Data Protection notice for mployess of our clients

Table of Contents

  1. Introduction
  2. Data controller and contact details
  3. Data categories
  4. Purposes and legal bases
    1. 4.1 You are interested in our products and services
    2. 4.2 We fulfil a contract with your employer
    3. 4.3 We inform you about our products and services
    4. 4.4 You consent to other data processing
  5. Data sources
    1. 5.1 You are interested in our products and services
    2. 5.2 We fulfil a contract with your employer
    3. 5.3 We inform you about products and services
    4. 5.4 You consent to other data processing
  6. Necessity of the data
  7. Automated decisions
  8. Data recipients
  9. International transfers
  10. Retention periods
  11. Data subject rights
  12. Right to lodge a complaint
  13. Changes

1. Introduction

This data protection notice informs you about how your personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") when you are employed by a potential or current client and:

  1. you are interested in our products and services;
  2. we fulfil a contract with your employer;
  3. we inform you about our products and services; or
  4. you consent to other data processing.

2. Data controller and contact details

The data controller is:

onboard Srl
Dr. J. Köllensperger Street 10/b
39011 Lana (BZ)
South Tyrol / Italy
E-Mail: [email protected]

Our Data Protection Officer (DPO) can be contacted at [email protected] .

3. Data categories

We may collect the following categories of personal data for the purposes set out below:

"master data": any personal data such as first name and surname

"contact data": any personal data such as business postal address, e-mail address and telephone number.

"employment data": any personal data relating to your job role with a client, such as job title, location or responsibilities.

"communication data": any personal data from communication with you, such as the content and timing of the communication.

4. Purposes and legal bases

We process personal data in the following cases:

4.1 You are interested in our products and services

If you contact us via the contact form on the website or by other means (e.g. by e-mail or telephone) or if we get in touch in other ways (e.g. at a trade fair) because you are interested in our products and services on behalf of your employer, we may process your master data, contact data, employment data and communication data in order to handle your enquiry and prepare a contract with your employer. The legal basis is our legitimate interest in such purposes (Art. 6(1)(f) GDPR).

4.2 We fulfil a contract with your employer

If we have concluded a contract with your employer, we may process your master data, contact data, employment data and communication data in order to carry out all tasks associated with the fulfilment of the contract and appropriate customer care. This includes, for example, communication with you, customer support, billing, receivables management and the processing of enquiries or complaints, as well as the establishment, exercise or defence of any legal claims. The legal basis is our legitimate interest in such purposes (Art. 6(1)(f) GDPR).

4.3 We inform you about our products and services

We may process your master data, contact data, employment data and communication data in order to inform you about our products and services if you have either given your consent or it is clear from an existing business relationship with your employer or similar circumstances that you or your employer may be interested. The legal basis is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future, or our legitimate interests in direct marketing (Art. 6(1)(f) GDPR).

4.4 You consent to other data processing

We may also process your personal data for other purposes if you have exceptionally and on a case-by-case basis given us your consent. The legal basis for this is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future.

5. Data sources

The sources of data vary depending on the purpose for which they are collected, as follows:

5.1 You are interested in our products and services

Your personal data is collected directly from you when you contact us or if we are in touch in other ways (e.g. at a trade fair). We may also collect your data from third parties (e.g. work colleagues, agents or other intermediaries) who are authorised to pass it on. In some cases, your personal data may also come from public sources (e.g. the register of enterprises).

5.2 We fulfil a contract with your employer

Your personal data is collected directly from you or from third parties, such as your work colleagues or other authorised persons. Third parties may also be commercial agents and other intermediaries who are authorised to forward data. In some cases, your personal data may also come from public sources (e.g. the commercial register).

5.3 We inform you about our products and services

Your personal data is collected directly from you or from third parties, such as your work colleagues or other authorised persons. Third parties may also be commercial agents and other intermediaries who are authorised to forward data. In some cases, your personal data may also come from public sources (e.g. the commercial register).

5.4 You consent to other data processing

Depending on your consent, we collect your personal data either directly from you or from third parties.

6. Necessity of the data

The provision of your personal data is not required by law or contract. You are not obliged to provide your personal data.

7. Automated decisions

There is no automated decision-making pursuant to Art. 22 GDPR.

8. Data recipients

If and to the extent necessary for one of the above-mentioned purposes, the following categories of recipients may become aware of your data:

  1. authorised employees (e.g. from the customer service);
  2. service providers who receive personal data as processors (e.g. IT service providers).

9. International transfers

In principle, we do not intend to transfer personal data to recipients outside the European Economic Area (EEA) or to international organisations, unless this is necessary as part of our contractual relationship. However, when using certain IT services, personal data may be transferred to countries outside the EEA, in particular to the United States. These countries are subject to an adequacy decision by the European Commission, which states that they offer an adequate level of data protection. For the United States, this is the EU-US Data Privacy Framework, which provides, among other things, for the registration of relevant recipients.

Where personal data is transferred outside the EEA for which such a decision does not exist, we will provide appropriate safeguards for data protection, e.g. by entering into European Commission standard contractual clauses, with additional safeguards where appropriate. For more information and to obtain a copy of these safeguards, please contact us (see contact details under point 2).

10. Retention period

The personal data is retained for as long as is necessary for the respective purpose. The maximum retention period depends on the following criteria

  1. the duration of the contractual relationship;
  2. accounting and tax retention obligations (Art. 2220 Italian Civil Code);
  3. limitation periods for the establishment, exercise and defence of legal claims (Art. 2946 and 2947 Italian Civil Code).

11. Data subject rights

As a data subject, you have the following rights:

  1. right of access (Art. 15 GDPR)
  2. right to rectification (Art. 16 GDPR)
  3. right to erasure/to be forgotten (Art. 17 GDPR);
  4. right to restriction of processing (Art. 18 GDPR)
  5. right to data portability (Art. 20 GDPR)
  6. right to object (Art. 21 GDPR).

Please note regarding the right to object (Art. 21 GDPR): If your data is processed on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to the processing at any time on grounds relating to your particular situation. In this case, we will no longer process your data unless (a) we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or (b) the processing is necessary for the establishment, exercise or defence of legal claims. If your data is processed for the purpose of direct marketing, you have the right to object to the processing of your data at any time and without giving reasons. In this case, your data will no longer be processed for such purpose.

To exercise these rights, please contact us (see contact details under point 2).

12. Right to lodge a complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR). In Italy, this is the Garante per la protezione dei dati personali (GPDP) based in Rome.

13. Changes

We may change this data protection notice at any time.

 

Version: 22/01/2025