PERSONAL DATA PROCESSING NOTICE
UTU Pte Ltd, based in Singapore (398007) – 229 Mountbatten Road #01-01, Mountbatten Square, e-mail address firstname.lastname@example.org, and its subsidiaries (collectively, “UTU Group” or “UTU”) hereby inform Users that personal data collected and provided while browsing, consulting and using the UTU Website and App will be processed in accordance with applicable data protection laws.
UTU Group reserves the right to modify or update, in whole or in part, this document at any time at its discretion including to take into account changes in the provisions of laws and regulations relating to the protection of personal data and will notify Users of the Website/App of any such changes.
UTU Group informs Users that the content of this document does not apply to websites and apps owned or managed by third parties and declines any liability for any request and/or release of personal data to third party websites and in relation to the management of authentication credentials provided by third parties.
A. Data Controllers are the Companies of the UTU Group , including UTU Pte Ltd, UTU Technologies Pte Ltd, UTU Points Pte Ltd, UTU Tax Free Pte Ltd, UTU Rewards Pte Ltd, UTU Rewards S.r.l., UTU Rewards France SAS.
B. Data Protection Officer can be contacted at the following address email@example.com.
C. Information collection, use and disclosure
1. This Notice describes how UTU processes personal data collected, used, disclosed, shared and stored through its platforms managing the UTU Website www.utu.global and the UTU Application, by accessing the Website or downloading the App or while shopping in the UTU Tax Free Shops Members.
2. The data provided will be kept only for the time necessary to carry out the activities and to achieve the purposes specified below and further stored for the period provided for the fulfillment of legal obligations on Data Controllers or expressly permitted by laws and regulations in force for the protection of personal data or until the consent given for processing, where applicable, is withdrawn.
D. Type and source of personal data
1. Data provided by Users
UTU processes personal data provided by Users asking for information on UTU Tax Free services and products, registering on the UTU Website/App, purchasing UTU Tax Free services and products, creating an UTU account, asking for the activation of VAT refund procedures, filling in the customer form when shopping in UTU Tax Free Shops Members.
With regard to the services, products or functionalities asked by Users, from time to time personal data collected will relate to:
- identification data, such as first name, last name, date of birth, nationality, place of residence/domicile, mobile number, e-mail address, passport number and expiry date, credit/debit card details to start, enter and complete VAT refund procedures;
- registration and authentication data, such as creation and access to UTU Member account, for the successful registration to UTU Website/App and the use of its services;
- data on transactions, including date and time, amounts paid, payment instruments and expiry date, current account/credit card, e-mail address and other details relating to transactions, for delivering UTU products and services.
2. Data collected automatically
The computer systems and software procedures functional to the UTU Website/App acquire, during their operations, some personal data whose disclosure to UTU is implicit in the use of Internet communication protocols. This category of data includes: IP addresses, type of browser used, operating system, domain name and websites addresses, page visits, time of access, single page visit staying, analysis of internal path and other parameters relating to the operating system and Users computer/devices environment.
E. Purposes of data processing
1. Users personal data will be processed by UTU for the following purposes:
- to deliver UTU Tax Free services and products; to answer and give informations about the Website/App use and UTU Tax Free products and services purchasing; to manage Members account opening, access, cancellation and communicate with Users through the account; to commence VAT refund procedures in accordance with national tax laws; to manage the operation of the digital customs validation system, the administration and management of refunds, the optical or digital storage of FTFs (Tax Free Invoices); to provide administrative and accounting communications; to assist Users in managing UTU Tax Free services and products provided, while accessing UTU Website/App or while shopping in UTU Members Shops, in order to fulfill contractual obligations;
- to control and prevent the risk of fraud and the credit risk; to promptly report to the competent authorities any situation that may encourage abuse or illegal and improper use of the tax-free refund system, in compliance with the obligations of laws, regulations and the provisions of the Supervisory and Control Authorities;
- to ensure, within the legitimate interest of the UTU Group, the compliance with the Website/App use terms, the security of the UTU Website/App and its Users, the protection of the rights and/or assets of the UTU Group Companies; to ensure the management, maintenance and control of the proper functioning of UTU Application and Website;
- to comply with the obligations stated by accounting, tax and anti-money laundering Laws and the other obligations stated by national and international laws and regulations on VAT refund and on protection of personal data, in force and later into force;
- to use the personal data in court or in the previous steps in the event of an establishing lawsuit against Users illecit use of the Website/App or the related services; to investigate the liability in the event of any computer crimes against the Website/App, in order to protect the rights and legitimate interests of the UTU Group.
The provision of personal data for the above purposes is essential to provide the services or products requested or to allow the access to the functionality required, so the personal data are necessary for the exact fulfillment by UTU of contractual obligations, for the proper application of laws provisions and regulations, for the exercise of its legitimate interests. Failure to enter such data may result in the inability to complete the registration as a User or the inability to receive such services or products or to benefit from the functionality required.
2. In order to improve its services and products, UTU may process Users personal data as following:
- for marketing purposes: to send Users, with prior consent, promotional information on the services and products of UTU Group and/or third parties (by mail, e-mail, SMS, via internet, newsletter, other electronic means), to verify the degree of Users satisfaction, to communicate commercial promotions and special offers on products and services that may be of interest to Users, to carry out surveys or market research, including direct marketing using the results of analysis;
In the event of explicit consent to the purposes described above (marketing and profiling), personal data will be made visible and stored in a single computer file for managing customer relations, so-called Customer Relationship Management (CRM) and Customer Service accessible to all Group Companies, so the updating, rectification and/or deletion of data provided will have effect for all the UTU Group Companies.
Each of the above activities and communications may be carried out only upon a specific consent which can be explicited by ticking or Opting in at consent boxes.
Such consents shall be optional and can be always withdrawn by writing to the following address firstname.lastname@example.org. It is therefore understood that any refusal of one or more of these consents does not affect in any way the establishment and the management of the contractual relationship and the requested services and products providing.
Users have the right to object at any time to the processing of personal data for direct marketing and profiling purposes.
F. Special categories of personal data – minors
1. It may happen that the UTU Group, in the performing of its activities and in the pursuit of the purposes listed above, must treat particular categories of data, such as data revealing gender, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, genetic data, biometric data intended to uniquely identify the person of the User, as well as personal data disclosing health, sex life or sexual orientation, for the processing of which a written expression of consent is required.
2. Failure to give consent to the processing of particular categories of data will make it impossible for the UTU Group to carry out the activities involving the processing. The particular personal data, so-called “sensitive”, will be processed until the User decides to withdraw the consent, except for the storage period for the performing of services agreement and under the provisions of laws and regulations.
3. UTU Group does not process personal data of individuals under the age of 18 years.
G. Methods of data processing
1. Personal data may be processed by UTU using paper, computer and digital tools, with organisational methods and with logic strictly related to the purposes indicated and, in any case, in a manner that guarantees safety, confidentiality, integrity and availability, in in accordance with the current provisions on the processing of personal data.
2. Within the UTU Group, personal data are accessible by any unit/entity that needs to process them in order to fulfil contractual obligations and/or legal obligations and to exercise legitimate interests. All data processing operations will be carried out by personnel appointed by the Data Controller and properly trained to comply with the provisions in force on data protection. The persons in charge of the processing of UTU are those persons, belonging to the staff of UTU, who materially provide for the processing of personal data under the supervision of the relevant Head of Internal sector. Personal data information may be received by third parties appointed by UTU Group to provide services to UTU Group for the provision of the services requested for by the Users.
H. Security measures
1. In accordance with the provisions on the protection of personal data, the UTU Group has implemented appropriate technical and operational measures adequate to ensure a level of security appropriate to the risk.
2. These measures include, in particular, ensuring the confidentiality, integrity and availability of data through the control of physical access, inclusion and disclosure. Furthermore, UTU Group undertakes to take account of data protection from the outset of the development or selection of hardware, software and technical procedures, in accordance with the principle of data protection by design and protection by default.
3. In this regard UTU informs all Users that the provided credit/debit card information are encrypted and tokenised upon successful verification and acceptance of Users credit/debit cards on the UTU App. Tokenisation is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. Thereafter, UTU will only use tokenised information to identify Users registered credit/debit cards on the UTU App. Tokenisation is generally not reversible by third parties (PCI DSS V3.2.1)
I. International Transfer of personal data
1. In order to operate a global business, UTU and its subsidiaries may process, transfer and store Users personal data within the Group Companies or with their services providers located in and outside the European Economic Area (EEA).
2. The management of databases, the processing of personal data and their storage are bound to the purposes for which such data are collected and processed and are carried out in compliance with the standards of confidentiality and security in accordance with the Laws and regulations in force on the protection of personal data applicable. To this end, UTU Group undertakes to implement all appropriate and necessary contractual measures and the due steps to ensure the adequate level of protection of Users personal data, where data protection laws may not be as comprehensive as the EEA.
J. Information Sharing
UTU will share personal information only with Users consent or as required or permitted by applicable laws, such as with:
- other UTU Group Companies and UTU appointed service providers whose responsibilities and business activities are defined in respective contracts with UTU;
- UTU Tax Free Services Shops Members;
- competent tax authorities, customs officers, national and international refund offices;
- services providers: for the processing and storage of personal data, for the management and application of anti-money laundering legislation; for banking, financial, insurance and credit card payment management, for the processing and storage of accounting and administrative documents;
- qualified consultants and professionals for auditing and certification of financial statements, debt collection management, tax and fiscal consultancy and assistance;
- judicial authorities and courts; regulatory authorities and governmental agencies;
- lawful recipients, including third parties in the event of mergers, acquisitions, sale of business for the trading activity.
K. Users Rights
With regard to the above described processing of personal data, Users have the right to:
- access to personal data, having confirmation that their data are being processed or not and, in this case, to request a copy;
- rectification of any inaccurate personal data or their integration if incomplete;
- erasure of personal data without undue delay where: personal data are no longer necessary for the purposes of processing; the given consent is withdrawn and there is no other legal ground for processing; personal data have been unlawfully processed;
- withdraw at any time any given consent, without prejudice to the processing based on consent given before withdrawal;
- restriction of processing personal data where the accuracy of personal data is contested; the processing is unlawful or objected;
- ask for data portability at any time and receive it in a structured commonly used and readable format;
- object at any time the processing of personal data based on Data Controller legitimate interest and/or the processing for marketing purposes, including profiling;
- lodge a complaint with the competent Guarantor Authority for the Protection of Personal Data.
The rights listed above can be exercised by writing to the following address email@example.com.