In compliance with the privacy legislation, we inform you that your personal data will be processed in accordance with the principles of lawfulness, fairness, transparency, purpose limitation and storage limitation, data minimization and confidentiality, as well as to the principle of accountability pursuant to Article 5 of the Regulation.
1. DATA CONTROLLER AND CONTACTS
2. THE PROCESSING OF YOUR PERSONAL DATA
The personal data processed may consist of an identifier such as name, an identification number, an online identifier (username), address and billing data, address and shipping data, age, gender and photographic image of your account, purchase history and IBAN (hereinafter the "Personal Data").
The following categories of data are additionally processed by the Website:
a) Browsing data
Computer systems and software procedures used to operate the Website obtain, during their normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols. This information is not collected with the intent of associating it with identified users but, by its nature, it could lead to the identification of users by processing and associating them with data held by third parties. IP addresses or domain names of computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the status of the reply given by the server (successful, error, etc.) and other parameters regarding the user's operating system and computer environment fall into this category. This Personal Data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website to check its correct functioning, to identify anomalies and/or abuses; in any case it is deleted immediately after the processing itself. The data may be used to ascertain responsibility in the event of hypothetical cybercrimes against the Website or third parties.
b) Data voluntary provided by the user
c) Data of third parties provided by the user
If while using our services of the Website, you provide Personal Data of third parties to the Data Controller (such as, for example, in the case of purchase of a journey or making travel arrangements for family members or third parties) such Personal Data also will be processed. With respect to the abovementioned circumstance, we will assume you have their consent to transfer to the Data Controller such data. You undertake to indemnify and hold the Data Controller harmless from any action, request, dispute, claim for damages, that may be raised against the Data Controller by third parties whose personal data have been processed through your use of the services of the Website or our services, in violation of the applicable law on the protection of Personal Data. In any case, if you provide or otherwise process personal data of third parties while using the Website, you guarantee, assuming all related responsibilities, that such processing is legal and, where necessary, grounded on the prior third party's consent to the processing of data concerning such third party.
d) Cookie and additional tracking technologies
A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. When you visit the website again, the cookie allows that site to recognize your browser. Cookies may store user preferences and other information. You can reset your browser to refuse all cookies or to indicate when a cookie is being sent. However, some website features or services may not function properly without cookies. Some people find the idea of a website storing information on their computer or mobile device a bit intrusive, particularly when this information is stored and used by a third party without them knowing. Although this is generally quite harmless you may not, for example, want to see advertising that has been targeted to your interests. If you prefer, it is possible to block some or all cookies, or even to delete cookies that have already been set; but you need to be aware that you might lose some functions of that website. Please see section 3 below for further information on the cookies used by the Website.
There are various types of cookies, depending on their characteristics and functions, and these can remain on a user’s computer or mobile device for different periods of time: session cookies, which are automatically deleted when the browser is closed; persistent cookies, which remain on a user’s device until a pre-established expiry date.
• analytics cookies (anonymous statistics cookies), if tools are adopted that reduce the identifying power of cookies and the third-party supplier does not cross-reference the information collected with other information already available, used directly by the website operator to collect information, in aggregate and anonymous form, on the number of users and how they visit the website;
• browsing or session cookies that guarantee normal browsing and use of the website (allowing users, for example, to make a purchase or log in to access restricted areas);
• functionality cookies, which enable users to browse according to a series of criteria aimed at improving the service provided.
Conversely, for profiling cookies - aimed at identifying user preferences in order to improve and customize their browsing experience and/or send them marketing communications in line with the preferences expressed while browsing - as well as for analytics cookies, if tools that reduce the identifying power of cookies are not adopted and the third party cross-references the information collected with other information already available, prior consent from the user is required.
a) Information that we collect
We collect information to provide better services to all of our users. We store your preferences mainly to switch between desktop version and mobile version. The Website uses the following types of cookies:
• Technical - browsing or session - cookies strictly necessary for the functioning of the website or to enable users to use the contents and services they request.
• Technical functionality cookies, used to activate specific functions of the website and a series of selected criteria in order to improve the service provided.
• Cookies or other anonymous analytical/statistical identifiers from first and third parties, used to collect information, in an anonymized form, on the way in which users visit the website, and to keep track of traffic to and from the website, for functional website operation purposes. The information collected by these cookies is processed in an aggregate and anonymous form, without any information being collected on the specific user, therefore, the use of these cookies does not involve the processing of personal data and the prior consent of users is not required.
• Cookies or other first-and third-party profiling trackers, aimed at observing the use of the website and its contents by users to detect their preferences and to outline profiles relating to the users, in order to create commercial communications and a browsing experience in line with the preferences expressed by users which browsing the web. These cookies are used to offer targeted advertising and communications that are more relevant to your interests. It should be noted that Access Travel S.r.l. may also use technical, functionality and analytics cookies that are not anonymous (in particular, Google Analytics cookies) for tracking and profiling purposes only to the extent that users have given the relative consent for the activation and use of profiling cookies.
It should be noted that the aforementioned third parties process personal data as data processors on behalf of Access Travel S.r.l., pursuant to specific agreements for the processing of data pursuant to Article 28 of Regulation (EU) 2016/679.
The third parties also act as independent data controllers of the data collected through the cookies they send, therefore users must refer to their personal data processing policies, information notices and any consent collection forms (for the selection and de-selection of the respective cookies).
b) Cookie settings
Users can make a choice and specifically indicate which cookies to authorize the first time they access the website, using the appropriate cookie banner. In any case, users can review their choices regarding cookie settings at any time. The choices made by users in relation to website cookies will be recorded in a specific technical cookie, with the characteristics shown in the appropriate cookie table. User preferences regarding cookies will be reset if different devices or browsers are used to access the website.
4. PURPOSES OF THE DATA PROCESSING
Your Personal Data will be processed with your consent where necessary, for the following purposes:
(i) to allow browsing the Website and to provide you with the services offered by the Data Controller, including the management of the security of the Website, as well as contractual and administrative-accounting relations;
(ii) to address the requests, you send to the Data Controller, including customer support requests;
(iii) to fulfil any obligations stipulated by applicable laws, regulations or European legislation, or to satisfy requests from authorities;
(iv) to conduct direct marketing by e-mail for services and products which are alike those you have already purchased, pursuant to art. 130 (4) of legislative decree no. 196/2003, unless you expressly refuse to receive such communications upon registration to the Website, subscription or at any later time;
(v) to send you commercial communications and marketing material, including newsletters and market research, through automated tools (sms, mms and e-mail) and other means (paper mail, telephone with operator); please note that the Data Controller collects a single consent for marketing purposes, in accordance with the provision issued by the Italian Data Protection Authority "Guidelines on promotional activities and obstructing spam" dated July 4th 2013; if you wish to object to the processing of your Personal Data for marketing purposes carried out as specified here, you have the right to contact the Data Controller at any time using the contact details indicated in the section “Data Controller and Contacts”, without prejudice to the lawfulness of the processing based on the consent given before the opt out;
(vi) to share your Personal Data with the other Access network’s partners in order for them to send you marketing notices, newsletters and market research, through automated tools (sms, mms and e-mail) and other means (paper mail, telephone with operator);
(vii) to analyze your preferences, habits in order to send you information of your interest and personalized offers;
(viii) for statistical purposes, without tracing your identity.
Specific security measures are observed to prevent data loss, illegal or incorrect use and unauthorized access.
5. LEGAL BASIS AND OPTIONAL AND MANDATORY NATURE OF THE PROCESSING
For the purposes under points 4(i) e 4(ii), the legal basis for the processing of your Personal Data is represented by art. 6 (1)(b) of the Regulation that states that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”, as processing is necessary for the provision of services. The provision of Personal Data for these purposes is optional, but failure to provide it would make it impossible to provide you with the services requested.
The legal basis for the purpose under point 4(iii) is art. 6 (1)(c) of the Regulation according to which “processing is necessary for compliance with a legal obligation to which the controller is subject”. Indeed, once Personal Data have been provided, the processing of such data is mandatory to fulfil with a legal obligation to which the Data Controller is subjected.
The legal basis for the purposes of profiling, marketing and communication to partners of Access network under points 4(v), 4(vi) and 4(vii), is art. 6 (1)(a) of the Regulation, under which “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” and to art.22(2)(c) of the Regulation. The provision of your Personal Data for these purposes is optional and does not affect the provision of the services. You have the right to object to the processing of your Personal Data for marketing or communication purposes by contacting the Data Controller at any time at the e-mail: firstname.lastname@example.org.
With respect to the purposes under point 4(iv), please note that pursuant to art. 130 (4) of the Code, the Data Controller may use the email address provided by the data subject while purchasing the product or service, without the prior specific consent of the data subject if such communication pertain to products or services of the same kind of those purchased by the data subject, unless the data subject, properly informed, refuses at the moment of purchase or on the occasion of later communications such processing.
The purposes referred to in point 4 (viii) is not carried out on Personal Data and, therefore, can be freely performed by the Data Controller.
6. RECIPENTS OF PERSONAL DATA
The privacy of the customer is crucial to the Data Controller. For this reason, the Data Controller does not transfer your Personal Data to third parties for commercial purposes. Your Personal Data are processed exclusively by the Data Controller and partner companies, if you give your consent.
Your Personal Data may be shared exclusively with the following recipients (the “Recipients”), for the abovementioned purposes:
(i) subjects that typically act as data processors pursuant to 28 of the Regulation, namely: i) persons, companies or professional firms that provide assistance and advice to the Data Controller on accounting, administrative, legal, tax and financial issues; ii) subjects delegated to carry out technical maintenance activities on the Website and the information system; iii) providers of services used by the data processors to achieve the purposes referred to in point 5 (e.g. app developers and service providers of server hosting, mailing list sending, electronic communication systems, chatbots, couriers), always in compliance with the principle of minimization by limiting the processing to those data that are necessary to achieve this specific purposes;
(ii) persons, entities or authorities who require the communication of your Personal Data as mandated by law or by order of the authorities;
(iii) persons authorized by the Data Controller, pursuant to art. 29 of the Regulation, to process Personal Data necessary to carry out activities strictly related to the provision of services and products, who are under the obligation to keep your Personal Data confidential;
(iv) travel guides, tour operators, hotels, transportation companies and Access network’s partners as may be required in order to provide you with the service purchased;
(v) Access network’s partners, only for the purposes under point 4(vii), with your prior explicit consent (as specified under point 5).
The complete list of data processors is available by sending a written request to the Data Controller.
7. DATA RETENTION PERIOD
The Personal Data processed for the purposes set out at points 4(i) and 4(ii) will be retained for the time strictly necessary to achieve their purposes. In any case, for the purposes under point 4(i), since Personal Data is processed for the provision of services, Personal Data will be retained by the Data Controller for the period of time envisaged and permitted by Italian law to protect his own interests (Art. 2946 of the Italian Civil Code).
The Personal Data processed for the purposes set out at point 4(iii) will be kept up until the time stipulated by the specific obligation or applicable law.
The Personal Data processed for the purposes set out at point 4(iv) will be retained until you object to its processing.
For the purposes set out in points 4(v), 4(vi) and 4(vii), your Personal Data will be retained for a maximum of 5 years after the last interaction on the Website or with the Data Controller or in any case until your consent to the processing for such purposes is revoked.
In any case, the Data Controller is granted the possibility to keep your Personal Data for the period of time provided and allowed for by Italian law to protect his interests (Art. 2947 (1)(3) of the Italian Civil Code).
8. TRASFER TO THIRD COUNTRIES
Some of the recipients indicated under art. 6 are entities based in Third Countries and therefore may process data in such third countries. When choosing our service providers or data processors, we regard the establishment in a County within the European Economic Area as an element of preference. In the event we choose an entity based in a Third Country, or in all cases where we disclose data to entities based in a Third Country, we assess the adequacy of the measures taken by the recipient to ensure an adequate level of data protection and we enter into the Standard Contractual Clauses.
9. RIGHTS OF THE DATA SUBJECT
Pursuant to Articles from 15 to 22 of the Regulation, you have the right to access your Personal Data at any time, to verify the accuracy and ask for its integration and update, or rectification; you have the right to limit the processing in cases provided for under Article 18 of the Regulation, when it is technically possible; to obtain erasure of your Personal Data in cases as referred to in Article 17 of the Regulation; to receive your Personal Data in a structured, commonly used and machine-readable format, in cases as referred to in Article 20 of the Regulation; as well as the right to object to the processing in cases as referred to in Article 21 of the Regulation.
We remind you that you have the right to file a complaint with the supervisory authority (the Italian Personal Data Protection Authority) pursuant to Article 77 of the Regulation, if you consider that the processing is contrary to the legislation currently in force.