Last update: 1 October 2023
INFORMATION ON THE PROCESSING OF PERSONAL DATA OF THE USERS WHO CONSULT THE WEBSITE OF ITA S.P.A. (COMMERCIALLY KNOWN AS ITA AIRWAYS)
INFORMATION PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
Italy Air Transport S.p.A. ("ITA S.p.A.") wishes to inform you that, pursuant to art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council concerning the protection of individuals with regard to the processing of personal data (hereinafter "European Regulation"), you need to proceed with the processing of your personal data collected automatically or provided by you through the navigation or use of the website https://www.ita-airways.com/ (hereinafter "Website").
1. DATA PROCESSOR AND DATA CONTROLLER
The Data Controller is Italia Trasporto Aereo S.p.A. "ITA S.p.A.", commercially known as ITA Airways, in the person of the legal representative, domiciled at the registered office in via XX Settembre, n. 97, in Rome (RM), 00187, C.F. and P.I. 15907661001 (hereinafter "ITA S.p.A." or "Data Controller").
In order to carry out its business, the Company may make use of third party suppliers, duly appointed as Data Processors, who present all the guarantees of the law (Article 28 of the European Regulation).
For the list of ITA S.p.A. data processors, the DPO can be contacted in the manner indicated in the following art. 2.
2. DATA PROTECTION OFFICER
Due to the processing activities carried out by ITA S.p.A., the Data Controller deemed it necessary to designate, pursuant to art. 37 of the European Regulation, a Data Protection Officer who can be contacted at the following address: via XX Settembre, n. 97, in Rome (RM), 00187 (RM), or by sending an e-mail to firstname.lastname@example.org.
3. DEFINITION AND TYPE OF PERSONAL DATA PROCESSED
To allow you to use the air transport service offered by ITA S.p.A., the website www.ita-airways.com and related services, the Data Controller needs to know and process some of your personal data.
By personal data we mean information concerning an identified or identifiable natural person, such as, for example, the name, contact details and / or data relating to the booking.
To purchase an airline ticket, the data processed will be name, surname, telephone number, e-mail address, information relating to the journey purchased, including any special assistance requests or preferences relating to meals, and payment data. Furthermore, depending on the destination, additional categories of personal data may be collected such as, for example, the date of birth (including minors), gender and passport number.
For the simple navigation of the Website, the types of data processed are specified below: for further details, please refer to the specific information for "cookies".
The computer systems and software procedures used to operate ITA S.p.A. acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This is information that is not collected to be associated with identified data subject, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified.
This category of data includes the IP addresses or domain names of the computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user's computer environment.
These data are used by the Data Controller for the sole purpose of obtaining anonymous statistical information on the use of the Website, the App and to check its correct functioning. The data could also be used to ascertain responsibility in the event of hypothetical computer crimes against ITA S.p.A..
Data provided voluntarily by the user
The optional, explicit and voluntary sending of e-mails to the addresses indicated on this Website and on the App entails the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data included in the communication.
- CALL CENTER
Telephone calls to the Call Center numbers may involve the processing of personal data of the user aimed at providing the services requested by the same, such as, by way of example: reservations, purchase and sending of travel tickets for air transport requested by the passenger, changes o replacements of tickets already issued, refunds, after-sales assistance, special assistance and purchases of complementary services to the flight. The finalization of electronic transactions may also involve the acquisition of the credit card data of its customers, which will be treated with all the necessary precautions required by sector legislation. ITA S.p.A. can also make use of third party call centers that operate, always in full compliance with the legislation on the protection of personal data, with a specific service contract on behalf of the Data Controller, as Data Processors pursuant to Article 28 of the European Regulation. In the event that third party call centers process data for which ITA S.p.A. is the Data Controller outside the EU, ITA S.p.A. requires its suppliers to comply with the guarantees provided for by art. 46 of the European Regulation. ITA S.p.A., where it makes use of foreign call centers outside the European Union, in accordance with the provisions of current legislation, will inform its customers about the foreign country in which the operator is physically located, offering its customers / users the choice of being able to request that the service be rendered through an operator located in the national territory.
4. PURPOSE OF THE PROCESSING AND LEGAL BASIS
The personal data that the Data Controller is in possession of are exclusively those provided by you during navigation and / or during the use of our services. Therefore, personal data will be processed for:
A) Allow you to use our air ticket purchase service;
B) Allow you to use the air transport service;
C) Satisfy travel needs and offer the requested services;
D) Send communications relating to the service status of your flight in case of need;
E) Satisfy all legal requirements related to passenger air transport;
F) Directly sell products or services similar to those already purchased by the data subject, using the e-mail coordinates provided by the same when purchasing a ticket or service, provided that the data subject, adequately informed, does not refusal of subsequent communications;
G) Provide up-to-date news on ITA S.p.A. activities and promotions as well as on co-marketing promotions useful for enriching the travel experience, by sending newsletters, advertising material and / or communications and information of a commercial and direct marketing nature about our services and products, on related offers, discounts and any other promotional and loyalty initiative adopted by us, both through traditional and fully automated contact systems, such as, for example, through the residential address and / or mailing address electronic, or also via SMS messages;
H) Allow registration to the Company's loyalty program;
I) Customize the content of commercial communication and offer only dedicated products and offers, in line with the tastes and preferences expressed, as well as a better flight experience.
J) Ensure the protection of health and public safety
K) Allow the user interested in purchasing an airline ticket or an ancillary service to complete the already started purchase process, by sending a reminder e-mail to the address entered in the pre-purchase step: so-called "abandoned cart recovery". The data processing for the above-mentioned purpuse is useful forthe justified interest of ITA S.p.A. and useful for the consumers to remind them of their pending purchase processes which might not have been completed also due to possible technical problems.
In consideration of the choice to use the services provided by the Website, the legal basis on which the processing of your personal data is based, may be:
- The data provided is necessary to make reservations and purchase one or more airline tickets;
- The data provided are necessary to be able to execute the air transport contract;
- The processing of personal data is necessary to comply with the legal obligations established in the aeronautical field, applicable from time to time, depending on the destination;
- The processing of personal data may be necessary to safeguard the vital interests of one or more natural persons;
- The Data Controller has a legitimate interest in processing personal data to offer the best service and the best flight experience;
- On the basis of the specific consents that may be freely provided, carry out direct marketing and profiling initiatives.
- processing is necessary for reasons of public interest in the public health sector, such as protection from serious cross-border threats to health.
Personal data may be processed both through IT tools and on paper.
5. THE NO FLY PROGRAM
We wish to inform you that, under the Italian Code of Navigation, in its capacity as operator and through its representatives and/or officials, ITA is obliged to take rapid safety decisions in order to guarantee a high level of protection for passengers and the Company. For this reason, ITA has set up a “No FLY Program” under which it may ban from its flights listed passengers who:
(i) demonstrate an aggressive, offensive or otherwise antisocial behavior;
(ii) have damaged or attempted to damage property owned by the company;
(iii) have misused the services offered; or, generally, have engaged in conduct which may jeopardize flight safety.
Based on a comprehensive assessment of the seriousness of a passenger’s behavior, ITA may prohibit him or her from boarding any flight operated by same. The ban for passengers listed in the “No FLY Program” can last from 3 (three) to 18 (eighteen) months and, in cases of extremely serious behavior associated with the safety of flights and/or company assets, for up to a maximum of 24 (twenty-four) months. Once the ban is lifted, the passenger's name will be kept on record for a further five years for the sole purpose of providing answers to the Judicial Police Authorities or for defense in any litigation. At the end of the five-year period, the data will be permanently deleted.
6. DATA RETENTION
The Data Controller intends to keep personal data for a period of time not exceeding that necessary to achieve the purposes for which they were collected and processed.
With regard to the processing of personal data for direct marketing purposes, if it has been explicitly authorized, in compliance with the regulatory requests in force, ITA S.p.A. has established to provide for the cancellation of your personal data processed for direct marketing purposes following your explicit request. request, in compliance with the provisions of the Provision of the Guarantor for the protection of personal data of 15.10.2020. Personal data processed for profiling purposes will instead be deleted after 12 months from registration.
With regard to other personal data, not being able to accurately determine the retention period of your personal data, the Data Controller undertakes from now on to inspire the processing of your personal data to the principles of adequacy, relevance and data minimization, so as required by the European Regulation, periodically verifying the need for their conservation. Therefore, once the purposes for which they were collected and processed have been achieved, we will remove them from our systems and registers and / or we will take appropriate measures to make them anonymous, so as to prevent you from being identified.
This, except in the case in which we need to keep such data to comply with regulatory obligations, or to ascertain, exercise or defend our right in court.
7. CATEGORIES OF DATA RECIPIENTS
The data processed will not be disclosed to third parties. However, they may become aware of your data, in relation to the processing purposes set out above:
• Subjects who can access the data by virtue of the law provided for by the law of the European Union or that of the Member State to which the Data Controller is subject, including the Central Directorate of Immigration and the Border Police.
Pursuant to Article 13 of Regulation (EU) 2016/679 and following the provisions of Article 8 of Directive (EU) 2016/681 of 27 April 2016 on the use of Passenger Name Record (PNR) data, the air carriers are obliged to transfer the data of the passenger reservation code (PNR) to the database of the UIP (Passenger Information Unit) of the Member State in whose territory the flight lands or from whose territory the flight departs.
The data will be processed in accordance with the regulations in force regarding the protection of personal data and for the purpose of preventing, ascertaining, investigating and prosecuting terrorist offenses and serious crimes.
- Our employees, provided that they are previously designated as in charge of processing, as System Administrator, or as a person acting under the authority of the Data Controller or Data Processor, provided they are previously instructed to do so by the Data Controller;
- External subjects who perform functions strictly connected or instrumental to the air transport activity such as other external air transport companies or commercial partners of ITA S.p.A., as autonomous Data Controllers or Data Processors, who should be considered fundamental for the purposes of operation of ITA S.p.A. flights;
- Credit card companies and service providers for anti-fraud control connected to the payment process and (where necessary) activation of the anti-fraud control procedure;
- Third parties such as law firms and public authorities to whom we turn to ensure that the stipulated contract is respected or applied;
- Third parties such as police and national authorities to protect our rights, property or safety of you, staff and our assets;
- Public authorities and law enforcement agencies, for example customs and immigration authorities, following a validly made request;
- Subjects who perform, in total autonomy, as separate Data Controllers, or as Data Processors appointed for this purpose by ITA S.p.A., purposes auxiliary to the activities and services referred to in paragraph 4, as commercial partners, companies offering services advertising, marketing and communication, companies that offer IT infrastructures and IT assistance and consultancy services as well as design and implementation of software and Internet sites, companies that offer useful services to customize and optimize our services, including those to provide and manage customer service, companies that offer services that are useful for analyzing and developing data and processing and conducting market research.
- Any communication of personal data will take place in full compliance with the provisions of the law provided for by the European Regulation and the technical and organizational measures prepared by the Data Controller to ensure an adequate level of security.
Any communication of personal data will take place in full compliance with the legal provisions of the European Regulation and the technical and organizational measures prepared by the Data Controller to ensure an adequate level of security.
8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES AND FOR THE CONTROL OF IMMIGRATION AND FOR THE PURPOSE OF FIGHTING TERRORISM
ITA S.p.A. is a global carrier that transports passengers to a plurality of countries around the world. The Data Controller may transfer personal data to third countries for the purposes of the proper performance of ITA S.p.A.'s activities, as well as the fulfillment of the obligations arising from the requests of the data subject party. Therefore, the transfer in question is necessary for the execution of the contract concluded between the data subject and ITA S.p.A. and, in some cases, to fulfill the legal obligations to which the Data Controller is subject.
In case of transfer of the personal information of the data subjects outside the European Union, we undertake to:
- include the standard contractual data protection clauses approved by the European Commission for the transfer of personal information outside the EEA in our contracts with such third parties (these are the clauses approved under Article 46.2 of the General Data Protection Regulation ("GDPR"); or
- make sure that the country in which the personal information will be handled has been deemed "adequate" by the European Commission pursuant to Article 45 of the RGPD;
For more information on the rules for data transfers outside the EEA, including the mechanisms we rely on, please visit the European Commission website here.
9. ANY AUTOMATED DECISION-MAKING PROCESSES
The Data Controller does not use automated decision-making processes, including the profiling referred to in Article 22, paragraphs 1 and 4, of the European Regulation, without your consent. If you consent to profiling, the data provided may be used to analyze or predict preferences, behaviors and positions in order to be able to customize the content of the commercial communication and offer only dedicated products and offers in line with the tastes and preferences expressed, thus decreasing the number of commercial communications we will send, and offering a better flight experience.
Specifically, these processing activities provide for the recording, analysis and profiling (i) of your identification data, (ii) information relating to your flights, (iii) as well as data relating to your habits and consumption choices.
The aggregation and analysis of the personal data collected allow us to identify customers of the air transport service who share similar purchasing behaviors. Thanks to the results of these analyzes, the Data Controller will be able to send commercial proposals functional to their needs to those who have consented.
Furthermore, as required by art. 22, paragraph 3, of the European Regulation, the Data Controller implements all the most appropriate measures to protect your rights, your freedoms and your legitimate interests also within the profiling process, in addition to any further and legitimate right as well as better explained in Paragraph 10 ("Rights of the data subject") of this Privacy Notice.
10. NATURE OF THE PROVISION
The provision of your personal data for the purposes referred to in paragraph 4.A - 4.B - 4.C - 4.D - 4E is mandatory, as your refusal to provide the requested personal data would make it impossible for ITA S.p.A. to provide the air transport service.
The provision of personal data for the purposes referred to in paragraph 4.F is optional and the data subject always has the right to refuse such use of their personal data by the Data Controller.
The provision of personal data for the purposes referred to in paragraph 4.G is optional, but failure to provide it, while not preventing the use of the Website in any way, may not allow us to make full use of the advantages offered through the communications of an advertising, commercial and direct marketing nature, as well as to inform you about additional services, discounts and promotions offered.
The provision of personal data for the purposes referred to in paragraph 4.H is optional, but failure to provide it prevents joining the Program.
The provision of personal data for the purposes referred to in paragraph 4.I is optional, but failure to provide it may not allow us to make full use of the reserved advantages, as well as receive exclusive products and dedicated offers in line with the tastes and preferences expressed, and a better flight experience.
11. RIGHTS OF THE DATA SUBJECT
In relation to the processing of your personal data, pursuant to the European Regulation, the data subject has the right to:
- withdraw consent to processing at any time, for all further and unnecessary processing for the purpose of providing the service contract. It should be noted, however, that the withdrawal of consent does not affect the lawfulness of the processing based on consent before the withdrawal, as required by art. 7, paragraph 3, of the European Regulation;
- ask the Data Controller for access to personal data, as required by art. 15 of the European Regulation;
- obtain from the Data Controller the rectification of personal data deemed inaccurate, even by providing a simple supplementary declaration, as required by art. 16 of the European Regulation;
- obtain from the Data Controller the erasure of personal data if there is even only one of the reasons provided for by art. 17 of the European Regulation, for all further and unnecessary processing for the purpose of providing the service contract;
- obtain from the Data Controller the restriction of the processing of personal data if one of the hypotheses provided for by art. 18 of the European Regulation; for all further and unnecessary processing for the purpose of providing the service contract;
- receive from the Data Controller the personal data concerning you in a structured format, commonly used and readable by an automatic device, as well as having the right to transmit such data to another data controller without impediments, as required by art. 20 of the European Regulation;
- object at any time, for reasons related to your particular situation, to the processing of personal data carried out pursuant to art. 6, paragraph 1, letters e) or f), including profiling on the basis of these provisions, as required by art. 21 of the European Regulation;
- not be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning you, if you have not previously and explicitly consented, as required by art. 22 of the European Regulation. By way of example and not limited to, this category includes any form of automated processing of personal data aimed at analyzing or predicting aspects relating to consumption and purchase choices, the economic situation, interests, reliability, behavior;
- propose a complaint to a supervisory authority, if you believe that the processing that concerns you violates the European Regulation. The complaint can be filed in the Member State in which he habitually resides, works or in the place where the alleged violation has occurred, as required by art. 77 of the European Regulation.
To exercise each of your rights, you can contact the Data Controller, in the person of the legal representative, by sending a communication to the registered office in via XX Settembre, n. 97, in Rome (RM), 00187.
Alternatively, you can contact the Data Protection Officer by sending a communication to ITA S.p.A. Data Protection Officer, via XX Settembre, n. 97, in Rome (RM), 00187, or by sending an email to email@example.com providing us with the following data:
- Name, surname and postal address
- Details of the request
- Booking code or flight number and date
- Photocopy of a valid identity document
12. CHILD’S CONSENT IN RELATION TO THE SERVICES OF THE INFORMATION SOCIETY
To be able to use the services provided through the Website, you must be over fourteen years old: the processing of personal data of minors under the age of fourteen is lawful on condition that it is exercised by the person exercising parental authority.
13. MODIFICATIONS OF CONSENT TO THE PROCESSING OF PERSONAL DATA
You can change the consent given at any time for the following purposes:
- 4F - 4G by sending an e-mail with “revocation of consent” as subject to the following address firstname.lastname@example.org;
- 4H - 4I by sending an e-mail with “revocation of consent” as subject to the following address email@example.com.
What are cookies?
Cookies are packets of information sent by a web server (eg the site) to the user's Internet browser, which are automatically stored on the computer and automatically sent back to the server at each subsequent access to the site.
Typically cookies can be installed:
▪ Directly from the data controller and / or data processor of the website (so-called first-party cookies)
▪ by managers unrelated to the website visited by the user (so-called third-party cookies). Unless otherwise specified, please note that these cookies fall under the direct and exclusive responsibility of the manager himself. Further information on privacy and their use can be found directly on the websites of the respective operators.
This website may use, also in combination with each other, the following types of cookies classified according to the indications of the Privacy Guarantor and the Opinions issued in the European context by the Working Group pursuant to art. 29 of the GDPR:
▪ Sessions that are not stored permanently on the user's computer and are deleted when the browser is closed, are strictly limited to the transmission of session identifiers necessary to allow safe and efficient exploration of the site avoiding the use of other IT techniques potentially prejudicial to the confidentiality of users' browsing
▪ Persistent that remain stored on the hard disk of the computer until their expiration or cancellation by users / visitors. Through persistent cookies, visitors who access the site (or any other users who use the same computer) are automatically recognized at each visit. Visitors can set the computer browser to accept / reject all cookies or display a warning whenever a cookie is proposed, in order to evaluate whether to accept it or not. The user can, however, change the default configuration and disable cookies (i.e. block them permanently), by setting the highest level of protection.
▪ Technicians are the cookies used to authenticate, to take advantage of multimedia content such as flash player or to allow the choice of the navigation language. In general, it is therefore not necessary to obtain the user's prior and informed consent. This category also includes cookies used to statistically analyze accesses / visits to the site only if used exclusively for statistical purposes and through the collection of information in aggregate form.
▪ Non-technical are all cookies used for profiling and marketing purposes. Their use on users' terminals is prohibited if they have not previously been adequately informed and have not given valid consent in this regard according to the opt-in technique. These types of cookies are, in turn, grouped according to the functions they perform in:
▪ Analytics. These are cookies used to collect and analyze statistical information on accesses / visits to the website. In some cases, associated with other information such as the credentials entered for access to restricted areas (your e-mail address and password), they can be used to profile the user (personal habits, sites visited, downloaded content, types of interactions carried out, etc.).
▪ Widgets. This category includes all those graphic components of a user interface of a program, which aims to facilitate the user in interacting with the program itself. By way of example, facebook, google +, twitter cookies are widgets.
▪ Advertsing. This category includes cookies used to advertise on a site. Google, Tradedoubler fall into this category.
▪ Web beacons. This category includes code fragments that allow a website to transfer or collect information by requesting a graphic image. Websites can use them for various purposes, such as the analysis of the use of websites, control activities and reporting on advertising and the personalization of advertising and content.
The cookies currently present on the Site
Technical cookies for which consent is not required
The Data Controller will install on your device and, in particular, in your browser or will let third parties install some cookies that are necessary for us to acquire or have our partners acquire statistical information in anonymous and aggregate form relating to your navigation on the pages of the Site.
If the user does not wish to receive third-party cookies on his device, he can, through the link below, access the information and consent forms of these third parties and exclude their receipt. These cookies are not controlled directly by the Site, therefore, to revoke the consent it is necessary to refer to the websites of third parties or refer to the site https://www.youronlinechoices.com/it/ to obtain information on how to delete or manage cookies based on the browser used and to manage preferences on third-party profiling cookies.
This site uses so-called "profiling cookies". These cookies are not essential, but they help us to personalize and improve your experience on the Website. For example, they help us to indicate the airport of departure closest to your location, or to know and remember your shopping preferences. and show you relevant and personalized advertisements. They also allow us to limit the number of times each ad is shown, measure the effectiveness of the advertising campaign, remember your visit and share the collected data with third parties, such as our advertisers.
The elimination of these cookies, therefore, although it does not affect the general usability of the Website, could still lead to a limitation of some features.
Third party cookies
How to disable cookies by configuring the browser
If you wish, you can also manage cookies directly through your browser settings. However, deleting the cookies from the browser could remove the preferences you have set for the Company's sites, so it would be advisable for you to periodically visit this page to double-check your preferences.
For more information and support, you can also visit the specific help page of the web browser you are using:
- Internet Explorer: https://windows.microsoft.com/it-IT/internet-explorer/delete-manage-cookies
- Google Chrome: https://support.google.com/chrome/answer/95647
- Mozilla Firefox: https://support.mozilla.org/it/kb/Gestione%20dei%20cookie
Rights of the data subject
To exercise each of your rights, you can contact the Data Controller, in the person of the legal representative, by sending a communication to the registered office in via XX Settembre, n. 97, in Rome (RM), 00187.
Alternatively, you can contact the Data Protection Officer by sending a communication to ITA S.p.A. Data Protection Officer, via XX Settembre, n. 97, in Rome (RM), 00187, or by sending an email to firstname.lastname@example.org