INFORMATION ON THE PROCESSING OF PERSONAL DATA IN THE SCOPE OF THE "VOLARE" PROGRAM pursuant to Article 13 of Regulation (EU) 2016/679 ("Privacy Policy")
1. DATA JOINT CONTROLLERS
The Joint Controllers for the processing of your personal data carried out as co-promoters of the loyalty program called "Volare" (the "Program") are:
- Italia Trasporti Aereo S.p.A., in the person of its legal representative, domiciled at its registered office in via XX Settembre, No. 97, in Rome (RM), 00187, C.F. and P.I. 15907661001 (hereinafter “ITA”); and
- Volare S.p.A., in the person of its legal representative, domiciled at the registered office in Piazza San Babila, n.4/A, in Milan (MI), Tax Code and P.I. 12281660964 R.E.A. in Milan n.2651110 (hereinafter, "Volare" and, jointly with ITA, the "Joint Controllers").
2. WHAT PERSONAL DATA WE PROCESS
The Joint Controllers collect the following categories of personal data concerning you (with the term "Personal Data" meaning all the categories listed below, considered jointly):
- Personal and contact data – information relating to the name, surname, date of birth, gender, postal address, telephone number, mobile number, email address. Where necessary, such data may also refer to the holder of parental responsibility.
- Transaction data – information regarding your transactions (transaction history) relating to the flight, the services purchased, the activities carried out and transactions concluded with the Program Partners.
- Interests and data voluntarily provided by you – information you provide us about your travel preferences or other interests, the name of your company, your professional situation, how you prefer to be contacted, your participation in other airline loyalty programs or other Personal Data.
- Navigation data – information relating to the ways in which you use the Site, open or forward our communications, including the information collected through cookies (you can find our information on cookies, called the "Cookie Policy", at the following link).
3. HOW WE COLLECT YOUR PERSONAL DATA
The Joint Controllers collect and process your Personal Data in the following circumstances:
- in relation to your enrollment in the Program, using the online form, by accessing the VOLARE section of the website www.itaspa.com; or
- in relation to your registration to the mobile app of the Program, named ITA Airways, which also automatically entails your enrollment in the Program.
If you provide Personal Data on behalf of someone else – who has consented to it – you must ensure, in advance, that the interested parties have read this Privacy Notice.
Please help us keep your Personal Data updated, informing us of any changes at the contacts referred to in paragraph 12 of this Privacy Notice.
4. FOR WHAT PURPOSES YOUR PERSONAL DATA MAY BE USED
Your Personal Data are processed by the Joint Controllers for one or more of the following purposes, on the basis of a legal premise indicated from time to time.
a) Operational management of your membership in the Program and purposes strictly connected to it.
The Joint Controllers collect and process your personal and contact data, data relating to transactions and your interests and the data you provide voluntarily in order to: (i) follow up and manage your application for registration to the Program, including the verification activity with respect to the data relating to the holder of parental responsibility, where applicable; (ii) send you service communications functional to your status as a Member of the Program and relating to possible deadlines and/or benefits inherent to the Program itself; (iii) fulfill any contractual obligations and process your requests relating to the Program (including, for example, in relation to the request for rewards or information). Furthermore, the Joint Controllers reserve the right to verify and correct any typing errors in the data provided, to the extent that this is necessary to allow you to participate in the Program.
Legal basis for the processing of data: execution of a contract of which you are a party or execution of pre-contractual measures adopted at your request, pursuant to art. 6, par. 1, letter b) of the GDPR.
b) Marketing to respond to your needs and to provide you with promotional offers also in line with your preferences.
With your express and specific consent, the Joint Controllers will process your personal and contact data, as well as data relating to transactions, for the purposes of marketing and advertising communication, aimed at informing you about promotional sales initiatives or for market research and statistical surveys by the Joint Controllers. The Joint Controllers will also process the aforementioned data to direct you to the promotional sales initiatives of the Program Partners, who act as independent data controllers. In relation to this, the Joint Controllers reserve the right to make available, on a dedicated page of their website, the updated list of Program Partners, currently being defined.
The sending of marketing communications may take place both through automated contact methods (email, SMS, instant messaging, social networks, push notifications and other mass messaging tools) and through traditional methods of contact (for example, telephone call with operator). In this regard, you may at any time object to the receipt of promotional communications made through one or more of the contact methods mentioned above.
Legal basis for the processing of data: your express and specific consent, pursuant to art. 6, par. 1, letter a), of the GDPR; failure to provide such consent does not preclude or entail consequences for your membership in the Program.
You may at any time revoke your consent, with effect for subsequent processing, for the receipt of messages by email or other means:
• by clicking on the appropriate option at the bottom of each email received;
• by making a request to the contacts referred to in paragraph 12 of this Privacy Notice.
c) Profiling and enrichment of data (data enrichment).
With your express and specific consent, the Joint Controllers will process your personal and contact data, the data relating to transactions and your interests, as well as the data you voluntarily provide and the navigation data for profiling purposes, through a statistical processing of the aforementioned Personal Data on the basis of the analysis of your interests, habits and purchasing choices or relating to use of the Site, in order to create your individual profile, also through information acquired from public sources or from Program Partners, in order to develop, promote and provide services and/or products of the Joint Controllers in line with your needs and preferences to develop targeted digital campaigns.
Legal basis for the processing of data: your express and specific consent, pursuant to art. 6, par. 1, letter a) of the GDPR; failure to provide it does not preclude or imply consequences on your enrollment in the Program.
You may at any time revoke your consent with effect for subsequent processing, by making a request to the contacts referred to in paragraph 12 of this Privacy Notice.
d) Purposes related to the obligations established by laws, regulations or European legislation, by provisions/requests of Authorities legitimated by the law and/or by supervisory and control bodies
The Joint Controllers may process your Personal Data to fulfill legal obligations which the Joint Controllers themselves are required to comply with.
Legal basis for the processing of data: fulfillment of legal obligations to which the Joint Data Controllers are subject, pursuant to art. 6, par. 1, letter c) of the GDPR.
e) Defense of rights in the course of judicial, administrative or extrajudicial proceedings, and in the context of disputes arising in relation to the Program and related services.
The Joint Controllers may process your Personal Data to defend their rights or act or even make claims against you or third parties.
Legal basis for the processing of data: pursuit of a legitimate interest of the Joint Data Controllers in the protection of their rights, pursuant to art. 6, par. 1, letter f) of the GDPR.
5. COMPULSORY OR OPTIONAL NATURE OF DATA PROVISION AND CONSEQUENCES OF ANY REFUSAL TO PROVIDE DATA
The provision of the Personal Data requested in the registration form to the Program, marked with an asterisk (*), is mandatory since such Personal Data is necessary for your registration to the Program; failure to provide such Personal Data will make it impossible to complete the registration itself. The provision of further Personal Data, not marked with an asterisk (*), is optional and failure to provide it will not have consequences for your registration to the Program.
The provision of Personal Data for the purposes referred to in the previous paragraph 4, letter a) of this Privacy Notice is mandatory as it is necessary for the execution of the contract; failing that, it will not be possible to allow you to enroll in the Program.
The granting of consent for the purposes referred to in paragraph 4, letters b) and c) of this Privacy Notice is optional and failure to provide it does not preclude or imply consequences regarding your membership in the Program, but would not allow us to promptly inform you of all the benefits reserved for Program members through commercial communications.
For the purposes referred to in paragraph 4, letters d) and e) of this Privacy Notice you are not required to provide a new and specific contribution, since the Joint Controllers will pursue these additional purposes, where necessary, processing the Personal Data collected for the aforementioned purposes, deemed compatible with this (also due to the context in which the Personal Data were collected, the relationship between you and the Joint Controllers, the nature of the Personal Data themselves and the adequate guarantees for their processing).
6. HOW WE KEEP YOUR PERSONAL DATA SECURE
The Joint Controllers adopt suitable security measures for the protection and maintenance of the security, integrity and accessibility of your Personal Data.
All your Personal Data are stored on secure servers (or secure paper copies) of the Joint Controllers or their respective suppliers located in the territory of the European Union, and are accessible and usable according to our standards and security policies (or equivalent standards for our suppliers).
Where the Joint Controllers have provided you with (or you have chosen) a password that allows you to access your personal area of our Website, the applications or services we provide, you will be responsible for the secrecy of this password and for compliance with any other security procedure that we should indicate to you.
7. HOW LONG WE KEEP YOUR PERSONAL DATA
The Joint Controllers keep your Personal Data only for the time necessary to achieve the purposes for which they were collected or for any other legitimate related purpose. Therefore, if the Personal Data are processed for two different purposes, we will keep such Personal Data until the purpose with the longer term ceases, but we will no longer process the Personal Data for the purpose whose retention period has expired.
We limit access to your Personal Data only to those who need to process them for purposes relevant to the Program.
Your Personal Data that are no longer necessary, or for whose retention there is no longer a legal prerequisite, are irreversibly anonymised (and thus can be stored) or destroyed in a secure manner.
Below are the storage times in relation to the different purposes listed above:
- Personal and contact data, transaction data, data relating to your interests and data provided by you voluntarily that are processed for registration and operational management of the Program: the Joint Controllers will keep this personal data for the entire duration of your membership in the Program and in any case no later than ten years from the cancellation of the Program in fulfillment of the civil, accounting and tax obligations as required by the applicable legislation.
- Data relating to your interests, data provided by you voluntarily and data relating to transactions that are processed for profiling purposes: if you have given your consent to the processing of these personal data for profiling purposes, these data will be kept for 12 months from collection; however, it will be the responsibility of the Joint Controllers to periodically refresh your consent for this purpose in order to respect your choices.
- Personal and contact data and data relating to transactions that are processed for the purpose of marketing: in the event of processing of your Personal Data for purposes of marketing, that provides for the use of personal and contact data only, these will be kept for 24 months from collection within the marketing database; however, it will be the responsibility of the Joint Controllers to periodically refresh your consent for this purpose in order to respect your choices.
- Navigation data: such Personal Data will be kept for as long as your "Volare" profile is active. The storage times of the various cookies potentially used can be consulted in the specific Cookies information page found at the following link.
With particular reference to the protection of rights of the Joint Controllers in court or in the event of requests from an authority, the Personal Data processed will be kept by the Joint Controllers for the time necessary to process the request or to pursue the protection of their rights.
8. WITH WHOM WE CAN SHARE YOUR PERSONAL DATA
Your Personal Data may be accessed by employees of the Joint Controllers duly authorized, as well as external suppliers of the Joint Controllers who provide support for the provision of services related to the Program, appointed, if necessary, as data processors, or who act as independent data controllers.
The following persons or entities may also become aware of your Personal Data, for the purposes specified above:
- subjects who can access Personal Data by virtue of provisions of the law of the European Union or of the Member State to which the Joint Controllers are subject;
- banks and payment companies;
- third parties such as law firms and public authorities with whom we are in contact in order to comply with or apply the Program Regulations or to safeguard any other legitimate interest of ours;
- third parties such as police and public authorities to protect our rights, or following a request validly made by them;
- companies that offer IT infrastructures and IT assistance and consultancy services as well as the design and implementation of software and internet sites;
- companies that offer useful services to customize and optimize our services, including those that provide and manage customer service;
- companies that offer useful services for analyzing and developing data and processing and conducting market research.
Any communication of Personal Data will take place in full compliance with the provisions of the GDPR and the applicable legislation on the protection of personal data. Please contact us at the contacts referred to in paragraph 12 of this Privacy Notice if you wish to ask to view the list of data processors and other subjects to whom we communicate your Personal Data.
Your Personal Data will not be disclosed to third parties.
9. TRANSFER OF PERSONAL DATA TO THIRD-PARTY COUNTRIES
To carry out some of the processing activities of your personal data, the Joint Controllers will communicate the same to external parties located in countries that do not belong to the European Union (EU) or the European Economic Area (EEA) (hereinafter, the "Third Party Countries") and which could guarantee a lower level of protection of your Personal Data than that guaranteed within the European Union.
The transfer, by the Joint Controllers, of your Personal Data to subjects located in Third Party Countries will in any case take place in compliance with the provisions of the applicable legislation on the protection of personal data and on the basis of one of the adequate guarantees provided for by art. 46 and following of the GDPR.
Depending on the role they play in relation to the processing, these subjects will process your Personal Data as independent data controllers, or as data processors duly designated by the Joint Controllers in accordance with art. 28 of the GDPR.
You can write to the Joint Controllers at any time, using the contact details referred to in paragraph 12 of this Privacy Notice, asking who are the subjects to whom the Personal Data is disclosed, as well as to receive a copy of the guarantees adopted for the transfer.
10. ANY AUTOMATED DECISION-MAKING PROCESSES
The Joint Controllers do not use automated decision-making processes, including profiling, in the absence of your consent.
11. YOUR RIGHTS IN THE FIELD OF DATA PROTECTION AND YOUR RIGHT TO MAKE COMPLAINTS BEFORE THE SUPERVISORY AUTHORITY
Under the conditions provided for by the GDPR, you have the right to ask any Joint Controller at any time:
- access to your Personal Data, as required by art. 15 of the GDPR,
- the correction and integration of your Personal Data owned by the Joint Controllers deemed inaccurate by you, as required by art. 16 of the GDPR,
- the cancellation of your Personal Data for which there is no longer any legal prerequisite for their processing, as required by art. 17 of the GDPR,
- the limitation of the way in which we process your Personal Data if one of the cases provided for in art. 18 of the GDPR applies,
- the copy of your Personal Data that you have provided us, in a structured format, commonly used and readable by an automatic device for processing based on the contractual relationship (so-called portability), as required by art. 20 of the GDPR,
- not to be subjected to decisions based solely on automated processing including profiling, which produce legal effects that affect you, if you have not given your prior consent, as required by art. 22 of the GDPR,
- the withdrawal of your consent at any time, in the event that the processing is based on consent. It should be noted that any withdrawal of consent will take effect only with reference to subsequent processing, without prejudice to the lawfulness of the processing carried out prior to such withdrawal.
Right to object: in addition to the rights listed above, you always have the right to object at any time, for reasons related to your particular situation, to the processing of your Personal Data carried out for the pursuit of the legitimate interest of the Joint Controllers and for the processing carried out for the purpose of marketing, including profiling to the extent that it is connected to such marketing.
For the exercise of the aforementioned rights towards the Joint Controllers, you can direct your communication to the contacts referred to in paragraph 12 of this Privacy Policy, specifying: (i) your name and surname, (ii) your email address indicated when registering for the Program, and (iii) the details of the request.
The exercise of these rights is subject to some exceptions aimed at safeguarding the public interest (for example the prevention or identification of crimes) and our interests (for example the maintenance of professional secrecy). In the event that you exercise any of the aforementioned rights, it will be our responsibility to verify that you are entitled to exercise it and we will reply, as a rule, within one month.
If you believe that the processing of your Personal Data is in violation of the provisions of the GDPR and of the legislation on the protection of personal data, you have the right to lodge a complaint with the Guarantor for the protection of personal data, using the references available on the website www.garanteprivacy.it, or to take action before the appropriate judicial authorities.
12. CONTACTS OF THE JOINT CONTROLLERS AND THE DATA PROTECTION OFFICER ("RPD" or "DPO")
You can contact the Joint Controllers at any time at the following email address, identified as the single point of contact for the exercise of your rights: dpo@ita-airways.com, or e-mail: ITA, italiatrasportoaereo@legalmail.it; Volare, volareloyalty@legalmail.it. In this regard, we would like to point out that you may in any case exercise your rights towards and against each Joint Controller, including using the contact details referred to in Article 1 of this information.
Furthermore, for the same purposes, you can contact the Personal Data Protection Officer appointed by ITA and Volare by sending an email to the email address: dpo@ita-airways.com.
13. JOINT CONTROLLER AGREEMENT
The essential content of the joint controller agreement signed between ITA and Volare – which is responsible for determining in a transparent manner their respective responsibilities regarding compliance with the obligations deriving from the GDPR, with particular regard to the exercise of your rights and respective functions of communication of this information – is at your disposal at the email dpo@ita-airways.com.