Privacy Policy

As required by the UK General Data Protection Regulation, as incorporated into the law of the United Kingdom under the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (“UK GDPR”), RH3OVA (the “Company” or the “Controller”) hereby provides the following information regarding the processing of personal data (“Data” or “Personal Data”) carried out in connection with the browsing of the website www.rh3ova.com (the "Website") and the use of the services offered therein (the "Services").

  1. Data Controller
  2. The Data Controller is RH3OVA, with registered office at Eni House, 10 Ebury Bridge Road, London, England, SW1W 8PZ, United Kingdom.

  3. Personal Data processed
  4. Personal Data processed are:

    • browsing and technical Data (e.g., IP address, information on devices used, etc.) collected during the use of the Website;
  5. Purposes and legal basis of processing
  6. Browsing data
    Personal Data are processed for the following purposes:

    1. legal purposes – processing necessary for compliance with a legal obligation (Art. 6(1)(c) UK GDPR);

      Data may be processed where necessary to comply with obligations arising from laws and/or to handle requests from competent authorities.

      Due to the mandatory nature of providing Data for the above purpose, failure to provide such Data will make it impossible to access and receive the requested Website Services.

    2. contractual purposes – processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) UK GDPR);

      Data will be processed, including through technical Cookies, to enable the use of the Website and the provision of the requested Services, as well as enabling the Controller to manage the website for operational and technical reasons and to ensure its cybersecurity.

      Due to the mandatory nature of providing Data for the above purpose, failure to provide such Data will make it impossible to access and receive the requested Website Services.

    3. Additional purposes – processing necessary for the purposes of the legitimate interests pursued by the Controller or third parties (Art. 6(1)(f) UK GDPR)

      Data may also be processed:

      • in the context of extraordinary transactions such as mergers, transfers or sales of business units, in order to carry out due diligence activities, based on the Controller's legitimate interest in the continuation of its business activities;
      • to establish, exercise or defend a right of the Controller or a third party in judicial and/or out-of-court proceedings, as well as for related preparatory activities, based on the legitimate interest of the Controller and/or third parties in protecting their rights.

      Due to the mandatory nature of providing Data for the above purpose, failure to provide such Data will make it impossible to access and receive the requested Website Services.

  7. Means of the processing
  8. The processing of Personal Data may also be carried out by electronic or automated means, using tools suitable to ensure their security and confidentiality, and will include any operation or set of operations necessary for such processing.

  9. Persons authorised to process and recipients of Personal Data
  10. For the purposes indicated in paragraph 4 above, Personal Data are processed by personnel authorized by the Controller. In addition, the Controller may disclose Personal Data, where required or permitted by law, to competent authorities and to the following categories of recipients, solely for the purposes indicated in paragraph 4 above:

    • companies participating in the Controller JV and their respective subsidiaries;
    • companies providing IT services to the Controller, including development, management and technical support of the Website;
    • web measurement service providers (web traffic analytics);
    • professional and advisory firms engaged in connection with ordinary business and litigation.

    Such recipients may act, depending on the case, as data processors (and in such case will receive appropriate instructions from the Controller) or as independent data controllers. In any case, Personal Data will not be disseminated, unless required by law.

  11. Transfer of Personal Data outside the European Economic Area
  12. Where this serves the purposes described in paragraph 4, Personal Data might also be transferred to a third country. The processing of such data shall be bound to the purposes for which the data was collected and take place in complete compliance with the standards of confidentiality and security pursuant to applicable personal data protection laws. Each time Personal Data is transferred internationally, the Data Controller will take all contractual measures suitable and necessary to guarantee a suitable level of protection of the personal data, in accordance with that specified in this personal data processing disclosure.

  13. Data retention period
  14. Personal Data will be stored in the Controller’s IT systems and protected by appropriate security measures for the time necessary to achieve the purposes set out in paragraph 4, after which they will be deleted. Personal Data may be retained for a longer period in the event of disputes, requests from competent authorities, or where required by applicable law.

  15. Data subjects’ rights
  16. Where applicable, and within the limits set by the UK GDPR, data subjects are entitled to:

    • obtain confirmation from the Data Controller as to whether or not their Personal Data are being processed, and, where that is the case, access to the information listed in article 15 UK GDPR;
    • obtain from the Data Controller the rectification of inaccurate Personal Data, or, taking into account the purposes of the processing, have incomplete Personal Data completed in accordance with article 16 UK GDPR;
    • obtain from the Data Controller the erasure of Personal Data, where one of the grounds listed in article 17 UK GDPR applies;
    • obtain from the Data Controller the restriction of processing of Personal Data in the cases listed in article 18 UK GDPR;
    • receive - in a structured, commonly used and machine-readable format - the Personal Data provided to the Data Controller, so that the Data Subject may transmit those data to another data controller without hindrance, in accordance with article 20 UK GDPR;
    • object to the processing of their Personal Data on the basis of their particular situation, unless there are compelling legitimate grounds for the processing that override their interests, rights and freedoms or compelling legitimate grounds for the establishment, exercise or defence of legal claims, in accordance with article 21 UK GDPR.
    • withdraw any consent given, without affecting the lawfulness of processing based on consent before its withdrawal.

    These rights may be exercised by emailing the following address info@rh3ova.com.

    Without prejudice to their right to initiate other administrative or judicial proceedings, data subjects also have the right to lodge a complaint with the competent supervisory authority if they believe that there has been a breach of their rights with regard to the protection of their Personal Data