificate is cryptographically signed by ICOC-CERT and notarized on the Bitcoin network with OpenTimestamps. The validity of the issued certifications can be verified at any time through the mobile App, able to read the QR code, that embeds the encrypted signature, and thus displaying the authenticated document. Please read carefully the Terms and Conditions of ICOC-CERT powered by Artvise Ltd, available at the following link https://www.icoc-cert.com/terms-and-condition/, before accepting this Privacy Policy.

ICOC will process your personal data for the achievement of specific purposes and only in the presence of a specific legal basis provided for by the applicable law on privacy and protection of personal data. Your personal data may be processed, pursuant to art. 6 letters a), b), c) and f) GDPR, for the following purposes:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

• processing is necessary for the performance of a contract to which the data subjects is a party or in order to take steps at the request of the data subject prior to entering into a contract;

• processing is necessary to comply with a legal obligation to which the controller is subject;

• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

The following table lists the purposes for which your personal data are processed by ICOC and the legal basis on which the processing is based.

The provision of your personal data is necessary and your consent is mandatory. Your refusal could make it impossible for ICOC to implement the purpose for which the personal data are collected.

5. Modalities of the processing

The processing of your personal data is carried out using the modalities described in art. 4, no. 2 and in accordance with art. 32 of the GDPR. through automatic or manual methods.

6. Recipients of the data

In pursuance of artt. 28 and 29 of the GDPR, your personal data will not be disclosed, but may be communicated where necessary for the provision of the service to employees and collaborators of the Data Controller in Italy and abroad involving the data transfer outside Europe, or to other subjects appointed, if necessary, as Data Processors by ICOC for technical or organizational tasks. Data may be communicated also to third-party companies, associations (such as the Registers of Chivalry Orders) or other subjects providing assistance and advice appointed external data processors, if necessary.

Artvise Ltd Lumaneri House Blythe Gate, Blythe Valley Park, Solihull, West Midlands, United Kingdom, B90 8AH 12731513 is the external data processor.

Furthermore, your data may be communicated to competent authorities to execute the relevant laws and/or regulations, on request or when the communication is mandatory by law for the fulfilment of the mentioned purposes.

7. Data retention period

ICOC, in compliance with the principles of lawfulness, purpose limitation and data minimization, pursuant to art. 5 of the GDPR, keeps your data in GDPR compliant servers for the duration of your consent, the contract, or that other retention period as required by law (e.g., accounting requirements).

Below are the legal bases and the respective retention times of personal data:

a) Contract: for the entire duration of the contractual relationship;

b) Consent: as long as the consent is not revoked;

c) Legal obligation: for the entire duration of the contractual relationship and for the terms provided for by specific legal obligations;

d) Legitimate interest: as long as the data subject does not object.

8. Data transfer

Your personal data will be processed by ICOC in San Francisco, CA, United States.

We communicate your data outside the EU for purposes indicated in this Privacy Policy and we transfer some of the data collected to technical systems and services managed in the cloud and located outside the European Union area. The treatment is regulated by the California Consumer Privacy Act (CCPA) and in accordance with the provisions of Chapter V of the GDPR and authorized on the basis of specific decisions of the European Union. The proception of your data will therefore be guaranteed by: a) decision of adequacy of such third country as published by the European Commission; b) an adequate guarantee expressed by the recipient third party pursuant to art. 46 of the Regulation, in particular, application of binding corporate rules, so-called Corporate Binding Rules (BCRs) or standard data protection clauses approved by the Commission

9. Rights of data subjects

Pursuant to the GDPR, you can exercise some rights towards the Data Controller, such as obtaining from the Data Controller the cancellation of your data (right to be forgotten), the limitation, updating, rectification, portability, or right to oppose to the treatment of your personal data. More in detail, you can exercise the following rights (as set forth by articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR):

• to access to your personal data (article 15), i.e., confirmation of whether or not the processing of your personal data is being processed and, in this case, have access to the data;

• to demand, to the data controller, a correction (article 16) and/or integration of your personal data;

• to ask the data controller to delete your personal data (art. 17) without undue delay;

• to ask the data controller to limit the processing of your personal data (Article 18), i.e., to obtain a confirmation that the processing of your personal data is limited to what is necessary for storing purposes;

• to ask for data portability (article 20), that is to obtain in a structured common and legible format your personal data;

• to object to their processing (article 21) or, at any time, to oppose, for any reason connected with your particular situation, the processing of your data;

• with regard to automated decision-making processes (article 22), the right not to be subjected to a decision based uniquely on automated data processing without your explicit consent;

• to cancel your personal data (Article 17), i.e. the right to obtain, in the cases provided for by the Regulations, the cancellation of your personal data;

• to file a complaint with the Supervisory Authority (Article 77) for the protection of your personal data (for more info, please see www.garanteprivacy.it, email: garante@gpdp.it).

Furthermore, at any time, you may revoke the consent on which the treatment carried out is based. The withdrawal of your consent does not affect the lawfulness of the processing that took place on the basis of the consent given before the revocation.

10. More information about the exercise of your rights

Any request for information or clarification about your rights and their execution can be addressed to the Data Processor by sending:

• a registered mail to: ICOC, Piazza Caiazzo 2, Milan (MI), Italy (registered office), Via Baronio, 14 - 47899 Serravalle, Republic of San Marino (secretariat);

• e-mail: privacy@icoc-cert.com

11. Changes to information

The Data Controller reserves the right to modify, update, add or remove portions of this Privacy Policy at its discretion and at any time. The user should check it periodically. In order to facilitate the changes, it will be mentioned the date of such changes. Your use of the website, after the changes have been published will constitute acceptance of them.

Acceptance

By accepting this Privacy Policy, I, the undersigned, give my consent governed by art. 7 of the GDPR to the processing of my personal data listed in paragraph 4. The withdrawal of consent does not affect the lawfulness of the processing that took place on the basis of the consent given before the withdrawal.

Cookie Policy of www.icoc-cert.com

This document informs Users about the technologies that help this Application to achieve the purposes described below. Such technologies allow the Owner to access and store information (for example by using a Cookie) or use resources (for example by running a script) on a User’s device as they interact with this Application.

For simplicity, all such technologies are defined as "Trackers" within this document – unless there is a reason to differentiate.

For example, while Cookies can be used on both web and mobile browsers, it would be inaccurate to talk about Cookies in the context of mobile apps as they are a browser-based Tracker. For this reason, within this document, the term Cookies is only used where it is specifically meant to indicate that particular type of Tracker.

Some of the purposes for which Trackers are used may also require the User's consent. Whenever consent is given, it can be freely withdrawn at any time following the instructions provided in this document.

This Application only uses Trackers managed directly by ICOC (so-called “first-party” Trackers).

The validity and expiration periods of first-party Cookies and other similar Trackers may vary depending on the lifetime set by ICOC. Some of them expire upon termination of the User’s browsing session.

1. Activities strictly necessary for the operation of this Application and delivery of the Service

This Application uses so-called “technical” Cookies and other similar Trackers to carry out activities that are strictly necessary for the operation or delivery of the Service.

2. How to manage preferences and provide or withdraw consent

There are various ways to manage Tracker related preferences and to provide and withdraw consent, where relevant:

Users can manage preferences related to Trackers from directly within their own device settings, for example, by preventing the use or storage of Trackers.

Additionally, whenever the use of Trackers is based on consent, Users can provide or withdraw such consent by setting their preferences within the cookie notice or by updating such preferences accordingly via the relevant consent-preferences widget, if available.

It is also possible, via relevant browser or device features, to delete previously stored Trackers, including those used to remember the User’s initial consent.

Other Trackers in the browser’s local memory may be cleared by deleting the browsing history.

3. Locating Tracker Settings

Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses:

• Google Chrome

• Mozilla Firefox

• Apple Safari

• Microsoft Internet Explorer

• Microsoft Edge

• Brave

• Opera

Users may also manage certain categories of Trackers used on mobile apps by opting out through relevant device settings such as the device advertising settings for mobile devices, or tracking settings in general (Users may open the device settings and look for the relevant setting).

4. Owner and Data Controller

ICOC, Piazza Caiazzo 2, Milan (MI), Italy (registered office), Via Baronio, 14 - 47899 Serravalle, Republic of San Marino (secretariat), in the person of the pro tempore legal representative Pier Felice degli Uberti, Tax ID code: DGLPFL55B28B885G.

Owner contact email: privacy@icoc-cert.com

Given the objective complexity surrounding tracking technologies, Users are encouraged to contact the Owner should they wish to receive any further information on the use of such technologies by this Application.

5. Definitions and legal references

“Personal Data (or Data)”: any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

“Usage Data”: information collected automatically through this Application (or third-party services employed in this Application), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

“User”: the individual using this Application who, unless otherwise specified, coincides with the Data Subject.

“Data Subject”: the natural person to whom the Personal Data refers.

“Data Processor (or Data Supervisor)”: the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

“Data Controller (or Owner)”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.

“This Application:” the means by which the Personal Data of the User is collected and processed.

“Service”: the service provided by this Application as described in the relative Terms (https://www.icoc-cert.com/terms-and-condition) and on this site/application.

“European Union (or EU)”: unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

“Cookie”: cookies are trackers consisting of small sets of data stored in the User's browser.

“Tracker”: tracker indicates any technology - e.g Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting - that enables the tracking of Users, for example by accessing or storing information on the User’s device.

6. Legal information

This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).

This privacy policy relates solely to this Application, if not stated otherwise within this document.