PRIVACY NOTICE PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679
(hereinafter the “Regulation” or the “GDPR”)
“Privacy AIngel”
The Italian Institute for Privacy and Data Valorisation (Istituto Italiano per la Privacy e la Valorizzazione dei Dati, hereinafter also referred to as the “Institute” or the “Controller”) considers the protection of privacy and personal data a priority objective of its activity.
With this notice, the Institute intends to provide clear and transparent information concerning the modalities according to which personal data are processed upon access to and use of the Privacy AIngel chatbot (hereinafter, “Privacy AIngel” or the “Service”), available at the website aingel.istitutoitalianoprivacy.it (hereinafter, the “Website”).
Privacy AIngel is an advanced conversational system based on generative artificial intelligence technologies, developed with the objective of fostering the understanding of issues related to personal data protection and privacy rights. The tool is designed to assist users in clarifying doubts, enhancing awareness of the regulatory framework governing the processing of personal data, and facilitating immediate and simplified access to legal concepts that are often complex.
For the purposes of applicable legislation, “Personal Data” shall mean any information relating to an identified or identifiable natural person. An individual is deemed identifiable where he or she can be identified, directly or indirectly, by reference to identifiers such as name, identification number, location data, online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
This privacy notice is provided exclusively in relation to the Privacy AIngel service, accessible via the website aingel.istitutoitalianoprivacy.it, and shall be deemed supplementary to the privacy policy available at www.istitutoitalianoprivacy.it, which shall be referred to for all matters concerning the processing of personal data through the Website and not expressly covered herein.
1. Data Controller
The Data Controller is the Italian Institute for Privacy and Data Valorisation (Istituto Italiano per la Privacy e la Valorizzazione dei Dati), with registered office at Piazza San Salvatore in Lauro 13, 00186 – Rome, VAT No. 11129771009, Tax Code 97506750583.
For any request or information, the Controller may be contacted at the following electronic mail address: info@istitutoprivacy.it.
2. Personal Data Processed and Source of the Data
The Institute hereby informs you that the use of the Privacy AIngel chatbot system, made available via the Website, entails the collection and processing of personal data relating to you. In particular, by interacting with Privacy AIngel (for instance, by inputting prompts and questions in the interaction bar), the Controller collects the IP address of the device you use to access the Website and to interact with the chatbot.
It is specified that, within the context of inserting requests or prompts in the input bar of Privacy AIngel, it is not necessary to provide personal data. You are therefore invited not to enter personal data in the requests and prompts typed into the input bar, and in particular not to disclose any data belonging to special categories pursuant to Article 9 of the Regulation. Should such data be entered inadvertently, they shall be processed according to the modalities and within the limits set forth in this notice.
The personal data are collected directly from you at the time of your use of the Privacy AIngel chatbot.
The Website does not make use of cookies or other tracking tools, including those of a technical, analytical or profiling nature.
3. Purposes of the Processing, Legal Bases and Nature of Provision
The personal data provided by you shall be processed for the following purposes:
a) to enable access to and use of the Privacy AIngel chatbot service, which is based on generative artificial intelligence and made available through the Website, as well as to ensure its proper functioning, to monitor its performance, and to detect any malfunctions or instances of improper use of the system.
The legal basis for the processing of personal data for the aforementioned purpose shall be found in Article 6(1)(b) of the GDPR, insofar as the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. Specifically with regard to the access to and processing of the IP address, the processing is also based on Article 122(1) of Legislative Decree No. 196/2003 (“Privacy Code”) (“[…] technical storage or access to information already stored […] to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such service”) and on Article 5(3) of Directive 2002/58/EC (“e-Privacy Directive”), as the processing is necessary to provide the chatbot service requested by the data subject.
The provision of personal data for the purpose outlined above is optional, but in some instances may be necessary for the provision of the Service. In particular, the processing of the IP address of the device used is necessary to enable the activation and provision of the Service, and in its absence the Controller may be unable to provide the requested chatbot service.
It is specified that personal data collected shall not be used for the training of the artificial intelligence models underlying the Privacy AIngel chatbot.
The Service does not provide legal advice, professional consultancy, or personalised assessments and cannot be regarded as a substitute for such services.
Once provided, personal data may also be processed for the following purposes:
- to comply with any legal obligations established by applicable laws, regulations or European Union legislation to which the Controller is subject, or to respond to requests from competent authorities, pursuant to Article 6(1)(c) of the GDPR;
- to establish, exercise or defend a legal claim before a court or whenever the judicial authorities exercise their jurisdictional functions, pursuant to Article 6(1)(f) and Article 9(2)(f) of the GDPR.
4. Data Retention
Your personal data shall be collected and stored in compliance with the principles of data minimisation and storage limitation set forth in Article 5(1)(c) and (e) of the GDPR, ensuring the adoption of security measures to prevent data loss, unlawful or improper use, and unauthorised access.
Personal data processed for the purposes set out in paragraph 3, letter a) of this notice shall be retained for the time strictly necessary to fulfil said purposes. Specifically, the IP address shall be deleted within 24 hours of collection; after such period, the Controller has established that your personal data shall be automatically erased. The Controller nonetheless reserves the right to retain the data for the time necessary to comply with any legal obligation to which it is subject or to meet any defence needs. Specific security measures are adopted to prevent data loss, unlawful or improper use, and unauthorised access.
For further information, a written request may be submitted to the Controller using the contact details provided in paragraph 1 of this notice.
5. Data Recipients
The Controller may share personal data with the following categories of recipients (hereinafter, the “Recipients”):
I. Data Processors: personal data may be communicated to third parties acting on behalf of the Controller in the capacity of data processors, pursuant to Article 28 of the GDPR. These entities operate within the scope of services necessary to ensure the proper functioning of the Website and the Service, including, by way of example but not limited to, development, technical maintenance, IT support and assistance.
In particular, you are hereby informed that the Privacy AIngel chatbot is based on the generative artificial intelligence system provided by OpenAI, Inc., through the OpenAI Platform API service. Accordingly, any personal data entered in the prompts typed in the input bar may also be processed by OpenAI, in its capacity as data processor, solely for the purpose of delivering the requested Service and in accordance with the instructions issued by the Controller. The processing by OpenAI is governed by a specific data processing agreement drawn up in accordance with Article 28 of the GDPR. The content of said agreement, which complies with the GDPR requirements, is available at the following link: Data processing addendum | OpenAI.
The updated list of data processors may be requested from the Controller.
II. Entities acting as autonomous data controllers: data may be communicated to entities, bodies or authorities where such communication is mandatory under the law or in compliance with orders issued by competent authorities.
III. Persons authorised to process data: personal data may be processed by persons authorised by the Institute pursuant to Articles 29 of the GDPR and 2-quaterdecies of the Privacy Code, who have been duly instructed and are bound by appropriate confidentiality obligations (e.g. employees and collaborators of the Institute).
6. Transfer of Data Outside the EU
Personal data shall be processed and stored, in accordance with the principles of data minimisation and storage limitation set forth in Article 5(1)(c) and (e) of the Regulation, within the European Economic Area. Where necessary, data may be transferred to Recipients located in Third Countries outside the European Economic Area. In such cases, the transfer shall take place in compliance with the conditions set forth in Articles 44 et seq. of the GDPR, such as the adoption of Standard Contractual Clauses approved by the European Commission, the selection of entities adhering to international data transfer mechanisms, or entities established in countries recognised as adequate by the European Commission, in compliance with the Recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board. Further information on the data transfers performed and the safeguards adopted may be requested from the Controller using the contact details provided above.
7. Rights of the data subject
As a data subject, you may exercise your rights and/or request information regarding the processing of your personal data by contacting the Data Controller using the contact details referred to in paragraph 1 of this notice.
In particular, you may, at any time, exercise the following rights:
– Right to withdraw consent (Article 7 GDPR) – the data subject has the right to withdraw consent at any time for processing activities requiring such consent, without prejudice to the lawfulness of processing based on consent before its withdrawal;
– Right of access (Article 15 GDPR) – the data subject has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, if so, to receive information relating thereto;
– Right to rectification (Article 16 GDPR) – the data subject has the right to obtain the rectification of inaccurate personal data concerning him or her, and to have incomplete data completed;
– Right to erasure (Article 17 GDPR) – under certain circumstances, the data subject has the right to obtain the erasure of personal data concerning him or her from the Controller’s records;
– Right to restriction of processing (Article 18 GDPR) – upon the occurrence of specific conditions, the data subject has the right to obtain the restriction of processing of his or her personal data;
– Right to data portability (Article 20 GDPR) – the data subject has the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format, and to have such data transmitted to another controller;
– Right to object (Article 21 GDPR) – the data subject has the right to object to the processing of personal data concerning him or her, stating the grounds for the objection. The Controller reserves the right to assess such request, which may be rejected where compelling legitimate grounds for the processing exist that override the interests, rights and freedoms of the data subject;
– Right to lodge a complaint with a Supervisory Authority (Article 77 GDPR) – if the data subject considers that the processing of personal data relating to him or her infringes data protection law, including where the Controller refuses to comply with a request, the data subject may lodge a complaint with the Supervisory Authority of the Member State in which he or she habitually resides or works or in the place where the alleged infringement occurred. In any case, where the Controller refuses to comply, the reasons for such refusal shall be duly explained;
– Right to an effective judicial remedy (Article 79 GDPR).
