INTERESTED PARTIES / END CUSTOMERS POLICY FOR THE META TRAK SERVICE

PURSUANT TO EU REG. NO. 2016/679 ("GDPR")

IDENTITY AND THE CONTACT DETAILS OF THE CONTROLLER

QTE S.r.l. located in via Meuccio Ruini 10, 42124 Reggio Emilia, tax code and VAT number

02650440353 (hereafter “QTE”)

CONTACT DETAILS OF THE DATA PROTECTION OFFICER

Communications with the DPO are confidential and must be addressed to:

dpo@qtelematics.eu, or to QTE S.r.l., via Meuccio Ruini 10, 42124 Reggio Emilia, at

support@qtelematics.eu c.a. DPO

TYPES OF DATA, PURPOSE OF THE PROCESSING

Types of data processed:

• identification data: name, surname, tax code, etc.

• contact details: telephone number, e-mail, address, etc.

• bank details: IBAN, credit card number, etc.

• other personal data: Vehicle plate

• geolocation data: data relating to the location and location of the vehicle

For the following purposes:

a) Establishment, execution of the contract for the chosen service and sending e-mail of

commercial communications in the context of the contractual relationship (known as

“soft-spam”)

b) Fulfil obligations under applicable regulations and legislation

c) If necessary, to ascertain, exercise or defend the rights of the owner in court or out

of court

d) Marketing: e.g. SMS and e-mails, telephone calls with operator and traditional mail

for promotional and commercial proposals relating to services / products offered by

the Company or reporting of corporate events, as well as carrying out market studies

and statistical analyzes, also through the reference dealer

LEGAL BASIS AND PROCESSING METHODS

The legal bases of the applicable processing identified by the GDPR are:

• Execution of a contract to which you are a part (eg provision of the service,

communication of access credentials)

• Need to fulfil legal obligations

• Legitimate interests pursued by the controller or by a third party for easier

management of the work activity (eg communication with the customer through

contact details for information on the status of the service, imminent expiry of the

contract, management of the service in general)

• Optional and revocable consent at any time without prejudice to you also in relation

to the treatments based on the consent given before the revocation

DATA RETENTION OR THE CRITERIA FOLLOWED TO ESTABLISH SUCH PERIOD The

data retention period is:

• 10 years after the termination of the contract for administrative and accounting data

in compliance with the legal obligation that requires retention

• the number of months established in the contract with the Customer for geolocation

data, and for a further 30 days after the conclusion of the contract

• In the event of a dispute for the duration of the dispute and for the terms of appeal

• For marketing purposes: until recession by the subscriber

Once the aforementioned storage terms have elapsed, the data will be destroyed,

deleted or made anonymous, compatibly with the state of the art and implementation

costs.

OBLIGATION TO PROVIDE DATA

The provision of data for the purposes referred to in letters a), b) and c) above are

mandatory. In case of failure to provide data, it will not be possible to proceed with the

contractual relationship.

THIRD PARTIES ADDRESSED TO THE DATA

The data can be transmitted to subjects other than the Data Controller, also autonomous

Data Controllers.

The data can also be transmitted to subjects who process them on behalf of the Data

Controller as Data Processors on the basis of a legally binding agreement to protect data

protection.

Categories of subjects, e.g.

a) IT providers (e.g. data back-up services, e-mail, WEB / cloud computing, hosting,

network monitoring, e-mail sending, website maintenance, etc.)

b) consultants (e.g. payroll, competent doctor, workplace safety, professionals, etc.)

c) supervisory and control authorities, public or private subjects who have the right to

request data

TSP / DEALER with which the Customer of the META TRAK service signs the contract for the

service is a data processor.

SUBJECTS AUTHORIZED TO PROCESSING DATA

The data may be processed by workers in relation to their job, expressly authorized and

adequately instructed in the processing.

TRANSFER OF DATA TO THIRD COUNTRIES (EXTRA EU / EEA)

Personal data will be processed on servers located within the European Union.

In any case, it is understood that the Data Controller, if necessary, will have the right to

transfer these data abroad to non-European countries.

In this case, the Data Controller ensures as of now that the transfer of non-EU data will take

place in accordance with the applicable legal provisions.

Specifically, the data will be transferred abroad to non-European countries, only if the level

of data protection of the Third Country has been deemed adequate by the European

Commission pursuant to art. 45 of the GDPR or after the adoption of adequate guarantees

pursuant to art. 46, 2, lett. c) and d) GDPR (binding corporate clauses, standard contractual

clauses, code of conduct, certification mechanism).

In the absence of an adequacy decision, the transfer of data can be carried out in the

presence of one of the derogations provided for by art. 49 of the GDPR (e.g. consent,

transfer necessary for contractual or pre-contractual purposes in relation to a contract

entered into with the interested party or in his favor, ascertainment, exercise or defense of

a right in court, etc.).

DATA SUBJECT'S RIGHTS AND COMPLAINTS TO THE SUPERVISORY AUTHORITY

Data subjects have the following rights:

a. access, for:

• knowing if a data processing is in progress, for what purposes, on which data,

recipients or categories of recipients to whom the personal data have been or

will be communicated, when possible, the retention period of the personal

data provided or, if it is not possible, the criteria used to determine this

period, what the rights of the interested party are, information on their origin,

if an automated decision-making process is in progress, including profiling (at

least in such cases with significant information on the logic used, importance

and consequences of this process), what are the appropriate guarantees if the

data is transferred to a third country

• obtain a copy of the personal data being processed without affecting the

rights and freedoms of others

b. correction of incorrect data and integration taking into account the purposes of the

processing,

c. cancellation in the following cases: a) personal data are no longer necessary with

respect to the purposes for which they were collected or otherwise processed; b) the

interested party revokes consent if there is no other legal basis for the processing; c)

the interested party opposes the processing in the absence of prevailing contrary

rights or obligations; d) personal data have been unlawfully processed; e) there is a

legal obligation in this sense for the Data Controller f) personal data have been

collected in relation to the offer of services on the internet

d. limitation to the processing for disputing the accuracy of the data, for illegal because

excessive treatment, for the assessment, exercise or defense of a right in court

(even if the Controller no longer needs the data), in the event of opposition (pending

verification of the existence of this right in practice)

e. opposition (in the case of processing necessary for the execution of a public interest

task or for the legitimate interest of the Data Controller, including profiling) for

reasons related to the particular situation of the interested party, except for the

prevalence of other public interest rights or obligations of law

f. opposition to the receipt of commercial communications with automated methods (e-

mail, etc.) for treatment for direct marketing purposes, including profiling

g. portability of data in common and interoperable electronic format, also directly to

another Operator if technically possible, in case of treatment with automated tools

In the cases referred to the letters b), c) and d), the data controller informs each of the

recipients which personal data have been transmitted of any corrections or cancellations or

the processing of changes unless this proves impossible or involves a disproportionate

effort.

For the exercise of his rights, the interested party can contact the Data Controller through

the contacts indicated in this statement.

Data subjects have the right to lodge a complaint with the Competent Control Authority in

the Member State in which they habitually reside or managed or in the State in which the

alleged regulation is verified.

SOURCE FROM WHICH THE PERSONAL DATA ORIGINATE

Personal data are collected from the interested party by the TSP / DEALER / INSTALLER and

entered on the META TRAK portal.

GEOLOCALIZATION DATA

The processing of these Data is necessary for the performance of a contract to which the

data subject is party or in order to take steps at the request of the data subject prior to

entering into a contract.

HAVING READ THE POLICY

□ I declare that I have received and read the Privacy Policy.

PROVISION OF CONSENT OF THE AFFECTED PARTY

□ Having read the above Privacy Policy, aware that my consent is purely optional, as well

as revocable at any time, I consent to the processing of my data by the Data Controller for

the marketing purposes indicated above: sending commercial / promotional

communications, through automated contact methods (such as SMS or MMS) and traditional

(e.g. phone calls with operator and traditional mail) on their products and services,

reporting of corporate events, detection of the degree of customer satisfaction, as well as

implementation of market research and statistical analysis.

LAST UPDATED: MAY 2023