top of page

Privacy Policy

Upsilala Studio
Data Protection Policy

a.    This Data Protection Policy sets out Upsilala Studio’s obligations when it processes personal data. It also sets out what Upsilala Studio’s employees and contractors must do when they handle Upsilala Studio personal data.
b.    This Policy applies to Upsilala Studio’s European operations and to others at Upsilala Studio who receive data from Upsilala Studio’s European operations. It also applies to Upsilala Studio’s operations outside Europe if they monitor individuals in Europe (for example for online advertising) or they intend to provide goods or services to individuals in the EU.



a.    Personal data is any information about an identifiable living individual. You may see documents which talk about “data subjects”: this is what data protection law calls individuals. An individual is identifiable where:
i.    Upsilala Studio holds clear direct identifiers – such as name, contact details and/or full postal address; and/or
ii.    It is reasonably likely that Upsilala Studio can identify the individual by other reasonable means. For example, where customer support can identify an individual by linking their name or customer reference number with their address and/or contact number.
b.    Online identifiers – such as cookie IDs and device IDs – are also covered by the law, as are, decisions made about individuals and subjective opinions held about people.
c.    Sensitive personal data is any information about health, religion, sex life or orientation, racial or ethnic origin, political opinions, trade union membership, genetic data or biometric data used to uniquely identify a person (such as fingerprints or facial recognition). Information about criminal convictions, or alleged criminal activity is governed by very similar rules, so where this Policy refers to sensitive personal data this also includes criminal offence data.
d.    Personal data may be collected in a variety of ways, such as: from recruitment agents, correspondence with employees, third party collaborations, and/or through existing customers.



Processing is any use that Upsilala Studio makes of personal data. This includes obtaining or creating personal data, amending it, storing it, sharing it, or even accessing, anonymising or deleting it.
Upsilala Studio must comply with the General Data Protection Regulation (“GDPR”) and laws such as the Italian Personal Data Protection Code. Upsilala Studio’s obligations under these laws are set out in this Policy.
All employees and, where applicable, contractors of Upsilala Studio must comply with this Data Protection Policy and any additional policies which Upsilala Studio introduces. Failure to comply with this Policy may result in disciplinary action. The Annexes to this Policy contain supplemental notes. 



Upsilala Studio follows these data protection principles when processing personal data:
a.    Lawfulness, Fairness and Transparency
Informing individuals how Upsilala Studio will use their personal data
i.    Individuals must understand how their personal data will be collected and used. When developing a new product or activity that will involve personal data, Upsilala Studio considers how individuals will be informed.
ii.    When Upsilala Studio collects personal data directly from individuals, it provides notice at the time of such collection.
iii.    When Upsilala Studio collects personal data from another source, it provides notice within a reasonable period, but no later than a month, after the data was obtained by Upsilala Studio. If Upsilala Studio intends to communicate with the individual, or disclose the data to a third party, then the information is provided no later than that communication or disclosure.
iv.    The privacy notice contains the information listed in Annex 1.
v.    Upsilala Studio ensures that privacy notices are: concise, intelligible, use clear and plain language, which is suitable for the audience; easily accessible; and provided in writing (which can include electronic means), unless the individual asks for the information to be provided orally.
vi.    If the purposes for processing personal data change, Upsilala Studio provides a further privacy notice before the new processing takes place.


Justifying all processing

i.    Upsilala Studio only processes personal data where it can meet one of the grounds for processing in the legislation. These include:

  • a.    The individual has given consent to the processing;

  • b.    The processing is necessary to perform a contract with the individual, or to take steps at the request of the individual before entering into a contract;

  • c.    The processing is necessary for compliance with a legal obligation to which Upsilala Studio is subject; or

  • d.    The processing is necessary for Upsilala Studio’s legitimate interests or those of a third party, unless the interests of the individual override those interests.

ii.    The Annexes have guidance on the relevant grounds for each Upsilala Studio business area.
iii.    Upsilala Studio does not process sensitive personal data. 

b.    Purpose Limitation

i.    Upsilala Studio only processes personal data for purposes which are legitimate and which Upsilala Studio has told the individual about, as part of the Transparency principle and in the Record of Processing.
ii.    Upsilala Studio must not process personal data for any incompatible purpose.

c.    Data Minimisation and Accuracy

i.    Upsilala Studio makes sure that personal data is adequate and relevant for the purposes for which it is processed and limited to what is necessary for the purpose of processing. Upsilala Studio does not collect more personal data than needed just because it may turn out to be useful later.
ii.    Upsilala Studio also makes sure that personal data is accurate and, where necessary, kept up to date; and takes all reasonable steps to correct or delete inaccurate personal data.

d.    Storage Limitation

i.    Upsilala Studio determines for how long it needs to process personal data for a particular purpose and only keeps personal data for this period. At the end of this period, Upsilala Studio erases the personal data, or ensures that the data doesn’t allow individuals to be identified.
ii.    Upsilala Studio maintains the personal data for not longer than 6 years.

e.    Integrity and Confidentiality

i.    Upsilala Studio keeps all the personal data it processes secure, and protected against ‘unauthorised or unlawful processing and accidental loss, destruction or damage’. It does this by implementing various security measures such as password encryption, multi-layer encryption, key locks, anti-virus protections, and monitoring procedures; and also implementing the measures which it imposes on its data processors.
ii.    Upsilala Studio also implements a data breach response programme so that it can log, remediate and report any data breaches as required by law. 

f.    Accountability

i.    Privacy by Design and Default: Upsilala Studio is able to demonstrate its compliance with this Policy and with applicable data protection law. Upsilala Studio ensures that privacy issues have been considered from an early stage in implementing services and procedures (privacy by design), and that, by default, only the minimum amount of personal data necessary is being processed (privacy by default). 

ii.    Data Protection Impact Assessment: In certain cases – high risk processing – Upsilala Studio may be required to carry out a data protection impact assessment (DPIA). A DPIA is a check conducted on a specific area of an organisation’s operations to identify and minimise non-compliance risks.

iii.    Record of Processing: Upsilala Studio is not required to keep a formal record of its processing activities.



Upsilala Studio deals promptly with requests from individuals to exercise their data protection rights. If you receive a request from an individual please forward it to
Individuals have the following rights:

  • a.    Access: to obtain (i) confirmation whether Upsilala Studio processes their personal data; (ii) a copy of the personal data (in a commonly-used electronic form, if the request is made electronically); and (iii) provision of supporting explanatory information.

  • b.    Portability: to request that their personal data is “ported” (i.e. transferred) to a specified third party, or to the individual him or herself, in a machine-readable and structured format (e.g. CSV files). There are exemptions – for example, this only applies to personal data which has been provided by the individual or collected automatically from the individual, which is held in digital format, and which Upsilala Studio processes with the individual’s consent or to fulfil a contract with that individual.

  • c.    Rectification: to request correction of inaccurate personal data.

  • d.    Objection: to object to: (i) processing for direct marketing purposes; (ii) profiling based on direct marketing; and/or (iii) processing based on Upsilala Studio’s legitimate interests.

  • e.    Erasure (a.k.a. the “right to be forgotten”): to request that personal data is erased in certain situations, for example, where: (i) the processing is based on consent and the consent is later withdrawn; or (ii) the individual has validly exercised a right to object and wishes the data to be erased.

  • f.    Restriction: to request that personal data is “restricted” (i.e. block/pause) whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.

  • Individuals also have rights not to be subject to decisions taken solely on the basis of automated processing of personal data of an individual (i.e. no human involvement in the decision) which produce legal effects, or have similarly significant effects, unless taking such decisions is permitted by law. There are limited exceptions to this. Upsilala Studio does not use automated individual decision-making technology. 


a.    Data processors are other organisations which process personal data on behalf of a controller. Upsilala Studio may appoint processors to help it process personal data (e.g. a payroll provider, Printify, Zoom and Stripe).
b.    When appointing any data processor to collect, store or use personal data on Upsilala Studio’s behalf, Upsilala Studio must:
i.    Before Engagement: Ensure that the data processor provides satisfactory assurances about their data protection practices; and
ii.    On Engagement: Sign the data processor up to specified data processing terms; and
iii.    Post Engagement: Confirm on an appropriate periodic basis that the assurances provided before engagement about their data protection practices remain valid.
c.    Where Upsilala Studio transfers personal data to data processors or data controllers which are based outside the EEA (which includes data processors accessing the personal data from outside the EEA), a data transfer mechanism is put in place unless that country has been deemed adequate by the European Commission. Please contact us if you suspect that personal data is being transferred outside the EEA, for example, as part of your team’s activities, a project you are involved in or a system that you use.



Upsilala Studio provides training on this Policy and Upsilala Studio’s other data protection-related policies, procedures and obligations to all employees and contractors when they join Upsilala Studio, and then on an annual basis. 



Upsilala Studio audits compliance with this Policy and other data protection-related policies; and will implement appropriate corrective actions to rectify any non-compliance. If you think that this Policy is not being complied with in any way at Upsilala Studio, please bring this to our attention.



Upsilala Studio is responsible for communicating changes to this Policy, and will also provide a brief explanation of the reasons for any notified changes to this Policy.



Upsilala Studio will publish this Policy and any other amendments to it at 

EFFECTIVE DATE: [20.02.24]

Contact: You can raise any questions or concerns in relation to this Policy by contacting: You should also contact us if you think you need an exception to a rule in this Policy. 


1.    Information which must be provided to individuals when collecting their personal data directly from them:
a)    The identity and the contact details of Upsilala Studio;
b)    The purposes and the legal basis for the processing;
c)    The legitimate interests of Upsilala Studio, where applicable;
d)    The recipients or categories of recipients of the personal data;
e)    Any international data transfers, including the location of any recipients and the methods used to ensure the adequate protection of those transfers (and how to obtain details of those methods);
f)    Data retention periods;
g)    Their rights under data protection rules;
h)    The process available to individuals to withdraw any consent;
i)    Whether the individual is obliged to provide the personal data and the possible consequences of failure to provide such data; and
j)    The existence of automated decision-making, including profiling, and the logic involved.

2.    Information which must be provided to individuals when collecting their personal data another source:
a)    All of the information stated in paragraph 1 of this Annex 1 above;
b)    The categories of personal data obtained from the third party; and
c)    The sources of the personal data – information must be as precise as possible (e.g. identify whether this source is a private or public source; and the type of organisation/industry/sector).




  1. Grounds for processing personal data

Upsilala Studio HR can collect and process personal data where it is necessary for the following purposes.

Type of data
New Ground for processing
Type of data
Ground for processing
Normal data: e.g. names, contact information, time schedule, job title, bank card details, audio and video recording etc. Essential and functional cookies: e.g. user-input, authentication and user-centric cookies etc.
Necessary to perform a contract
Artistic activities such as art coaching, promotional work, product development and sales etc.
Necessary to comply with a legal obligation and for exercising rights in the field of employment, social security and social protection law
Processing payroll data, administering benefits and pensions, processing payments, managing third party mobility, facilitation management, disciplinary procedures etc.
Newsletters, promotional material, conducting interviews and uploading video and audio material on social media platforms.
Legitimate interest
Debt recovery procedures, to ensure network and information security, and sharing data with collaborations for internal administrative procedures.

2. Transparency

Upsilala Studio has prepared privacy notices for applicants and employees.

bottom of page