Data Protection Notice for onboard app users

Table of Contents

  1. Introduction
  2. Data controller and contact details
  3. Data categories
  4. Purposes and legal bases
  5. Data sources
  6. Necessity of the data
  7. Automated decisions
  8. Data recipients
  9. International transfers
  10. Retention periods
  11. Data subject rights
  12. Right to lodge a complaint

1. Introduction

This data protection notice informs you about how your personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 ( "GDPR" ) when you use the onboard app for iOS or Android ( "app" ).

Please consider any other data protection notices you have received or will receive from the Data Controller (defined below) and contact that Data Controller if you have any further questions.

2. Data Controller and Contact Details

The data controller for the processing of personal data is the organisation that has authorised you to use the app ( "data controller" ). The exact details (including contact details) have already been provided to you by that data controller.

3. Data categories

The data controller may collect the following categories of personal data for the purposes set out below:

"master data": any personal data such as first name and surname

"contact data": any personal data such as business postal address, e-mail address and telephone number.

"employment data": any personal data relating to your job role with a client, such as job title,location or responsibilities.

"communication data": any personal data from communication with you, such as the content and timing of the communication.

4. Purposes and legal basis

The Data Controller processes your personal data to register you with the app, provide its functionalities, and enable its use. The legal basis is your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time with effect for the future by contacting the Data Controller.

5. Data sources

The personal data is collected directly from you.

6. Necessity of the data

Providing your personal data is neither legally nor contractually required. You are not obliged to provide us with your data. If you do not wish to provide us with your data, you will not be able to use the app.

7. Automated decisions

There is no automated decision-making pursuant to Art. 22 GDPR.

8. Data recipients

If and to the extent necessary for the purposes mentioned above, the following categories of recipients may become aware of your data:

  1. authorised employees;
  2. service providers who receive personal data as processors (e.g. Apple for iOS and Google for Android).

Please note that onboard Srl provides the app to the data controller by acting as a processor. onboard Srl may anonymise your data in order to analyse and improve its services. In this case and for this processing (i.e. anonymisation), onboard Srl acts as an independent data controller within the meaning of Art. 4(7) GDPR and you have the right to object. For further information, please refer to the relevant data protection notice anonymisation of onboard Srl .

9. International transfers

Your data may be transferred to the United States. Such transfer is based on the EU-US Data Privacy Framework.

10. Retention period

The personal data is retained for as long as is necessary for the respective purpose. The maximum retention period depends on the following criteria

  1. duration of the contractual relationship with the data controller;
  2. limitation periods for the establishment, exercise and defence of legal claims.

11. Data subject rights

As a data subject, you have the following rights:

  1. right of access (Art. 15 GDPR)
  2. right to rectification (Art. 16 GDPR)
  3. right to erasure/to be forgotten (Art. 17 GDPR);
  4. right to restriction of processing (Art. 18 GDPR)
  5. right to data portability (Art. 20 GDPR)
  6. right to object (Art. 21 GDPR).

Please note regarding the right to object (Art. 21 GDPR): If your data is processed on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to the processing at any time on grounds relating to your particular situation. In this case, the data controller will no longer process your data unless (a) they can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or (b) the processing is necessary for the establishment, exercise or defence of legal claims.

To exercise these rights, please contact the data controller (see point 2)

12. Right to lodge a complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).

 

Version: 22/01/2025