Data Protection notice for visitors to our website

Table of contents

  1. Introduction
  2. Data controller and contact details
  3. Data categories
  4. Purposes and legal bases
    1. 4.1 You visit our website
    2. 4.2 You use the contact form
  5. Data sources
  6. Necessity of the data
  7. Automated decisions
  8. Data recipients
  9. International transfers
  10. Retention periods
  11. Data subject rights
  12. Right to lodge a complaint
  13. Changes

1. Introduction

This data protection notice informs you about how your personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") when:

  1. you visit our website https://www.onboard.org or
  2. you use the contact form.

2. Data Controller and Contact Details

The data controller is:

onboard Srl
Dr. J. Köllensperger Street 10/B
39011 Lana (BZ)
South Tyrol / Italy
E-Mail: [email protected]

Our Data Protection Officer (DPO) can be contacted at [email protected].

3. Data categories

We may collect the following categories of personal data for the purposes set out below:

"log data": technical information that your browser automatically sends to the web server when you access our website, such as the IP address of your device, time of access, requested page or file, http status code (e.g. "200" for a successful request), amount of data transferred (in bytes), browser type and operating system.

"master data": any personal data such as first name and surname.

"contact data": any personal data such as business postal address, e-mail address and telephone number.

"employment data": any personal data relating to your job role with a client, such as job title, location or responsibilities.

"communication data": any personal data from communication with you, such as the content and timing of the communication.

4. Purposes and legal bases

We process personal data in the following cases:

4.1 You visit our website

When you visit our website, we process the log data in order to provide access to the website and ensure its stability and security. The legal basis is our legitimate interest in achieving these purposes (Art. 6(1)(f) GDPR).

4.2 You use the contact form

If you use the contact form, we may process your master data, contact data, employment data and communication data in order to process your enquiry and provide you with appropriate support. If you are the client, the legal basis is the performance of pre-contractual measures (Art. 6(1)(b) GDPR). If, on the other hand, you are acting on behalf of a client, the legal basis is our legitimate interest in achieving these purposes (Art. 6(1)(f) GDPR).

5. Data sources

The personal data is collected directly from you.

6. Necessity of the data

Providing your personal data is neither legally nor contractually required. However, certain master data, contact data, employment data and communication data are required so that we can process your enquiry via the contact form.

7. Automated decisions

There is no automated decision-making pursuant to Art. 22 GDPR.

8. Data recipients

If and to the extent necessary for one of the above-mentioned purposes, the following categories of recipients may become aware of your data:

  1. authorised employees (e.g. from the sales department);
  2. sales partners (e.g. agents), if this is necessary for further processing your enquiry;
  3. service providers who receive personal data as processors (e.g. IT service providers for website hosting).

9. International transfers

When you visit the website or use the contact form, personal data may be transferred to the USA and the United Kingdom. These countries benefit from an adequacy decision by the European Commission, which provides that they offer an adequate level of data protection. For the United States, this is the EU-US Data Privacy Framework, which provides, among other things, for the registration of relevant recipients.

Where personal data is transferred outside the EEA for which such a decision does not exist, we will provide appropriate safeguards for data protection, e.g. by entering into European Commission standard contractual clauses, with additional safeguards where appropriate. For more information and to obtain a copy of these safeguards, please contact us (see contact details under point 2).

10. Retention periods

We retain log data (see point 4.1) for seven days, unless it has to be retained for longer in the context of criminal investigations by judicial authorities.

Personal data in connection with any enquiry (see point 4.2) will be retained for as long as is necessary for the relevant purpose. The maximum retention period depends on the following criteria:

  1. duration of the contact and support;
  2. limitation periods for the establishment, exercise and defence of legal claims in connection with the enquiry (Art. 2947 Italian Civil Code).

11. Data subject rights

As a data subject, you have the following rights:

  1. right of access (Art. 15 GDPR);
  2. right to rectification (Art. 16 GDPR);
  3. right to erasure/to be forgotten (Art. 17 GDPR);
  4. right to restriction of processing (Art. 18 GDPR);
  5. right to data portability (Art. 20 GDPR);
  6. right to object (Art. 21 GDPR).

Please note regarding the right to object (Art. 21 GDPR): If your data is processed on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to the processing at any time on grounds relating to your particular situation. In this case, we will no longer process your data unless (a) we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or (b) the processing is necessary for the establishment, exercise or defence of legal claims.

To exercise these rights, please contact us (see contact details under point 2).

12. Right to lodge a complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR). In Italy, this is the Garante per la protezione dei dati personali (GPDP) based in Rome.

13. Changes

We may change this data protection notice at any time.

 

Version: 22.01.2025