PRIVACY POLICY ON PROCESSING PERSONAL DATA WITHIN THE "VOLARE" PROGRAM pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") ("Privacy Policy")
This Privacy Policy is provided, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR"), by Italia Trasporto Aereo S.p.A. ("ITA Airways" or the "Company") and Volare Loyalty S.p.A. ("Volare" or the "Company") as joint controllers, and specifically addresses the processing of your personal data within the "Volare" loyalty program managed by both Companies, for which you can register through the dedicated landing page on the ITA Airways website ("Website") and/or through the ITA Airways mobile app.
Please also note that the processing of personal data is based on the principles of fairness, lawfulness, transparency, limitation of purposes and storage, minimization and accuracy, integrity and confidentiality, as well as on the principle of accountability referred to in Article 5 of the GDPR.
'Data processing' means any operation or set of operations carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise, alignment or combination, restriction, erasure or destruction.
1. Joint controllers
The joint controllers for the processing of your personal data carried out as co-promoters of the "Volare" loyalty program (the "Program") are:
- Italia Trasporto Aereo S.p.A., in the person of its legal representative, domiciled at its registered office in Via XX Settembre 97, Rome (RM), 00187, Tax Code and VAT No. 15907661001 (hereinafter "ITA Airways"); and
- Volare Loyalty S.p.A., in the person of its legal representative, domiciled at the registered office of Viale Giulio Richard 3/A, Milan (MI), Tax Code and VAT no. 12281660964, Milan Economic and Administrative Index (R.E.A.) no. 2651110 (hereinafter, "Volare").
In this Privacy Policy, ITA Airways and Volare are also referred to individually as "Joint Controller" and jointly as "Joint Controllers", having jointly determined the purposes and means of processing attributable to the Program by means of an arrangement between them, pursuant to Article 26 of the GDPR.
Moreover, the Joint Controllers have also appointed a Data Protection Officer (hereinafter the "Data Protection Officer" or "DPO") who can be contacted at the following addresses:
- By e-mail, at dpo@ita-airways.com
- By ordinary mail, at the address of Italia Trasporto Aereo S.p.A., with registered office in Rome (RM), Via XX Settembre no. 97, 00187, to the attention of the Data Protection Officer.
2. What personal data we process
The Joint Controllers collect the following categories of personal data concerning you (with the term "Personal Data" meaning all the categories listed below, considered jointly):
• Personal and contact details – information relating to your name, surname, date of birth, gender, postal address, telephone number, e-mail address, username of your personal account to access the section of the ITA Airways website dedicated to the Program. Where necessary, such data may also refer to your parent/legal guardian.
• Transaction data – information regarding your transactions (transaction history) relating to flights taken, services purchased, activities carried out and transactions concluded with the Program Partners.
Interests and data voluntarily provided by you – information you provide us about your travel preferences or other interests, the name of your company, your professional situation, how you prefer to be contacted, your participation in other airline loyalty programs or other Personal Data.
• Navigation data – information relating to the ways in which you use the Website or open and forward our communications, including information collected through cookies (you can find our Cookie Policy at the following link).
With reference to the source of the aforementioned Personal Data, it should be noted that, as a rule, Personal Data is collected directly from you. However, in some cases, the Joint Controllers may obtain such data from independent data controllers. For example, as part of the Program, ITA Airways may share with Volare information collected in its capacity as an independent data controller, such as the data of Minor Members provided by you as an Adult Member, or data relating to your transactions with ITA Airways or flights taken by you. Similarly, your Personal Data may be acquired by the Joint Controllers through third parties, such as the Program Partners
3. How we collect your personal data
The Joint Controllers collect and process your Personal Data in the following circumstances:
• upon your enrollment in the Program, using the online form, by accessing the VOLARE section of the website www.ita-airways.com (the "Website"); or
• upon your registration in the mobile app of the Program, named ITA Airways, which also automatically entails your enrollment in the Program.
If, as a member of the Program, you provide the Personal Data of third parties with their consent, you must ensure, in advance, that said third parties have read this Privacy Policy. This may happen, for example, if through your restricted area of the section of our Website relating to the Program you communicate information to the Joint Controllers that may contain Personal Data of other persons such as, for example, Minor Members and/or other Family members.
Please help us keep your Personal Data updated, informing us of any changes to the contact details referred to in paragraph 12 of this Privacy Policy.
4. Purposes and legal bases for processing your personal data
Your Personal Data is processed by the Joint Controllers for one or more of the following purposes, according to the legal basis indicated case by case.
a) Operational management of your membership in the Program and purposes strictly connected to same.
The Joint Controllers collect and process your personal and contact details, data relating to your transactions and your interests, and the data you provide voluntarily in order to: (i) follow up and manage your application for registration in the Program (such as checking the data of the parent/legal guardian, where applicable); (ii) send you service communications functional to your status as a Member of the Program and relating to possible deadlines and/or benefits inherent in the Program; (iii) fulfill any contractual obligations and process your requests relating to the Program (such as requests for rewards or information). Moreover, the Joint Controllers reserve the right to verify and correct any typing errors in the data provided, to the extent that this is necessary to allow you to participate in the Program.
Legal basis for processing: processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, pursuant to Article 6(1)(b) of the GDPR.
b) Direct marketing.
For the Joint Controllers to send promotional and marketing communications, including newsletters, promotional offers, loyalty programs, discounts, commercial initiatives, advertising material, direct sales and market research, concerning the products and services of the Joint Controllers, as well as co-marketing commercial initiatives and promotions carried out with third-party commercial partners – belonging to sectors such as telecommunications, distribution, energy, food, financial, automotive, textile and fashion, transport – through automated tools (e-mail, sms, mms, fax, WhatsApp, push notifications, automated phone calls, use of social networks) and non-automated tools (ordinary mail and live phone call).
Legal basis for processing: your express and specific consent, pursuant to Article 6(1)(a) of the GDPR; failure to provide such consent does not preclude or entail consequences for your membership in the Program.
It should be noted that for the purpose of direct marketing, the Joint Controllers collect a single consent for the use of both automated and non-automated tools, pursuant to the General Provision of the Italian Data Protection Authority "Guidelines on promotional activities and the fight against spam" of July 4, 2013, for which you will be able to exercise the right to object pursuant to Article 21 of the Regulation or to withdraw your consent pursuant to Article 7 of the Regulation, also in part, for example by only objecting to withdrawing your consent for the sending of communications through automated tools.
If you wish to object to the processing of your data for marketing purposes, including the sending of newsletters, you may do so at any time by contacting the Joint Controllers and/or the DPO at the addresses indicated in paragraph 12 of this Privacy Policy or using the link at the bottom of each marketing email.
c) Profiling and data enrichment.
Subject to your express and specific consent, the Joint Controllers will process your personal and contact details, data relating to transactions and your interests, as well as the data you voluntarily provide and navigation data collected online via trackers (e.g. cookies, pixel tags, etc.) on the Program’s Website or on third-party websites, for service personalization via profiling. This is achieved through the statistical processing of the aforementioned Personal Data based on an analysis of your interests, habits and purchasing choices or related to the use of the Website, in order to create your individual profile – also through information acquired from public sources or from Program Partners – with a view to developing, promoting and providing the services and/or products of the Joint Controllers in line with your needs and preferences, and to developing targeted digital campaigns.
Legal basis for processing: your express and specific consent, pursuant to Article 6(1)(a) of the GDPR; failure to provide it does not preclude or imply consequences on your enrollment in the Program.
You may revoke your consent at any time, with effect from any subsequent processing, by making a request via the contact details referred to in paragraph 12 of this Privacy Policy.
d) Purposes related to the obligations established by laws, regulations or European legislation, by provisions/requests of Authorities legitimated by the law and/or by supervisory and control bodies.
The Joint Controllers may process your Personal Data to comply with legal obligations with which the Joint Controllers are required to comply.
Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Joint Controllers are subject, pursuant to Article 6(1)(c) of the GDPR.
e) Defense of rights in the course of judicial, administrative or extrajudicial proceedings, and in the context of disputes arising in relation to the Program and related services.
The Joint Controllers may process your Personal Data to defend their rights or to act or make claims against you or third parties.
Legal basis for processing: processing is necessary for the purposes of the legitimate interests pursued by the Joint Controllers in defending their rights, pursuant to Article 6(1)(f) of the GDPR.
5. Compulsory or optional nature of data provision and consequences of any refusal to provide data
Provision of the Personal Data requested in the Program registration form and marked with an asterisk (*) is mandatory since such Personal Data is necessary to complete your registration; failure to provide such Personal Data will make it impossible to complete said registration. The provision of further Personal Data, not marked with an asterisk (*), is optional, and failure to provide it will not have consequences for your registration in the Program.
The provision of Personal Data for the purposes referred to in paragraph 4(a) of this Privacy Policy is mandatory as it is necessary to allow you to enroll in the Program.
The granting of consent for the purposes referred to in paragraphs 4(b) and 4(c) of this Privacy Policy is optional and failure to provide it does not preclude or imply consequences regarding your membership in the Program.
For the purposes referred to in paragraphs 4(d) and 4(e) of this Privacy Policy, you are not required to provide new or specific data, since the Joint Controllers will pursue these additional purposes, where necessary, by processing the Personal Data collected for the purposes mentioned above, as deemed compatible with this Privacy Policy (also by virtue of the context in which the Personal Data was collected, the relationship between you and the Joint Controllers, the nature of said Personal Data, and adequate guarantees for their processing).
6. How we keep your personal data secure
The Joint Controllers adopt appropriate security measures for the protection and maintenance of the security, integrity and accessibility of your Personal Data.
All your Personal Data is stored on secure servers (or secure hard copies) of the Joint Controllers or their suppliers located in the territory of the European Union, and is accessible and usable according to our standards and security policies (or equivalent standards for our suppliers).
Where the Joint Controllers have provided (or you have chosen) a password that allows you to access your personal area of our Website or the applications or services we provide, you will be responsible for the secrecy of this password and for compliance with any other security procedure that we should indicate to you.
7. How long we retain your personal data
The Joint Controllers keep your Personal Data only for the time needed to achieve the purposes for which it was collected or for any other legitimate and related purpose. Therefore, if the Personal Data is processed for two different purposes, we will keep such Personal Data until the purpose with the longer term ceases, but we will no longer process the Personal Data for the purpose in relation to which the retention period has expired.
We restrict access to your Personal Data exclusively to those who need to process it for purposes relevant to the Program.
Any Personal Data belonging to you that is no longer necessary, or for which there is no longer a legal prerequisite for its conservation, is either irreversibly anonymized (and thus can be stored) or destroyed in a secure manner.
Below are the retention periods for the different purposes listed above:
- Personal and contact details, transaction data, data relating to your interests and data provided by you voluntarily, processed for registration in and operational management of the Program: the Joint Controllers will keep such Personal Data for the entire duration of your enrollment in the Program and in any case for no more than 10 years following cancellation of the Program in fulfillment of statutory, accounting and tax obligations, as required by applicable law.
- Data relating to your interests, data provided by you voluntarily and data relating to transactions, processed for profiling purposes: if you have given your consent to the processing of such Personal Data for profiling purposes, this will be kept for 12 months from collection, unless you exercise your right of withdrawal before this deadline; in any case, the Joint Controllers will periodically reobtain your consent for this purpose in order to respect your choices
- Personal and contact details and data relating to transactions, processed for marketing purposes: in the event of processing your Personal Data for marketing purposes, which provides for the use of personal and contact details only, this will be kept for 24 months from collection within the marketing database, unless you exercise your right of withdrawal before this deadline; in any case, the Joint Controllers will periodically reobtain your consent for this purpose in order to respect your choices.
- Browsing data: such Personal Data will be stored for as long as your "Volare" profile is active. The storage times of the various cookies used may be consulted in the Cookie Policy at the following link.
With particular reference to the protection of the Joint Controllers' rights in court or in the event of requests from an authority, the Personal Data processed will be kept by the Joint Controllers for the time necessary to process the request or to pursue the protection of its rights.
8. Whom we may share your personal data with
Your Personal Data may be shared with:
• persons authorized by the Joint Controllers to process personal data, pursuant to Articles 29 of the GDPR and 2-quaterdecies of the Italian Data Protection Act (e.g. personnel responsible for managing information systems, etc.);
• entities or authorities to which it is mandatory to communicate your Personal Data by virtue of legal provisions under EU law or under the law of the Member State to which the Joint Controllers are subject;
• banks and payment companies;
• third parties such as law firms and public authorities whom we contact in order to comply with or apply the Program Regulations or to safeguard all our legitimate interests;
• third parties such as the police and public authorities, in order to protect our rights, or following a request validly made by same;
• subjects who, in providing the services, typically act as data processors, pursuant to Article 28 of the GDPR (e.g. companies that offer IT infrastructures and IT assistance and consultancy services, as well as the design and implementation of software and websites;
companies that offer services useful for customizing and optimizing our services, including those providing and managing our customer service; companies that offer services useful for analyzing and developing data and processing and conducting market research). The Joint Controllers keep an updated list of all data processors, available to data subjects for consultation at the registered offices indicated above and upon sending a written request to the Joint Controllers at the addresses indicated in paragraph 12 of this Privacy Policy.
Any Personal Data communication will take place in full compliance with the provisions of the GDPR and of applicable legislation on the protection of Personal Data. Please contact us at the contact details referred to in paragraph 12 of this Privacy Policy if you wish to view the list of data processors and other parties to whom we communicate your Personal Data.
Your Personal Data will not be disclosed to third parties.
9. Transfer of personal data to third countries
To perform some of the processing activities involving your Personal Data, the Joint Controllers may communicate the same to external parties located in countries that do not belong to the European Union (EU) or the European Economic Area (EEA) (hereinafter, "Third Countries") and which could guarantee a lower level of protection of your Personal Data than that guaranteed within the European Union.
Any transfer, by the Joint Controllers, of your Personal Data to parties located in third countries will in any case take place in compliance with the provisions of applicable legislation on the protection of Personal Data and on the basis of one of the adequate guarantees provided for by Article 44 et seq. of the GDPR, such as, for example, the adoption of Standard Clauses approved by the European Commission, or the selection of subjects adhering to international programs for the free flow of data or operating in countries considered safe by the European Commission, in compliance with the 01/2020 recommendations adopted on November 10, 2020 by the European Data Protection Board. You can request more information on the transfer of data and on the guarantees adopted for this purpose from the Joint Controllers and/or the DPO at the addresses indicated in paragraph 12 of this Privacy Policy.
Adoption of the aforementioned Standard Clauses will take place depending on the role these parties play in relation to processing. Said parties will process your Personal Data as independent data controllers, or as data processors duly appointed by the Joint Controllers in accordance with Article 28 of the GDPR.
You may write to the Joint Controllers at any time, using the contact details provided in paragraph 12 of this Privacy Policy, asking to whom Personal Data is disclosed and to receive a copy of the guarantees adopted with regard to data transfers.
10. Automated decision-making processes
The Joint Controllers will not use automated decision-making processes, including profiling, without your consent.
11. Your data protection rights and your right to lodge a complaint before the supervisory authority
Under the GDPR, you have the right to ask each Joint Controller, at any time:
• for access to your Personal Data, as provided for by Article 15 of the GDPR;
• for the rectification and integration of inaccurate personal data concerning you held by the Joint Controllers, as provided for by Article 16 of the GDPR;
• for the erasure of your Personal Data where there is no longer any legal basis for its processing, as provided for by Article 17 of the GDPR;
• for restriction of processing of your Personal Data where one of the hypotheses provided for in Article 18 of the GDPR applies;
• for a copy of the Personal Data concerning you that you have provided us, in a structured, commonly used and machine-readable format, for processing based on a contract (so-called "data portability"), as provided for by Article 20 of the GDPR;
• not to be subjected to decisions solely based on automated data processing, including profiling, having legal repercussions for you, if you have not consented in advance, as established by Article 22 of the GDPR;
• for the withdrawal of your consent at any time, in the case of processing based on consent. It should be noted that any withdrawal of consent will take effect only with reference to subsequent processing, without prejudice to the lawfulness of processing carried out prior to such withdrawal.
Right to object: in addition to the rights listed above, you always have the right to object at any time to the processing of your Personal Data carried out for the pursuit of the legitimate interest of the Joint Controllers, and to processing carried out for marketing purposes, including profiling to the extent that it is connected to such marketing.
To exercise the aforementioned rights towards the Joint Controllers, you can direct your communication using the contact details referred to in paragraph 12 of this Privacy Policy, specifying: (i) your name and surname, (ii) the e-mail address used to register for the Program, and (iii) the details of the request.
Exercise of these rights is subject to certain exceptions aimed at safeguarding the public interest (e.g. the prevention or identification of crimes) and our own interests (e.g. maintenance of the obligation of professional secrecy). Should you exercise any of the aforementioned rights, it will be our responsibility to verify that you are entitled to exercise same and we will reply, as a rule, within one month.
If you believe that the processing of your Personal Data is in violation of the provisions of the GDPR and of the legislation on the protection of Personal Data, you have the right to lodge a complaint with the Italian Data Protection Authority, using the references available on the website www.garanteprivacy.it, or to bring an action before the appropriate judicial authorities.
12. Contact details of the joint controllers and of the data protection officer ("dpo")
You may contact the Joint Controllers, at any time, at the following email address dpo@ita-airways.com, identified as the single point of contact for exercising your rights, or:
- for ITA Airways, at italiatrasportoaereo@legalmail.it;
- for Volare, at volareloyalty@legalmail.it.
In this regard, please note that you may in any case exercise your rights towards and/or against each Joint Controller, also using the contact details referred to in article 1 of this Privacy Policy.
Moreover, for the same purposes, you may contact the Data Protection Officer ("DPO") appointed by ITA Airways and Volare by emailing dpo@ita-airways.com.
13. Joint controllership agreement
The essential content of the joint controllership agreement signed between ITA Airways and Volare – which deals with transparently determining their respective responsibilities regarding compliance with obligations under the GDPR, particularly as regards the exercising of your rights and their respective communication obligations regarding this Privacy Policy – is available upon request from dpo@ita-airways.com.
14. Changes to this policy
The Joint Controllers reserve the right to change or simply update the content of this Privacy Policy, in whole or in part, also following changes in the applicable legislation. You will be informed of such changes as soon as they are introduced.
