PRIVACY POLICY
Information pursuant to and for the purposes of the New European Regulation - GDPR 2016/679 -
(personal data protection)
Dear Sir/Madam,
Below we provide some information about the processing of your personal data.
The personal data controller is Caronte & Tourist S.p.A., which can be contacted at:
- e-mail address: privacy.gruppo@carontetourist.it
- phone number: 090/3718511
The company has appointed a Data Protection Officer, pursuant to Art. 39 Regulation (EU) 2016/679, who can be contacted at the data controller's office or via the e-mail address dpo@carontetourist.it.
Type of data collected
The processing concerns the following personal data pursuant to Article 4, No. 1, GDPR:
- personal and identification data (full name, tax code, place and date of birth);
- contact data (residential address, e-mail address, billing address, telephone number);
Purposes and legal bases of processing
Your data is processed for the following purposes:
|
Purpose |
Legal basis for data processing |
a) |
|
Processing necessary for the execution of a contract to which the data subject is party or for the execution of pre-contractual measures (Article 6, paragraph 1, letter b, GDPR) |
b) |
|
Processing necessary to fulfil a legal obligation to which the data controller is subject (Article 6, paragraph 1, letter c, GDPR) |
c) |
Implementation of customer satisfaction surveys |
Processing based on consent (Article 6, paragraph 1, letter a, GDPR) |
d) |
Implementation of generic marketing initiatives |
Processing based on consent (Article 6, paragraph 1, letter a, GDPR) |
Necessity or Optionality of the Processing
The provision of personal data for the purposes referred to in letters a) and b) above is necessary for the purpose of completing the travel contract, therefore any refusal to supply it in whole or in part may result in it being impossible for the Company to conclude the contract.
The provision of data for the purposes referred to in letters c) and d) above is optional; failure to provide data will prevent the company, respectively, from carrying out customer satisfaction surveys and implementing generic marketing initiatives.
Recipients of personal data
Personal data may be communicated, strictly related to the purposes indicated above, to the following entities or categories of entities:
- Individuals authorised in writing by the Company/data controller pursuant to Article 29 of the Regulation due to the performance of their work duties (e.g. employees in the General Secretariat, Administration, IT);
- entities in relation to which the current legislation (for example tax and accounting) involves the obligation of communication, including public bodies
- Public authorities pursuant to Ministry of Infrastructure and Transport Circular No. 104/2014 in compliance with Directive 98/41/EC (i.e. harbour master's office and port authority);
- Judicial authorities and law enforcement agencies;
- Ticket offices, terminals and maritime agencies for the organisation of embarkation/disembarkation activities;
- Law firms, in the event that disputes should arise;
- Insurance companies both when booking tickets and when making complaints;
- Experts in the complaint phase;
- Companies providing other services essential to the provision of the maritime transport service or the performance of marketing activities, also subject to your explicit consent, such as site hosting and web systems, e-mail services, marketing, sponsorship of prize competitions and other promotions, audit services, data analysis, market research and satisfaction surveys.
Processing methods
Personal data is collected at the time of booking/purchasing the ticket, in written or electronic form. The processing is carried out with paper methods and IT tools in compliance with the provisions regarding the protection of personal data and, in particular, the appropriate technical and organisational measures pursuant to Article 32.1 of the Regulation, and with the observance of every precautionary measure that guarantees its integrity, confidentiality and availability.
Personal data stored on a computer database is accessible only to the individuals identified (the manager and their appointees), through personal access keys.
Data retention period
Your data will be kept until 31 December of the second year following the trip, for administrative and accounting reasons.
At the end of the indicated period, your Personal Data will be deleted from the database and from any other paper or electronic archiving device.
In the event that a dispute arises between the Company/data controller and the data subject, the retention period will be extended for the entire duration of this dispute and for the 10 years following its definitive resolution (e.g. settlement agreement or final ruling).
Rights of the data subject pursuant to Articles 15-22 of EU Regulation - GDPR 2016/679
Pursuant to the relevant legislation, your rights and the way these are exercised are listed below.
- Right of access - The data subject can ask at any time what kind of data the data controller possesses; the origin, the purposes, the categories of data; the recipients; the existence of a profiling process; the retention period.
- Right of rectification - The data subject may request the rectification and/or integration of their data at any time, and the data controller will be obliged to communicate these changes to third parties to whom the data has been transmitted.
- Right to be forgotten - The data subject may request the deletion of data at any time if: the purpose of the processing has been concluded; consent has been revoked; there has been opposition to the processing; it has been processed in violation of the law. The data controller will be obliged to communicate these changes to third parties to whom the data has been transmitted.
- Right to limitation of processing - The data subject may at any time request limitation of the processing: in the case of inaccurate data until rectification; in the case of dispute until clarification; on request, as an alternative to deletion.
- Right of objection - The data subject has the right to object to the use of personal data for automated processing.
- Right of portability - The data subject can exercise this right only regarding data processed for contractual purposes and with automated means, and except when it damages the rights and freedoms of others.
Data subject request procedures
The data subject may exercise the above rights at any time by sending an e-mail to: privacy.gruppo@carontetourist.it.
The data subject has the right to complain to the Data Protection Authority on the basis of the indications referred to in the link https://www.garanteprivacy.it/garante/doc.jsp?ID=4535524 or to any other supervisory authority.