Privacy Policy

Serco Italia S.p.A., with registered office at viale della Tecnica 161, Cap 00144 (Rome, Italy) (“Serco” or the “Data Controller”), which can be contacted at the following email address support@onda-dias.eu, acting in its capacity of data controller is committed to protecting and respecting your privacy.

This privacy policy provides information to you about the basis on which any personal data we collect from you, or that you provide to us, will be processed by us if you are a client of the ONDA Services, as defined in the Agreement for the provision of ONDA Services (the “Agreement”), provided through the site www.onda-dias.eu (the “Site”). This privacy policy shall be read in conjunction with our cookies policy and the agreement for the provision of ONDA Services (the “Agreement”).

In this privacy policy, the terms “we”, “our”, and “us” are used to refer to the Data Controller responsible for your personal information.

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to the relevant contact above.

1. INFORMATION WE COLLECT FROM YOU

We will collect and process the following data about you from your use of our Site:

  1. Registration data and other information you give us. This is data about you that you give us when you register to use our Site, subscribe to any of the ONDA Services, use the ONDA Services provided by our Site (i.e. credit purchasing, creation of a virtual machine).The data you give us may include your name, e-mail address, billing information, details on payments and in case of companies the details of the company.
  2. Technical information. We also collect technical data, including the Internet protocol (IP) address used to connect your computer to the Internet, MAC addresses, traffic data, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and cookies, which will be collected in accordance with our cookies policy.

2. HOW WE USE YOUR INFORMATION

We use information held about you for the following purposes:

  1. to allow you to register to use our Site and use the ONDA Services such as purchase of a credit and creation of a virtual machine and therefore carrying out our obligations arising from any agreements entered into between you and us and to provide you with the information, products and services that you request from us;
  2. to carry out appropriate and necessary investigations and discharge our legal and regulatory obligations and duties, including to comply with (to the extent applicable):
        • the guidance of any relevant regulatory body;
        • the requirements of applicable legislation for the combatting of money laundering, fraud, terrorist financing, bribery, corruption, tax evasion, the provision of financial or other services to persons who may be subject to economic or trade sanctions; and
        • any other local laws, regulations, directions, codes of practice, circulars, orders notices or demands which may otherwise apply;

    (purposes from a) to b) are jointly defined as the “Contractual Purposes”)

  3. for fraud prevention purposes within the limits not already required by applicable laws as well as to defend or claim a right, also as part of court proceedings;
  4. for credit recovery procedures and credit assignment to authorized companies, also by means of third parties;
  5. for the completion of a potential merger, sale of assets or transfer of all or a material part of its business, by disclosing and transferring your personal data to the third party or parties involved in the transaction as part of the transaction;
    (purposes of letters c) to e) above are jointly referred to as “Legitimate Interest Purposes”)
  6. with your prior consent, to provide you with marketing communications by means of electronic and physical channels of communication about the services or products we offer and to run surveys;
  7. with your prior consent, to customize the ONDA Services and the marketing communications referred above on your preferences and habits.

(the purposes of letters f) and g) above are jointly referred to as “Marketing Purposes”).

3. LEGAL BASIS FOR THE PROCESSING OF YOUR PERSONAL DATA

Data protection laws require that we meet certain conditions before we are allowed to use your data in the manner described in this privacy policy. We take our responsibilities under data protection laws extremely seriously, including meeting these conditions.

The processing of your personal data is necessary with regard to the Contractual Purposes as it is essential:

  • for the performance of the Agreement between you and us. In order for us to fulfill our obligations under such contract, we will need to collect and process your personal data.
  • in order to comply with applicable guidance provided by any relevant regulatory body and the obligations under applicable legislation, including anti-money laundering/fraud legislation.

Failure to provide the data for the above purposes will unfortunately mean we cannot provide our services to you, as to allow you to use our service would mean we would be in breach of our legal obligations.

The processing of your personal data with regard to the Legitimate Interest Purposes of Section 2 letter e) is carried out pursuant to article 24, paragraph 1, letter d) of the Legislative Decree No. 196/2003 (the “Data Protection Code”) up to 24 May 2018, while the other processing activities for Legitimate Interest Purposes will not be performed up to that date. With effect from 25 May 2018, the processing activities for Legitimate Interest Purposes will be performed in compliance with article 6, letter f) of the EU General Data Protection Regulation 2016/679 (the “European Privacy Regulation”), for the pursuit of Serco’s legitimate interest to the detection of potential frauds, the recovery of debts towards to company and the performance of the economic activities referred therein, which is adequately balanced with your interest since the data processing is performed within the limits strictly necessary to their performance.

This data processing activity with regard to the Legitimate Interest Purposes is not mandatory and you can object to the data processing at any time through the modalities as per this Privacy Policy.

Finally, the data processing with regard to the Marketing Purposes is based on your prior consent. Such data processing is not mandatory however should you refuse to provide the relevant consent you will not receive marketing communications as per Section 2 letters f) and g). In any case, you can withdraw your consents at any time through the modalities as per this Privacy Policy.

4. HOW DO WE PROCESS YOUR PERSONAL DATA

Your personal data will be processed both electronically and/or manually, in any case in such a way as to guarantee the security, protection and confidentiality of the data, thanks to appropriate administrative, technical, personnel and physical measures against loss, theft and unauthorized use, disclosure or modification.

5. HOW LONG WE KEEP YOUR INFORMATION FOR

Your Personal data will be stored for the period necessary to fulfill the purposes for which the data was collected as outlined in this privacy policy. In any case the following retention periods will apply to the processing of your personal data for the purposes indicated below:

  1. data collected for Contractual Purposes and for Legitimate Interest Purposes is retained during the provision of the services plus a period of 10 years after the termination or withdrawal from the contract with us, except when the detention of the data is necessary to respond or to file a legal actions, upon request of the competent authorities or in compliance with the applicable laws;
  2. data collected for Marketing Purposes relating to the delivery of marketing communications and running of surveys is retained for the duration of the Contract and a subsequent period of 24 months;
  3. data collected for Marketing Purposes relating to the profiling of your preferences for marketing purposes is retained for a period of 12 months from the time they are collected.

6. DISCLOSURE OF YOUR INFORMATION

For the Contractual Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits as set below, outside of the EU: (a) third parties service providers entrusted with processing activities that provide hosting cloud services or assistance and advice to Serco, with special but not exclusive reference to technology (in particular, but not exclusively analytics and search engine providers that assist us in the improvement and optimisation of our site and other selected third parties), accounting, administrative, legal, insurance, IT matters; (b) affiliates; and (c) persons and authorities whose right to access personal data is recognized by law, regulations or provisions issued by legally empowered authorities. The abovementioned recipients will process personal data as data controllers, data processors or persons in charge of processing, depending on the circumstances.

For the Legitimate Interest Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits set below, outside of the EU: (a) third parties service providers entrusted with processing activities that provide services or assistance with reference to credit recovery procedures and credit assignments, (b) potential purchaser of Serco and the entities resulting from mergers or any other transformation involving Serco, (c) competent authorities.

For the Marketing Purposes, personal data may be transferred to the following categories of recipients located both within the EU and, within the limits set below, outside of the EU: (a) third parties service providers entrusted with processing activities that provide services or assistance with regard to the delivery of marketing communications.

The data processors appointed by Serco include OVH SAS. A complete list of the data processor is available upon request through the modalities as per this privacy policy.

7. YOUR RIGHTS

You have a number of rights under data protection law in relation to the way we process your personal data. These are set out below. You may contact us by sending a communication to the email address support@onda-dias.eu (or by contacting our DPO directly – details below) to exercise any of these rights, and we will respond to any request received from you within one month from the date of the request.

At any given time, you can exercise the following rights:

  1. to obtain from Serco confirmation of the existence of personal data and to be informed of its content and source, verify its accuracy and request its integration, update or amendment;
  2. to request the erasure, anonymization or restriction of the processing of personal data processed in breach of the applicable laws;
  3. to object in whole or in part, on legitimate grounds, to the processing of the data;
  4. to withdraw the consent to the processing of the data (if and to the extent such a consent is necessary).

In addition to the rights as indicated above when the European Privacy Regulation will become applicable from May 25th, 2018, you will have the right, in any given moment, to:

  1. request Serco to limit the processing of your personal data where:
    • you contest the accuracy of the personal data until Serco have taken sufficient steps to correct or verify its accuracy;
    • the processing is unlawful but you do not want us to erase your personal data;
    • Serco no longer needs your personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
    • you have objected to processing justified on legitimate interests, pending verification as to whether Serco has compelling legitimate grounds to continue processing.
  2. object to the processing of your personal data;
  3. request the erasure of your personal data without undue delay;
  4. receive an electronic copy of your personal data, if the you would like to port your personal data to yourself or a different provider, when Serco is relying upon your consent or the fact that the processing is necessary for the provision of the services and the personal data is processed by automatic means; and
  5. lodge a complaint with the relevant data protection supervisory authority.

THE DATA PROTECTION OFFICER

The data protection officer appointed by Serco pursuant to section 37 of the Privacy Regulation can be contacted at the following email address: dpo@serco.com. The data protection officer will take on his role from May 25, 2018.

CHANGES TO THIS PRIVACY POLICY

Any changes to this privacy policy in the future will be posted on this page, and where appropriate, notified to you by email. Please check back frequently to see any updates or changes to this privacy policy.

This policy was last reviewed and updated: June 2018