INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO THE ARTICLES 13 AND 14 REGULATION (EU) 2016/679 (GDPR)

Lombardini22 S.p.A., as Data Controller, recognises the importance of the processing of personal data and invites the participant in the "Neuroscience Experiment" to read the following information carefully:

1. PERSONAL DATA CONTROLLER

Pursuant to the Article 4.7 of the GDPR, the Data Controller is the person who "determines the purposes and means of the processing of personal data". The Data Controller is: LOMBARDINI22 S.P.A., with registered office in Via Lombardini no. 22, 20143 Milan (MI), VAT no. 05505600964, e-mail info@lombardini22.com, T. +39 0236596200, F. +39 0283201397 (from now on also referred to as "Lombardini 22").

2. PERSONAL DATA PROTECTION OFFICER

The Data Protection Officer is a figure envisaged by the Article 37 of the GDPR to perform support and control, advisory, training and information functions in favour of the Data Controller. Lombardini22 S.P.A. has appointed BRIOLA&PARTNERS S.R.L., with registered office in Via Podgora n. 11, 20122 Milano (MI), P.IVA 10579350967, as DPO, with the contact person identified as AVV. MARIKA FARDO. The DPO can be reached at the following contacts: e-mail dpo@l22.it, T. +39 0255180585, F. + 39 0255182047.

3. TREATMENT CHARACTERISTICS

Lombardini22 is designing, on behalf of the Salone del Mobile in Milan, a new trade fair experience, easier in orientation and space usability. 

By means of EEG* (electroencephalography) Lombardini22 will observe the electrical activity of the brain and with ECGs will analyse the autonomic nervous system (heartbeat) of no. 100 participants in the experiment in order to record their neurophysiological reactions to the experience and, by means of neuroscientific tests, thus receive real-time information on how the space, the route and the stands affect the visit.  The data acquired through EEG, ECG and neuroscientific tests are anonymised as they are only associated with a session number attributed to the participant and not the participant's name.

The aim of the experiment is to understand whether the new exhibition layout generates better visitor experiences. Based on this aggregated data, the next editions of the Salone del Mobile.Milano will be planned!

The life cycle of data processing is as follows:

  1. registration of participants in the event, by means of a link to a reserved area of the Lombardini22 website, indicating their name, surname, e-mail address and company position;
  2. the aforementioned names, once collected, will be associated with 'session numbers' (e.g. Mr. Rossi = number 1 of 100), without the association key being recorded/stored;
  3. submission to the participants for their signature of the "Déclaration écrite de consentement à participer à l'étude" ("Written declaration of consent to participate in the study") required by the MySpace Research Centre, Department of Neuroscience, University of Lausanne;
  4. the experiment by Lombardini22, consisting of the collection of health data (brain waves, heartbeat) and impressions of the experience by means of an ECG bracelet, EEG helmet and neuroscientific testing of the data subjects. The data will be associated with the session number assigned to each subject in the previous phase;
  5. once the experiments are completed, the data from the devices used for the experiment, in the anonymised version, and the paper media (test and consent statement) will be saved on Lombardini's server22;
  6. transmission of the health data (in the anonymised version) and the 'Déclaration écrite de consentement à participer à l'étude' ('Written declaration of consent to participate in the study') completed and signed by each participant, via an FTP channel, to the University of Lausanne. The data can thus be downloaded by the Swiss scientists using the user name and password that Lombardini22 will communicate to them, for the purposes of data analysis (i.e. comparison between neurophysiological reactions and declared impressions of the experience);
  7. once the University of Lausanne has acquired the data, Lombardini22 will close the FTP channel opened for this purpose and the data will be permanently removed from the Lombardini22 server. The paper questionnaires will be securely removed;
  8. receipt of analysis results (i.e. anonymous aggregated data);
  9. transmission of health data (anonymous aggregated data) on websites, social networks, also shared with Salone di Milano.

4. LEGAL BASIS FOR PROCESSING

The processing of the aforementioned data will take place solely on the basis of the consent expressed by the participant in the event. Failure to give consent will prevent the execution of the experiment.

5. METHODS OF TREATMENT

Personal Data shall be processed in accordance with the principles of fairness, loyalty and transparency laid down in the applicable legislation on the protection of personal data and by protecting the confidentiality of the Data Subject through technical and organisational security measures to ensure an adequate level of security. The processing will be carried out by means of the operations or set of operations indicated in Article 4.2 of the GDPR. 

Below are the characteristics of the devices used:

  • EEG Helmet: Unicorn Hybrid Black The Unicorn Brain Interface is a consumer-grade biosignal amplifier kit. It allows developers, artists and makers to integrate signals from the human body into their designs, from simple signal visualisation to the design and control of attached devices and interaction with art installations, toys, computer programmes or applications and more. The Unicorn Brain Interface acquires EEG from eight Unicorn Hybrid EEG electrodes. The Unicorn Brain Interface consists of Unicorn Brain Interface Hybrid Black, Unicorn C Size M, Unicorn Hybrid EEG electrodes, Unicorn USB charging cable and a Unicorn Bluetooth dongle to acquire data on a computer. The Unicorn Suite is the software environment, consisting of standalone applications and APIs to interface the Unicorn Brain Interface, acquire and process data and run BCI paradigms.
  • EKG bracelet : Polar verity Sense Polar Verity Sense is a versatile, high-quality optical heart rate sensor that measures your heart rate from your arm or temple. You can record your workouts in the sensor's internal memory and later transfer the data to your phone or connect it to a compatible device and track your heart rate in real time during your workout. Polar Verity Sense transfers data via Bluetooth and ANT+. You can use the sensor with dozens of leading fitness apps, including the Polar Flow app, and with Bluetooth and ANT+ compatible training devices. You can transmit your heart rate simultaneously to two different Bluetooth receiving devices and as many ANT+ devices as you want.
  • Neuroscientific tests: STAI (State Trait Anxiety Inventory, BIG 5, Memory Tasks) on a paper stand.

6. IMPACT ASSESSMENT

The Data Controller conducts an Impact Assessment concerning the processing of health data acquired in the manner described above. In the event of unwanted access, data subjects could suffer a psychological impact from a sense of privacy violation. According to a prudential approach, Lombardini22 assessed that there are studies, albeit at an experimental stage, according to which it is possible to derive a unique parameter from the ECG (electrocardiogram) tracing - with the right tools - which can then be used to identify individuals in a safe and unambiguous manner. In view of future scientific developments that make this information technically 'biometric data', appropriation by non-legitimised parties may lend itself to fraudulent actions and compromise the effectiveness of systems based on biometric recognition using ECGs. 

However, the risk is limited considering (i) that the current use of ECG traces for identifying persons is minimal and (ii) that the data are acquired anonymously, so there is no association between the health data and a person's name. Moreover, the technical and organisational security measures employed greatly reduce the risk.

7. DATA RETENTION

The anonymised data acquired by means of an ECG bracelet, EEG helmet and neuroscientific testing are conversed until confirmation of their correct receipt by the University of Lausanne. Thereafter, they are securely deleted.

Lombardini22 does not record or store data on the association between the data subjects' identification data and session numbers. 

Lombardini22 retains common personal data (first name and surname, contact details) of experience participants until the end of the event and up to 24 months thereafter for marketing purposes (e.g. invitations to similar events).

8. COMMUNICATION AND DISSEMINATION OF PERSONAL DATA

Data acquired by means of an ECG bracelet, EEG helmet and neuroscientific testing, in any case in the anonymised version, are communicated to the University of Lausanne for the purpose of data analysis. The University of Lausanne is appointed External Data Processor in accordance with Article 28 GDPR. Personal data will in any case not be disseminated for advertising and/or marketing purposes, nor will it be sold, rented or transferred to unspecified third parties.

9. TRANSFER OF PERSONAL DATA ABROAD

The data (in an anonymised version anyway) are transferred to Switzerland. In the Report of 15 January 2024, the European Commission decreed that 'Swiss data protection law continues to meet European standards', so personal data can be transferred to Switzerland without the need for additional guarantees.

10. RIGHTS OF THE DATA SUBJECT TO PROCESSING

The Data Subject may exercise his/her rights vis-à-vis the Data Controller, using the following contact details available to the Data Protection Officer: dpo@l22.it, T. +39 0255180585, F. + 39 0255182047. In order to ensure the proper exercise of rights, he/she must make him/herself unequivocally identifiable. The Data Controller undertakes to provide feedback within 30 days and, should it be impossible to comply with these deadlines, to justify any extension thereof. The response will be free of charge except in cases of unfoundedness (e.g. no data concerning the interested party making the request) or excessive requests (e.g. repetitive in time) for which a fee may be charged not exceeding the costs actually incurred for the search carried out in the specific case. At any time you may exercise, pursuant to Articles 15 to 22 of the GDPR, the right to:

  1. request confirmation of the existence or otherwise of their personal data;
  2. obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed and, where possible, the storage period;
  3. obtain rectification and deletion of data;
  4. obtain restriction of processing;
  5. obtain portability of data, i.e. receive them from a data controller, in a structured, commonly used and machine-readable format, and transmit them to another data controller without hindrance;
  6. object to the processing at any time and also in the case of processing for direct marketing purposes pursuant to Article 130 of the Privacy Code;
  7. oppose automated decision-making concerning natural persons, including profiling.
  8. to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning him or her, or to object to their processing, in addition to the right to data portability;
  9. revoke consent at any time without affecting the lawfulness of the processing based on the consent given before revocation.

The data subject may also lodge a complaint with a supervisory authority if he/she considers that personal data are being processed in breach of data protection legislation.