INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO EU REGULATION
Pursuant to and for the purposes of Articles 13 and 14 of EU Regulation 2016/679, General Data Protection Regulation (hereinafter, the “GDPR”), we inform you that Wora S.r.l., with registered office in Via Alberico Albricci 8, 20122, Milan (MI), Tax Code and VAT number 11446000967 (hereinafter, the “Company”), will process, as “data controller” of the processing, some personal data concerning you (if you are an individual entrepreneur or a professional) or your contractual representatives, managers, partners, administrators and, in general, your staff, collected and processed within the scope of the services offered by the Company (hereinafter, the “Wora Services”) through the application for mobile devices (hereinafter, the “Wora App”), which allows both the individual entrepreneurs or the professionals, as clients of the Company that downloads Wora App, to manage and organize products’ transportation services for the benefit of their final customers (hereinafter, the “Final Customers”).
- Collection of Personal Data
Personal data is any information referring to an identified or identifiable natural person.
Within the scope and context of the Wora Services and the use of the Wora App, the Company may collect and process certain personal data about you (hereinafter, collectively, the “Personal Data”), and in particular:
- Personal Data provided during registration for the Wora Services, such as name, surname, email address, password and cell phone number.
- Any Personal Data relating to the location of the product pickup location.
In addition, the Company collects and processes any Personal Data that originates from the device(s) on which the Wora App was downloaded and with which you use the Wora Services, including:
- Identifiers: unique identifiers, device IDs, and other identifiers.
- Device signals: Bluetooth signals and information about nearby Wi-Fi access points.
As part of the provision of the Wora Services, personal data of Final Customers, such as name, surname, address and telephone number, will also be collected through the Wora App. Such personal data will be processed by the Company in its capacity as data processor pursuant to Article 28 of the GDPR appointed by the client company, which is required to provide Final Customers with adequate information pursuant to Articles 13 and 14 of the GDPR.
- Legal basis and purpose of Data processing
Personal Data will be acquired and processed by the Company as specified below:
- For the fulfilment of contractual and pre-contractual obligations:
- Performance of all activities necessary for the proper management and execution of existing contractual agreements and for the proper fulfilment of the Company’s obligations in this regard and, in general, the full provision of the Wora Services.
- Purposes strictly connected and/or necessary to the satisfaction of requests that may be made from time to time to the Company, in light of contractual agreements in force.
- For the fulfilment of a legal obligation:
Purposes connected with the obligations provided for by applicable laws, regulations and Community legislation, as well as provisions issued by authorities empowered to do so by law and by supervisory and control bodies.
- On the basis of a legitimate interest of the Company:
- Communication of Personal Data, in anonymous form, to third parties and, for statistical and research purposes.
- To defend a right or interest of the Company before any competent authority or body, including expressly for the purpose of debt recovery.
- To carry out statistical analysis for the improvement of the services offered by the Company.
- Methods of processing Personal Data
Personal Data shall be processed by the Company in compliance with the GDPR and all applicable regulations in a lawful, fair, confidential manner and shall be carried out for specific, explicit, legitimate and not exceeding the aforementioned purposes, with manual, electronic and computer tools, including in the cloud, with logic strictly related to the aforementioned purposes, as well as, in any case, in such a way as to ensure the security and confidentiality of Personal Data through appropriate procedures that avoid the risk of loss, unauthorized access, misuse and dissemination of Personal Data.
- Provision of Personal Data and consequences in case of withdrawal of consent
The provision of Personal Data for the purposes set forth in paragraph 2 above is purely optional. However, since such processing is necessary for the provision by the Company of the Wora Services, failure to provide the Personal Data in question, in part or inexactly, may make it impossible, depending on the case, to use all or part of the Wora Services and, in general, to proceed with the contractual relationship established or established with the Company and/or to fulfil the obligations as provided for by the contract or by the applicable law or, again, to fulfil your specific requests, or in any case to pursue your legitimate interests (such as the defence of your rights in court).
- Authorized Persons and Recipients of Personal Data
Within the structure of the Company, your Personal Data will be processed – each one for what is strictly within its competence – by authorized subjects related to our management, commercial, administrative and technological functions. Each of these subjects will be expressly authorized to the treatment (under obligation of confidentiality or professional secrecy) as well as instructed about the correct treatment of Personal Data and their security.
Any IT service providers who may – for reasons of assistance, maintenance or rescue – come into contact with Personal Data will be expressly authorized by the Company and will operate under strict contractual constraints or as data controllers pursuant to Article 28 of the GDPR.
Likewise, the Company, in order to provide the Wora Services provided through the Wora App, will use third party technology providers.
For the purposes of achieving the purposes set out in this statement, your Personal Data may be communicated, including abroad, to the subjects or categories of subjects indicated below and always only in connection with the implementation of the purposes referred to in paragraph 1 above:
- Public authorities, administrations and/or bodies for the fulfilment of legal obligations, secondary or community regulations.
- Any suppliers, such as, for example, those in charge of transporting the products, subcontractors, business partners, collaborators in various capacities of the Company; these subjects may operate as autonomous data controllers or managers designated by the Company pursuant to Article 28 of the GDPR.
- External subjects who carry out specific tasks on behalf of the Company in Italy or abroad (such as, for example, certification of financial statements, invoicing and filing of invoices, shipping of documents and materials, insurance coverage, debt collection, professional legal, accounting and/or tax advice, crediting and/or debiting of fees). These subjects may act as autonomous data controllers or managers designated by the Company pursuant to Article 28 of the GDPR.
The intermediation service for sending and receiving electronic invoices to and from the Revenue Agency’s Interchange System as well as the electronic invoice storage service are entrusted to an external company appointed as data processor pursuant to Article 28 of the GDPR.
The list and identity of the data processors who process your Personal Data on behalf of the Company can be retrieved by contacting the Company at the contact details indicated in the paragraph of this policy.
Your Personal Data will not be disclosed.
- Transfer of personal data outside the EU
In carrying out the company’s activities as they are structurally or occasionally organized, your personal data may occasionally be transferred to subjects or companies located outside the EU or the European Economic Area (EEA). In these cases, or if the need arises to use other types of non-EU suppliers who have access to some of your personal data, the Data Controller will provide you with full information and will ensure that every measure (contractual or otherwise) is taken (including anonymization) that is appropriate and necessary to ensure an adequate level of protection of your personal data, in accordance with and in the manner indicated in Chapter V of the GDPR and, in any case, the current legislation on the protection of personal data. In any case, you can always request more information on the identity of non-EU third parties who may know/process your data and the activities carried out by them by making a request to the Data Controller, who can be reached at email@example.com.
Your Personal Data will be retained for the time strictly necessary for the timely fulfilment of the purposes set forth in paragraph 1 and to ensure the proper provision of the Wora Services, as well as the exact compliance with all civil and tax provisions, currently in force or that may come into force in the future, or, for cases where this is provided for, in the peremptory terms provided by law.
In particular, your Personal Data will be kept for the entire duration of the contractual relationship and, subsequently, for the maximum time provided for by the applicable legal provisions on the subject of prescription of rights and/or forfeiture of action and, in general, for the exercise/defence of the Company’s rights in disputes promoted by public authorities, public subjects/bodies and private individuals.
At the end of the period mentioned above, your Personal Data will be removed from the archives compatibly with the technical and back-up procedures or will be anonymized.
- Rights of the interested party
The GDPR grants data subjects the exercise of specific rights.
Therefore, within the limits of the processing of Personal Data conducted by the Company as described in this policy, you may exercise the following rights:
Right of access: you have the right to obtain confirmation as to whether or not processing is being carried out on your Personal Data and, if so, to access such data and specific information about the processing, such as the purposes, the categories of data being processed, the recipients or categories of recipients of the data, the retention periods (or the criteria underlying them), the existence of the right to request rectification or erasure, restriction or opposition to processing, the right to lodge a complaint with the Supervisory Authority and information as to the origin of the data; the existence or otherwise of an automated decision-making process concerning the data.
Right of rectification: you have the right to request and obtain the rectification of Personal Data concerning you and/or the integration of your incomplete Personal Data.
Right to erasure: you have the right to obtain the erasure of your Personal Data, without undue delay, if, inter alia, (i) such data is no longer necessary for the purposes for which it was collected, (ii) the consent that was the basis for the processing has been withdrawn (unless there is no other legal basis for such processing), (iii) you object to the processing of the data (as set out below) and there is no other overriding legitimate reason for the processing, or if you object to the processing of the data for marketing or profiling for marketing purposes, (iv) the data are processed unlawfully, (v) the data must be erased pursuant to a legal obligation. This right does not apply if the data processing is necessary, inter alia, for the fulfilment of a legal obligation or for the establishment, exercise or defence of legal claims.
Right of limitation: you have the right to obtain, in the cases provided for in Article 18 of the GDPR, the limitation of processing.
Right to portability: you have the right to receive personal data in a structured, commonly used and machine-readable format and to transmit them to another data controller in relation to cases where the data processing is based on consent or concerns special categories of personal data processed on the basis of consent or where the processing is based on the performance of a contract and such processing is carried out by automated means.
Right to object: you have the right to object at any time to processing based on a legitimate interest of the data controller, unless the data controller demonstrates compelling legitimate grounds for processing which override the interests, fundamental rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
You also have the right to lodge a complaint with the Supervisory Authority (whose webpage is the following: www.garanteprivacy.it) in the cases referred to in Article 77 of the GDPR, i.e., when you believe that your Personal Data is processed in violation of the provisions of the GDPR itself.
- Data controller and contact details
The data controller is the Company, i.e., Wora S.r.l., with registered office in Via Alberico Albricci 8, 20122, Milan (MI), Tax Code and VAT number 11446000967. You can contact the Company, as far as you are interested, at the following email address: firstname.lastname@example.org.