Pluria User App (the Policy)
(2) We have set up and are operating Pluria Platform where Clients (employers/contractors of Users) can access Pluria Services, also to the benefit of the Users (Clients’ employees/contractors). You will be prompted about this Policy when you download Pluria User App in order to use it for reserving/cancelling Spaces signalled as available in Pluria Platform and accessing them during the booked time frame.
(3) Effective access to/engagement with Pluria Services is ensured through Pluria User App, while for providing Pluria Services/functionalities of Pluria User App and Pluria Platform, it is necessary for Pluria to collect and process your personal data. When Pluria decides the categories of personal data it processes, as well as the purposes and means of personal data processing, Pluria acts as data controller. With respect to certain processing operations, Pluria acts also as a data processor, or joint controller.
(4) This Policy applies to the processing of personal data of data subjects in EU/EES (the EES countries being the UE countries, plus Switzerland, Iceland, Liechtenstein and Norway – considered to have equivalent laws with respect to privacy law), ensured by/through the Pluria User App and/or Pluria Platform, with respect to which Pluria acts as data controller, in accordance with GDPR. In case you do not agree with any of the terms regarding the processing of your personal data, please contact us for further clarifications or do not access/use the Pluria User App/Pluria Platform.
(5) You may contact us at:
Address: 838 Walker Rd Suite 21-2, Dover, DE 19904
E-mail: [email protected]
2. General overview on personal data processing by Pluria user app
(1) Personal data is any data/information that helps us identify data subjects (Users). There is data that enables us to directly identify you (e.g. name and surname), while processing of other information leads to your indirect identification (e.g. IP of your Device) – both are categories of personal data.
(2) By this Policy, we inform you on:
Categories of personal data we process;
Why and how we process your personal data;
What is the legal basis/ground for our personal data processing;
How we retain your personal data and for what duration;
Whom we share your personal data with;
Your rights regarding personal data processing.
(3) Data processing by Pluria within the scope of your use of our Pluria User App / (indirect use of Pluria Platform)/Pluria Services can be divided into the following categories:
When you download our app, the necessary data is transmitted to the respective application store (i.e.Google Play for Android, respectively Apple App Store for iOS);
When your Account on Pluria Platform / Pluria User App is set-up;
To allow you to use the features/functionalities of Pluria User App /access Pluria Services, e.g. to find Spaces in your vicinity, our Pluria User App requires access to location function on your Device in order to deliver the functionalities your request through the Pluria User App;
When you use our Pluria User App /access Pluria Services, data will be exchanged between your Device and our server. This may also be personal data. Data collected in this way can for instance be used in order to enable Space reservation/cancelling, to correctly assign your Space reservation so you can access the Space in the reserved time frame, to correctly allocate your usage of the Space in accordance with the contractual arrangement between Pluria and the Client (e.g. your employer).
(4) Nevertheless, although mobile devices on which Pluria User App is downloaded tend to have personal data related to other individuals (than the User) stored on them, such as contact details, private communications and pictures of third parties, Pluria undertakes not to collect such data from Users and/or share such third-party personal data with Users, for further processing.
(5) Pluria, as Pluria User App’s both provider and developer, undertakes to use User’s data for the specific purposes that the data subjects have been made aware of, and for no other(s), without further consent from Users. Also, we process the minimum amount of data for specific processing, while at the same time we ensure that the security requirements of the personal data and the processing systems are met (e.g. integrity and confidentiality, as well as availability and resilience).
(6) The provisions of this Policy apply with priority against the contrary provisions in other terms issued by Pluria.
(7) User’s benefitting from the functionalities of Pluria User App is dependent on the existence of the contractual arrangement between Pluria and Client (the legal entity ensuring the provision of our specific services to your direct benefit, acting as your employer/contractor).
(9) User hereby understands that their employer (Client) does not transfer to Pluria the Client’s own responsibilities and obligations with regard to Client’s relationship with Users (e.g. responsibilities under employment relationship relating to tracking start times and end times of the work schedule, obligations relating to tracking User’s working time based on the work relationship with the Client).
(10) User may engage with Pluria User App and its functionalities by observing their obligations in accordance with T&C Pluria App.
3. Categories of Data Subjects
(1) Data subjects for which personal data processing provisions herein apply are the Users of Pluria User App, as defined in accordance with the terms of this Policy and with T&C Pluria App.
(2) Pluria User App is not addressed to, nor designed for, people under 18 years old. Pluria does not intend to process personal data of persons under 18 years old; our Pluria User App and related Pluria Services are not intended to be used by persons of age under 18 years, therefore if you are under 18 years old, do not download and/or use Pluria User App.
4. Processed Data / Purposes Of Processing / Personal Data Processing Legal Basis / Recipients
|Personal data we process / retention periods
|Purposes of processing and legal basis
|Recipients (with whom we share your data)
|Work email address, mobile phone number, company (Client) name, firstname and lastname, Pluria User App ID (unique code granted by Pluria)
|User’s completing Account registration flow*; To create Freshworks user account** Legal basis: art. 6 paragraph 1 letter b) of GDPR
|Freshworks Inc. (https://www.freshworks.com) Freshworks is a data processor bound by a DPA with Pluria. Any data that Freshdesk processes as Pluria data processor will be stored in the EU.
|Work email address Pluria User App ID
|User’s authentication in Pluria User App; Pluria sending via e-mail validation code; Legal basis: art. 6 paragraph 1 letter b) of GDPR
|The Rocket Science Group LLC, operating Mailchimp (https://mailchimp.com/legal/privacy/) Mailchimp is an online marketing platform. Mailchimp acts as Pluria data processor and undertakes, under formal agreement (including a DPA), to ensure protection, in case of transfers, of EU, UK, and Swiss data, in compliance with the Privacy Shield Principles, but also with the SCCs(https://mailchimp.com/help/mailchimp-european-data-transfers/) Mailchimp does not sell, rent, or trade user data.
|Without any action on your part, we transmit to our servers the following data: • the Device from which you start User Pluria App; • the IP address of your Device; • the date and time of access into Pluria Platform via Pluria User App; • you request for access; • the HTTP response code; • the amount of data transferred and • the app version you are using. Retention period – we temporarily store this information in a so-called log file on our servers.
|Protection of Pluria Platform and of our systems, troubleshooting, prevention of abusive or fraudulent behaviour. Legal basis: art. 6 paragraph 1 letter f) of GDPR. Our legitimate interest follows from the above-listed purposes of data processing.
|Review/ recommendation/ booking/ contacting Pluria
|Depending on the category of your query (query, reviews, ratings, etc.) and information you provide to us: • Personal details • email address • Company-employer • Your message/review/ recommendation/bookings/ cancellation of reservation, the details of the reserved Space, your opinion/review/rating/ message/recommendation regarding the Space/provision of Pluria Services/Pluria User App. Retention period – data associated with your person is retained only until we solve/close your query/provide the requested service (e.g.Space booking/cancellation). Should any excessive or irrelevant information be received from you (e.g. via “Contact Pluria”), it will be deleted upon receipt and where possible will redirect you to the correct avenue to handle such a query.
|Delivery of functionalities of Pluria User App; customer relations Legal basis: – art. 6 paragraph 1 letter b) of GDPR, – art. 6 paragraph 1 letter f) of GDPR. Our legitimate interest follows from the above-listed purpose of data processing.
|Location data (from the Device)
|Location data (GPS Coordinates from the Device) – not stored on server (collected by Pluria via Google & Apple Maps services) Retention period – data is not stored on Pluria server.
|To show your location on the Spaces Map and offer the User navigation directions. Identifying available Space within proximity/vicinity of the User. Legal basis: – art. 6 paragraph 1 letter a) of GDPR – User consent. Only if User consents to the “so-called” geo-localisation when using our Pluria User App or in the settings of your Device via the “Allow permission” dialogue/prompt for location access, asking permission for your Device to share that information with Pluria User App, the location-function is activated and Pluria collects the GPS-location information from the Device.
|Check-in & Check-out
|Location data (GPS Coordinates from the Device), timestamp in the moment of check-in and check-out (collected by Pluria via Google & Apple Maps services) After turning off location data collection, this data is retained on Pluria server only as anonymised data, for service/business improvement.
|To create a real time bookings/cancellation/management in Pluria Platform. Delivery of GPS-based functionalities of Pluria User App. Pluria Services improvement. Legal basis: – art. 6 paragraph 1 letter a) of GDPR – User consent; – art. 6 paragraph 1 letter f) of GDPR – our legitimate interest.
|Your employer (the Client) – it is necessary to make available to your employer data on your reservations/cancellations (check-in/check-out) for proper invoicing of Pluria Services; Our Partners (providers of Spaces) – it is necessary to make available to Partners operating the Space the fact that you want to access/exit, data on your bookings/cancellations (check-in/check-out) in their Space, for ensuring your access into the Space and use of facilities/accessory services therein (e.g. menu for Pluria App Users).
|Full name, work email address, mobile phone number, company (Client) name, Pluria User App ID Retention period: as long as Pluria has your consent (until you revoke your consent).
|To send you marketing (commercial) communication on latest promotions, special campaigns, news, as well as satisfaction surveys messages, on channel you indicate: work email address, SMS and/or phone Legal basis: – art. 6 paragraph 1 letter a) of GDPR – User consent.
|Pluria processors involved in sending the commercial communication: – SMS Highway (based in EU); – The Rocket Science Group LLC, operating Mailchimp (https://mailchimp.com/legal/privacy/), Hubspot (https://legal.hubspot.com/privacy-policy)
|Reporting / procedures and investigations of competent authorities
|Full name, e-mail address, telephone number, elements on the use of Pluria User App (bookings for Spaces) may be contained in documentation we may be obliged by law to provide to relevant authorities in case of investigations conducted in accordance with the law.
|Compliance with our legal obligations. Legal basis: – art. 6 paragraph 1 letter c) GDPR.
|Competent authorities, in accordance with the law
|Audit and improvement of business model
|Full name, e-mail address, telephone number, elements on the use of Pluria User App (bookings for Spaces)
|Annual financial audit, reporting and other fiscal obligations and for generating reports aimed at improving our business model Legal basis: – art. 6 paragraph 1 letter c) GDPR; art. 6 paragraph 1 letter f) of GDPR.
|Competent bodies/authorities, in accordance with the law
|Protecting our rights
|Full name, work e-mail address, telephone number, elements on the use of Pluria User App (e.g. reservations for Spaces) may be contained in documentation we may need to present in court / before relevant authorities to protect our legitimate interests
|Establishment, exercise and/or defence of our legal claims Legal basis: our legitimate interest for the establishment, exercise or defence of legal claims
|Competent authorities/courts/arbitrage courts, in accordance with the law
|Operating system, mobile device type, IP address, accessed features, errors, unique device identifier
|This information is collected anonymously for statistical and product improvement purposes (E.g.: to find out what was the most used features; to find out a bug and provide a fix as soon as possible). Legal basis: – art. 6 paragraph 1 letter f) of GDPR – our legitimate interest.
|Other Third Parties (Eg: Google Analytics, Facebook Analytics, HubSpot, Crashlytics, Cloudflare, Linode (hosting), Google for dealing with emails sent at @pluria.co).
*The set-up of your Account for Pluria User App is made by Pluria further to its direct contractual relationship with the Client. Based on such contract, we receive from the Client, via encrypted and safe connection, your office (work) e-mail address (and, indirectly, your name and surname) and the empowerment to set up your User Account in Pluria Platform/Pluria User App. Once the Account is set-up, further to downloading Pluria User App on your Device, we send you an email where we ask you, for validation purposes, to enter the code we send on your (work) e-mail address for which the Account was set up (if you do not enter the verification code, you cannot use Pluria User App/your Account); verification codes are similarly sent to you every time you login into your Account. We may use, in accordance with GDPR, a third-party processor for sending you the e-mails with the code for verification. Once profile is completed by User in User Account, the User data in „My Account” remain unchanged until further amendment by User (name and mobile telephone number) and/or the Client (for clarification, only the Client may ask Pluria to change/amend User’s email address, as data whose accuracy can be controlled only by the Client – as holder of e-mail domain address) / termination of User Account in accordance with T&C Pluria App.
**Pluria User App may integrate/use services/apps/functionalities provided by Freshworks (e.g. Freshdesk, Freshservice, Freshsales, Freshchat, Freshconnect) to carry out smoother/real time communication/chat/interraction with its Users. This involves creation of Freshworks user account that User may later effectively use (if they so decide) to engage with Pluria via Freshworks functionalities (e.g. text chatbot).
Downloading Pluria User App from app store
(1) When you download our Pluria User App from the relevant mobile application store, the following data in particular will be automatically processed by the operator of the respective application store (Apple App Store or Google Play):
user name in the App Store
the e-mail address stored in the App Store,
customer number of your App Store account,
time of the download,
the code number of the Device.
(3) Given that Pluria User App is available for free download, no payment information of the User shall be processed.
Pluria User Account
Once data is filled in by User in User Account, such User data in „My Account” remain unchanged until further amendment by User (name and mobile telephone number) and/or the Client (for clarification, only the Client may ask Pluria to change/amend User’s email address, as data whose accuracy can be controlled only by the Client – as holder of e-mail domain address) / termination of User Account in accordance with T&C Pluria App.
Your reviews/recommendations you send via Pluria User App
(1) Your reviews and ratings of Spaces are important for the Partners; if we want to send them your rating/review that also identifies you, we will do it only after you give us your consent in this respect. Otherwise, the ratings/reviews that do not lead to your identification (e.g. aggregately) will be transmitted to them without your prior consent.
(2) It may be necessary for us to forward (extracts of) your requests to our partners (e.g. our Partners for the Spaces) in order to process your request. In these cases, however, the request will be anonymised beforehand, so that the third party cannot make any connection to you. If, in individual cases, the disclosure of your personal information should be required, we will inform you about this in advance and obtain your consent.
Location-based functionalities of Pluria User App
(1) These functionalities require User to activate function of GPS location of User Device and they further work based on GPS (also provided that the Device is connected to a mobile electronic communication network).
(2) Pluria User App has been designed and implemented so as to limit its access to location sensor of Device to the bare minimum and only when clearly relevant for the proper functioning of Pluria User App, i.e. delivering the location-based functionalities of Pluria User App requested by the User (e.g. checking-in into the Space). Most importantly, location function/sensor of Device is accessed by Pluria User App only after User has provided express permission (consent) for the processing of location data on the Device via the “Allow permission” dialogue/prompt for location access, asking permission for your Device to share that information with Pluria User App. Pluria has no intention/purpose of continuously requesting / using / processing the GPS-location information of the Device, or of monitoring the GPS-location information of the Device. Nevertheless, please turn off geo-localisation, from your Device, when it is not necessary for accessing/using Pluria Services as listed herein. In addition, you prevent the risk of secret monitoring (there may be websites designed to read the location details of the users of smart mobile devices).
(3) GPS-based location information from the Device is created and collected by Pluria independently of an electronic communications network or of an electronic communications service provider, i.e. it is not location data governed by article 9 of ePrivacy Directive/corresponding implementation legislation in EU country where User accesses Pluria Services via Pluria User App (information society services are explicitly excluded from the e-Privacy directive, from the strict definition of electronic communications service).
(4) Nevertheless, we are committed to fully compliance with GDPR when processing such data. The processing of GPS-based location information from the Device (one or more calculated locations), in combination with the unique numbers of any Device, constitutes personal data processing, as it may lead to indirect identifiability of the data subject. We have considered all these aspects and assessed implications thereof, from data privacy perspective. As provider of Pluria User App (i.e. a software application capable of processing geolocation data), Pluria is the controller for the processing of such personal data resulting from the installation and use of Pluria User App.
(5) In dully application of privacy by default and privacy by design principles, Pluria User App does not use a default „ON” setting for GPS-location information from the Device. On the contrary, Pluria User App starts processing GPS-location information from the Device only after User specifically consents to such processing.
(6) Pursuant to User’s consent, GPS-location information is collected by Pluria via Google & Apple Maps services.
(7) Pluria is not responsible for the processing of the GPS-based location information from the Device performed by controllers of geolocation infrastructure (e.g. Google & Apple Maps services) or other by other parties handling such data under their own responsibility (e.g. the developer of the operating system of the Device).
Marketing (commercial communication)
(1) Only if you have consented to receive marketing materials from Pluria, by opting-in for receiving such marketing by indicating your consent via Pluria User App, Pluria may send you such marketing materials via email, phone, SMS (depending on your choice).
(2) You can withdraw/revoke your consent at any time, from your My Account settings or by contacting Pluria at our contact details. When you revoke your consent, we will stop sending you marketing materials (certain details will need to be retained in order for us to know that you’ve revoked your consent and we are no longer allowed to send you marketing materials on the channels you have revoked consent for).
5. Technical Measures and Confidentiality
(1) Pluria implements all technical and organizational measures necessary so as the collection, processing and retention of your personal data to be accomplished securely, including against unauthorised access to/use of your personal data. Among our measures:
We have implemented reasonable Security measures to protect the loss, misuse, and alteration of the information that we obtain from you and we will take all reasonable steps to secure and safeguard this information. We have taken adequate technical and organizational measures to safeguard the security of your personal information:
We store the personal information that we process on a secure database that is protected by technical access controls.
We encrypt most of our data communication using SSL.
We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
We restrict access to personal information to employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
Please be advised that while we make continuous efforts to protect your personally identifiable data, we make no guarantees or assurances about our ability to prevent any such loss, access, or misuse and are not responsible in the event that such loss or misuse occurs.
Adequate administrative and organisational measures to ensure storage and maintaining by the persons entrusted by Pluria (only on a need to know-basis) with access to your personal data (such persons are trained and bound by confidentiality obligations);
Flows and operational procedures for ensuring data subjects’ exercise of rights;
Access to your personal data is limited strictly to the persons allowed to have access for ensuring the delivery of Pluria Services/Pluria User App functionalities in accordance with the personal data processing purposes mentioned in this Policy;
Period review of processes and procedures for your personal data collection, processing and retention;
Rigorous evaluation and selection of our service providers.
(2) In the cases where Pluria acts as data processor for your personal data, information on such processing shall be ensured by the entity acting as controller of your personal data.
6. Recipients of Data
(1) In addition to the provisions above, please note that when we are dealing with your requests from you, the recipient of your data is you (the data subject).
(2) We may share your data with third party contractors (providers) effectively involved in processing your data for performance of tasks/services related to Pluria User App/Pluria Platform, as indicated in the table under Section 4 above. We use specific and strict rules when selecting our partners/third party contractors, to ensure protection of personal data and compliance with data privacy rules, including GDPR rules, including by concluding data processing agreements in accordance with art. 28 of GDPR.
(3) If we undergo a reorganization or a purchase/sale procedure, we may share your data with third parties involved in such procedures (including auditors, consultants), during audits performed on our activities / business / company. We will ensure such third parties are obliged to keep data secure and implement necessary measures to ensure security of data and that their access is limited only to the data necessary to be processed.
(4) Currently, we seek to keep your personal data within locations in EU countries. If the transfer of Users data to providers/subcontractors/partners in non-EES countries is necessary, or in situations where the place for storing our data or the location of our providers/subcontractors/partners is outside EES boundaries, we will always ensure that a proper legal contract covering such transfer is in place, in accordance with the standards adopted by the European Commission to this end. Nevertheless, should such a third party not have laws equivalent to the UE data protection standards, we shall ask such third-party recipient to enter into a binding agreement reflecting these standards.
7. Retention of Your Personal Data
(1) Unless otherwise provided in the Policy, User personal data is kept only for the completion of the purpose of their collection/processing.
(2) Given the direct contractual relationship between Pluria and the Client (User’s employer) from which your Account stems, only the Client can pursue deletion of your Account, in accordance with the terms of the contract between Client and Pluria. Nevertheless, User can initiate deletion of their personal data in accordance with section 8 below. Pluria shall involve also the Client in the procedure for deletion, without affecting User’s rights. Your data in the Account is anonymised in case the Client’s account is deactivated as per the contract between Client and Pluria. User is hereby informed that the deletion of the Account (in any case) shall automatically trigger the final and irreversible deletion of all information and data related thereto and Pluria shall not be held liable for non-retention of such information and data. The Account cannot be restored after its deletion date.
(3) Accounts that are not used for a 12-month period are de-activated and the corresponding personal data is deleted / anonymized (so that the data subject can no longer be identified), unless we are obliged by law or our legitimate interests to do otherwise. We shall notify the User in advance of the deactivation of their Account.
(4) As regards the data used with the prior consent of the data subject, we will process this data for that purpose only until the User withdraws their consent, unless we are obliged to keep such data for a longer period, according to law, for investigations made by relevant authorities or in order to defend our rights.
(5) Pluria may retain certain data (check-in/ckeck-out, bookings, Puria User ID) in anonymised / aggregate form, for business purposes, with no purpose of identifying individuals (data subjects).
8. Data Subjects’ Rights
(1) In order to make sure that each User is in control of their personal data, we ensure that each data subject may operate their Account and amend / delete / edit personal data in accordance with the Policy.
(2) Also, in your capacity as data subject, according to GDPR, Users enjoy the rights detailed below (Users may be asked to prove their identity and quality as Account holder, in order for their requests be analysed). We try to answer requests without delay and no later than 30 days after the request being made (or in another reasonable term, as per GDPR).
(3) Your rights:
Right to access their personal data. The User is entitled to access their data we process about them; we will not charge for initial requests. If the User requests copies of the data already provided, we may charge a reasonable fee, to reflect the administrative costs associated with the provision of such data. We reserve the right to refuse excessive and/or repeated requests.
The request for access right must be sent by the User at:
•E-mail: [email protected]
Right to rectification. The User who identifies that the personal data we process about them is incorrect, incomplete or inaccurate, may:
•Send us a request for rectification at e-mail[email protected]
Right to object to direct marketing. The User may object at any time or un-scribe from our direct marketing materials. They may do this only by choosing accordingly in the app, in My Account menu.
Right to erasure (right to be forgotten).
The User is entitled to request the deletion of their personal data in any of the following situations: (a) personal data is no longer necessary for accomplishing the purposes for which it has been processed, (b) User withdraws consent where processing has been based on consent, and we do not have other legal ground for continuing the processing, (c) the User objects to processing based on our legitimate interest and we cannot show a reason why our legitimate interest prevails over their interests, rights and freedoms, (d) personal data is processed contrary to the law; (e) personal data must be deleted in order to comply with legal requirements.
Right to erasure is not an absolute right. We may deny the request if (i) we are obliged by law to keep the data; or (ii) the data is necessary for attesting, exercising or protecting our rights in a court of law. In certain cases, data deletion is in fact controlled by the Client, as direct contractual party of Pluria, ensuring the User benefits the Pluria Services/access to Pluria Platform/Pluria User App as presented in this Policy and in the T&C Pluria User App.
Right to ask for restriction of processing. The User has the right to obtain from us the restriction of processing in any of the situations below: (a) when the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) when the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) when we no longer need the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; (d) when the data subject has objected to processing based on our legitimate interest, pending the determination whether the legitimate grounds of the controller override those of the data subject (User).
Right to data portability. When User personal data is processed based on their consent or based on contractual obligations, the respective User is entitled to request the transfer of their personal data: (a) to the User or (ii) to another controller chosen by the respective User. The User may request the transfer only of the personal data the User themselves provided to us directly and actively (except for any data that we generated or created/determined).
Access, erasure, rectification or portability shall not affect data of other parties/data subjects.
Right to file complaint with the National Data Protection Authority. If you consider yourself harmed by the processing of your data as per the terms herein, you may write to the National Data Protection Authority. For example, in Romania this is A.N.S.P.D.C.P. available at no. 28-30 G-ral. Gheorghe Magheru Blvd., Sector 1, postal code 010336, Bucharest, http://www.dataprotection.ro.
Responsible person with data privacy. We will answer in accordance with the law to any request for information with regard to this Policy. You may contact us by e-mail, at: [email protected], where your request shall be undertaken by persons entrusted with responsibility with data privacy aspects.
Definitions under GDPR shall apply accordingly, e.g.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Consent – means the free, specific, informed agreement of the User, where they unequivocally agree to their data being processed by us for the specific purpose they are consenting to.
Art. 6 paragraph 1 letter b) of GDPR – processing is necessary in order to take steps at the request of the data subject prior to entering into a contract.
Art. 6 paragraph 1 letter c) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject
Article 6 paragraph 1 letter f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, that are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.