Privacy policy pursuant to Articles 13/14 Regulation (EU) 2016/679 (GDPR)
WeRoad S.r.l.
a company belonging to OneDay Group, which has its registered office in Milan, Viale Cassala, 30, 20143, Italy, Tax Code and VAT 10380820968
JOINT CONTROLLERS:
WeRoad Italia Srl
Viale Cassala 30, 20143, Milano, Italy – PIVA 12474100968
WeRoad UK Ltd
Alphabeta Building 18, Finsbury Square, London, England, EC2A 1AH
WeRoad France SAS
Rue D’Amsterdam 57, 75008, Paris, France – SIREN 917797789
WeRoad Viajes S.L.
Calle Escalinata 3, 28013, Madrid, Spain
WeRoad Germany GmbH
Rudi-Dutschke-Straße 23, 10969, Berlin, Germany
WeRoad Swiss Sagl
Via Lugano 13, 6982, Agno, Switzerland
(“Joint Controller”).
The Joint Data Controllers have signed a joint controller agreement, pursuant to Art. 26 of the GDPR, whose essential content can be viewed by interested parties upon request, to be sent by email.
Contacts:
CATEGORIES OF DATA PROCESSED
Personal Data
- Identification and contact data
- Data contained in the CV
- Data contained in the video presentation
- Data on the data subject’s skills
- Data inherent in the results of the Coordinator’s performance evaluation process*.
- Tax, banking and payment information*
- Professional image and profile, uploaded to our systems or on company materials and/or company social channels*
- Data shared in the personal presentation*
- Number of countries visited*
- Family members’ contact details*
Particular Data
- Special categories of data such as conditions of disability/inability, illness, pregnancy, accidents, health data referring to suitability for certain jobs, membership in protected categories etc.
(“Data”)
* for candidates who have passed the selection stage and become Coordinators.
1. COMPLIANCE WITH A LEGAL OBLIGATION
Purpose of Processing:
- For the fulfillment of obligations under the law, regulations and, in general, the legislation from time to time applicable to its relationship with WEROAD.
Legal Basis:
- The processing is necessary for the fulfillment of a legal obligation to which the Data Controller is subject (Art. 6(1)(c) GDPR).
Nature of the provision:
- Necessary to fulfill legal obligations. Refusal to provide the requested Data or its inaccuracy may result in the impossibility to establish and/or continue the relationship with WEROAD.
2. SELECTION AND EVALUATION OF THE APPLICANT’S PROFESSIONAL PROFILE
Purpose of Processing:
- To review the application
- To contact the applicant, including in the Group Interview and Bootcamp phases.
Legal Basis:
- The processing is necessary for the performance of a contract to which you are a party or for the execution of pre-contractual measures taken at your request (Art. 6(1)(b) GDPR).
Nature of the provision:
- Necessary. Refusal to provide the requested Data or its inaccuracy may result in your inability to be evaluated for a position by WEROAD.
3. RELATIONSHIP MANAGEMENT
Purpose of Processing:
- To ensure the training of the Coordinator;
- To establish, manage, and terminate the relationship with WEROAD;
- For any administrative and accounting requirements related to the relationship with WEROAD;
- To prepare documents and reports for business reasons, including evaluation reports.
- For example, for processing and payment of compensation, evaluation of your aptitude and professional performance, provision of training courses, travel and travel booking services, managing expense reports, and to know your availability.
Legal Basis:
- The processing is necessary for the performance of a contract to which you are a party or for the execution of pre-contractual measures taken at your request (Art. 6(1)(b) GDPR).
- With regard to any special data processed (e.g., food allergies), the legal basis is the consent of the Data Subject (Art. 9(2)(a) GDPR).
Nature of the provision:
- Necessary. Refusal to provide the requested Data or its inaccuracy may result in the impossibility to establish and/or continue the relationship with WEROAD.
4. SELECTION AND ASSIGNMENT OF TRIPS
Purpose of Processing:
- To check the availability of a Coordinator to be able to take part in a trip
- To select and assign a Coordinator to a particular trip and evaluate his/her suitability according to certain parameters
Legal Basis:
- The processing is necessary for the performance of a contract to which you are a party or for the execution of pre-contractual measures taken at your request (Art. 6(1)(b) GDPR) and the pursuit of the legitimate interest of the Controller for the allocation of travel rosters (Art. 6(1)(f) GDPR).
Nature of the provision:
- Necessary for the pursuit of the legitimate interest of the Controller which is fairly balanced with the legitimate interest of the Data Subjects, as the Data processing activity is limited to what is necessary for the smooth conduct of the relationship with WEROAD and in particular to check availability and to assign travel shifts to Coordinators.
- The selection is made via automated means only in the first screening phase; the final decision-making choice of assignment is made by WEROAD staff.
- The provision of Data is also necessary for the assignment of the trip to which the existing contractual relationship refers.
- This data processing activity is not compulsory, and the Data Subject may object to such processing at any time.
- The Data Subject can also always object to the decision concerning him/her and based on algorithmic processes, with the understanding that the same is also always evaluated by a member of the A&C Team.
5. EVALUATION AT THE END OF EACH TRIP
Purpose of Processing:
- To know the degree of satisfaction of participants in a trip
- To enable WEROAD to maintain the appropriate level of its services
- Evaluation is one of the parameters that is taken into consideration when assigning trips.
- In particular, WEROAD uses only partially automated processes. In fact, trip assignment is based on a number of parameters (including preferences, data entered by the Coordinator and evaluation). The final decision and trip assignment is made by the A&C Team.
Legal Basis:
- The processing is necessary for the pursuit of the legitimate interest of the Data Controller in the verification of the regular performance of work and for the best selection of Coordinators to be assigned to each trip (Art. 6(1)(f) GDPR). The legitimate interest of the Data Controller appears to be fairly balanced with the rights and interests of the Data Subject, and the impact resulting from the use of automated processes has been appropriately assessed by the Data Controller and deemed not to be detrimental to Data Subjects.
Nature of the provision:
- Necessary for the pursuit of the legitimate interest of the Data Controller which is fairly balanced with the legitimate interest of the Data Subjects, as the Personal Data processing activity is limited to what is necessary for the smooth execution of the relationship with WEROAD and for the execution of business operations.
- The processing is not mandatory and the Data Subject may object to the processing at any time. The Data Subject may also always object to the decision concerning him or her based on an algorithmic process, it being understood that the same is also always evaluated by a member of the A&C Team.
6. AUDITS AND ADVOCACY
Purpose of Processing:
- To verify the proper fulfillment of obligations under the agreement with WEROAD and the Coordinator’s conduct and compliance with company procedures in general;
- To verify and prevent illegal activities;
- To assert or defend a right, against the Data Subject or a third party, in judicial or extrajudicial proceedings, as well as in administrative proceedings or in arbitration and conciliation procedures in cases provided for by laws, Community legislation or regulations.
Legal Basis:
- The processing is necessary for the pursuit of the legitimate interest of the Controller in the verification of the regular performance of work and overseeing possibly unlawful acts (Art. 6(1)(f) GDPR).
Nature of the provision:
- Necessary for the pursuit of the legitimate interest of the Data Controller which is fairly balanced with the legitimate interest of Data Subjects, as the Personal Data processing activity is limited to what is necessary for the smooth execution of the relationship with WEROAD and for the execution of business operations.
- Processing is not compulsory, and the data subject may object to such processing at any time.
7. CREATION OF CONTENT FOR MARKETING PURPOSES AND USE OF IMAGES/VOICE
Purpose of Processing:
- Creation, upload and publication of the professional profile on the Controller’s website, at presentations also available on video at the company’s headquarters, for internal personnel organization and management purposes;
- Marketing and communication activities for both internal corporate and external purposes, including use in confidential corporate documents to Controller’s customers and suppliers – such as reports, presentations, etc. – both online and offline, and posting content that includes the Data Subject on Controller’s social media profiles.
Legal Basis:
- Data processing is carried out in the legitimate interest of the Data Controller for purposes of internal organization and personnel management as well as to enable business interaction and to enable communication of its activities both inside and outside the company by creating complete and accurate materials, pursuant to Art. 6(1)(f) GDPR.
Nature of the provision:
- Necessary for the pursuit of the legitimate interest of the Data Controller which is fairly balanced with the legitimate interest of Data Subjects, as the Personal Data processing activity is limited to what is strictly necessary for the smooth execution of the relationship with WEROAD and for the execution of business operations.
- Processing is not compulsory, and the Data Subject may object to such processing at any time.
8. EMERGENCY COMMUNICATIONS
Purpose of Processing:
- In order to handle communications in extraordinary emergency cases.
- The Data Subject is also invited to submit this notice to their family members whose contact details are provided.
Legal Basis:
- Data processing is carried out in the legitimate interest of the Data Controller to enable the best management of emergencies, according to Art. 6(1)(f) GDPR.
Nature of the provision:
- Necessary for the pursuit of the legitimate interest of the Controller which is fairly balanced with the legitimate interest of Data Subjects.
- Processing is not compulsory, and the Data Subject may object to such processing at any time.
9. CORPORATE TRANSACTIONS
Purpose of Processing:
- Sharing personal data in connection with or during negotiations of extraordinary transactions of all or part of our business by or in another company.
Legal Basis:
- The legitimate interest of the Controller (Art. 6(1)(f) GDPR).
Nature of the provision:
- Data processing is necessary for the legitimate interest of WEROAD in negotiating and executing corporate transactions.
DATA RETENTION PERIOD
Data will be processed and stored for as long as the position for which the application was sent is still open. Thereafter, the Data will be retained for the 2 years following the end of the selection phase, or for a period of five years for purposes of judicial defense of the Controller’s rights.
Coordinators’ data, including any data contained in feedback by travelers, will be processed and stored for the duration of the relationship with WEROAD. Thereafter, the Data will be retained for the period provided for by applicable laws and in any case for no more than 10 years after the termination of the relationship with WEROAD. Family members’ data will be deleted upon termination of the relationship with WEROAD.
The data contained in the algorithmic evaluation results will be retained for 1 year, to be then updated if the relationship between WEROAD and the Coordinator is still in place.
In addition and without prejudice to the foregoing, the Data Controller undertakes to base the processing of Personal Data on the principles of minimization, verifying on an annual basis the necessity of their retention for a period of time not exceeding that required by the purposes for which the Data were collected and processed. The Data Controller may retain Personal Data to comply with the law or to exercise or defend any right or claim in legal proceedings. Once the purposes for which Personal Data was collected and processed have been achieved, the Data Controller will implement appropriate measures to anonymize it so that the Data Subject cannot be identified.
RECIPIENTS/CATEGORIES OF DATA RECIPIENTS
Data will be processed by employees of the Data Controller expressly authorized and instructed to process the Data and after taking appropriate measures to protect the Data in connection with all of the above purposes.
The following parties may become aware of the Data in connection with the processing purposes set forth in this privacy policy and may process the Data both as autonomous data controllers and as data processors, duly appointed by the Data Controller (the list of such autonomous data controllers and data processors is available upon request by e-mail to [email protected]):
- IT service providers for managing contact and email databases, digital services providers, and IT consultants who provide technical assistance to WEROAD;
- Subsidiaries of the Company that are part of the so-called OneDay Group that provide intra-group services;
- Accounting consultants, legal consultants, offices that provide payroll services;
- Public administrations, local authorities and their peripheral organs;
- Judicial Authorities and Public Security Authorities;
- Banking and financial intermediaries, custodian banks, insurance companies;
- Travel agencies, transportation companies, hotels
DATA TRANSFER TO A COUNTRY OUTSIDE OF THE EU
The data will be processed at OneDay S.r.l.’s offices and the data will be stored on servers and/or archives located within the European Union or in countries that provide adequate safeguards of personal data protection.
The Data Controller undertakes to transfer personal data to third countries:
- Ensuring that the country to which personal data will be sent guarantees an adequate level of protection, as required by Article 45 GDPR; or
- Complying with the standard contractual clauses approved by the European Commission for the transfer of personal information outside the EEA (i.e. clauses approved under Article 46(2) GDPR).
The Data Controller cannot predict a priori in which countries the content posted on social networks will be visible, but it will make sure to use platforms and media that claim to be compliant with the requirements under the GDPR, and to whose privacy policies you should refer.
DATA PROCESSING METHODS
The Data will be processed in accordance with the principles of fairness, lawfulness and transparency, through manual and automated means and through the use of paper and electronic means, in any case within the limits of the purposes of the data processing established by this policy and, in any case, always ensuring the security and confidentiality of Data.
AUTOMATED DECISION MAKING
The Data will be processed through an automated decision-making process during the phases of screening and assignment of travel rosters. The decision-making process is used in the first phase of the screening and verification of availability. In particular, the Data Controller uses an algorithm that checks for available Coordinators in a selected time period (trip code). In addition, the algorithm, after verifying availability, suggests and ranks the available Coordinators based on certain parameters including: availability, travel preferences including with respect to the destination of interest; average rating received on previous trips; rejection of any trips in the past; and suitability to drive (driver’s license).
The final choice is made directly by the WEROAD Team and is not bound to the suggestion given by the automated process. The Data Subject can always submit his/her comments and object to the automated decision-making process at any time.
Comprehensive information about the selection process is available at any time and communicated during the selection process.
The data subject has the right to request human intervention and to comment on the decision and/or challenge it by sending an email to [email protected].
DATA SUBJECTS’ RIGHTS
The Data Subject may at any time exercise the following rights under the conditions and within the limits of Articles 12-22 of the GDPR by sending an email to [email protected].
- Right of access (Article 15 GDPR);
- Right to rectify inaccurate personal data and to obtain supplementation of inaccurate personal data (Article 16 GDPR);
- Right to erasure of personal data (Article 17 GDPR);
- Right to restriction of processing (Article 18 GDPR);
- Right to object to processing under Article 6(1) (e) or (f) of the GDPR, including profiling (Article 21 GDPR);
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR).
In the event that the Data Subject believes that the processing of Data carried out by the Data Controller is in violation of the provisions of Regulation (EU) 2016/679, he/she has the right to lodge a complaint with the Supervisory Authority, in particular in the Member State where the Data Subject normally resides or works or in the place where the alleged violation of the regulation occurred (in Italy, the Garante Privacy https://www.garanteprivacy.it/), or to bring the matter to the appropriate judicial venues.
The Data Subject has the right not to be subjected to a decision based solely on automated processing, including profiling, that produces legal effects concerning him or her or that significantly affects him or her in a similar way. The Data Subject has the right to obtain human intervention by the Data Controller, to express his/her opinion, and to challenge the decision under Article 22(2) GDPR.
Update date: August 2023