Data Protection Notice for our lients

Table of contents

  1. Introduction
  2. Data controller and contact details
  3. Datenkategorien
  4. Purposes and legal bases
    1. 4.1 You are interested in our products and services
    2. 4.2 We fulfil a contract with you
    3. 4.3 We inform you about our products and services
    4. 4.4 We maintain a partnership-based contact with you
    5. 4.5 You consent to other data processing
  5. Data sources
    1. 5.1 You are interested in our products and services
    2. 5.2 We fulfil a contract with you
    3. 5.3 We inform you about our products and services
    4. 5.4 We maintain a partnership-based contact with you
    5. 5.5 You consent to other data processing
  6. Necessity of the data
  7. Automated decisions
  8. Data recipients
  9. International transfers
  10. Retention periods
  11. Data subject rights
  12. Right to lodge a complaint
  13. Changes

1. Introduction

This data protection notice informs you about how your personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") when you are our potential or current client and:

  1. you are interested in our products and services;
  2. we fulfil a contract with you;
  3. we inform you about our products and services;
  4. we maintain a partnership-based contact with you; or
  5. you consent to other data processing.

2. Data controller and contact details

The data controller is:

onboard Srl
Dr. J. Köllensperger Street 10/b
39011 Lana (BZ)
South Tyrol / Italy
E-Mail: [email protected]

Our Data Protection Officer (DPO) can be contacted at [email protected] .

3. Data categories

We may collect the following categories of personal data for the purposes set out below:

"master data": any personal data such as first name and surname

"contact data": any personal data such as business postal address, e-mail address and telephone number.

"communication data": any personal data from communication with you, such as the content and timing of the communication.

"contract data": any personal data in connection with contracts, such as contract numbers, products and services purchased (including support services), terms, conditions, queries and complaints.

"tax and billing data": any personal data required to fulfil tax obligations and to process payments, such as tax number, VAT identification number, bank details, invoice and payment data.

4. Purposes and legal basis

We process personal data in the following cases:

4.1 You are interested in our products and services

If you contact us (e.g. by e-mail or telephone) or if we get in touch in other ways (e.g. at a trade fair) because you are interested in our products and services, we may process your master data, contact data, communication data, contract data, tax and billing data in order to process your enquiry and prepare a contract. The legal basis is the implementation of pre-contractual measures (Art. 6(1)(b) GDPR).

4.2 We fulfil a contract with you

If you have concluded a contract with us, we process your master data, contact data, communication data, contract data and tax and billing data. We need this data in order to perform all tasks required to fulfil the contract. This includes, for example, communication with you, the delivery of products and services, customer support, billing, receivables management, the processing of enquiries or complaints, as well as the establishment, exercise or defence of any legal claims. The legal basis is the fulfilment of the contract (Art. 6(1)(b) GDPR).

4.3 We inform you about our products and services

We may process your Master Data, Contact Data and Contract Data in order to inform you about our products and services if you have either given your consent or it is clear from an existing business relationship or similar circumstances that you may be interested. The legal basis is therefore your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future, or our legitimate interests in direct marketing (Art. 6(1)(f) GDPR).

4.4 We maintain a partnership-based contact with you

We may process your master data, contact data, communication data and contract data in order to send you Christmas cards or other greeting cards if we assume that you would appreciate this. The legal basis is our legitimate interest in maintaining a collaborative relationship with our clients (Art. 6(1)(f) GDPR).

4.5 You consent to other data processing

We may also process your personal data for other purposes if you have given us your consent to do so in individual cases. The legal basis for this is therefore your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future.

5. Data sources

The sources of personal data differ depending on the purpose for which they are collected, as follows:

6. Necessity of the data

Providing your personal data is neither legally nor contractually required. You are not obliged to provide us with your data. If you do not wish to provide us with your data, you will not be able to use the app.

7. Automated Decisions

There is no automated decision-making pursuant to Art. 22 GDPR.

8. Data recipients

If and to the extent necessary for one of the above-mentioned purposes, the following categories of recipients may become aware of your data:

  1. management, supervisory board and authorised employees (e.g. employees from the areas of sales, customer service, accounting or information security);
  2. sales partners (e.g. commercial agents), if this is necessary for further processing of your enquiry;
  3. service providers who receive personal data as processors (e.g. IT service providers for hosting and CRM);
  4. service providers who receive personal data as independent controllers (e.g. lawyers, business consultants, auditors, insurance companies);
  5. public authorities, e.g. if we are obliged to transmit tax and accounting data to the tax authorities, in which case such a transfer is based on a legal obligation (Art. 6(1)(c) GDPR).

9. International transfers

In principle, we do not intend to transfer personal data to recipients outside the European Economic Area (EEA) or to international organisations, unless this is necessary in the context of our contractual relationship. However, when using certain IT services, personal data may be transferred to countries outside the EEA, in particular to the USA, the United Kingdom and Switzerland. These countries are subject to an adequacy decision by the European Commission, which states that they offer an adequate level of data protection.

Where personal data is transferred outside the EEA for which such a decision does not exist, we will provide appropriate safeguards for data protection, e.g. by entering into European Commission standard contractual clauses, with additional safeguards where appropriate. For more information and to obtain a copy of these safeguards, please contact us (see contact details under point 2).

10. Retention period

The personal data is retained for as long as is necessary for the respective purpose. The maximum retention period depends on the following criteria

  1. duration of the contractual relationship and post-contract phase;
  2. accounting and tax retention obligations (Art. 2220 Italian Civil Code);
  3. limitation periods for the establishment, exercise and defence of legal claims (Art. 2946 and 2947 Italian Civil Code).

11. Data subject rights

As a data subject, you have the following rights:

  1. right of access (Art. 15 GDPR)
  2. right to rectification (Art. 16 GDPR)
  3. right to erasure/to be forgotten (Art. 17 GDPR);
  4. right to restriction of processing (Art. 18 GDPR)
  5. right to data portability (Art. 20 GDPR)
  6. right to object (Art. 21 GDPR).

Please note REGARDING the right to object (Art. 21 GDPR): If your data is processed on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to the processing at any time on grounds relating to your particular situation. In this case, we will no longer process your data unless (a) we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or (b) the processing is necessary for the establishment, exercise or defence of legal claims. If your data is processed for the purpose of direct marketing, you have the right to object to the processing of your data at any time and without giving reasons. In this case, your data will no longer be processed for such purpose.

To exercise these rights, please contact us (see contact details under point 2).

12. Right to lodge a complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR). In Italy, this is the Garante per la protezione dei dati personali (GPDP) based in Rome.

12. Changes

 

Version: 22/01/2025