Last update: 21 January 2025
Italia Trasporto Aereo S.p.A. – in its capacity as Data Controller ("ITA Airways" or "Data Controller") pursuant to Regulation (EU) No 2016/679 ("GDPR") and Legislative Decree no. 196/2003 ("Privacy Code") – is committed to protecting the confidentiality of the personal data of its website users. In accordance with articles 13 and 14 of the GDPR, the purpose of this Privacy Notice, is to inform the users of the website www.ita-airways.com ("Website") or its services, of how the personal data collected through it is processed. This Privacy Notice does not apply to any other websites accessed via the links found on the Website.
Furthermore, in accordance with article 14 of the GDPR, this Privacy Notice also applies to the personal data of other passengers provided by a data subject either when booking a flight on the Website or in relation to any other service provided on the Website, including minors or incapacitated persons, for whom the user is acting as a person exercising permanent or temporary parental authority or legal guardianship.
All personal data will be processed in accordance with the principles of fairness, lawfulness, transparency, limitation of purpose and storage, data minimisation and accuracy, integrity and confidentiality, as well as to the principle of accountability, within the meaning of article 5 of the GDPR.
“Processing of personal data” means any operation (or set of operations) regarding personal data (or sets of personal data) by automated means, or otherwise, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
2. DEFINITION AND TYPE OF PERSONAL DATA
3. LEGAL BASIS FOR PROCESSING PERSONAL DATA
5. TRANSFER OF PERSONAL DATA OUTSIDE THE EU
8. AMENDMENTS
10. CONSENT OF MINORS IN RELATION TO INFORMATION SOCIETY SERVICES
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
For the purposes of this Privacy Notice, the Data Controller is Italia Trasporto Aereo S.p.A., in the person of its pro tempore legal representative, with registered office at via XX Settembre 97, 00187 Rome (Italy), codice fiscale (unique taxpayer reference) and Business Registry number 15907661001, which can also be contacted at the registered email address (pec): italiatrasportoaereo@legalmail.it.
The Data Protection Officer (DPO) of ITA Airways can be contacted at the offices of the Data Controller at the above address or by email at dpo@ita-airways.com.
2. DEFINITION AND TYPE OF PERSONAL DATA
The personal data processed by ITA Airways may consist of an identifier, such as name, identification number, location data, online identifier, or other specific physical, physiological, psychological, economic, cultural or social characteristics relating to an identified or identifiable person, depending on the nature of the services requested.
Below is an overview of the types of data processed in connection with the use of the Website:
a. Navigation data
Normally, the computer systems and software procedures used to operate the Website acquire the personal data of users associated with the relevant Internet communication protocols. While this information is not collected to be associated with specific data subjects, it could, by its very nature, be used to identify them through processing and association with other data held by third parties. This category of data includes the IP addresses or domain names of the computers used by users browsing the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the operating system and the user's computer environment. These data are used by the Data Controller for the sole purpose of obtaining anonymous statistical information on the use of the Website and to check that it is operating properly. The data may also be used to determine responsibility in the event of any cybercrimes committed against the Website or third parties.
b. Data provided voluntarily by the user
Unless otherwise provided elsewhere on the Website, this ITA Airways Policy Notice also applies to the processing of personal data concerning Website users, and voluntarily provided by them in connection with requests for assistance and/or information to the ITA Airways assistance team, via the contact addresses and/or call centre channels made available by the Data Controller on the Website (such as, for example, email addresses, personal details, identification data, flight information). In this case, users are requested to provide only the personal data that is strictly necessary for processing their request, thus excluding irrelevant and/or so-called “sensitive” data (within the meaning of article 9 of the GDPR, i.e. information revealing the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data capable of uniquely identifying a natural person, data concerning the data subject's health or sex life or sexual orientation), unless the “sensitive” data is strictly necessary to process requests for assistance (e.g. special assistance in cases of reduced mobility and/or disability, or special meals to meet specific dietary, medical or religious needs, etc.). The Data Controller will not process and will immediately delete personal data that are neither relevant nor strictly necessary for processing a request.
In accordance with article 14 of the GDPR, the Data Controller will inform data subjects that the above-mentioned personal data may also relate to other passengers, including minors and/or incapacitated persons, provided in connection with any requests for assistance/information.
This Privacy Notice also applies to the processing of personal data provided in connection with voluntary subscription to the ITA Airways newsletter, by means of the online form, in which case the subscriber’s personal data (such as, for example, first name(s) and last name) and contact data (in particular, an email address) will be processed.
c. Data processed in connection with online services
Unless otherwise stated elsewhere on the Website, this Privacy Notice also applies to any data provided by users in connection with online services, as follows:
- online ticketing and related administrative activities, such as sending communications with details of and updates of purchased flights, to the email address provided, in which case the following data may be processed: personal data (e.g. first name(s), last name, date and place of birth, codice fiscale/unique taxpayer identification number, nationality, passport and residence details), contact data (e.g. email address and mobile phone number), flight details (e.g. point of departure and destination, date and time of departure/arrival, seat number, checked baggage, identification codes, information on whether you are eligible for special discounts and/or concessionary schemes, and whether you are a member of the "Volare" loyalty programme), payment details (e.g. credit/debit card details, payment by gift card, bank details in the case of payment by bank transfer, etc.), including information relating to the payment transactions associated with the selected payment method, whether credit/debit card, bank transfer and/or PayPal. In this regard, and in accordance with article 14 of the GDPR, the bank or PayPal, as independent data controllers, will disclose to ITA Airways the information relating to the circumstances of the payment. Subject to the consent of the data subject, in accordance with article 9(2)(a) of the GDPR, “sensitive” data may also be processed (within the meaning of article 9 of the GDPR, i.e. information relating to health conditions that may give rise to any special needs of the interested party and/or other passengers on the flight, such as, for example, reduced mobility and/or disability, food allergies/intolerances, other health-related information, including life-saving medication and electronic medical devices and equipment), as well as information that may reveal a person’s religious affiliation, for example in connection with requests for special in-flight meals (e.g. kosher meal, Muslim meal, Hindu meal, etc.), as necessary for the booking and/or ticket management process. Pursuant to article 14 of the GDPR, the Data Controller informs the users of the Website that the personal data referred to above may also relate to other passengers, including minors and/or incapacitated persons or third parties, such as the holders of the credit cards used to purchase the flight, and provided in connection with the booking and purchase of flight tickets. Users are therefore requested to ensure that such parties have read this Privacy Notice and understood how ITA Airways processes their personal data.
-Online check-in and ticket change, refund, upgrade and price blocking services, and related administrative activities, such as sending the relevant notifications (e.g. emails containing boarding passes, information on requested changes and refunds, requested upgrades and blocked ticket prices, etc.) to the email address provided, which may include information relating to the flight purchased (e.g. booking code, ticket identification number, etc.), passenger data, contact details, may be processed.
- Online reporting and complaints service, which requires the provision of personal data, contact data, flight data (e.g. booking code, flight number, carrier number, date and time, point of departure and destination), information about lost baggage, including the relevant identification codes (P.I.R. code), and information about the reported irregularities and/or inefficiencies and any documentation provided in support of a complaint. When uploading any documentation relating to a report and/or complaint, the data subject must not provide information relating to third parties and/or information that is not relevant and/or strictly necessary for processing the request. Otherwise, the Data Controller will not process the data and will delete it immediately.
With regard to the sources of personal data, these are primarily collected when browsing the Website and when using the online services provided through the Website. In some cases, however, personal data may also be collected from third parties, such as, for example, other airlines, in connection with so-called "re-routing" and "code sharing" services, or customs and immigration authorities, who may disclose to ITA Airways the personal and contact data of the data subject, and any other passengers, flight information, such as, for example, departure and destination locations, departure/arrival dates and times, seat number, checked luggage, flight and ticket identification codes.
ITA Airways may also receive personal data from any business partners with whom a data subject interacts, provided that consent has been given for disclosure to ITA Airways.
When accessing any online services offered by ITA Airways partners through the links contained in the Website (e.g. car rental, hotel booking, airport parking, shop&fly, airport transfer, e-sim, Limoline, RadicalStorage, etc. services), it should be noted that these are generated directly by the partner websites and integrated in the Website. The use of any such services therefore entails the processing of the user’s personal details by the said partners as independent data controllers, and reference should therefore be made to their respective privacy policies by clicking on the links to the partner websites as indicated in the Website.
The reserved area accessible through the Website is reserved for users registered in the Volare Loyalty Programme (“Programme”), jointly promoted by Italia Trasporto Aereo S.p.A. and Volare Loyalty S.p.A. When users sign in to and access the Programme, through the Website, their personal data will be collected by both ITA Airways and Volare Loyalty S.p.A., as joint data controllers, in compliance with the relevant privacy notice, which reference should therefore be made.
d. Personal data of third parties
When using the online services available on the Website, users are requested not to provide any personal data relating to third parties that are not strictly necessary for ITA Airways in relation to the delivery of the requested services.
In any case, if personal data relating to third parties is provided, the person providing the data shall act as the relevant data controller and shall assume all the legal obligations and responsibilities related thereto, indemnifying and holding ITA Airways harmless from and against any and all claims, liability, actions, losses, damages, etc. received from third parties whose personal data have been processed as a result of the user’s use of the Website functions in breach of the applicable data protection regulations. In any case, should the data subject provide or otherwise process the personal data of third parties when using the Website, he or she represents, warrants and undertakes to ITA Airways that such personal data of third parties has been processed with the consent of the relevant third party or under any other legal basis for processing.
e. Cookies and other tracking technologies
For information on the cookies used by the Website, please refer to the relevant cookie privacy policy notice available here, including information on how to manage cookie preferences.
All personal data shall be referred to herein as “Personal Data”.
3. LEGAL BASIS FOR PROCESSING PERSONAL DATA
All Personal Data will be processed, subject to the unambiguous consent of the data subject, where necessary, for the following purposes:
a) to effectively and securely navigate and use the Website (“Website Navigation Purposes”).
b) to effectively and securely use all the services made available by ITA Airways through the Website, such as, for example, the flight booking and ticketing service and, by way of example, the related online check-in, ticket changing, refund and upgrade and price blocking services, and the related contractual, administrative and accounting activities, such as payment processing and management, billing and/or complaint handling, and to enable the dedicated ITA Airways team to follow up on and manage specific requests for information and assistance, including pre-sales and after-sales support received through the email and/or telephone contacts provided on the Website, in relation to flight bookings, ticketing, ticket changes and refunds, after-sales support and special assistance and ancillary services ("Ticketing Service Purposes").
c) to effectively provide the air transport services and the management of travel-related needs and assistance services, in order to fulfil the relevant pre-contractual and contractual sales and support obligations, including the so-called "re-routing" and "code sharing" services, in relation to which ITA Airways may transfer or receive Personal Data to or from other carriers, and including service communications to the email address provided by the user containing details and updates about purchased flights and/or information that may be necessary to effectively manage ongoing health emergencies and/or facilitate passenger boarding operations ("Air Transport Purposes").
d) in cases where compulsory and/or optional travel insurance offered by the insurance partners of ITA Airways is taken out, in connection with the purchased flight, to disclose Personal Data to the said insurance companies, acting as independent data controllers, for the purpose of managing and providing the insurance services ("Travel Insurance Purposes").
e) to follow up on and process any reports and complaints received by the Data Controller through the dedicated online forms on the Website ("Reporting and Complaints Processing Purposes").
f) to send out, by email, post-flight surveys and passenger satisfaction questionnaires, to obtain feedback on the flight services provided by ITA Airways, in accordance with the General Conditions of Carriage. This will allow ITA Airways to comply with the obligations set out in article 783 of the Navigation Code and in the “Guidelines on Airline Service Quality: Standard Service Charters”, issued by ENAC, the Italian Civil Aviation Authority, for the drafting of the Airline Service Charter (“Travel Experience Survey Purposes").
The legal basis for the processing of “non-sensitive” Personal Data, for the purposes of Website Navigation, Ticketing Services, Air Transport, Reporting and Complaints Processing and Travel Experience Surveys, is article 6(1)(b) of the GDPR, because in these cases data processing is necessary to carry out the pre-contractual obligations towards the data subject, to establish the contractual relationship, to provide the services as requested and, in general, to perform and manage the contractual relationship entered into with the Data Controller, in accordance with the General Conditions of Carriage applied by ITA Airways.
With regard to the sending of post-flight passenger satisfaction questionnaires for “Travel Experience Survey Purposes”, as required by the General Conditions of Carriage, ITA Airways offers data subjects the possibility to opt out at any time, either by disabling the survey function in the communication or by sending a request to stop such communications to dpo@ita-airways.com.
Where “sensitive” Personal Data (within the meaning of article 9 of the GDPR) are processed for the purpose of Ticketing Services, Air Transport and Reporting and Complaints Processing, the relevant legal basis for the processing will be the consent given by the data subject in accordance with article 9(2)(a) of the GDPR. In the case of health data of minors and/or incapacitated persons is provided, the explicit consent for processing must be given by the person exercising permanent or temporary parental authority or legal guardianship.
Consent given for the processing of “sensitive” data, in accordance with article 9(2)(a) of the GDPR, may be withdrawn at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal.
The legal basis for the processing of Personal Data for the purposes of Travel Insurance, in the case of “non-sensitive” data, is article 6(1)(b) of the GDPR, since ITA Airways, as the policyholder of the insurance on behalf of the beneficiary passengers, is contractually obliged to disclose to the insurance company the Personal Data of the insured persons, the flight details and the information on the relevant insurance cover/schemes. In addition, ITA Airways may disclose any “sensitive” Personal Data, and in particular health data, to its insurance partners only after obtaining the specific consent of the data subject, in accordance with article 9(2)(a) of the GDPR, in order to allow the proper management of the insurance policy taken out on behalf of the beneficiary data subject.
The provision of Personal Data for the purposes referred to in letters a) to e) above is purely optional, but failure to provide such data may make it impossible for the Data Controller to initiate and provide the services requested and/or to follow up on and process any reports and/or complaints received by the Data Controller.
Once provided, Personal Data may also be processed by ITA Airways for the following purposes:
g) to fulfil its legal obligations as Data Controller, in accordance with domestic and EU legislation, including any measures imposed by the competent supervisory authorities and/or the judicial and/or administrative authorities having jurisdiction, including, inter alia, accounting and tax obligations, the obligations and controls required under the applicable regulations on the carriage of passengers by air, such as Regulation (EC) No. 261/2004 and Regulation (EC) No. 1107/2006, Legislative Decree No. 96 of 9 May 2005 ("Navigation Code"), in order to ensure the best possible protection of passengers on the basis of the so-called "NO FLY Programme" [for further details, please refer to the "NO FLY Programme" section of this Privacy Notice], as well as the applicable regulations for public health and safety, for the detection and repression of crime, for public order and civil protection, including in relation to the fight against crime and terrorism ("Compliance Purposes"). The legal basis for Compliance Purposes is the lawful processing of Personal Data pursuant to article 6(1)(c) of the GDPR and, for the possible processing of “sensitive” Personal Data, such as, in particular, information relating to the health of the data subject, pursuant to article 9(2)(g) of the GDPR and article 2-sexies(2)(u) of the Privacy Code.
h) to prevent, detect, prosecute and combat fraudulent, abusive and unlawful activities carried out against the Data Controller, in connection with the use of the Website and related services ("Anti-Fraud Purposes"). In this case, the legal basis of processing is found in the legitimate interest of the Data Controller and/or its customers in accordance with article 6(1)(f) of the GDPR, aimed at ensuring effective protection against fraudulent, abusive and unlawful activities, also in compliance with the measures issued by the competent supervisory authorities.
i) to establish, exercise or defend a legal claim in judicial or extra-judicial proceedings, including debt collection ("Litigation Defence Purposes"), for the pursuit of the legitimate interest of the Data Controller as per article 6(1)(f) and article 9(2)(f) of the GDPR, because, once the Personal Data have been provided, the relevant processing may become necessary to establish, exercise or defend a claim in court or when the competent judicial authorities exercise their functions.
j) to allow ITA Airways to email direct marketing communications for products and/or services similar to those purchased by the data subject, without the latter’s consent, in accordance with article 130(4) of the Privacy Code and article 6(1)(f) of the GDPR, and within the limits established by the measure of the Data Protection Authority of 19 June 2008. Pursuant to article 21 of the GDPR, the data subject has the right to object, at any time, initially or in subsequent communications, the processing of Personal Data concerning him or her for such purposes, easily and free of charge, also by writing to the Data Controller or the DPO at the addresses stated in section 7 of this Privacy Notice or by way of the link at the bottom of the email communications ("Soft Spam Communication Purposes").
k) to remind users who have shown an interest in purchasing an air ticket, or an ancillary service, to complete the purchase process, if initiated, by sending a reminder email to the address provided in the pre-purchase phase, known as "abandoned cart recovery".
The processing of data for this purpose is necessary for the legitimate interest of ITA Airways and of the user, in order to remind him or her of an incomplete purchase process, which may also be due to technical problems.
Furthermore, once provided, the Personal Data of a data subject may be processed, subject to his or her consent, in accordance with article 6(1)(a) of the GDPR, for the following purpose:
l) to subscribe to the ITA Airways newsletter and receive direct marketing communications by email regarding its services, products and offers ("Newsletter Subscription Purpose").
The legal basis for the Newsletter Subscription Purpose is the free and specific consent given by the data subject at the time of subscribing to the newsletter, in accordance with article 6(1)(a) of the GDPR.
If a data subject wishes to object to the processing of his or her data for the purpose of receiving newsletters, he or she may do so at any time by contacting the Data Controller and/or the DPO, at the addresses stated in section 7 of this Privacy Notice, or by using the link at the bottom of the email.
Consent given may be withdrawn at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal.
The provision of Personal Data for the purposes of subscribing to a newsletter is optional and refusal to provide such data will have no consequences and will in no way affect the services provided by ITA Airways.
Personal data may be communicated and disclosed to the following parties, for the purposes indicated in section 3 of this Privacy Notice:
- persons authorised by the Data Controller to process Personal Data in accordance with articles 29 and 32 of the GDPR and 2-quaterdecies of the "Privacy Code" (e.g. sales, administration and accounting staff, pre- and after-sales support, CRM, information systems management, boarding and reception staff, etc.).
- third parties providing various services (e.g. technology services, support & assistance services, security services, payment services, persons and/or companies and/or professional firms providing assistance and advice in accounting, administrative, legal, tax matters; persons and companies operating in the field of credit recovery and fraud prevention; technical maintenance services, partner companies providing IT infrastructure and IT assistance and consultancy services, as well as the design and creation of software and websites; companies providing services useful for customising and optimising the services offered by ITA Airways, including customer service; companies specialising in the planning and management of communication projects, in charge of managing marketing activities on behalf of ITA Airways, etc.) generally act as data processors in accordance with article 28 of the GDPR. The Data Controller keeps an up-to-date list of the relevant data processors and allows the data subject to access the list at the offices specified above or on request sent to the addresses specified in section 7 of this Privacy Notice.
- third parties, acting as independent data controllers, in the performance of functions strictly connected with or instrumental to air transport activities, to which Personal Data may be disclosed for the purpose of enabling the effective performance of pre-contractual and contractual sales and assistance obligations, including the operation of flights and "re-routing" and "code sharing" services (i.e. other air carriers; entities responsible for controlling, auditing and certifying the activities of ITA Airways, also in the interest of its customers and users; etc.).
- in the event that a flight is purchased with compulsory and/or optional insurance offered by an insurance partner of ITA Airways, Personal Data may be disclosed to the insurance companies acting as independent data controllers.
- persons, entities or authorities, including control authorities – acting as independent data controllers – to whom ITA Airways is obliged to disclose Personal Data, under the applicable law or on the instructions of the competent authorities (e.g. the Central Directorate for Immigration; the Border Police; the Passenger Information Unit (UIP) database of the Member State in which the flight lands or from where the flight departs, to which ITA Airways, as the air carrier, is obliged to transfer the passenger name record (PNR) data, for the purpose of the prevention, detection, investigation and prosecution of terrorist offences and serious crimes, etc., in accordance with article 8 of EU Directive No. 2016/681 of 27 April 2016 on the use of passenger name record (PNR) data).
The above parties are collectively referred to as the “Personal Data Recipients”.
5. TRANSFER OF PERSONAL DATA OUTSIDE THE EU
Personal Data collected through the Website will be processed and stored in the information systems of the Data Controller, whose servers are located within the European Economic Area (EEA). ITA Airways is a global carrier transporting passengers to a number of countries around the world. Consequently, as part of its air transport services, it may need to transfer Personal Data to third countries in order to properly carry out its activities, and to meet specific requests from the data subject. The transfer of Personal Data may be necessary for the performance of the contract concluded between the data subject and ITA Airways, in some cases in order to comply with its legal obligations as Data Controller. In the event of the transfer of Personal Data to Personal Data Recipients located outside the EEA, the Data Controller assures that the transfer will be carried out strictly in accordance with article 44 et seq. of the GDPR, such as, for example, the adoption of standard clauses approved by the European Commission, the selection of subjects adhering to international programmes for the free movement of data or operating in countries considered safe by the European Commission, in accordance with the Recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board (EDPB). Data subjects may request further information regarding the transfer of their Personal Data, and the relevant guarantees, from the Data Controller and/or or the DPO at the addresses stated in section 7 of this Privacy Notice.
In particular, with regard to the Ticket Services Purposes and the Air Transport Purposes referred to in section 3(b) and (c) of this Privacy Notice, the transfer of the Personal Data of passengers on flights to non-EU countries, for which no adequacy decision has been adopted in accordance with article 45(3) of the GDPR, or in the absence of adequate safeguards in accordance with article 46 of the GDPR, will be carried out in accordance with article 49(1)(b) of the GDPR, because the transfer is necessary for the performance of the contract of carriage between the data subject and the Data Controller or for the performance of pre-contractual measures adopted at the request of the data subject.
Further information may be obtained by sending a written request to the Data Controller and/or the DPO at the addresses stated in section 7 of this Privacy Notice.
All Personal Data collected will be stored in accordance with the principles of minimisation and limitation of storage referred to in article 5(1)(c) and (e) of the GDPR, for which ITA Airways has put into place appropriate security measures to prevent the loss, unlawful or incorrect use of and unauthorised access to the data.
The Personal Data processed for the purposes referred to in points a), b), c), d), e), f) of section 3 of this Privacy Notice will be stored solely for the time strictly necessary to achieve the said purposes, i.e. for the time necessary to provide the requested service, also taking into account the storage periods required by law.
For the purposes of subscribing to the newsletter referred to in letter l) of section 3 above, the personal identification and contact data of the data subject will be processed until he or she withdraws his or her consent in accordance with article 7 of the GDPR and/or until he or she objects to the processing of his or her data in accordance with article 21 of the GDPR (consistently with the decision of the Personal Data Authority of 15 October 2020).
The personal identification and contact data processed for soft spam communication purposes (as referred to in section 3(j) of this Privacy Notice) will be stored by ITA Airways until the data subject objects to their processing via the link found at the bottom of each soft spam email or by way of the other methods referred to in section 7 above. It should also be noted that the Personal Data relating to any flights and services purchased and processed within the scope of the definition of “soft spam” (as referred to in section 3(j)), will be stored for a period of 12 (twelve) months from the date of registration, without prejudice to any possible objection to the processing if made prior to the expiry of this term.
In general, the Data Controller reserves the right to store the data for the time necessary to fulfil its legal obligations, including any obligations or orders to transmit Personal Data to the competent authorities, or to meet any defence needs. With regard to the storage time of Personal Data provided in relation to the "NO FLY Programme", in accordance with the obligations set out in the Navigation Code, reference should be made to section 9 below.
Specific security measures have been adopted to prevent the loss of data and the unlawful or incorrect use of, or unauthorised access to, Personal Data. In any case, the Data Controller represents and warrants that all Personal Data will be processed in accordance with the principles of adequacy, relevance and data minimisation, as required by the GDPR, by periodically checking the need for the storage thereof.
Once the purposes for which the data were collected and processed have been fulfilled, ITA Airways will remove the data from its systems and records and/or will take appropriate measures to render them anonymous, so as to prevent the identification of the data subject.
Further information regarding the data storage period, and the criteria used to determine this period, may be obtained by sending a written request to the Data Controller and/or to the DPO at the addresses stated in section 7 of this Privacy Notice.
Data subjects may exercise their rights and/or request information on the processing of their data by contacting the Data Controller and/or the DPO at the addresses stated below, preferably by indicating the following reference: "Request to exercise data protection rights".
Data subjects may at any time exercise the following rights:
1. right to withdraw the consent given (article 7 of the GDPR) - The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing based on consent given prior to its withdrawal.
2. right of access (article 15 of the GDPR) – The data subject has the right to obtain confirmation as to whether or not Personal Data concerning him or her are being processed, as well as the right to obtain any information relating to the processing.
3. right to rectification (article 16 of the GDPR) – The data subject has the right to obtain rectification of inaccurate or incomplete Personal Data.
4. right to erasure (article 17 of the GDPR) – Under certain circumstances, the data subject has the right to obtain the erasure of Personal Data concerning him or her from the records of the Data Controller.
5. right to restriction of processing (article 18 GDPR) – Under certain circumstances, the data subject has the right to obtain a restriction of the processing of his or her Personal Data.
6. right to portability (article 20 of the GDPR) – The data subject has the right to transfer the Personal Data concerning him or her to another controller, in a structured, commonly used and machine-readable format.
7. right to object (article 21 of the GDPR) – The data subject has the right to object, on grounds relating to his or her particular situation, to processing of Personal Data concerning him or her. The Data Controller reserves the right to assess this request, which may not be accepted if there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. Furthermore, the data subject may object to and therefore stop receiving so-called “soft spam” communications by using the appropriate link at the bottom of the commercial email received. In any case, the data subject may always exercise this right by writing to the Data Controller and/or the DPO at the addresses below.
8. right to lodge a complaint with the Supervisory Authority (article 77 of the GDPR) – In accordance with the procedures indicated in the section below, if the data subject considers that the processing of Personal Data relating to him or her is in breach of the GDPR, he or she may lodge a complaint with the Supervisory Authority of the Member State in which he or she habitually resides or works, or of the place where the alleged breach occurred.
9. right to an effective judicial remedy (article 79 of the GDPR).
To exercise the above rights, the data subject may contact the Data Controller, in the person of the legal representative, by sending a communication to the registered office at Via XX Settembre 97, 00187 Rome (Italy) or, alternatively, by writing to the registered email address (pec) italiatrasportoaereo@legalmail.it.
Alternatively, the data subject may contact the Data Protection Officer by writing to the ITA Airways Data Protection Officer at Via XX Settembre 97, 00187 Roma (Italy) or by sending an email to dpo@ita-airways.com, providing with the following information:
- First name(s), last name and mail address.
- Details of the request.
- Booking code or flight number and date (if your request concerns a flight operated by ITA Airways).
The Data Controller reserves the right to modify or simply to update all or part of this Privacy Notice, also in relation to any changes in the applicable regulations. The Data Controller therefore invites users to consult this section regularly to find out about the most recent and updated version of the policy.
ITA Airways informs users that, in accordance with the Code of Navigation, it is obliged, in the capacity of operator and through its representatives and/or officials, to make fast safety decisions in order to guarantee a high level of protection for passengers and the company. For this reason, it has set up a “NO FLY Programme”, which allows it to ban from its flights passengers on a blacklist who:
a. engage in aggressive, abusive or otherwise anti-social behaviour;
b. have damaged or attempted to damage property belonging to the company;
c. have misused the services provided or, more generally, have behaved in a manner that may jeopardise flight safety.
Based on an overall assessment of the seriousness of the passenger’s behaviour, ITA Airways may ban him or her from boarding any of its flights. The ban for passengers listed in the “NO FLY Programme” may last from 3 (three) to 18 (eighteen) months and, in cases of extremely serious behaviour related to the safety of flights and/or company assets, for up to a maximum of 24 (twenty-four) months. Once the ban is lifted, the passenger's name will be kept on record for a further five years for the sole purpose of providing answers to the competent law enforcement authorities or for defence purposes, in the event of litigation. At the end of the five-year period, the data will be permanently deleted.
10. CONSENT OF MINORS IN RELATION TO INFORMATION SOCIETY SERVICES
In order to use the services offered through the Website, users must be at least fourteen years old or older. The Personal Data of minors under fourteen years of age may be lawfully processed, provided that the processing is authorised by a person exercising permanent or temporary parental authority or legal guardianship. For more information, please visit the Organise Your Trip page.
11. VIRTUAL CHAT SUPPORT ASSISTANT
A virtual chat assistance service is offered by the Website, designed to support users in consulting and navigating through the information found there. The real-time chat assistance does not process Personal Data since it is not linked to the user profiles or the ITA Airways customer management system. Therefore, no Personal Data is required to use the chat, including data relating to flight codes or information, given that the chat will not be able to help in such circumstances. We therefore advise you not to enter any Personal Data in the chatroom. Should you accidentally provide any Personal Data, the system will delete or anonymise it immediately.
The questions and answers provided in the virtual chat will be used by ITA Airways, in aggregate and anonymous format, exclusively to carry out business intelligence analysis to improve the navigability and content of the Website.