26.02.2024
RETAIL CUSTOMER PRIVACY POLICY
Information pursuant to and for the purposes of the New European Regulation - GDPR 2016/679 - (protection of personal data)
Dear Sir/Madam
Please find below some information about the processing of your personal data.
The data controller is Cartour S.r.l. which can be contacted at:
- e-mail address: privacy.gruppo@carontetourist.it
- telephone number: 090/9038201
The company has appointed a Data Protection Officer, in accordance with Article 39 of Regulation (EU) 2016/679, who can be contacted at the data controller's head office or by e-mail at dpo@carontetourist.it.
Type of data collected
The processing concerns the following personal data referred to in Art. 4, no. 1, GDPR, referring to the Customer and/or to the Passenger:
- personal and identifying data (full name, tax code, place and date of birth);
- contact data (home address, e-mail address, billing address, telephone number);
- data on bookings and/or trips made;
- any special customer requests;
- any complaints made by the customer
- any requests, from the passenger, for special care and assistance that may be needed in case of emergency;
- any emergency contact number, if requested by the passenger.
Purpose and legal basis of processing
Your data are processed for the following purposes:
|
Purpose |
Legal basis for processing |
a) |
|
Processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR) |
b) |
|
Processing necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR) |
c) |
Formation of the passenger list and transmission to the competent authorities in accordance with Directive (EU) 2017/2109 and Legislative Decree 28/2020 |
Processing necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR) |
d) |
Implementation of customer satisfaction surveys |
Consent-based processing (Art. 6(1)(a) GDPR) |
e) |
Implementation of generic marketing initiatives |
Consent-based processing (Art. 6(1)(a) GDPR) |
f) |
Implementation of profiling and profiled marketing initiatives |
Consent-based processing (Art. 6(1)(a) GDPR) |
g) |
Fulfilment of regulations related to the contractual relationship (e.g. tax obligations) |
Processing necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR) |
Necessity or Optional Nature of Processing
The provision of personal data for the purposes set out in points a), b), c) and g) is necessary for the establishment of the relationship with the Company/data controller, therefore any refusal to provide such data in whole or in part may result in the Company being unable to conclude the contract.
The provision by the passenger of any requests for special care and assistance that may be needed in an emergency or the emergency contact number is voluntary and therefore optional.
Providing data for the purposes set out in points d), e) and f) above is optional; failure to do so will prevent the company from carrying out “customer satisfaction” surveys, implementing generic marketing initiatives and implementing profiling and profiled marketing initiatives, respectively.
Recipients of personal data
Personal data may be disclosed, strictly in relation to the above-mentioned purposes, to the following subjects or categories of subjects:
- Natural persons authorised in writing by the Company/data controller pursuant to Art. 29 of the Regulation by reason of the performance of their work duties (e.g. employees in the General Secretariat, Administration, IT area);
- subjects in relation to which current legislation (e.g. tax and accounting) provides for mandatory reporting, including public bodies
- Public authorities within the meaning of Ministry of Infrastructure and Transport Memorandum No. 104/2014 in compliance with Directive 98/41/EC (i.e. harbour master's office and port authority);
- Competent authorities in accordance with Directive (EU) 2017/2109 and Legislative Decree 28/2020;
- Judicial and law enforcement authorities;
- Ticket offices, terminals and maritime agencies for the organisation of embarkation/disembarkation activities;
- Law firms, in case any disputes arise;
- Insurance companies both when booking tickets and when making claims;
- Experts during complaint procedures;
- Companies providing other services that are essential to the provision of the shipping service or the performance of marketing activities, also subject to your express consent, such as the hosting of websites and web systems, e-mail services, marketing, sponsorship of sweepstakes and other promotions, auditing services, data analysis, conducting market research and approval surveys.
Processing methods
Personal data are collected at the time of booking/purchasing the ticket or contractualisation, in written or computerised form. The processing is carried out using paper and IT tools in compliance with the provisions on the protection of personal data and, in particular, with the appropriate technical and organisational measures referred to in Article 32.1 of the Regulation, and with the observance of all precautionary measures to ensure the integrity, confidentiality and availability of the data.
Personal data stored on computer databases are only accessible to identified persons (the person in charge and his/her appointees), by means of personal access keys.
In case of processing for marketing purposes, purchase data will be processed for a period of 24 months for generic marketing initiatives and for a period of 12 months for profiling and profiled marketing initiatives.
Data retention period
Your travel data will be stored until 31 December of the second year following the trip.
Your data for administrative-accounting purposes will be stored for 10 (ten) years after collection.
The passenger list, prepared in compliance with Legislative Decree 38/2020, will be stored for the period of 72 hours from the time when the data have been declared in the single national interface and the voyage of the ship in question is safely completed.
At the end of the period indicated, your Personal Data will be deleted from the database and from any other archiving media, whether paper or computerised.
In the event that a dispute arises between the Company/data controller and the person concerned, the retention period will be extended for the duration of that dispute and for 10 years following its final settlement (e.g. settlement agreement or final judgment).
Rights of the data subject under Articles 15-22 of the EU Regulation - GDPR 2016/679
Pursuant to the relevant legislation, your rights and how to exercise them are listed below.
- Right of access - The data subject may ask at any time what kind of data is held by the data controller; the origin, purposes, categories of data; the recipients; the existence of a profiling process; the retention period.
- Right of rectification - The data subject may at any time request the rectification and/or supplementation of his or her data, and it shall be the duty of the data controller to communicate such changes to third parties to whom the data may have been transmitted.
- Right to be forgotten - The data subject may at any time request the deletion of the data if: the purpose of the processing has been fulfilled; consent has been withdrawn; an objection to the processing has been made; the data has been processed in breach of the law. It will be the obligation of the holder to communicate such changes to third parties to whom the data may have been transmitted.
- Right of restriction of processing - The data subject may at any time request that processing be restricted: in the case of inaccurate data until rectification; in the case of a dispute until clarification; upon request, as an alternative to erasure.
- Right to object - The data subject has the right to object to the use of personal data for automated processing.
- Right to portability - The data subject may exercise this right only with regard to data processed for contractual purposes and by automated means, and unless it infringes the rights and freedoms of others.
Methods of the data subject's request
The data subject may exercise the above rights at any time by sending an e-mail to privacy.gruppo@carontetourist.it.
The data subject is entitled to lodge a complaint with the Garante per la protezione dei dati personali (Italian Data Protection Authority) on the basis of the indications given at https://www.garanteprivacy.it/garante/doc.jsp?ID=4535524 or to any other supervisory authority.
Cartour S.r.l.