INFORMATION ON THE PROCESSING OF PERSONAL DATA
- PERSONAL DATA PROCESSED
1.1. For the negotiation, establishment and management of the contractual relationship with the customer/ data subject, the Company/controller processes personal data of the customer/data subject, in particular of natural persons related to it, which include: full name, date and place of birth, details and/or copies of the identity documents and fiscal code, contact data (telephone, e-mail, address), residence address, banking data and other data necessary or useful for the management, also from a fiscal perspective, of the relations with the customer/data subject. Each subject with whom the Company/ controller interacts, declares to be authorized or, in any case, to have the power to lawfully transmit to the Company/ controller, personal data necessary for the establishment, management and execution of the travel contract, in particular those of the other travellers.
- PARTICULAR CATEGORIES OF PERSONAL DATA
2.1. The Company / controller, always with the purpose of the establishment and management of the contractual relationship with the data subject, may process information belonging to the particular categories of personal data described in art. 9 of the Regulation, which include:
- The state of health – for example in the case in which the customer /data subject communicates particular allergies or food intolerances that the Company / controller must take into account in the management of the travel package, or other needs related to health issues;
- Data revealing religious or philosophical beliefs – for example in the event that the customer/ data subject communicates particular nutritional needs related to religion, or requires that the days off coincide with specific religious holidays;
- Data revealing the racial or ethnic origin – as may appear, for example, from identity documents or other material provided by the customer/data subject for the signature, management and fulfillment of the contract with the Company.
2.2. With regard to employees, as for data processed by the occupational doctor who is responsible for carrying out the tasks provided for by Legislative Decree 81/08 and the other provisions on hygiene and safety in the workplace, for fulfilling the prior and periodic medical assessments, such data will be processed only by the same doctor as an independent data controller.
- PURPOSES OF THE PROCESSING AND ITS LAWFULNESS
3.1. Pursuant to the principles of correctness, lawfulness and transparency, the Company/controller collects personal data for the management of the relationship with the customer/data subject in the pre-contractual and contractual phases, for the purposes and on the basis of the conditions of lawfulness indicated below.
Management and execution of pre-contractual and contractual obligations, stemming from the travel contract with the customer/data subject, including but not limited to, the management of the personal data file, the organization and the support to the customer/data person during the trip. Legal Basis: Processing permitted as necessary for the implementation of a contract of which the data subject is a party, or for the execution of pre- contractual measures adopted at the request of the same – art. 6.1. (b) of the Regulation.
Fulfillment of legal obligations
(i.e. processing and filing of accounting documents relating to the relationship with the customer/data subject, communications to the competent bodies) to which the Company/controller is subject to, according to national and international, regulations relating, for instance, to tax, administrative accounting and anti-money laundering matters. Legal Basis: Processing permitted as necessary to fulfill a legal obligation to which the controller is subject to – art. 6.1 (c) of the Regulation. Direct marketing activities by sending communications or material (eg via e-mail) regarding products / services similar to those already provided by the Company / controller to the customer / data subject. Legal Basis: Processing permitted, as necessary for the pursuit of a lawful interest of the controller – art. 6.1. (f) of the Rules. The lawful interest of the controller is represented by the promotion of its activity through direct marketing – see Recital no. 47 of the Regulation.
- MANDATORY OR OPTIONAL PROCESSING
4.1. The provision of personal data by the customer/data subject, or by the natural persons connected to it for the purposes described in articles 3 .1 (a) and 3.1. (b) is optional but is necessary for establishing, managing and executing the contractual relationship with the Company/controller. Any refusal to supply the data, in whole or in part, may cause the impossibility for the Company/controller to give rise to, or execute the contract, or to correctly perform all the obligations related to the contract.
4.2. The provision of personal data by the customer/data subject, or by the natural persons connected to it, for the purposes referred to in art. 3.1.c., is optional. Any refusal to supply them in whole or in part does not adversely affect the possibility for the Company/controller to give rise to, or execute the contract, or to correctly perform all the obligations related to the contract.
- CATEGORIES OF RECIPIENTS
5.1. Personal data may be communicated, exclusively for the purposes indicated above, to the following subjects or categories of subjects: subjects to whom the communication is necessary for the establishment, management and fulfillment of the contract by the Company/controller: a. natural persons authorized in writing by the Company/controller pursuant to art. 29 of the Regulation in order to perform their job responsibilities (e.g. employees, system administrator, etc.);
- professionals and collaborators which support the Company for the activities performed for the data subject (eg tourist guides / tour leaders, companies that deal with transportation, hotels, business partners of the Company / controller who have organized all or part of the trip);
- c) professionals and service companies for the administration and management of the Company/controller, which operate on behalf of the Company/controller for its internal purposes (e.g. accountants, consultants);
- d) subjects, entities, authorities to whom is mandatory to communicate the data of customers /data subject, according to law provisions and orders of the authorities.
5.2. With regard to paragraphs a, b), c) of art. 5.1, the Company/controller undertakes to rely on subjects that provide adequate guarantees regarding data protection, and to appoint such subjects, to the extent this is advisable, as data processors under art. 28 of the Regulation.
- DATA TRANSFER
6.1. Personal data may be transferred outside the European Union solely for the fulfilment of the requests of the customer / data subject and when such transfer is necessary for the management and fulfilment of contracts with the customer / data subject, with regard to travels of the customer / data subject in non-European countries. Transfers of personal data of the customer/data subject outside the European Union shall occur: with regard to business partners, accommodation facilities, tour leaders, tourist guides, transport companies and other external operators which support the Company / controller for the management and fulfilment of contracts with the customer/ data subject (eg for the management of customers traveling with travel packages organized by the partners). The Company / controller organizes trips and has stable partnerships with commercial partners situated in non-European countries.
With regard to recipient countries, please note that for certain countries listed below, following an appropriate analysis, the European Commission has issued a decision about the adequacy of the level of protection of personal data guaranteed in such countries: (Andorra, Argentina, Canada, Faer Oer, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and, in the context of ad hoc international agreements, Australia, Uruguay and USA. Other recipient countries may present potential risks for the protection of personal data in relation to regulatory, cultural or socio-political factors in place in the country.
6.2. In all cases of transfer of personal data outside the European Union, the Company/ controller agrees:
- to transmit only the data necessary for the purposes described above;
- to obtain from the recipient the appropriate security and confidentiality obligations with respect to the personal data transmitted, a commitment to use such data exclusively for the implementation of the relations with the Company/controller, besides the appropriate protections for the exercise of the rights to which the collaborator/ data subject is entitled, as well as for the case of data-breach;
- PROCESSING METHODS
7.1. Personal data are stored in the archives of the Company/controller and are processed using paper and electronic means, without prejudice to the adoption of appropriate security measures to avoid unlawful processing.
7.2. Processing of personal data is based on the principles of minimization, correctness and transparency. Only personal data necessary for the purposes described will be processed, and will be accessible only to the staff involved in the activities necessary for the purposes described.
- TERM OF CONSERVATION OF PERSONAL DATA
8.1. Personal data is kept for the entire duration of the contractual relationship with the customer/data subject, and also subsequently, for the 10-year term from the termination of this relationship, in consideration of the mandatory term for keeping the accounting records and of the expiration period of any claims arising from the relation between the Company / controller and the customer/data subject, as required by law.
8.2. In the event that litigation arises between the Company/controller and the customer/data subject, the retention period will be extended for the duration of the dispute and for the 10 years following its final settlement (e.g. settlement agreement or final judicial decision).
- RIGHTS OF THE DATA SUBJECT
9.1. At any moment, any data subject may exercise towards the Company/controller, the rights provided for in art. 15 to 22 of the Regulation, i.e. the right to ask for:
- access to personal data, or to be informed by the Company/controller of his/her personal data held by the Company/controller, the purposes for which these data are processed, their origin and other information required by art. 15 of the Regulation;
- the rectification of personal data in case of inaccuracy of the same;
- the cancellation of personal data (so- called ‘right to be forgotten’);
- the limitation of the processing of personal data, or the right to obtain the suspension of the processing of personal data for the period necessary to verify the request for rectification of personal data, or in other cases provided for by art. 18 of the Regulation. Furthermore, the data subject is entitled to the following rights:
- the right to the portability of data, i.e. the right to receive personal data
in a structured, commonly used and machine-readable format – even by requesting the direct transfer to another controller (with respect to data whose processing is carried out by automated means);
- the right to lodge a complaint with the Data Protection Authority, or with the Control Authority of the place where he/ she resides, works or where the violation took place, if he/she considers that the processing of personal data occurred in violation of the Regulation.
9.2. Requests must be sent in writing to the Company/controller or to the Data Protection Officer (DPO) at the addresses indicated below.
- DATA CONTROLLER
- CONTACT DETAILS OF THE DATA PROTECTION OFFICER
11.1.The Person in charge for the protection of data (DPO – Data Protection Officer) as provided for in article 37 of the Regulation may be contacted at the address:
Estramurale a Levante 146, 70017 Putignano (BA)
tel. 0039 0802051187 firstname.lastname@example.org
The contact information, continuously updated by the DPO is available on the Website in the appropriate section.