POLICY FOR THE PROCESSING OF PERSONAL DATA UNDER ART. 13 GDPR 2016/679
Aeroviaggi S.p.A., with registered offices in Viale Andrea Doria, 7 – 20124 Milan (Italy), with VAT number: IT00260390828, as the data controller (hereinafter “Controller”), hereby informs you, pursuant to Article 13 EU Regulation 679/2016 (“GDPR”), that your data will be processed in the manner and for the purposes described below:
1. Subject of the processing
The Controller processes the personal identifying data (hereinafter “Data”) that you provide when purchasing or subscribing to services or, in general, your existing contractual relationship with the Controller. In some cases, the processing may also involve personal data falling within the “sensitive” list (e.g., possible membership to political parties or trade unions, religious beliefs, health status).
2. Cookies and website tracking
3. Purposes and legal basis for the processing
Your persona data are processed, without your prior consent (Art. 6, lett. b), c) GDPR), for the sole purposes of managing and fulfilling pre-contractual and contractual relationships; the requirements related to administrative and accounting management; the obligations prescribed by laws, regulations or EU legislation or imposed by the Authorities; for the protection of the Controller’s rights in court and management of any litigation; for the prevention and suppression of illegal acts.
3.1. Other purpose of the processing
The data collected, your prior free and explicit consent (Art. 6, lett. a) GDPR), may also be used for the additional purposes set forth below under the terms and conditions specified therein: (a) Marketing: to send you promotional material and commercial communications, through both automated (e.g., email, SMS) and traditional (paper mail) forms of contact; (b) to send you newsletters to the contacts that you indicated; (c) Disclosure of data to third parties (e.g. business partner companies) that produce or market goods or services pertaining to the requested services, parties engaged in the promotion of goods or services, or parties engaged in the processing of such data anonymously for statistical purposes, in accordance with applicable laws and regulations.
4. Method of processing and preservation
The processing will be carried out by means of the operations indicated in Article 4 GDPR and may take place either by means of computer systems (cloud, internet, intranet, computers and mobile devices) and automated processes, or in paper-based mode (archives). Your data will be kept in the Controller’s databases for only as long as is strictly necessary to achieve the purposes for which it was collected and processed, in accordance with the law and as specified above, except in cases where applicable regulations require your data to be kept for longer periods. Rel. 1 of 15/02/2019 Should you decide to close your account, the Controller will retain the personal data provided for administrative purposes only from the termination of the contractual relationship (10 years), except for any other needs for which their prolonged retention is granted and/or required by specific legal requirements.
5. Nature of data provision and consequences of refusal
The provision of personal identification data is optional but mandatory for the execution of the contractual relationship and obligations arising from the fulfilment of laws, regulations or EU legislation. Any refusal will result in the impossibility of the total or partial fulfilment of the requested services or benefits. It is understood that if you do not wish to give your consent to the processing of your data for the purposes mentioned above, this will not prevent you from accessing the site and using the available features linked to your personal account.
6. Data access
Your data will be processed for the above-mentioned purposes by employees and/or collaborators of the Controller in their capacity as data processors and/or internal data processors and/or system administrators; by third parties (e.g., suppliers, professionals, banks, affiliates) where they perform outsourced activities on behalf of the Controller, in their role as external data processors.
7. Data communication
Without your express consent (under art. 6 lett. b), c) GDPR), the Controller may communicate your data to public bodies in order to comply with the obligations prescribed by laws, regulations or EU legislation or laid down by the Authorities, which will process them in their role as autonomous data controllers. They may also be communicated to third parties (e.g., suppliers, partners, and group companies), who will process the data to carry out activities related to the services requested and the above-mentioned purposes. The selected service providers operate through data centres located within the European Union. If your data is transferred to non-EU countries, even for the purpose of technical management of the data collected, this will only occur in full compliance with the European GDPR regulation, to companies adhering to the Privacy Shield (USA) or to third countries for which there are adequate guarantees of protection of the transfer or specific contractual clauses on the protection of personal data have been signed.
8. Rights of the data subject
You may at any time exercise your rights towards the Controller, pursuant to Articles 15-22 of EU Regulation 2016/679, and in particular the rights of access, rectification, integration and, where permitted, the portability of the data provided,as well as having the right to erase, restrict or object to the processing of the data for legitimate reasons and to object to automated decision-making, including profiling. As well as the right to complain to the Data Protection Authority, by contacting the Controller or the DPO, if appointed, by the following methods: by sending a registered letter to the above-mentioned address of the Controller; by sending an email to [email protected] or to [email protected] to contact the appointed DPO. In order to ensure the protection of the data subject’s personal information, we may need to request further specific information confirming the identity of the data subject in question and thus guarantee the right to access the information (or to exercise any of the other rights) only to persons entitled to receive such communications. This is another appropriate security measure for the protection of personal data. Requesting access to your personal information (or to exercise any of the above rights) is free of charge. If, however, the request is clearly unfounded or excessive, we may charge a reasonable fee taking into account the administrative costs incurred in providing the information or refuse to comply with the request in such circumstances.
9. Data controller and data protection officer (DPO)
The data controller is: AEROVIAGGI S.p.A. – Viale Andrea Doria, 7 – 20124 Milan – www.aeroviaggi.it. The data protection officer (DPO) appointed is Neo Studio 2000 S.r.l. (Reference Michele Sabatino) who can be contacted at the address: [email protected]