Onework has also appointed Amity Europe S.r.l. as Representative in the EU according to Article 27, GDPR. It has been duly authorized to represent the Controller for issues relating to compliance with the GDPR, including dealing with any EU supervisory authorities and data subjects. Therefore, if you are an EU citizen you may also contact the Representative to receive further information on the processing of your personal data and rights under the GDPR.
When we talk about personal data, we refer to all the information relating to an identified or identifiable natural person. Therefore, when we refer to your personal data, we refer to any information that allows us to identify you, directly or indirectly (the “Personal Data”).
We collect the following categories of Personal Data through your use of our Services or when you are surfing our Websites:
We collect your Personal Data either when you provide it voluntarily (for instance, when you fill-in a form on our Websites to file a request) or automatically, while you are using our Services (for instance, when using our chat tool).
For some of our Services, you will be invited to access and use them by an organization (e.g. your employer or another third party), which acts as a customer of the Controller (the “Customer”). In these cases, you will be an authorized end user (“Authorized End User”) and your Personal Data will be provided to us by the Customer in order to allow you to use our Services.
Unless otherwise specified, we only collect the Personal Data that are necessary to provide our Services. Therefore, unless differently stated, all the information requested when using the Services are mandatory, and the failure to provide them may make it impossible for the Services to function. When it is specifically stated that some data are not mandatory, you are free to decide not to share them with us without any consequence on the availability or functioning of the Services.
Onework processes your Personal Data for the purposes and according to the legal bases described below.
1. Execution of the Contract and Performance of the Services
The Controller processes your Personal Data to allow you to use our Services.
Depending on whether you have a direct contractual relationship with Onework or you have been provided access to our service by a Customer, the legal basis for these processing activities is the necessity to perform an existing agreement and/or for any pre-contractual obligations with you (Art. 6, par. 1, let. c), GDPR) or the legitimate interest of the Controller to execute the agreement concluded with the Customer (Art. 6, par. 1, let. f), GDPR).
Please find below more detailed information on how we process your Personal Data depending on the different type of Service you are requesting.
Onework offers a workplace management service that can be used as a standalone app or integrated with the company’s existing app. To offer this service, Onework collects your personal data such as first name, last name, email, mobile number, and more. Onework also processes your Personal Data, which include your interaction with the system and user profile.
2. Marketing and Advertising
Onework may contact you at your business email or phone number to introduce you to our products and Services and offer you our support to your business.
The Controller will contact you only when we reasonably believe our Services may support your goals or you may be interested based on the industry you are operating in. Moreover, we will contact you with marketing and advertising emails and calls if you have asked for information or begun a search for a service or product we provide.
The legal basis for this processing activity is the legitimate interest of the Controller to conduct direct marketing activities (Art. 6, par. 1, let. f), GDPR and Recital 47, GDPR).
Object to Processing of Personal Data for Direct Marketing.
You have the right to object to the processing of your Personal Data for Direct Marketing activities at any moment contacting the Controller or replying to our emails.
3. Management of the Websites
To operate the websiteand offer you all the connected services, the Controller processes the Personal Data whose transmission is implicit in the use of Internet communication protocols. These data include IP addresses, domain names of your device, the timing and method of your request, the file transmitted, and information on your operative system and device.
These data are also anonymized and used to have statistical information on the use of the Websites to ascertain their correct functioning and the possibility of cyber crimes.
The legal basis for this processing activity is the legitimate interest of the Controller to manage the Websites and protect you from possible cyber crimes (Art. 6, par. 1, let. f), GDPR).
4. Managing Your Requests
You can contact the Controller through the specific form in our Websites or our phone numbers.
To manage your requests, the Controller needs to process the provided Personal Data such as your name, contacts and the content of your message. Accordingly, we suggest you provide us only the information that we need to comply with your request.
The legal basis for this processing activity is the legitimate interest of the Controller to comply with your requests (Art. 6, par. 1, let. f), GDPR).
5. Compliance with Legal Obligations
The Controller may need to process your Personal Data to comply with legal obligations connected to its activities and/or the Services provided to you and the Customer.
The legal basis for this processing activity is the necessity to comply with legal obligations (Art. 6, par. 1, let. c), GDPR).
To carry out the processing activities described in previous paragraph 5), your Personal Data will be accessed by the necessary employees and collaborators of the Controller.
Moreover, your Personal Data will be shared with other companies that support Onework to provide the Services. These companies include the other companies of the Group that offer the requested service; companies that support the Controller to set up and manage the ICT infrastructure; companies supporting Onework for archiving purposes; mail carriers; hosting providers; communications agencies; subjects that provide legal and/or tax consultancy.
Moreover, Onework uses Amazon Web Services’ cloud platform to securely store your Personal Data. In particular, we asked Amazon to store your Personal Data in servers located in your country.
Where required by the applicable legislation, these companies have been appointed data processors by the Controller in compliance with Article 28 GDPR to guarantee that your Personal Data are protected also when processed by third parties.
You are entitled at any time to request the Controller an updated list of all such third parties that process your Personal Data.
Onework is a multinational company. Hence, it operates in several countries and your Personal Data may be transferred where the Controller has its operating offices as well as in foreign countries where the company and / or third party providers are located.
To ensure that your Personal Data receive always the same degree of protection, when they are processed outside the UK and the EU/European Economic Area (EEA), Onework ensures that the receiving companies are bound by the Standard Contractual Clauses, which establish similar obligations to that imposed by the UK Data Protection Act 2018 and the GDPR.
You are entitled at any time to request the Controller an updated list of all the countries where your Personal Data may be transferred as well as the safeguards established by Onework.
Onework processes and stores your Personal Data only as long as required by the purpose they have been collected for.
Accordingly, depending on the processing activity, your Personal Data will be deleted within 10 years from:
1. the end of the contractual relationship with you or our Customer;
2. your decision to opt-out to our marketing activities. In any case, upon your opting-out, we will immediately stop sending you marketing communications and we will retain your data only when necessary to comply with a legal obligation or perform a contract;
3. the end of your surfing session on our Websites;
4. our compliance with your requests.
The Controller may be obliged to retain your Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an Authority.
Once the retention period expires, Personal Data will be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
You may exercise certain rights regarding your Personal Data processed by the Controller. In particular, you have the right to:
Withdraw Consent at Any Time. You have the right to withdraw the consent you have previously given to the processing of your Personal Data.
Object to Processing of Personal Data. You have the right to object to the processing of your Personal Data if the processing is carried out on a legal basis other than consent.
Access Your Personal Data. You have the right to learn if the Controller is processing your Personal Data, to obtain disclosure regarding certain aspects of the processing and to obtain a copy of the Personal Data undergoing processing.
Verify and Seek Rectification. You have the right to verify the accuracy of your Personal Data and ask for them to be updated or rectified.
Restrict the Processing of Personal Data. You have the right, under certain circumstances, to restrict the processing of your Personal Data. In this case, the Controller will not process that Personal Data for any purpose other than safely storing it.
Have Personal Data Deleted or Removed. You have the right, under certain circumstances, to obtain the erasure of your Personal Data.
Receive Personal Data and Transfer Them to Another Controller. You have the right to receive your Personal Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
Lodge a Complaint. You have the right to bring a claim before their competent Data Protection Authority. For the controversies arising directly in the UK, the competent Data Protection Authority is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.