PRIVACY POLICY – Coordinators

Information document pursuant to and for the purposes of Articles 13/14 of Regulation (EU) 2016/679 (GDPR)

This policy applies to the coordinators of WeRoad SAGL (“Coordinators”).

DATA CONTROLLER

WeRoad Swiss SAGL, Via Maestri Comacini, 4 Chiasso, Switzerland (and which we will henceforth refer to as “WEROAD” or “Data Controller”).

Contacts:

TYPE OF DATA PROCESSED

We may process the following personal data:

  • Personal data (such as surname, residence, date of birth, place of birth, tax code) and contact details (telephone, email)
  • Identity document and/or passport
  • Skills and career data
  • Data on the results of the coordinator’s performance review process
  • Tax, bank and payment data
  • Professional image and profile, inserted in our systems or on company materials and/or on company social channels
  • Number and list of countries visited
  • travel preferences, availability for travel; frequency of trips
  • Driver’s license
  • Contact details of family members.

Special data:

  • Special categories of data such as disability/disability, illness, pregnancy, injury, allergies or food preferences

(“Personal Data”)

PURPOSE AND LEGAL BASIS OF THE PROCESSING

The following treatments are carried out:

LEGAL OBLIGATIONS: for the fulfilment of the obligations provided for by law, regulations and, in general, by the legislation applicable from time to time to the relationship with WEROAD. The processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Art. 6, para. 1 lit. c) GDPR). The provision is necessary to comply with legal obligations. Any refusal to provide the requested data or their inaccuracy may make it impossible to establish and/or continue the relationship with the Data Controller. The data will be kept for the period prescribed by applicable laws and in any case for no longer than 10 years after the end of the relationship with WEROAD.

RELATIONSHIP MANAGEMENT: to ensure the training of the coordinator; to establish, manage and terminate the relationship with WEROAD; for any administrative and accounting obligations related to the relationship with WEROAD; to draw up documents and reports for business reasons, including valuation reports. For example, for the processing and payment of fees, for the evaluation of your aptitude and professional performance, provision of training courses, to allow the provision of the travel and business trip booking service, to manage expense reports, to know availability. The processing is necessary for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the data subject (Art. 6(1)(b) GDPR). With reference to any special data processed (e.g. food allergies) the legal basis is the consent of the Data Subject (art. 9 par. 2 lett. a) GDPR) The provision is necessary, any refusal to provide the requested data or their inaccuracy could make it impossible to establish and/or continue the relationship with the Data Controller. The data will be kept for the period prescribed by applicable laws and in any case for no longer than 10 years after the end of the relationship with WEROAD.

TRAVEL ASSIGNMENT: to assign a Coordinator to a specific trip and assess his/her suitability according to certain parameters including availability, travel preferences also with respect to the destination of interest; average of the evaluation received on previous trips; refusal of any trips in the past and possession of a driving license (once a Coordinator has given his/her availability). The processing is necessary for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the same (art. 6, par. 1, lett. b) GDPR). The coordinators who have spontaneously made themselves available are classified on the basis of certain parameters also on the basis of an automated process, for this processing the legal basis is the pursuit of the legitimate interest of the Data Controller for the assignment of travel shifts in an efficient manner (art. 6, par.1 lett. f) GDPR). The interest has been balanced with the rights of the data subject and the impact deriving from the use of automated processes has been appropriately assessed by the Data Controller and deemed not to be detrimental to the data subjects. The provision of personal data is necessary for the pursuit of the legitimate interest of the Data Controller, which is equally balanced with the legitimate interest of the data subjects, as the processing of personal data is limited to what is necessary for the regular performance of the relationship with WEROAD and in particular for the assignment of the trip. The assignment takes place with a first manual phase (request for self-assignment of the coordinator to a trip), a second phase of automated screening, and finally the final choice of assignment by the WEROAD staff. The processing is necessary for the assignment of the trip to which the existing contractual relationship refers. Automated processing is not mandatory and the data subject may object to such processing at any time by writing to WEROAD at the addresses indicated above. The data subject can also always object to the decision concerning him or her based on the automated process, it being understood that the final decision on the assignment of a trip is always made by the WEROAD team. To learn more, you can read the section below “automated decision-making process” The data will be stored for the period necessary to achieve the purpose.

EVALUATION AT THE END OF EACH TRIP: TO KNOW THE DEGREE OF SATISFACTION OF THE PARTICIPANTS IN A TRIP, AT THE END OF THE SAME; TO ALLOW WEROAD TO MAINTAIN THE APPROPRIATE LEVEL OF ITS SERVICES. Evaluation is one of the parameters that is taken into account in the assignment of trips, as indicated above. The processing is necessary for the pursuit of the legitimate interest of the Data Controller in verifying the satisfaction of its services and for the best selection of the coordinators to whom each trip is assigned (Article 6, paragraph 1 letter f) GDPR). The legitimate interest of the Data Controller is fairly balanced with the rights and interests of the data subjects. The evaluation parameters are: courtesy and availability; ability to work as a group; organizational skills. The provision of data is necessary for the pursuit of the legitimate interest of the Data Controller, which is equally balanced with the legitimate interest of the data subjects, as the processing of personal data is limited to what is necessary for the regular performance of the relationship with WEROAD. The processing is not mandatory and the data subject may object to such processing at any time. The data will be stored for the duration of the collaboration with WEROAD. Thereafter, the data will be kept for the period prescribed by applicable laws and in any case for no longer than 10 years after the termination of the relationship with WEROAD. The data contained in the evaluation result will be stored for 1 year, to be updated if the relationship between WEROAD and the employee is still in place.

CHECKS AND DEFENCE OF RIGHTS: TO VERIFY THE CORRECT FULFILMENT OF THE OBLIGATIONS SET OUT IN THE CONTRACT WITH WEROAD AND THE CONDUCT OF THE Coordinator and compliance with company procedures in general; to ensure the protection of company assets related to the regular performance of work; for disciplinary purposes and in order to verify and prevent the performance of illegal activities; to assert or defend a right, towards the Data Subject or third parties, in judicial or extrajudicial proceedings, as well as in administrative proceedings or in arbitration and conciliation procedures in the cases provided for by laws, EU legislation, regulations. The processing is necessary for the pursuit of the legitimate interest of the Data Controller in verifying the regular performance of the service and the non-commission of offences (Article 6, paragraph 1 letter f) GDPR). The provision of data is necessary for the pursuit of the legitimate interest of the Data Controller, which is equally balanced with the legitimate interest of the data subjects, as the processing of personal data is limited to what is necessary for the regular performance of the relationship with WEROAD and for the execution of the company’s economic operations. The processing is not mandatory and the data subject may object to such processing at any time. The data will be kept for the period prescribed by applicable laws.

CREATION OF MATERIAL FOR MARKETING PURPOSES AND USE OF IMAGES/VOICE: for the creation, updating and publication of the professional profile on the company Intranet and/or in presentations also available on video at the company headquarters, for the purposes of organization and internal management of personnel; for marketing and communication activities both for internal company and external purposes, including use in corporate documents reserved for customers and suppliers of the Data Controller – such as reports, presentations, etc. both online and offline. The processing of data is carried out in the legitimate interest of the Data Controller for the purposes of organization and internal management of personnel as well as to allow company interaction and to allow the communication of its activities both inside and outside the company by creating complete and accurate materials, pursuant to Article 6, paragraph 1, letter f) GDPR. The processing is necessary for the pursuit of the legitimate interest of the Data Controller, which is fairly balanced with the legitimate interest of the data subjects, as the processing of personal data is limited to what is strictly necessary for the regular performance of the relationship with WEROAD and for the execution of the company’s economic operations. The processing is not mandatory and the data subject may object to such processing at any time. The processing is optional and the data subject may object to such processing at any time. The data will be stored for the duration of the collaboration relationship with WEROAD and subsequently deleted.

COMMUNICATIONS IN CASES OF EMERGENCY: in order to manage communications for extraordinary cases of emergency. The Data Subject is invited to submit this information also to his/her family members whose contact details are provided. The data processing is carried out in the legitimate interest of the Data Controller to allow the best management of emergencies (art. 6, par.1 lett. f) GDPR). The provision is necessary for the pursuit of the legitimate interest of the Data Controller, which is equally balanced with the legitimate interest of the data subjects. The processing is not mandatory and the data subject may object to such processing at any time. WEROAD will delete the data once the collaboration relationship has ended.

CORPORATE TRANSACTIONS: to share personal data in relation to, or during the negotiation of extraordinary transactions of all or part of WEROAD’s business. The legal basis is the legitimate interest of the Data Controller (Article 6, paragraph 1, letter f) GDPR). The data processing is necessary for WEROAD’s legitimate interest in following up on the negotiation and execution of corporate transactions. The data stored for this purpose will be deleted after the operation is completed.

Furthermore and without prejudice to the above, the Data Controller undertakes to base the processing of Personal Data on the principles of minimization, verifying on an annual basis the need for their storage for a period of time not exceeding that required by the purposes for which the data were collected and processed. The Data Controller may retain Personal Data to comply with the law or to exercise or defend any rights or claims in legal proceedings. Once the purposes for which the Personal Data were collected and processed have been achieved, the Data Controller will implement appropriate measures to anonymise them, so that the data subject cannot be identified.

DATA RECIPIENTS

The Data will be processed by employees and collaborators of the Data Controller expressly authorized to process the Data on the basis of the instructions and subject to the adoption of suitable measures to protect the Data in relation to all the purposes indicated above.

The following subjects may become aware of the Data in relation to the processing purposes provided for in this privacy policy and may process the Data both as independent data controllers and as data processors duly appointed by the Data Controller (the list of such data processors and independent data controllers is available upon request via e-mail to be forwarded to [email protected]):

  • IT service providers for the management of contact and e-mail databases, digital service providers and IT consultants who provide technical assistance to WEROAD;
  • subsidiaries of the Data Controller that are part of the so-called WeRoad Group that provide intra-group services;
  • a company of the WeRoad Group that manages the trip to which the coordinator is assigned;
  • accounting consultants, legal consultants, offices that provide payroll services;
  • central and peripheral bodies of the Public Administration, local authorities and their peripheral bodies;
  • Judicial Authorities and Public Security Authorities;
  • banking and financial intermediaries, custodian banks, insurance companies;
  • travel agencies;
  • transport companies, air and sea carriers; Hotels.

DATA TRANSFER TO A NON-EU COUNTRY

The data processing will be carried out on servers and/or archives located within Switzerland and/or the European Union or in countries that provide adequate guarantees of personal data protection.

Your data may also be transferred to countries outside the EEA if the travel destination is a country located in this area.

The Data Controller undertakes to transfer personal data to third countries if it is necessary:

  • ensuring that the country to which the personal data will be sent ensures an adequate level of protection, as required by Article 45 of the GDPR; or
  • complying with the standard contractual clauses approved by the European Commission for the transfer of personal information outside the EEA (these clauses are approved under Article 46 (2) of the GDPR).

The Data Controller cannot predict in advance in which countries the content published on social networks will be visible, but will take care to use platforms and channels that declare themselves compliant with the requirements of the GDPR, to whose privacy policy reference is made.

AUTOMATED DECISION-MAKING

The Data will be used through an automated decision-making process during the process of assigning a travel shift. Decision-making is used in the intermediate screening phase. In particular, the Data Controller first asks the coordinators about their availability to make a trip. The algorithm classifies the coordinators who have made themselves available on the basis of some parameters including: availability, travel preferences also with respect to the destination of interest; average of the evaluation received on previous trips; refusal of any travel in the past and possession of a driving license.

The final choice is made directly by the WEROAD team and is not bound to the suggestion defined with the automated process. The data subject can always submit his or her comments and object to automated decision-making at any time. Comprehensive information on the selection process is available at any time and is communicated during the selection process.

The data subject has the right to request human intervention and to express his/her observations on the decision and/or contest it by sending an email to [email protected].

METHODS OF DATA PROCESSING

The Data will be processed in compliance with the principles of correctness, lawfulness and transparency, through manual and automated methods and through the use of paper and electronic means, in any case within the limits of the purposes of the data processing(s) established by this policy and, in any case, always guaranteeing the security and confidentiality of the Data.

RIGHTS OF THE DATA SUBJECTS

The data subject may at any time exercise the following rights under the conditions and within the limits provided for by Articles 12-22 of the GDPR by sending an email to [email protected]:

  • Right of access: the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and, if so, to obtain access to the personal data (Article 15 GDPR);
  • Right to rectification of inaccurate personal data and to obtain the completion of incomplete personal data (Article 16 GDPR);
  • Right to erasure of personal data: the data subject may request that his or her data be erased, if it is no longer necessary for the aforementioned purposes, in the event of withdrawal of consent or objection to processing, in the event of unlawful processing, or if there is a legal obligation to erase (Article 17 GDPR);
  • Right to restriction of processing: the data subject has the right to obtain the restriction of processing when one of the following cases applies: the data subject contests the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead that their use be limited; although the Data Controller no longer needs them for the purposes of the processing, the personal data are necessary for the data subject to ascertain, exercise or defend a right in court; the data subject has objected to the processing, pending verification of whether the legitimate reasons of the Data Controller prevail over those of the data subject (Article 18 GDPR);
  • Right to object to processing: the data subject may object at any time to the processing of his or her data, unless the Data Controller demonstrates the existence of compelling legitimate reasons for proceeding with the processing that prevail over the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims, pursuant to Article 6(1), letters (e) or (f) of the GDPR, including profiling (Article 21 GDPR);
  • Right to portability: the data subject has the right to receive the personal data concerning him or her that he or she has provided to a data controller in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which he or she has provided them if: the processing is based on consent, or on a contract (Article 20 GDPR);
  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR).

In the event that the data subject considers that the processing of personal data carried out by the Data Controller is in violation of the provisions of Regulation (EU) 2016/679, the data subject has the right to lodge a complaint with the Supervisory Authority, in particular in the Member State where he or she habitually resides or works or in the place where the alleged violation of the regulation occurred (in Italy the Privacy Guarantor https://www.garanteprivacy.it/), or to bring the appropriate courts.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The data subject has the right to obtain human intervention from the controller, to express his or her opinion and to contest the decision pursuant to Art. 22, par. 2 GDPR.

Where the legal basis for the processing is express consent, the data subject has the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Updated: August 2025