1. DATA CONTROLLER
The data controller is Zani Viaggi (VAT NUMBER 02594070167), located in via Magni 2/A - 24125 Bergamo - Italy, acting by its legal representative, Mr. /Mrs.Giovanna Marilena Zani.
2. DATA PROCESSING AND PURPOSES OF THE PROCESSING
1. Personal data are processed according to GDPR, lawfully, fairly and in a transparent manner in relation to the data subject.
2. Processing is any operation or set of operations which is performed on personal data such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, restriction, erasure, destruction. Processing can also be automated, including profiling.
3. Personal data are processed for the following purposes:
3. MARKETING PURPOSE
1. With your consent, personal data can be processed for direct marketing purposes such as doing market research, sending advertisement, offers and promotions, subscribing to our newsletter.
2. Consent is optional according to direct marketing purposes, with no consequences for the processing of travel reservations and other above-mentioned purposes.
3. Company philosophy is inspired by permission marketing: our communications are sent under your consent and they shall not be invasive.
4. The data subject shall have the right to object at any time to processing of personal data concerning him or her for direct marketing purposes according to article 21 GDPR.
4. LEGAL BASIS FOR THE PROCESSING
The legal basis for processing personal data are:
- that the processing is necessary for the performance of a contract to which the traveller is a party, according to purposes 2.a), 2.c), 2.f);
- that the processing is necessary for fulfilling the steps request by the traveller for entering into a contract, according to purpose 2.b);
- data subject’s consent according to purposes 2.d), 2.e) and also for processing special categories of personal data according to article 9 GDPR
- that the processing is necessary for compliance with a legal obligation to which the controller is subject according to the purpose 2.g)
- that the processing is necessary for the purpose of a legitimate interest pursued by the controller or by a third party, except when this legitimate interest is overridden by the data subject’s interests, fundamental rights, freedoms.
Except for what concerns direct marketing purposes, data communication is a contractual requirement in order to satisfy traveller’s requests and to process travel reservations and other above-mentioned purposes. Data subject is obliged to provide personal data: the failure in providing such data could prevent the above-mentioned performances.
5. RIGHT TO WITHDRAW THE CONSENT
The data subject shall have the right to withdraw his or her consent at any time according to article 7 GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
6. DATA RETENTION
The controller retains personal data for as long as necessary to fulfil the purposes it was collected for (e.g. processing travel reservations). The controller shall also retain personal data for the period of limitation set by law for the exercise or defence of legal claims and for the period imposed by law, to satisfy any legal requirements (e.g. 10 years according to fiscal legislation).
7. CATEGORIES OF PERSONAL DATA CONCERNED BY THE PROCESSING
1. The processing concerns personal data such as name, surname, address, telephone number, fiscal code, bank details.
2. The processing may also concern special categories of personal data according to article 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
3. The processing may also concern data relating to criminal convictions and offences according to article 10 GDPR.
8. WHO IS PERSONAL DATA SHARED WITH
1. The controller can share personal data with:
- third parties involved in the transaction, other industry stakeholders (e.g. IATA, travel companies, ...) and partners who act on their behalf, as necessary to perform the contract that the controller has with travellers
- software providers
- technology services, security services, legal, financial/accounting and other similar professional advisers
- banks and financial institutions to perform business process (such as payment, credit card processing,...)
- insurance companies
- Authorities appointed in the protection of natural persons with regard to the processing of personal data or in other matters which involve personal data (e.g. finance police, Garante per la protezione dei dati personali,...).
2. Sharing personal data could involve transferring data outside the EU, such as data transmission to a hotel set in a third Country.
3. The data subject approves his or her personal data transmission to the above-mentioned individual, even if they’re set in a third Country. The data subject is informed that towards third Country legal rights established by GDPR may not be exercised.
9. DATA SUBJECT’S RIGHTS. RIGHT TO OBJECT.
1.The data subject shall have the following rights:
- right of access (article 15 GDPR): to obtain information about the personal data under processing, such as the purpose of the processing, the timing of data retention; to obtain a free copy of personal data
- right of rectification of inaccurate personal data, without undue delay (article 16 GDPR)
- right to erasure (right to be forgotten) of personal data concerning him or her, without undue delay (article 17 GDPR)
- right to restriction of processing such as when data subject contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data (article 18 GDPR)
- right to data portability: to receive personal data which the data subject has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (article 20 GDPR)
- right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject (article 22 GDPR)
- right to lodge a complaint with a supervisory authority (e.g. Garante per la protezione dei dati personali) (article 77 GDPR)
- right to an effective judicial remedy against a supervisory authority or against a controller or processor (article 78,79 GDPR).
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her (article 21 GDPR). Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing: the personal data shall no longer be processed for direct marketing purpose.
To exercise the above-mentioned rights please contact Privacy dept. at firstname.lastname@example.org or write a mail to Zani Viaggi – Privacy dept, via Magni 2/A, 24125 Bergamo – Italy.
Our Company designed the Data Protection Officer according to article 37 of GDPR in the person of Mr. Massimo Colaianni. You can contact him at the following addresses: Piazza Indipendenza n. 2, 20900 Monza - e-mail email@example.com.