Privacy policy

pursuant to Article 13 of Regulation (EU) 2016/679

With this document (“Privacy Policy”), the Data Controller, as defined below, wishes to inform you about the purposes and methods of processing your personal data, as well as the rights granted to you under Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (“GDPR”). This Privacy Policy may be supplemented by the Data Controller if any additional services you request involve further data processing.

Data Controller
FastWay S.p.A. S.B., with registered office at Via Enrico Forlanini 23, 20134 Milan (MI), VAT No. 12511460961, Certified Email (PEC): fastwayspa@legalmail.it

Data Protection Officer / DPO
The Data Controller has appointed a Data Protection Officer (DPO).
Email address: privacy@fastway.energy

Types of Data Processed

The Data Controller will process common personal data, hereinafter collectively referred to as “Personal Data,” collected during the use of the services offered by the application. Such data may include, by way of example:

  • Personal details: first and last name, date of birth, residential address;
  • Contact details: such as email address and mobile phone number;
  • Data required for billing purposes: tax code/VAT number, billing address;
  • Login data: email address and password.

Categories of Data Subjects
The processing activities are intended for the following categories of data subjects: Customers, Users.

Purpose, Legal Basis, and Retention Period

Purpose: Personal data are processed to allow registration and the creation of a personal account necessary to access and use the Application, as well as to ensure the provision of any services requested through it (including the delivery of prepaid cards).
Legal Basis: The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request, pursuant to Article 6(1)(b) of Regulation (EU) 2016/679.
Retention Period: [Please specify – typically “for the duration of the contractual relationship and, subsequently, for the time necessary to fulfill legal obligations or for the protection of rights.”]
Retention Period: Personal data will be retained until consent is withdrawn and in full compliance with the principles of the GDPR, as set out in Article 5. Data will be stored for an additional 10 years as required by applicable legal provisions.

Purpose: Personal data, such as the IP address and the identification code of the device used by the user, are processed to ensure the proper functioning of the App, enabling access to and provision of the services offered, as well as to improve technical performance and ensure the security of the platform.
Legal Basis: Common data – Legitimate interest pursuant to Article 6(1)(f) of Regulation (EU) 2016/679.
Retention Period: Personal data will be retained for the entire duration of the user account activity and use of the app. In any case, data will not be stored for more than 10 years.

Purpose: The processing of personal data is necessary to allow the Data Controller to issue an invoice following payment for the electric vehicle charging service used at the designated charging stations, if requested by the data subject.
Legal Basis: Common data – The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request, pursuant to Article 6(1)(b) of Regulation (EU) 2016/679.
Retention Period: Personal data will be retained for the time necessary for the Data Controller to fulfill the purposes for which they were collected and to issue the requested invoice. In any case, data will not be stored for more than 10 years.

Purpose: Personal data are processed to allow the data subject to use the customer support service by accessing the features made available through the application. This processing is carried out to ensure the assistance requested by the data subject in relation to the services provided — including the Charge Back service — in compliance with the specified purposes and the applicable data protection regulations.
Legal Basis: Common data – The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request, pursuant to Article 6(1)(b) of Regulation (EU) 2016/679.
Retention Period: Personal data will be retained for the time necessary for the Data Controller to fulfill the purposes for which they were collected and to issue the requested invoice. In any case, data will not be stored for more than 10 years.

Purpose: Personal data will be processed to comply with legal obligations arising from tax, accounting, or anti-money laundering regulations.
Legal Basis: Common data – The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request, pursuant to Article 6(1)(b) of Regulation (EU) 2016/679.
Retention Period: Personal data will be retained for the time necessary for the Data Controller to fulfill the purposes for which they were collected and to issue the requested invoice. In any case, data will not be stored for more than 10 years.

Purpose: Personal data will be processed to comply with legal obligations arising from tax, accounting, or anti-money laundering regulations.
Legal Basis: Common data – Legal obligation pursuant to Article 6(1)(c) of Regulation (EU) 2016/679.
Retention Period: Personal data will be retained for the time necessary for the Data Controller to fulfill the purposes for which they were collected and to issue the requested invoice. In any case, data will not be stored for more than 10 years.

Purpose: The Data Controller, where necessary, reserves the right to process the personal data of Data Subjects in order to establish, exercise, or defend its rights in out-of-court and/or judicial proceedings, or whenever judicial authorities exercise their functions.
Legal Basis: Common data – Legitimate interest, pursuant to Article 6(1)(f) of Regulation (EU) 2016/679.
Retention Period: Personal data will be retained for the period strictly limited to the duration of the dispute, until the expiration of the time limits for exercising appeal actions.

Purpose: Personal data will be processed, subject to the explicit consent of the data subject, for marketing, promotional, and communication purposes via email.
Legal Basis: Common data – Consent of the data subject, pursuant to Article 6(1)(a) of Regulation (EU) 2016/679.
Retention Period: Data will be retained until consent is withdrawn, and in any case in full respect of the legitimate expectations of the data subject, in accordance with the latest provisions of the Data Protection Authority and EDPB Guidelines 5/2020.

Methods of Processing
Personal data are processed using electronic means.

Data Transfer Outside the EU
Personal data are processed exclusively within the European Union.

Recipients of the Processing
Personal data may be shared with service providers strictly related and functional to the activities of the Data Controller, who typically act as data processors pursuant to Article 28 of the GDPR. The complete list can be obtained by contacting the Data Controller at the addresses provided above.

Payments
The App allows users to make payments through external payment service providers, who act as independent data controllers.

  • During the payment process, the user is redirected to platforms managed by the payment providers (PayPal, Google Pay, or banking institutions).
  • The App does not process or store banking data or information related to payment instruments (such as credit card numbers, security codes, or IBANs).
  • Payment providers collect and process the necessary data in accordance with their own privacy policies, which users are encouraged to review at the time of the transaction.

Data Subject Rights – Complaint to the Supervisory Authority

In relation to the processing activities described in this Privacy Policy, as a data subject you may, under the conditions provided for by the GDPR, exercise the rights set out in Articles 15 to 22 of the GDPR and, in particular, the following rights:

  • Right of access – Article 15 GDPR: the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, if so, to gain access to your personal data.
  • Right to rectification – Article 16 GDPR: the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data.
  • Right to erasure (right to be forgotten) – Article 17 GDPR: the right to obtain, without undue delay, the erasure of personal data concerning you. This right does not apply to the extent that processing is necessary for compliance with a legal obligation, for the performance of a task carried out in the public interest, or for the establishment, exercise, or defense of legal claims.
  • Right to restriction of processing – Article 18 GDPR: the right to obtain restriction of processing when:
    a) the data subject contests the accuracy of the personal data;
    b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    c) the personal data are required by the data subject for the establishment, exercise, or defense of legal claims;
    d) the data subject has objected to processing pending the verification of whether the legitimate grounds of the data controller override those of the data subject.
  • Right to data portability – Article 20 GDPR: the right to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance, where the processing is based on consent and carried out by automated means. This right also includes the ability to have your personal data transmitted directly from one controller to another, where technically feasible.
  • Right to object – Article 21 GDPR: the right to object, at any time, to the processing of personal data concerning you when such processing is based on the legitimate interest legal basis, including profiling, unless there are compelling legitimate grounds for the Data Controller to continue the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
  • Right not to be subject to automated decision-making – Article 22 GDPR: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless such processing is necessary for entering into or performing a contract, or you have given your explicit consent. In any case, automated decision-making must not involve your personal data, and you shall have the right at any time to obtain human intervention from the Data Controller, express your point of view, and contest the decision.
  • Right to lodge a complaint with the Data Protection Authority: http://www.garanteprivacy.it
  • Right to withdraw consent: the right to withdraw the consent given at any time and with the same ease with which it was provided, without affecting the lawfulness of the processing based on consent before its withdrawal.

The above rights may be exercised against the Data Controller by using the contact details provided above.
The exercise of your rights as a data subject is free of charge pursuant to Article 12 of the GDPR. However, in the case of manifestly unfounded or excessive requests, including due to their repetitive nature, the Data Controller may charge you a reasonable fee based on the administrative costs incurred to process your request, or may refuse to act on your request.
Lastly, please note that the Data Controller may request additional information necessary to verify the identity of the data subject.