Privacy Notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 on the processing of personal data in B2B
Relationships Data Controller and Data Protection Officer
This Privacy Notice concerning the processing of personal data is provided, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter, the “Regulation” or “GDPR”), by Italia Trasporto Aereo S.p.A., with registered office at via XX Settembre, no. 97, Rome (RM), ZIP code 00187, Tax Code and VAT no. 15907661001; registered with the Economic and Administrative Index (REA - “Repertorio Economico Amministrativo”) under no. RM-1622937, in its capacity as Data Controller (hereinafter also referred to as “ITA Airways”, the “Company” or the “Controller”).
The Data Protection Officer (DPO) of ITA Airways can be contacted at the Controller’s registered office at the address indicated above or via email at: dpo@ita-airways.com.
Categories of personal data subject to processing
The Controller will process your personal data, collected in the context of the contract entered into and/or for the purposes of its conclusion, including, by way of example but not limited to, your first name, last name, mobile phone number, email address and, more generally, your contact details, in your capacity as legal representative of the company or as the designated Point of Contact in the course of business relations conducted in the name and on behalf of the same, for the purpose of entering into the contract with ITA Airways.
Purposes, legal basis and optional nature of the processing
Your personal data will be processed for the following purposes:
a) performance of the contract and/or pre-contractual measures (“Performance of the contract”);
b) compliance with legal obligations set out by laws, regulations or EU legislation, as well as to comply with requests made by public authorities (“Compliance purposes”);
c) for defensive purposes, where necessary for the Controller to establish, exercise or defend a legal claim (“Defensive purposes”).
The legal bases for the processing for purposes a) and b) are, respectively, Article 6(1)(b) and Article 6(1)(c) of the Regulation. The legal basis for processing for purpose c) is Article 6(1)(f) of the Regulation, namely the legitimate interest pursued by the Controller, identified on the basis of a balancing of interests carried out by the latter.
The provision of your personal data for the purposes set out under points a), b), and c) above is optional; however, failure to provide such data will make it impossible to establish business relations with the supplier and/or to perform the contract.
Recipients and transfer of personal data
Your personal data may be shared with:
• Natural persons authorized by the Controller to process personal data pursuant to Article 29 of the GDPR and Article 2-quaterdecies of Legislative Decree No. 196/2003 (“Italian Privacy Code” “Codice Privacy”), in connection with the performance of their job duties (e.g. employees, system administrators, etc.);
• Service providers (such as consultants, credit institutions, etc.) who typically act as data processors pursuant to Article 28 of the GDPR;
• Persons, entities or authorities to whom your personal data must be disclosed pursuant to legal provisions or orders issued by public authorities.
The full and updated list of data recipients may be requested from the Controller using the contact details indicated above.
Your personal data may be transferred outside the European Economic Area (“EEA”). The Controller informs you that such processing will be carried out in accordance with one of the modalities permitted by Articles 44 et seq. of the GDPR.
Retention of personal data
Your personal data will be retained only for as long as is necessary for the purposes for which they are collected, in compliance with the principles of data minimization and purpose limitation referred to in Article 5(1)(c) and (e) of the GDPR. The Controller may retain certain data even after the termination of the contractual relationship, for the time necessary to fulfil contractual and legal obligations. Further information is available from the Controller and/or the Data Protection Officer (DPO) at the contact details provided above.
Methods of data processing
For the purposes indicated, personal data are processed by manual, computerized and electronic means, using procedures strictly related to the stated purposes and, in any case, in a manner that ensures the security and confidentiality of the data, as well as compliance with the specific legal obligations.
Your privacy rights
You have the right to access your personal data at any time pursuant to Articles 15 to 22 of the GDPR. In particular, you may request the rectification or erasure of your data, the restriction of processing in the cases provided for under Article 18 of the GDPR, the withdrawal of consent, and the right to data portability in the cases set out in Article 20 of the GDPR.
You may object to the processing of your personal data pursuant to Article 21 of the GDPR by submitting a request in which you explain the reasons justifying the objection. The Controller reserves the right to assess your request, which will not be accepted if there are compelling legitimate grounds for the processing which override your interests, rights and freedoms.
Requests must be submitted in writing to the Controller or to the Data Protection Officer (DPO) using the contact details provided above.
If you believe that the processing of your personal data by the Controller infringes the provisions of the GDPR, you have the right to lodge a complaint with the Supervisory Authority (“Garante per la Protezione dei Dati Personali”), as provided for under Article 77 of the GDPR, or to seek a judicial remedy pursuant to Article 79 of the GDPR.
