PRIVACY POLICY – website
Information document pursuant to and for the purposes of articles 13/14 Regulation (EU) 2016/679 (GDPR)
This information applies to the website www.weroad.co.uk the "Site" and to its users, both visitors and travellers who purchase one or more trips ("Users").
DATA CONTROLLER
WeRoad UK Limited, company number: 13313382 and registered office address at WeWork Moor Place, 1 Fore Street Avenue, London, EC2Y 9DT, United Kingdom is the controller and responsible for the Users Personal Data (collectively referred to as the “Owner” in this Privacy Policy. We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy policy. If the User has any questions about this privacy policy, including any requests to exercise legal rights. Please content the data privacy manager using the details set out below.
Email Address: [email protected]
Address: WeWork Moor Place, 1 Fore Street Avenue, London, EC2Y 9DT, United Kingdom
The User has the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). The Owner would, however, appreciate the chance to deal with the Users concerns before the User approaches the ICO so please contact the Owner in the first instance.
TYPE OF DATA PROCESSED
We may process the following personal data:
Access and navigation data (for example: information on the browser used by the User, pages visited, date, time and duration of each visit, as well as other parameters relating to the operating system and the User's IT environment).
Contact details (email and/or telephone)
Personal data: Name, surname, place and date of birth, tax code, sex (gender), passport and/or identity document (number, date of issue, expiry date)
License and willingness to drive
other personal data transmitted voluntarily: In some areas of the Site ( https://www.weroad.it/contatti,https://www.weroad.it/become-our-partner) it is possible to contact the Data Controller by email at address [email protected], by telephone or WhatsApp, via the Owner's Facebook® group or via the Owner's Instagram profile, to request information or clarifications relating to WeRoad trips and the possibility of creating partnerships.
Data relating to User preferences collected following the booking of a trip and relating to age, gender, and purchasing preferences shown by Users.
Payment data such as credit card / IBAN ("Bank Data")
Data relating to the round-trip flight purchased by the user
Image and/or voice
Contact details in case of emergencies (of a family member/friend)
Data contained in surveys
Data of the beneficiary of the gift card/voucher
Data relating to facts/incidents that occurred during the trip, including any behavior in violation of the law or the WeRoader Manifesto (part of the travel agreement with each User participating in a trip)
Cookies For all information on the cookies active on the Site and on the related processing of personal data, we invite you to read the relevant information in the "Cookie policy" section of our Site.
In some cases we may also process some particular data:
allergies and intolerances, state of health, special needs communicated voluntarily by the User;
Data contained in the medical certificate in case of cancellation of the booking.
("Personal data")
PURPOSE AND LEGAL BASIS OF THE PROCESSING
NAVIGATION OF THE SITE: Personal Data may be processed for the collection of anonymous statistical data on the use of the Site by Users, as well as for monitoring the functioning of the Site. The legal basis is the legitimate interest of the Data Controller in making it work. and to control the Site and obtain data on its use or your consent (Art. 6, par. 1, letter f) GDPR). The interest of the Owner has been balanced with that of the User who will thus be able to benefit from an increasingly high-performance and optimized Site. The provision of Personal Data is optional, but failure to provide it, by disabling cookies in the browser, could prevent you from accessing all the functions of the Site. The Data does not persist for more than 4 weeks and is deleted immediately after its aggregation (except any need for ascertainment of crimes by the competent Judicial Authority). Our cookie policy is available in the "Cookie policy" section on our Site.
RESPONDING TO CONTACT REQUESTS: it is possible to contact the Owner, via email at [email protected], by telephone or WhatsApp or via the Owner's Facebook® group, to request information or clarifications relating to WeRoad trips and the possibility of creating partnerships and in general in relation to the services offered; to respond to various requests from Users (for example through the Notify Me, Newsletter, participation in AperiRoad and WeMeet services). The legal basis is the execution of pre-contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR). The provision is necessary to follow up on the request. In case of failure to provide Personal Data, WEROAD will not be able to respond to the request. WEROAD will delete the Personal Data processed to respond to requests within 1 year from the closing date of the management of the request. WeRoad may store tickets in anonymous and aggregate form for internal reporting purposes (by tickets we mean the requests we receive).
RESPOND TO A REQUEST ABOUT A TRAVEL SHIFT ("NOTIFY ME"): You may request to receive information about a travel shift. The legal basis of the processing is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR). The provision of Personal Data is necessary to follow up on the interested party's request. In case of failure to provide this information, WEROAD will not be able to follow up on the interested party's request to be notified about the confirmation of a travel shift. The data will be kept for the time necessary to achieve the purpose pursued and in any case for a maximum of 1 year from the provision.
BOOKING A TRIP: finalizing the booking of a trip through the Site and managing the reservation made. The legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR). With reference to any particular data provided (for example the state of health, any allergies), it is the express consent of the interested party (art. 9, par. 2, letter a) GDPR). The provision is necessary to follow up on the booking request. In case of failure to provide the Data, WEROAD will not be able to follow up on the request and finalize the purchase and, with reference to particular data, will not be able to follow up on the specific needs requested. The Data is stored until the execution of the purchase contract and, in any case, for 3 years (or in any case within the limit of the ordinary limitation period). The particular data will be retained until the execution of the contract and for a further 6 months, unless a further period is necessary to exercise or defend a right.
USE THE “MYWEROAD” PERSONAL AREA: the user who has booked a trip has the possibility of accessing a personal area within MyWeRoad, protected by a password chosen by the User, which allows, for example, to manage and check the status of the booking and/or modify the data provided when booking a trip. The legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR). With reference to any particular data provided (for example, any allergies and/or intolerances), it is the express consent of the interested party (art. 9, par. 2, letter a) GDPR). The provision is optional. In case of failure to provide the Data, the user will not be able to use the personal area. The Data is retained until the interested party cancels their account and in any case no later than 5 years from the last access. The interested party can update their data at any time.
BE INCLUDED IN THE WHATSAPP GROUP OF THE TRIP YOU ARE PARTICIPATING IN: Users who have purchased a trip are included in a WhatsApp group made up of the other participants and the coordinator. The group is used to exchange organizational communications relating to the trip and is activated before departure. The legal basis of the processing is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to allow better organization of the trip and communications between the trip participants and the coordinator. The interest of the Owner has been balanced with that of the Interested Party who will be able to keep himself updated through communications within the group. The interested party can object to the processing at any time, either by leaving the WhatsApp group or by sending their request to the Data Controller. There will be no negative repercussions on the user in case of opposition to the treatment.
CONTACT USERS WHO HAVE ADDED A TRIP IN THE CART: in the event of an unfinished booking, contact the relevant Users by email. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to contact the User to ask if he still has an interest in finalizing the purchase or if he needs more information in relation to a particular goal. A maximum of three communications are sent. The interest of the Owner has been balanced with that of the user who will thus be able to complete, at a later time, the booking of a trip that has not yet been completed. The interested party can object to the processing. There will be no negative repercussions on the interested party in case of opposition to the treatment. The data will be stored for 6 months.
CANCELING A RESERVATION: in the event that a user requests a cancellation of a reservation. The legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR) and of the data contained in the medical certificate, consent (art. 9 , par. 2, letter a) GDPR). The provision is necessary to follow up on the cancellation request. WEROAD will delete the data once the booking cancellation procedure has been completed, except for any legal disputes or pre-disputes.
COMMUNICATIONS IN CASES OF EMERGENCY: in order to manage communications for extraordinary emergency cases. The interested party is invited to submit this information also to his family members whose contact details are provided. The data processing is carried out in the legitimate interest of the Data Controller to allow the best management of emergencies, pursuant to article 6, par. 1, letter. f) GDPR. WEROAD will delete the data once the trip ends and in any case after 1 month from the return.
SENDING OF COMMERCIAL/PROMOTIONAL COMMUNICATIONS: for direct marketing purposes, such as sending newsletters, information and commercial communications, updates on the latest launches, offers and promotions relating to WEROAD services, via newsletter, via email or telephone, also by automated means (SMS, social media). The legal basis is the consent of the interested party (art. 6, par. 1, letter a) GDPR). The provision is optional. In case of failure to provide the Data, WEROAD will not be able to regularly update the interested party on its offers and promotions. The interested party can revoke the consent given at any time by clicking on the "unsubscribe" link included in the marketing email received or by sending an email to [email protected]. The Data processed for this purpose will be stored and processed for 5 years, without prejudice to the revocation of consent by the interested party.
In the event that the interested party has contacted WEROAD, WEROAD may contact or send the interested party communications of a commercial nature relating to the request received. In this case the legal basis of the processing is the legitimate interest of WEROAD to promote its services to the interested parties pursuant to article 6, par. 1, letter. f) GDPR. The provision is necessary for the pursuit of the legitimate interest of the Data Controller which is equally balanced with the legitimate interest of the interested parties. The processing is not mandatory and the interested party may object to said processing at any time by sending an email to [email protected]. WEROAD will delete the Personal Data processed to respond to requests within 1 year from the closing date of the management of the request. WEROAD may contact the interested party again within this period.
SOFT-SPAM: The email address could be processed to send interested parties emails relating to the promotion of WEROAD services similar to the services already purchased. The legal basis is the legitimate interest of the Data Controller to promote its services to existing customers. The interested party can object to the use of their e-mail address at any time by clicking on the "unsubscribe" link in the e-mail received or by sending an e-mail to [email protected]. WEROAD will no longer use the e-mail address after 24 months from the date of the last commercial contact with the data subject.
It is possible to revoke the consent given for marketing and commercial purposes at any time, without prejudice to the lawfulness of the processing carried out before the revocation based on the consent.
USER SEGMENTATION: for sending personalized commercial communications based on age and type of trip purchased. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to improve its commercial offer. The interest of the Owner has been balanced with that of the user in being able to receive commercial communications in line with their interests. The provision is optional. There will be no negative repercussions on the user in case of opposition to the treatment. The data will be kept for 12 months from collection.
CONDUCTING SATISFACTION SURVEYS: Users who have completed a trip will receive an email communication regarding a satisfaction survey. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to evaluate and improve the quality and satisfaction with the services offered. The provision is optional. Failure to provide the Data, however, will not allow us to evaluate customer expectations and satisfaction with the services offered by the Owner. The Data will be stored for 1 year from the time of collection and will subsequently be anonymized and aggregated.
PUBLICATION OF IMAGES OF INTERESTED PARTIES ON THE SITE OR SOCIAL CHANNELS OF WEROAD: the images/videos collected during the trip made with WEROAD may be published by the Owner on the Site or on social channels and/or in travel diaries. The basis of the processing is the legitimate interest of the Data Controller to promote its business (art. 6, par. 1, letter f) GDPR). The travel participant is informed of the taking of photographs/videos both in the contractual context and during the trip and has the possibility to abstain and request not to be photographed during the trip. The interested party can object at any time either by asking not to participate in the shots/filming, or by requesting the removal of the published contents by writing to [email protected]. The interest of the Owner has been balanced with that of the user in being part of the filming of group. The provision is optional. There will be no negative repercussions on the user in case of opposition to the treatment. The data will be kept for 5 years from the publication of the images.
REPORTS RELATING TO FACTS/ACCIDENTS AND/OR NON-COMPLIANT BEHAVIOURS: the Data Controller may collect and process data relating to facts, incidents, behaviors referable to the Traveling User, which do not comply with the legislation or the WeRoader Manifesto . The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR) to verify that the travel experience complies with the company's standards and monitor/report non-compliant facts and/or behaviors with theWeRoader Manifestoor the law. The report can be made through the trip coordinator, travel companions and local partners. The travel participant is informed of this possibility as soon as the travel contract is signed. Furthermore, the participant is notified in the event that there is a report from the coordinator that concerns him and he has the possibility to object and lodge a complaint. The data will be kept for 18 months from the collection of the report.
MANAGEMENT OF ANY CLAIMS AND DEFENSE IN COURT: the legal basis is the execution of pre-contractual and contractual obligations of which the interested party is a party (art. 6, par. 1, letter b) GDPR) as well as the legitimate interest of the Data Controller (art. 6, par. 1, letter f). The provision is necessary both to allow the Data Controller to respond to requests made by interested parties and to defend their rights against the interested party or third parties before the competent authorities. The Data is stored for the duration of the claim and in any case within the limitation periods indicated by the law (usually 3 years without prejudice to a possible longer period, if related to personal injury).
CORPORATE OPERATIONS: Sharing personal data in connection with, or during negotiations of extraordinary operations of all or a portion of WEROAD's business. The legal basis is the legitimate interest of the Data Controller (art. 6, par. 1, letter f) GDPR). Data processing is necessary for WEROAD's legitimate interest in following up on the negotiation and execution of corporate transactions. The data stored for this purpose will be deleted at the end of the operation.
Furthermore and without prejudice to the above, the Data Controller undertakes to base the processing of Personal Data on the principles of minimization, verifying on an annual basis the need for their conservation for a period of time not exceeding that required by the purposes for which the data were collected and processed. The Data Controller may retain Personal Data to comply with the law or to exercise or defend any rights or claims in legal proceedings. Once the purposes for which the Personal Data were collected and processed have been achieved, the Data Controller will implement appropriate measures to make them anonymous, so that the interested party cannot be identified.
RECIPIENTS OF THE DATA
The Data will be processed by employees and collaborators of the Data Controller expressly authorized to process the Data on the basis of the instructions and after adopting suitable measures to protect the Data in relation to all the purposes indicated above.
The following subjects may become aware of the Data in relation to the processing purposes envisaged by this privacy policy and may process the Data both as independent data controllers and as data processors duly appointed by the Data Controller (the list of such managers and independent data controllers are available upon request via e-mail to be sent to [email protected]):
subjects that carry out activities functional to achieving the aforementioned purposes, i.e. companies that provide IT infrastructures and IT support and consultancy services, companies that provide data analysis and development services, as well as law, accounting and auditing firms;
other companies that belong to the Group to which WEROAD is part and which provide services to WEROAD;
hotels and other accommodation facilities, car rentals, airlines, companies that provide travel insurance policies and other third parties who provide the services necessary for the realization of the booked trip;
travel coordinator;
local tourism partners, for example, local travel agencies, tourist guides;
companies offering payment and booking services;
insurance companies.
DATA TRANSFER TO A NON-EU COUNTRY
Personal data may be transferred to non-EU countries, for example if the travel destination is a non-EU country.
The Data Controller undertakes to transfer personal data to third countries if necessary:
ensuring that the country to which the personal data will be sent guarantees an adequate level of protection, as required by Article 45 of the GDPR; or
complying with the standard contractual clauses approved by the European Commission for the transfer of personal information outside the EEA (these are clauses approved pursuant to Article 46 (2) of the GDPR).
DATA PROCESSING METHODS
The Data will be processed in compliance with the principles of correctness, lawfulness and transparency, through manual and automated methods and through the use of paper and electronic means, in any case within the limits of the purposes of the data processing(s) established by this information and, in any case, always guaranteeing the security and confidentiality of the Data.
RIGHTS OF INTERESTED PARTIES
The interested party may at any time exercise the following rights under the conditions and within the limits established by Articles 12-22 of the GDPR by sending an email to [email protected]:
Right of access: the interested party has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed and, in this case, to obtain access to the personal data (Article 15 GDPR) ;
Right to rectify inaccurate personal data and to obtain integration of incomplete personal data (Article 16 GDPR);
Right to erasure of personal data: the interested party may request that their data be erased if they are no longer necessary for the aforementioned purposes, in the event of revocation of consent or opposition to the processing, in the event of unlawful processing, or there is an obligation legal cancellation (Article 17 GDPR);
Right to limit processing: the interested party has the right to obtain the limitation of processing when one of the following hypotheses occurs: the interested party contests the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such data personal; the processing is unlawful and the interested party opposes the deletion of the personal data and requests instead that their use be limited; although the Data Controller no longer needs them for the purposes of the processing, the personal data are necessary for the interested party to ascertain, exercise or defend a right in court; the interested party has objected to the processing, pending verification of the possible prevalence of the legitimate reasons of the Data Controller over those of the interested party (Article 18 GDPR);
Right to object to processing: the interested party may object at any time to the processing of their data, unless the Data Controller demonstrates the existence of compelling legitimate reasons to proceed with the processing which prevail over the interests, rights and freedoms of the interested party or for the establishment, exercise or defense of a right in court, pursuant to Article 6(1), letters (e) or (f), of the GDPR, including profiling (Article 21 GDPR);
Right to portability: the interested party has the right to receive the personal data concerning him or her provided to a data controller in a structured, commonly used and machine-readable format and has the right to transmit such data to another data controller processing without impediments by the data controller to whom it was provided if: the processing is based on consent, or on a contract (article 20 GDPR);
Right to lodge a complaint with the supervisory authority (Article 77 GDPR).
In the event that you believe that the processing of personal data carried out by the Data Controller occurs in violation of the provisions of Regulation (EU) 2016/679, the interested party has the right to lodge a complaint with the Supervisory Authority, in particular in the Member State in which where he habitually resides or works or in the place where the alleged violation of the regulation occurred (in Italy the Privacy Guarantor https://www.garanteprivacy.it/), or to take action in the appropriate judicial offices.
Where the legal basis of the processing is express consent, the interested party has the right to withdraw consent at any time. The revocation of consent does not affect the lawfulness of the processing based on consent before the revocation.