PRIVACY POLICY
Extended information on the processing of personal data pursuant to art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("General Data Protection Regulation - GDPR")
Updated: March 30, 2026
Information and contact details of the data controller
Data Controller
Westport Fuel Systems Italia s.r.l., with registered office at Via La Morra n. 1, 12062, Cherasco (CN), VAT number 00525960043
Contact details of the Data Controller
Tel: 0172 48681 Mail: info.cherasco@wfsinc.com
Contact details of the Data Protection Officer
Westport Fuel Systems Italia srl , as Data Controller of your personal data (hereinafter also “ WFSI srl ” or “ Data Controller ”), informs you, pursuant to articles 12 and 13 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to for brevity as “ GDPR ” ), that your personal data will be processed by specifically authorised persons and limited to the purposes and in the manner specified below.
The GDPR is a regulation aimed at strengthening and unifying data protection for all individuals within the European Union. It requires a high level of transparency regarding how personal data is collected, stored, used, and more generally processed, and imposes strict limits on its use. |
PURPOSE AND OBJECTIVE OF THE PROCESSING
The Data Controller informs the user that it will process, specifically, his/her common personal data, namely name and surname, address of residence/domicile, VAT number, email address, telephone number, identifiers/IP addresses , according to the purposes and methods defined and specified below.
The Data Controller specifies that personal data belonging to special categories pursuant to Art. 9 of the GDPR are not voluntarily collected and, except as provided below , requests the user not to provide such data and/or information from which they could be inferred (for example, in requests or applications) or, in general, to provide personal data that is not strictly necessary.
In particular, the personal data provided to the Data Controller due to interaction with the Site’s features will be processed for the pursuit of the following purposes :
- To follow up on specific requests addressed to the Data Controller by the user through the Site and its communication tools, in particular through the ” Contacts ” form aimed at conveying requests for information of any kind.
- CVs /unsolicited applications by the user through the “ Work with us ” function.
- To ensure the proper functioning of the Site and all related technical features, and to provide users with the best possible browsing and purchasing experience of the services offered on the Site, the Data Controller reserves the right to verify the proper functioning of its services, measure user satisfaction levels, and improve the quality of customer care processes and more effectively train staff responsible for this service. This is done by conducting statistical surveys on aggregate and anonymous data, and by submitting free questionnaires and customer satisfaction surveys to users and subscribers of paid services, making them available on the Site and/or through other methods. Participation in these surveys is always optional.
The data requested only following the user’s optional consent may be used:
- For the sending of commercial communications by the Data Controller using automated tools (e.g., email, SMS, MMS, fax, telephone without an operator, posts on social network accounts) and/or non-automated tools (e.g., sending paper communications), including any subscription to the ” Newsletter ” and participation in surveys and/or market analyses belonging to the Data Controller’s sales network or third parties and/or through the conduct of surveys, including statistical ones, aimed at monitoring needs, market research and/or satisfaction surveys regarding the quality of services provided and the activity carried out through personal or telephone interviews and/or questionnaires.
. The data provided by the user will be processed, including through automatic collection during navigation, for the purposes of verifying and/or controlling access to the Site and/or for the sole purpose of improving its functionality, in order to ensure a better browsing experience.
Regarding the processing of IP addresses, as well as all user browsing data, carried out by the Data Controller for the purposes indicated above, please refer to the Cookie Policy
LEGAL BASIS FOR PROCESSING
The communication by the user to the Data Controller of the personal data specified above has the following legal bases as prerequisites for the lawfulness of the processing , in relation to each purpose indicated above:
- 6, paragraph 1, letters b), c), and f); Art. 9, paragraph 2, letter b) (see point 2) of the GDPR (performance of a contract; fulfillment of a legal obligation; legitimate interest; employment and social security law) for the purposes referred to in points 1 to 3 above.
- 6, paragraph 1, letter a) of the GDPR (consent) for the purposes referred to in point 4 above.
The provision of personal data is therefore necessary for the full fulfillment of the purposes set out in points 1 to 3 above. Consequently, any refusal by the user to provide personal data may result in the Site not being able to provide the aforementioned services and functions, preventing all or part of its functionality.
With specific reference to data belonging to special categories pursuant to Art. 9 of the GDPR, the Data Controller informs that it will process only information strictly relevant and limited to the analysis and assessment of the working capacity referred to in point 2 of the purposes, and based on the tasks and/or specific professional profiles requested, refraining from processing unnecessary sensitive information. In any case, data will be processed in accordance with the principles of lawfulness and fairness and in a manner that fully protects confidentiality.
Providing data is optional for the full fulfillment of the purpose referred to in point 4 above. Therefore, refusal by the user to provide personal data will not prevent the Site from providing the aforementioned services and features, nor will it prevent all or part of its functionality. The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn as easily as it was granted by contacting the Data Controller at privacy.italia@wfsinc.com or dpo.italia@wfsinc.com , or by registered mail to the registered office address indicated above, ” Privacy Office .”
Soft Spam. Pursuant to applicable law (Article 130, paragraph 4, of the Privacy Code), the Data Controller also reserves the right to use the email address provided by the user when purchasing a service and/or product from the Site to offer similar products and/or services to those already purchased. However, if the user does not wish to receive such communications, they may object to this by notifying the Data Controller at any time, writing to the address indicated below or directly using the link provided in the email communications received (so-called ” opt-out “). In this case, the Data Controller will immediately discontinue this activity. The legal basis for sending promotional communications is the data controller’s legitimate interest pursuant to Article 6, paragraph 1, letter f) of the GDPR.
METHOD OF PROCESSING
The processing of personal data provided by the user is carried out through the operations indicated in art. 4, no. 2) of the GDPR, namely: ” collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, communication, erasure and destruction of data .”
The personal data provided by the user will be automatically processed by the Data Controller for the time strictly necessary to achieve the purposes for which they were collected, using technical and organizational methods designed to prevent data loss, unlawful and/or improper use, and unauthorized access. These methods, therefore, ensure a level of security appropriate to the risk pursuant to Art. 32 of the GDPR. This processing will be carried out by specifically authorized persons, in compliance with the provisions of Art. 29 of the GDPR, or by employees and/or collaborators of the Data Controller in their capacity as authorized persons and/or system administrators. These persons may consult, use, process, compare, and perform any other appropriate operations in compliance with the legal provisions necessary to ensure, among other things, the confidentiality and security of the data, as well as the accuracy, updating, and relevance of the data in accordance with the stated purposes and methods.
The personal data provided by the user will be processed only for the purposes and in the manner specified above. Therefore, they will not be disclosed. Pursuant to Art. 13, paragraph 1, letter (e), they may be processed only by authorized persons and/or by any external data processors pursuant to Art. 28 of the GDPR (individual professionals and/or complex professional associations), and/or by entities acting as independent data controllers, including, explicitly, hosting companies and/or technical personnel responsible for managing and/or maintaining the website, but only and exclusively for the purposes expressly and specifically indicated above.
SCOPE OF DATA COMMUNICATION
In relation to the purposes indicated above, the data may be communicated to the following subjects and/or to the categories of subjects indicated below , or may be communicated to companies and/or individuals who provide services, including external ones, on behalf of the Data Controller.
For greater clarity, these include , but are not limited to, entities providing IT and telecommunications network management services (including email and web portal and website management, cloud storage, and hosting services); professionals and consultants, including associates; banks; debt collection agencies; credit insurance companies; legal, administrative, and tax consulting firms; competent authorities and/or supervisory bodies for the fulfillment of legal obligations; entities performing control, auditing, and certification of the activities carried out by the Data Controller, who act as external data processors pursuant to Art. 28 of the GDPR, or independently as entities separate from the Data Controller.
With exclusive reference to browsing data and IP addresses, the Site may share some of the data collected with services located outside of Italy and the European Union. Should this become necessary for any reason, the Data Controller hereby ensures that the data transfer will be carried out in accordance with applicable laws and, in particular, Articles 44, 45, 46, 47, 48, and 49 of the GDPR and other applicable laws.
A plugin with advanced user privacy protection features is installed on the Site. These plugins do not send cookies or access the cookies present on the user’s browser when the page is opened, but only after the plugin is clicked.
The collection and use of information by these third parties are governed by their respective privacy policies, to which we ask you to refer.
- Linkedin https://www.linkedin.com/
DATA RETENTION PERIOD
In compliance with the principles of lawfulness, purpose limitation, retention, and data minimization, pursuant to Article 5 of the GDPR, the retention period for the user’s personal data is established for a period of time no longer than is necessary to achieve the purposes for which they were collected and processed above, or for the entire duration of the aforementioned purposes. Therefore, once the purposes of the processing have been fulfilled, the processed data will be deleted from all physical and electronic media.
Specifically, personal data will be retained for the retention periods required by mandatory laws for administrative and accounting purposes and for the time necessary to fulfill technical and management purposes, except for further periods required by law and/or upon request from public authorities, and/or for legal defense purposes. The retention period will last until consent is revoked and/or the right to object is exercised, and in any case, no longer than 24 months for commercial purposes. The data controller reserves the right, before the expiration of this period, to request the user to renew their consent and/or update their data.
With specific reference to CVs, it is specified that if they do not correspond to profiles of interest to the Data Controller, they will be immediately deleted. If they are of potential current or future interest to the Data Controller, they will be retained for a maximum of 1 (one) year from receipt, within which period the Data Controller can evaluate the applications and select personnel. Once this specific processing purpose has been fulfilled, in the event of a negative outcome of the selection process, your data will be deleted from all physical and electronic media.
AUTOMATED DECISION-MAKING AND PROFILING
The Data Controller informs the user that, for the purposes of processing personal data, it does not use automated decision-making processes, i.e., those aimed at making decisions based solely on technological means according to predetermined criteria (i.e., without human involvement), nor does it perform profiling activities, i.e., those aimed at using your personal data to analyze or predict aspects concerning your professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements, etc.
RIGHTS OF THE DATA SUBJECT
Right of Access pursuant to Article 15 and Right of Rectification pursuant to Article 16 of the GDPR
As a data subject, pursuant to Art. 15 of the GDPR, the user has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, to obtain access to the data and to all the information referred to in the same Art. 15, paragraph 1, letters (a) to (h), by providing a copy of the data undergoing processing in a structured, commonly used, machine-readable, and interoperable format.
Pursuant to Article 16 of the GDPR, the user also has the right to obtain from the Data Controller the rectification and/or integration of the data being processed if it is out of date and/or inaccurate and/or incomplete.
Right to erasure pursuant to Article 17 and Right to restriction of processing pursuant to Article 18 of the GDPR
As a data subject, the user has the right to obtain the erasure of data concerning him or her, exclusively in the cases referred to in Article 17, paragraph 1, letters (a) to (f), of the GDPR—with the exception of the cases specifically provided for in Article 17, paragraph 3.
As a data subject, pursuant to Art. 18, paragraph 1, letters (a) to (d), of the GDPR, the user has the right to request and obtain from the Data Controller restriction of the processing of their personal data, meaning that such data will not be subjected to further processing and will no longer be subject to modification. The Data Controller ensures that the restriction of processing is implemented using appropriate technical devices that guarantee their inaccessibility and unalterability.
Right to data portability pursuant to art. 20 of the GDPR
As a data subject, pursuant to Art. 20 of the GDPR, the user has the right to receive from the Data Controller the personal data concerning him or her, processed by automated means, in a structured, commonly used, and machine-readable format. The user also has the right to transmit such data to another data controller or, where technically feasible, to obtain from the Data Controller the direct transmission of such data to another specifically identified data controller.
Right to object to processing pursuant to art. 21 of the GDPR
The user has the right to object at any time, for reasons relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6, paragraph 1, letters e) and f), including profiling, based on those provisions. The Data Controller will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
Where personal data are processed for direct marketing purposes, the user has the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing.
If the user objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
HOW TO EXERCISE THE ABOVE RIGHTS
The user may exercise the rights listed above by sending a request by email to privacy.italia@wfsinc.com or dpo.italia@wfsinc.com or by registered mail to the indicated address of the registered office, ca “ Privacy Office ”.
The Data Controller will confirm receipt of the request and provide information regarding the action taken, with reference to the exercise of your rights under Articles 15 to 22 of the GDPR, within one (1) month of receiving the request. If necessary, and given the complexity and number of requests, the Data Controller may extend this period by two (2) months, upon reasoned communication to be sent within one (1) month of receiving the request.
The Data Controller will communicate any rectification, erasure, limitation, or objection to all recipients, as identified in Article 4, paragraph 1, no. 9 of the GDPR, to whom such data has been transmitted, unless this proves impossible and/or involves a disproportionate effort.
Following the user’s submission of a request for rectification, deletion, limitation, or objection, if the Data Controller has reasonable doubts regarding the user’s identity, he or she will request further information to confirm it. These communications will be sent via email from the aforementioned address and will be processed by the person specifically authorized for this purpose.
Finally, please remember that you have the right to lodge a complaint with the Supervisory Authority (the “Italian Data Protection Authority”), as specified in Article 13, paragraph 2, letter (d) and governed by Articles 77 et seq. of the GDPR and 141 et seq. of Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.