Articles 12-13 of Regulation (EU) 2016/679 (GDPR)
|QCAST – QCAST SYSTEM / APPLICATION – OWNER_|
Via Risorgimento 33, 11020 – Nus (AO) – Italy
Field & Business HQ:
Via Monte Navale, 1, 10015 – Ivrea (TO) – Italy
VAT Number 01086580071
|Telephone (+39) 0165/1845290|
|Quintetto Srl (hereinafter also “Quintetto”) is a software design and development company that is part of the Special Register of “Innovative SMEs”, a public initiative of the Italian Ministry of Economic Development to promote the growth of technological innovation in all the productive sectors and increase the productivity and competitiveness of the Italian manufacturing industry.
Quintetto has obtained the qualification of “Innovative SME” by overcoming all the criteria established by the Ministry:
1. high incidence of R&D and innovation expenditure;
2. high presence of highly qualified personnel;
3. ownership of registered patents.
Quintetto is an entrepreneurial reality that carries out research and development in the field of advanced and innovative technologies of real-time multi-device communication, multi-channel streaming, artificial intelligence and holographic solutions, with the mission of making human integration ever more iOS the digital world, regardless of the scope of operation and activity carried out.
Quintetto is the home of QCast, a revolutionary multi-device, multi-channel streaming communication system.
WHAT IT IS AND HOW IT WORKS
QCast is a communication system that allows two-way communication of audio / video / data streams in real time between several people through the use of devices, such as smartphones, tablets, PCs and iOS-based devices, with the aim of:
- improve and enrich the exchange of audio / video data between people;
- allow interaction between people and process events produced within a corporate enterprise or generated in a monitored environment;
- allow interaction between process events.
Special attention in the development of QCast was paid to data security.
For the encryption of the data, open source components have been used in combination with modern encryption practices, so to reach the best balance between performance, packet size and security.
The data are combined, encoded and transmitted from the point of origin to the point of destination, where they are decoded and rendered via displays and speakers for immediate fruition of the users and / or redirected, and / or analysed and processed (by people, by IT applications, by artificial intelligence tools) and integrated into value-added applications providing specific outputs to process flow events.
For the architecture of QCast – real-time audio / video communication system specifically designed and developed for companies – Quintetto has developed a set of concepts, rules and practices that pave the way for a new paradigm shift that will help companies to meet their transformation needs by combining mobility, communication speed, interactivity, management of multiple contents while preserving the security and confidentiality of data.
The operation of QCast is ultra-secure: the internal hosting of the communication infrastructure makes all company data physically inaccessible.
THE QCAST APPLICATION
Part of the QCast software is a client APP – the QCast APP (hereinafter also “APP”) – which has to be installed on each device to make it compatible (that is QCast enabled) with all the audio / video content and data transfer mechanisms supported by the system.
Each node can operate simultaneously as a producer of real-time content and data, directly generated by the devices it controls (cameras, microphones, IoT, etc.) and / or as a retrieval of data and content available in real time on the Internet. The node is also enabled to the combining, transforming (if necessary) and assembling various contributions into a stream of data that is transmitted directly to the users’ nodes.
With QCast, a company can host the communication infrastructure on its own servers to have unique physical access rights to the personal data being processed.
The most modern cryptography techniques have been used in the design and implementation of QCast, based on widely used and appropriately configured open source components, according to the aim of adopting advanced IT protections and privacy by design / by default.
The choices adopted in the QCast software architecture had as their main objective that of obtaining maximum performance, complete control of the software components and security of the data.
The data flowing through the system are safe”, remain absolutely “private” and can only be saved on the Client’s devices. This statement holds true for the daily activities of companies and entities offering services.
From this point of view, the crucial element of the QCast system is the balance point between the security guaranteed by the security measures applied and the actual probability of potential attacks, obtaining the maximum performance on both fronts, without prioritising performance against protection or vice-versa.
Data security refers to the protection of data from unauthorized access, use, modification and disclosure. Individuals as well as businesses are in utter need of security measures to protect data from unauthorized access throughout the entire data lifecycle.
End-to-end communications within the QCast system are encrypted and technically inaccessible to malicious hackers. Also, if QCast is deployed at the Client site, it is NOT possible to access private information from the outside.
OBJECT AND PURPOSE OF PROCESSING
In QCast, all users belong to one or more domains and communications can only take place between users of the same domain, i.e. they are allowed to register as users belonging to and operating within the domain or domains generated by the direct relationship between Quintetto and the entity, company or structure that purchased QCast (hereinafter the “Client“). In this context, the same user can belong to multiple domains but only communicate within one domain at a time.
Given the above, following the download of the APP, registration to QCast can take place in two alternative ways:
- Provision of the following personal data from the Client to Quintetto: (i) name (mandatory), (ii) surname (mandatory), (iii) e-mail address (mandatory) and (iv) telephone number (optional), of the subject (natural person) who will be enabled to use QCast, within the domain activated by the Client. In this case, an access password with confirmation is generated – optional, only if you do not log in according to the following method 2.;
- Through the login credentials of Google or Facebook, directly by the subject (natural person) who will be enabled to use QCast within the domain activated by the Client.
QCast is supported by security protocols that make communications encrypted and recorded so that they cannot be recovered and decrypted in the future, and therefore remain protected from external attacks even if the certification authorities issuing the certificate have been compromised.
- For the use of QCast, therefore, Quintetto, in the first place, limits the processing of personal data to just the common personal identification data (name and surname) and e-mail, and possibly the telephone number of the users (natural persons) personal access credentials assignees, within a domain closed to the outside and operating only within the executing network of the Client who purchased the QCast system. Qcast can be only operated alternatively, on (i) servers owned by the Client or (ii) servers provided by Quintetto.
The mentioned processing is therefore carried out for the sole purpose of establishing and executing the QCast user license agreement (the “Contract”), or for the execution of all the specific services connected to the establishment and correct execution of the same Contract.
The communication of these common personal data is a necessary requirement for the establishment and execution of the Contract. For the lack of communication of these data, it will not be possible, therefore, to fully execute the Contract, and therefore to the establishment and execution of this contractual relationship.
- As for the data flows relating to audio / video communications generated and exchanged through QCast, it should be noted that the files transmitted are fully encrypted and are NOT saved or stored by Quintetto own servers or Quintetto’s servers providers.
As for the methods of processing personal data sub (1) and sub (2), Quintetto always operates as the data processor, i.e. processes the aforementioned data on behalf and on the instructions of the controller, who, in this case, is the Client, and therefore the body, company or structure that has purchased and uses QCast, according to the provisions of the Contract, in order to allow the execution of all the specific services connected to the establishment and correct execution of the existing contractual relationship as specified above, including system maintenance and updating activities.
Only if Quintetto processes personal data, for example, for the sole purposes of billing, administrative and accounting management, implementation of management systems and internal records, may it have to process, as data controller, personal data of subjects (natural persons) in their capacity of contact persons and service managers of the Client with whom it interfaces.
LAWFULNESS OF PROCESSING
The communication and processing of personal data indicated in the previous points (1) and (2), has as a prerequisite for the lawfulness of data processing provided for by art. 6, par. 1, letter b), of the GDPR, or to allow the execution of the Contract.
The processing of personal data will take place, in any case, according to principles of lawfulness, necessity, minimization, proportionality and correctness, and in such a way as to fully protect the confidentiality of the data, in compliance with the principles established by art. 5 of the GDPR.
METHOD OF PROCESSING
The personal data subject to processing carried out by means of the operations indicated in art. 4, no. 2), of the GDPR, are subjected by Quintetto exclusively to computerized and telematic processing, through the back-end service of the same QCast software, with technical and organizational methods such as to guarantee a level of security adequate to the risk pursuant to art. 32 of the GDPR, by specifically authorized and trained subjects, in compliance with the provisions of art. 29 of the GDPR, or to employees and / or collaborators of Quintetto in their capacity as authorized and / or designated subjects and / or system administrators, and / or by data processors (in the person of individual professionals and / or companies) who may perform the operations necessary to the configuration and operation of QCast, as well as the updating and maintenance of the QCast software (in any case without any access to the data stored locally by the Client), at the request of the Client, in full compliance with the provisions of the law aimed at ensuring the confidentiality and security of personal data as well as the accuracy, updating and relevance of the data with respect to the purposes and methods of treatment stated in this statement.
The security of the processing of personal data, pursuant to art. 32 of the GDPR, is ensured by the use of state-of-the-art cryptographic technology, with GCM operating mode with 128 bit key of encrypted session and exchanged over the network with RSA 2048 bit public key.
In order to allow the correct and complete functionality of QCast, the following services provided by third parties are adopted by Quintetto:
Firebase (Android) / APNS (iOS)
Management of the Cloud Messaging service on Android smartphones and APNS (Apple) on iOS smartphones to allow push notification (call alert when the user does not have the APP active or has the phone in stand-by mode);
The information provided by Google Analytics is used for the purpose of collecting statistical information collected by the APP limited to managed traffic, errors, and average latency.
The map management APIs are used to display the Google map within the APP.
The YouTube API is used to publish, with the user’s authorization via YouTube login, the live stream on their channel and to receive feedback messages, anonymously, when the stream is published.
The Facebook API is used to publish, with the user’s authorization via Facebook login, a live stream on the page related to the user, and to receive comments posted, anonymously, by other Facebook users.
Android / iOS
Access to cameras, microphone, data area
The APP asks for authorization to access the cameras, microphone and data area of the user’s smartphone. The user has the right to deny the authorization but, in this case, the services provided by the APP would not be usable by the user. Therefore, these authorizations are in fact mandatory to use the basic services provided by the APP.
The APP requires the optional authorization to allow the location of the smartphone to be geolocated. If the authorization is not granted by the user, the effect will be to not allow other users of the APP to locate the user’s position on the Google map, if the user is making a RTMP stream.
Access to the phone book
The smartphone application requires authorization to access the user’s phone book. The purpose of this request is to limit a list of users visible in the private address book managed by the App to users in common between the private address book and the telephone directory. The user has the right to deny this authorization, in which case the private address book will be displayed in its entirety, without any filter.
DATA COMMUNICATION SCOPE
In relation to the aforementioned purposes, the processed personal data may be communicated, by way of example but not limited to the following subjects and / or categories of subjects: subjects providing services for the management of the computer system and / or telecommunication networks (for example, e-mail providers and management of web portals and websites, cloud storage and hosting services, server farms); competent authorities and / or supervisory bodies for the fulfillment of legal obligations; accounting and tax consulting companies; companies and law firms for the protection of contractual rights; in general, subjects who operate such as data processors / other managers pursuant to art. 28, par. 4, of the GDPR, or in total autonomy as separate data controllers, in any case third parties (natural or legal persons) who perform or provide specific services functional to the execution of the contractual relationship in place, whose complete and detailed list is available, upon request, from Quintetto.
It should also be noted that the recorded live streaming and / or audio / video activities can be published and transmitted by users on the main streaming or video sharing platforms, such as Facebook Live, Google / Youtube Live, Instagram, Snapshot, Twitch, Vimeo etc., to whose policies and operating rules please directly you have to refer to .
Quintetto informs you that the servers on which the QCast software is supported are located in Italy, therefore within the European Economic Area / EU, and that it will not transfer the processed personal data to a third country outside the EU, nor to an international organization based outside the borders of the EU / European Economic Area. In the event that this should become necessary for any reason, Quintetto from now on ensures that the transfer of personal data will take place in compliance with the applicable legal provisions and, in particular, in accordance with articles 44 – 45 – 46 – 47 – 48 and 49 of the GDPR, and any other applicable laws.
DATA RETENTION PERIOD
In compliance with the principles of lawfulness, proportionality, necessity, minimization and limitation of purposes and data retention, pursuant to art. 5 of the GDPR, the retention period of personal data sub (1) is established for a period of time not exceeding the achievement of the purposes for which they are processed, or for the entire duration of the contractual relationship in question. At the end of the mentioned contractual relationship, the processed personal data will be immediately deleted from any database, application and / or computer archive, in which they were if necessary recorded and stored in order to ensure the proper functioning of QCast to the Client.
As for personal data under (2), only and exclusively in the event that Quintetto, in addition to the QCast software, also sells the network service on its own servers / its servers providers – the files (fully encrypted) are NOT saved or stored within the mentioned servers.
AUTOMATED INDIVIDUAL DECISION-MAKING AND PROFILING
Quintetto informs that, with regard to the processing of personal data as above specified,
- DOES NOT use automated individual decision-making processes, i.e. those aimed at making decisions solely based on technological means according to predetermined settings and criteria (i.e. without human involvement).
- DOES NOT carry out direct or indirect profiling activities, for marketing or other purposes, or aimed at using personal data to analyze or predict aspects concerning the natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements, etc. of the subjects to whom the data refer.
RIGHTS OF THE DATA SUBJECT
To the data subject – or to the subject, natural person, identified or identifiable, to whom the information / personal data being processed refers to – the GDPR recognizes the right to exercise the following rights within the limits specified below.
Except as indicated in the last two paragraphs of the previous chapter “OBJECT AND PURPOSE OF THE TREATMENT”, Quintetto, in order to always promote the full transparency of the methods of processing personal data aimed at the functioning of QCast, attends and assists the data controller exercising the rights of the data subject, as set out below by articles 15-22 of the GDPR.
Right of Access pursuant to art. 15 of the GDPR and Right of Rectification pursuant to art. 16 of the GDPR
The data subject, pursuant to art. 15 of the GDPR, has the right to obtain confirmation of the existence or otherwise of the processing of personal data concerning him, to obtain access to them and to all the information referred to in the same art. 15, paragraph 1, letters from (a) to (h), by issuing a copy of the data being processed in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The data subject, pursuant to art. 16 of the GDPR, also has the right to obtain the correction and / or integration of the data being processed if they are out of date and / or inaccurate and / or incomplete.
Right of erasure pursuant to art. 17 of the GDPR and right to restriction of processing pursuant to art. 18 of the GDPR
The data subject has the right to obtain, without undue delay, exclusively in the cases referred to in art. 17, paragraph 1, letters from (a) to (f), of the GDPR, the erasure of data concerning him – with the exception of the hypotheses specifically provided for by art. 17 paragraph 3.
The data subject, pursuant to art. 18 paragraph 1, letters from (a) to (d), of the GDPR, has the right to request and obtain the restriction of processing of their personal data, or that such data are not subjected to further processing and can no longer be modified, ensuring that the restriction of processing is implemented through appropriate technical devices that guarantee its inaccessibility and immutability.
Right to data portability pursuant to art. 20 of the GDPR
The data subject has the right to receive, pursuant to art. 20 of the GDPR, the personal data concerning him, the processing of which is carried out by automated means, in a structured format, commonly used and readable by an automatic device, and also has the right to transmit such data to another controller of the processing, or to obtain, where technically feasible, the direct transmission of such data to another specifically identified data controller.
Right to object to processing pursuant to art. 21 of the GDPR
The data subject has the right to object at any time, on grounds relating to his particular situation, to the processing of personal data concerning him pursuant to art. 6, par. 1, letters e) or f), including profiling, unless controller demonstrates the existence of compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him for these purposes, including profiling, to the extent that it is connected to such direct marketing.
The data subject also has the right to object to the processing of his personal data on grounds relating to their particular situation if they are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89, par. 1, of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
PROCEDURE FOR EXERCISING OF THE DATA SUBJECT’S RIGHTS
The data subject may exercise the rights listed above by means of a request to be sent by e-mail to the address firstname.lastname@example.org.
Quintetto will confirm receipt of the request and provide information relating to the action taken, with reference to the exercise of the rights provided for in Articles 15 to 22 of the GDPR, within 1 (one) month from the receipt of the request. If necessary and taking into account the complexity and number of requests, the deadline may be extended by 2 (two) months, subject to a motivated communication to be sent within 1 (one) month from the receipt of the request.
Quintetto will communicate any rectification, cancellation, limitation, opposition to all recipients, as identified by art. 4, par. 1, n. 9 of the GDPR, to which such data have been transmitted, unless this proves impossible and / or involves a disproportionate effort.
Following the sending of the request for rectification, cancellation, limitation, opposition, if Quintetto has reasonable doubts about the identity of the applicant, it will request further information to confirm it. Such communications will be sent by e-mail from the e-mail address email@example.com and will be processed by the person specifically authorized for the purpose.
In the event that the request is not complied with within the period indicated above, the data subject, duly informed of the reasons for the non-compliance, will have the right to lodge a complaint with the Supervisory Authority, as specified in pursuant to art. 13, paragraph 2, letter (d) and governed by articles 77 et seq. of the GDPR and 141 et seq. of the Legislative Decree 196/2003, as amended by Legislative Decree101/2018.
REGISTER of UPDATES
Summary of updates :
|Date of publication and update||Summary of updates|
|10/ April / 2021||Release of version 1.0|
|______ / ______ / 2021|
|______ / ______ / 2021|