Privacy Policy regarding the processing of Personal Data pursuant to Regulation (EU) 2016/679 (GDPR)
Gewiss S.p.A. wishes to inform you, as data subject, of the purposes and methods of the processing of your Personal Data in relation to the use of HOME GATEWAY APP (hereinafter referred to as the “App”), which allows you to control, monitor, supervise and parameterise a Home & Building Automation system (hereinafter referred to as a “Smart Home”), connected to the cloud through the Gewiss “Home Gateway” device.
This document has been drawn up in accordance with art. 13 of European Regulation 2016/679 on the protection of individuals with regard to the processing of Personal Data (hereinafter referred to as the “GDPR”).
1. Data Controller
The Data Controller is Gewiss S.p.A. (the “Controller” or “Gewiss”), tax code and VAT number 00385040167, with registered offices in Via A. Volta, 1 - 24069 Cenate Sotto (BG) - Italy, email address: privacy@gewiss.com.
2. Contact details of the Gewiss Data Protection Officer (DPO)
The Data Controller has appointed a Data Protection Officer (“DPO”), pursuant to articles 37 - 39 GDPR. If necessary, the DPO may be contacted at the following email address: dpo@pec.gewiss.com.
3. Purpose and methods of processing
The Controller will process the following Personal Data that you have communicated (hereinafter referred to as the “Personal Data”):
a) Registration Data: this is Personal Data provided by you or collected by Gewiss for the purposes of registration and use of the App (such as, for example, name, surname, email, date of birth, address), necessary to complete registration with the App and to use the related services. You can also access the reserved area of the App by using credentials provided by the social networks Facebook, Google and Apple (“social login”).
b) App Usage Data: this is Personal Data collected when you use the App and includes:
- the IP address or ID of your device.
- the model and brand of your device.
- the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to make the request to the server, the size of the file received in response, the numerical code indicating the status of the response provided by the server (successful, error, etc.), and any other parameters regarding the operating system and the information technology environment of your device.
- information on the statuses and changes in status of Smart Home devices.
- electrical measurement data (e.g. energy, power) and related graphs summarising trends over time.
- data relating to the parameterisation of functions performed by the Home Gateway, such as logic functions, timers, scenes, irrigation, load control, thermoregulation profiles.
- information on your interaction with the App, including commands for Smart Home device activations.
- email addresses or telephone numbers used to send notifications following events.
- geolocation of your device, i.e., mobile sensor data generated by the movement or orientation of your device.
4. Purpose of processing and legal basis
The Data Controller will process your Personal Data for the fulfilment of specific purposes and in the presence of a specific legal basis as provided for by the GDPR.
In particular, the purposes for which your Personal Data are processed by the Controller and the legal basis of the processing thereof are listed below:
a) Personal data used: App registration and usage data.
- Purpose of data processing: Access to and use of the App by the user.
- Legal basis for processing: Performance of a contract to which the data subject is party.
b) Personal data used: App registration and usage data.
- Purpose of data processing: Communications with you (e.g., if you contact Gewiss by email or otherwise, Gewiss may use your Personal Data to answer questions or solve problems).
- Legal basis for processing: Performance of a contract to which the data subject is party.
c) Personal data used: App usage data.
- Purpose of data processing: Direct marketing. For example: sending - via automated contact methods (such as SMS, MMS and email) and traditional methods (such as telephone calls with operator and traditional mail) - promotional and commercial communications relating to services/products offered by Gewiss or notification of company events, the carrying out of market studies and statistical analyses, as well as the sending of questionnaires to users for the purpose of verifying the degree of customer satisfaction regarding the quality of the services rendered.
- Legal basis for processing: Consent (optional and revocable at any time)
d) Personal data used: App usage data.
- Purpose of data processing: Profiling: analysis of your preferences, habits, behaviour or interests in order to send you personalised offers and commercial communications.
- Legal basis for processing: Consent (optional and revocable at any time)
5. Mandatory nature of the provision of Personal Data
The provision of your Personal Data is necessary in all cases where processing is carried out on the basis of a legal obligation or to perform a contract to which you are party. Your refusal may render it impossible for Gewiss to carry out the purposes for which the Personal Data is collected.
The provision of consent for the purposes of direct marketing and profiling, on the other hand, is optional and therefore does not affect the performance of the service.
6. Period of storage
With reference to the period of storage of personal data, the following is specified:
- Storage period for data relating to points 4 a) and b): duration of the contract plus 10 years from termination of the same.
- Storage period relating to point 4 c): 24 months from registration and until revocation of consent.
- Storage period relating to point 4 d): 12 months from the provision of the profiling data and until consent is revoked.
In the case of legal disputes, the data will be held for the entire duration of the same and until the end of the time limits for the exercising of appeals.
At the end of the aforementioned periods of conservation, the Personal Data will be destroyed, erased or rendered anonymous.
7. Method of processing
The processing of Personal Data is governed by the principles of fairness, lawfulness, transparency and data minimisation (privacy by design).
The processing of Personal Data may be carried out either manually or by automated means for the storage, processing and transmitting of the same and shall be carried out by means of technical and organisational measures that are appropriate, insofar as reasonably necessary and in accordance with the state of the art, to ensure, among other aspects, the security, confidentiality, integrity, availability and resilience of the systems and services, avoiding the risk of loss, destruction, unauthorised access or disclosure or otherwise unlawful use, as well as by means of reasonable measures to promptly delete or rectify data that are inaccurate in relation to the purposes for which they are processed.
8. Recipients of personal data
The Personal Data, within the scope of the aforementioned purpose, may be communicated to one or more of the categories of subjects appointed as Data Processors as indicated in detail below, such as, for example:
- professional firms.
- external companies offering emailing services.
- external companies offering hosting services or carrying out tasks of a technical nature.
- external companies offering support in carrying out market studies.
- external telecommunications companies.
- a Gewiss Group company.
The Data may be communicated to external subjects acting as autonomous Data Controllers, for example authorities and supervisory and control bodies, other companies in the Gewiss Group and, in general, subjects, either public or private, entitled to request the Data.
9. Transfer of Personal Data outside the European Economic Area (EEA)
Personal Data will be processed within the EEA. If, for technical and/or operational reasons, it is necessary to use parties located outside the EEA, processing will be regulated in accordance with the GDPR, and therefore all necessary precautions will be taken in order to ensure the protection of the Data, pursuant to Article 46 of the GDPR.
10. Persons authorised to carry out processing
The Personal Data may be processed exclusively by employees of the business functions charged with the fulfilment of the purposes indicated above, who are expressly authorised for the processing and have received appropriate operating instructions.
11. A Data Subject’s rights
The Data Subject, in relation to the personal data provided, has the right to exercise at any time and in accordance with the provisions of the GDPR the rights established by the latter and shown below:
- Right to withdraw consent (art. 7, paragraph 3, GDPR): the right to revoke consent without prejudice to the lawfulness of processing based on consent granted before revocation.
- Data subject’s right of access (art. 15 GDPR): the right to obtain confirmation of the existence or otherwise of one’s Personal Data, and a copy thereof in intelligible form.
- Right to correction (art. 16 GDPR): the right to correct inaccurate Personal Data.
- Right to erasure, the “right to be forgotten” (art. 17 GDPR): the right to the erasure of one’s personal data.
- Right to the limitation of processing (art. 18 GDPR): the right to obtain the limitation of the processing of one’s Personal Data, e.g. if the accuracy of the data is disputed or in the case of unlawful processing.
- Right to data portability (art. 20 GDPR): the right to receive in a structured, commonly used and machine-readable format one’s Personal Data provided to the Controller and the right to transmit said data to another Controller if the processing is carried out on the basis of consent or a contract and by automated means.
- Right to object (art. 21 GDPR): the right to object to the processing of one’s Personal Data.
- Right not to be subject to automated decision-making (art. 22 GDPR): the right not to be subject to a decision based solely on automated processing.
These rights may be exercised by the Data Subject by contacting the Controller at the following email address: privacy@gewiss.com.
The Data Subject also has the right to lodge a complaint with the Italian Data Protection Authority.
12. Processing of Personal Data by installer or administrator users
If, as part of a business or professional activity, a natural person (installer or administrator user) makes the App and the related service available to users with whom they have a professional or collaborative relationship (e.g. the installer or administrator is the manager of a company and the users are its employees or collaborators), the installer user will in turn assume the role of Data Controller with regard to the respective users. They will therefore be obliged to comply with all obligations imposed on the latter pursuant to the GDPR, including the obligation to provide a privacy policy to data subjects pursuant to art. 13 of the GDPR concerning the processing of information associated with user profiles in the event that it can be traced back to individual persons (their collaborators/employees).
13. Amendments to the Privacy Policy
Gewiss reserves the right to update or amend this Policy periodically and at any time. In this case, Gewiss will provide you with a clearly visible notice that, depending on the circumstances, may for example be displayed within the App or transmitted by email. You are therefore invited to read these notices carefully.