Information on the processing of personal data pursuant to and for the purposes of Article 13 of EU Regulation 2016/679 (hereinafter “GDPR”).

Version 2 of 01.05.2020

ARTICLE 1- Data processed
The company SWAG OÜ, with registered office in Harju Maakond, Tallin – Mustamae linnaosa – Laki, tn 30-23, 12915, Estonia, in the person of the Managing Director P.T. (hereinafter referred to as “DATA CONTROLLER” or “Company”) informs you, pursuant to art. 13 EU Regulation 2016/679 which collects among your data, inter alia, (a) the Contact Data such as the billing address,(fiscal code in Italy), the address of residence and shipping address of the Services, e-mail and telephone numbers; (b) Financial data of transactions that include the bank account number in your name, credit card details, your eWallet account, your tax returns; (c) Technical browsing data including IP address, log-in, types and versions of “plug in” Browser, operating system, domain name and web addresses from which the Company’s website is accessed; (d) Profile information including your identification document (passport and/or ID card), proof of address, username, preferences, feedback, and survey responses provided by you and your facial image for the purpose of processing withdrawal requests; (e) Usage data that includes information on how you use the Company’s website and its services. (f) Marketing and communication data that includes your preferences regarding the receiving of commercial communications from the Company and third parties as well as your preferences regarding the channels for sending such communications. (g) Aggregate data, such as statistical and demographic data. (i) Information on transactions, carried out on our services such as the name of the beneficiary, the amount, the account statement. The Company points out that not all the data listed above can be subsumed in the Personal Data, when they do not reveal either directly or indirectly your identity.

ARTICLE 2- Purpose of the processing and period of retention of Personal Data
Your Personal Data will be processed in the manner and for the purposes related to the conclusion, management and execution of the general conditions of contract to fulfil the purposes set out below..

Purpose of the processing Legal basis for the processing Data retention period
A) for mere pre-contractual purposes such as navigation and access to the website owned by the Company, for the creation of your profile and for the opening of your User Account ex art.6 par. 1 lett. b) of GDPR 10 years after withdrawal/resolution
B) fulfilment of contractual and fiscal obligations arising from the performance of the general terms and conditions of contracts in particular:
– processing of orders to supply services;
– In exercising the Company’s rights (i.e. defence in
court);
– drafting of the reports relating to the accounting of
commissions and bonuses of Promoter/Digital
Franchisees and related upline, in compliance with
the related legislative requirements and/or related to
statutory and accounting regulations;
– cooperation in the case of investigations and/or
inquiries by the competent authorities, including
those relating to public security.
– planning of meetings and training events.
Art. 6 par. 1 lett. c) of GDPR 10 years after withdrawal/resolution
C) in regard to IP addresses, geolocation
techniques, the collection of Financial Data from
transactions, for the purpose of fulfilling the
regulatory obligations of complete and formal
identification of Account holders (in order to fulfil the
obligations prescribed by anti-money laundering
legislation) and the prevention of fraudulent and
illegal activities
Art. 6 par. 1 lett. c) of GDPR 10 years after withdrawal/resolution
D) for the following marketing purposes: to
respond to the request for information sent after
filling in the registration form to send you
information material and to use the services
connected to the Platform, to send you e-mails,
mail, sms, newsletters, commercial
communications and advertising and promotional
material on the services offered by the Company
and to measure the level of satisfaction with the
quality of services
Art. 6 par. 1 lett. a) of GDPR 2 years from registration until opposition
E) to send you e-mail, mail, sms, commercial and
promotional communications from third parties such
as Service Providers (ewallet providers, exchange
providers, banks, etc.).
Art. 6 par. 1 lett a) of GDPR 2 years from registration until opposition

ARTICLE 3- Purpose of the processing and transmission of data
The Company processes the Personal Data communicated by you when signing the general conditions of contract, for the provision of Services. Failure to provide the data for purposes A), B) and C) will make it impossible to use the services described. The provision of data for purposes D) and E) is optional. Failure to provide consent will prevent you from receiving communications, newsletters, commercial communications and advertising material relating to the services offered by the Data
Controller and Third Parties, but will not cause any prejudice for the other purposes.

ARTICLE 4- Modes of processing
Personal Data will be processed electronically and automatically and entered into the relevant databases to which the data processors and external data processors may have access, and will be processed electronically in compliance with the security measures provided for by law aimed at ensuring protection against possible unauthorized access in order to exclude or reduce the risks of loss or destruction, even accidental, and their unlawful use. The processing may also be carried out by third parties who provide specific processing, administrative or instrumental services necessary to achieve the above purposes. All data processing operations are carried out in such a way as to guarantee the integrity, confidentiality and availability of personal data.

ARTICLE 5- Transfer of Personal Data
Your data may be transferred:
a) to employees, collaborators and system administrators of the Data Controller and of the Group Companies, associated and/or affiliated, in Italy and abroad, who need access to your Personal Data in the performance of their duties and in order to comply with the obligations provided for by the laws and regulations in force;
b) to employees, collaborators and/or system administrators of third parties who outsource CRM services on behalf of the Data Controller;
c) to agents, consultants, professional firms, suppliers, accountants or lawyers who offer the Data Controller and/or its associated and affiliated companies, shipping, accounting, payment processing, fraud prevention, administrative, marketing, promotional, printing services, Electronic Money Institutions (IMEL), Prepaid Card Issuing Institutions, Banking Institutions, Financial Institutions, distribution centres, auditors, trustees and insurance companies.
d) Promoter and Digital Franchisee to access its information in order to monitor commercial development and to account for commissions
(e) public security and/or supervisory authorities, tax and revenue authorities, regulatory authorities and other public offices (including municipal offices and security authorities).
f) To any assignees in case of sale, merger, change of control, sale of company assets, restructuring and liquidation of the Company.

ARTICLE 6- Scope of communication and dissemination of data
In relation to the purposes indicated in point C of article 2 of this statement and without your express consent, the Data Controller may communicate your personal data to the Tax Authorities and the Judicial Police in compliance with the regulations in force, and only for uses permitted by law or in fulfilment of regulatory obligations. The subjects belonging to the above-mentioned categories will operate in total autonomy as separate Data Controllers.

ARTICLE 7- Data transfer to a third country and/or an international organisation
The personal data provided are stored on servers located within the European Union at the Company’s data centre. As part of the contractual relations between the Company and its subsidiaries, as well as between the subsidiaries themselves, your personal data may not be transferred outside the EU, including by entering them in databases shared and managed by third companies whether or not they are part of the Data Controller’s control perimeter. The management of the database and the processing of such data are bound to the purposes for which they have been collected and are carried out in full compliance with the standards of confidentiality and security set out in the applicable laws on the protection of personal data..

Article 8 – Rights of the data subject – complaint Supervisory authority
As a data subject, you are entitled to the following rights regarding the personal data collected and processed by the Data Controller and in particular
a) Revoke the consent to the processing of your Personal Data previously expressed at any time;
b) Oppose the processing of your Data when it is done on a legal basis other than consent.
c) Access to their own Data, requesting information on the Data processed by the Company, on certain aspects of the Processing and to receive a copy of the Data processed.
d) Verify the correctness of their Data and ask for rectification, updating or correction;
e) Obtain the limitation of the Data processing. In this case, the Data Controller will not process the Data for any other purpose than their storage;
f) Obtain the cancellation or removal of their Personal Data, when the conditions set forth in art. 17 GDPR are met.
g) Receive your Data in a structured format, of common use and readable by automatic device and where compatible with technological implementations, to obtain their transfer to another Data Controller.
h) Submit a complaint to the Guarantor for the Protection of Personal Data, without prejudice to any other administrative and judicial recourse, if it considers that the processing of the Data violates the provisions of article 15 letter f) of GDPR.
Your personal data are stored in the Data Controller’s databases and will be processed exclusively by authorized personnel. The latter will be provided with specific instructions on the methods and purposes of processing. Such data will also not be communicated to third parties, except as provided for above and, in any case, within the limits indicated therein.
Finally, we remind you that your personal data will not be disclosed, except in the cases described above and/or provided for by law.

Article 9- Procedures for the exercise of rights
As interested party, you may exercise at any time the rights set forth in art. 8 of this information notice by sending an e-mail to [email protected].

Article 10- Amendment of Privacy Policy
The Data Controller reserves the right to modify, update, add or remove parts of this privacy policy at its own discretion and at any time. In order to facilitate such verification, the policy will contain in epigraph the indication of the date of update.

Article 11- Data Controller, Data Protection Officer and Data Processors
The Data Controller is SWAG OÜ, with registered and administrative office in Harju Maakond, Tallin – Mustamae linnaosa – Laki, tn 30-23, 12915, Estonia registered in the Tallin Company Register under number 14762080;
The DATA PROTECTION RESPONSIBLE (RPD/DPO- DATA PROTECTION OFFICER) is domiciled for the position at the Legal and Administrative Office of the Data Controller in Estonia, Harju Maakond, Tallin – Mustamae linnaosa – Laki, tn 30-23, 12915 and can be found at [email protected].
The list of Data Processors is constantly updated and made available at the Company’s registered office.