Pursuant to Article 13 of EU Regulation no. 2016/679 and for the purposes of Italian Legislative Decree no. 196/2003, as amended by Italian Legislative Decree no. 101/2018

1. Data Controller

The Data Controller is GNV, with registered office in Palermo, Calata Marinaid’Italia, Tax Identification and VAT no. 13217910150 (hereinafter referred to as the “Data Controller”).

The Data Controller may be contacted by writing to: direzione@pec.gnv.it

The Data Controller has appointed a Data Protection Officer (DPO), who may be contacted for any requests or information at the following address:

e-mail: dataprotection@gnv.it

2. Types of data

The Data Controller processes, collects, and/or receives information regarding the Data Subject, such as:

Personal information first and last name, physical address, nationality, province and city of residence, home phone and/or mobile phone number, fax, tax identification number, e-mail addresses
Bank data IBAN, bank/postal data, credit cards
Telecommunications traffic data Logs, origin IP address

3. Purposes of data processing

Grandi Navi Veloci S.p.A., as controller of the processing of your personal data, hereby informs you of their use and your rights, so that you may express your consent, where requested, in an informed manner.

Your personal data (provided by yourself, by third parties or, within the limits of the law, obtained from public lists) may be processed for the following purposes:

1 − legalpurposes: or rather, in order to comply with the obligations provided for by the law, by a regulation, by community rules as well as by dispositions issued by Authorities qualified to do so by the law or by competent Supervisory or Regulatory Bodies(in this case your consent is not necessary inasmuch as the processing of data is correlated to the respecting of said obligations/dispositions);

2 − contractualand, more generally, administrative-accounting purposes: or rather, in order to fulfil obligations deriving from contracts which you are party to or to fulfil, before or after the conclusion of the contract, your specific requests, also via remote methods of communication, including a dedicated call centre and Customer Care support (in this case your consent is not required as the processing of data is necessary for the management of the relationship or the execution of the requests);

3 – managementof competitive procedures: providing your data is necessary because otherwise you will not be able to take part in the competitive procedure (therefore, refusal to provide consent will lead to applicants being excluded from the process).

4 − commercialpurposes: with your prior consent, in order to provide you with information (also via remote methods of communication such as, for example, postal correspondence, telephone calls, also using automatedcalling systems, fax, e-mail, SMS or MMS messages or other forms of message) regarding products, services or initiatives promoted by Grandi Navi Veloci S.p.A. or third parties, to promote the same, to carry out market research, even through profiling activities, and/or to verify the quality of products or services offered to you (also via telephone calls or the sending of questionnaires), to optimise said offers (also via targeted and selected analyses).

4. Fidelity Card

Data processing will only take place for the activities listed below:

For the purposes outlined under letter a) of the previous point, providing your data isoptional, but it is a pre-requisite for issue of the Fidelity Card. Therefore, failure to provide data will prevent the applicant from obtaining the Card.

For the purposes outlined under letters b) and c) of the previous point, providing your data is optional and refusal to provide the data and the relative consent will make it impossible for the Controller to follow up on the direct marketing and profiling activities indicated therein, but will nonetheless allow the applicant to obtain issue of the Fidelity Card and access the benefits associated with it.

5. Access to data

Data may be made accessible to:

Also, with explicit consent, the data will be processed to:

6. Transfer of data

Personal data may be communicated to:

Personal data may be sent to other countries in the European Union or outside of the European Union or to international organisations, within the purposes illustrated.

The Data Controller guarantees that the transfer of data outside of the EU will be performed in compliance with applicable laws, also through the inclusion of standard contract clauses set forth by the European Commission and through the adoption of binding company rules for intragroup transfers.

Without explicit consent, the Data Controller may communicate the data for the purposes indicated above to supervisorybodies, judicialauthorities, and insurance companies for the provisionof insurance services, as well as subjects to whom communication is mandatory by law to fulfil those purposes.

7. Consent

Data Subjects may choose whether or not to provide their personal data, however, failure to provide it may result init being impossible to fulfil the request.

With regard to personal data related to the execution of the contract or related to the fulfilment of a regulatory obligation (for example the obligations concerningthe keeping of accounting and tax records), failure to communicate personal data prevents the completion of the contractual relationship.

8. Processing methods and duration

It is ensured that all processing will be based on the principles established by the GDPR, with particular regard to the lawfulness, correctness, and transparency of the processing, to the use of the data for specific, explicit, legitimate purposes, in a manner relevant to the processing, and in compliance with the principles of data minimisation, accuracy, storage,restriction, integrity and confidentiality, and accountability(Article 5 of the Regulation).

Personal data are processed using the following operations: collection, recording, organisation, structuring, storage, consultation, adaptation or alteration, use, dissemination, disclosure bytransmission, recovery, alignment, combination, restriction, erasure, and destruction of data.

Personal data are subject to processingboth in paper and in electronicform.

The Data Controller will process the personal data for the time necessary to fulfil the purposes indicated above.

9. Minors

Our websites and apps are not designed for children. Unless a parent or guardian has provided consent (except when applicable laws allow), we will not collect, to the best of our knowledge, personal data from minors.
Individuals must have reached their sixteenth birthday in order to provide us with their personal data and their eighteenth birthday before entering into transactions on our website and apps. By entering into transactions with us,you automatically declare that you have reached your eighteenth birthday and that you are fully entitled to carry out such transactions, as well as being legally bound to respect them.
If it should come to our attention or should we find out that a minor has provided us with personal information, we will promptly erase such data.

10. Rights of the Data Subject

The Data Subject has the following informationand control rightsset forth in the GDPRregarding the processing of the data in question.

Right to information policyArt. 13-14 Considering 58, 60 The Data Subject shall have the right to receive precise information on the processing of his or herpersonal data.

The policymust contain the following information:
  • Identity of the Data Controller;
  • Identity of the Data Protection Officer –DPO;
  • Purposes of data processing;
  • Legal basis;
  • Any legitimate interests that constitute the legal basis;
  • Any statutoryor contractual obligations based on which the data areprovided;
  • Data circulation area (EU or extra-EU)
  • Processing duration;
  • (Any) decision-making on which automated processing is based
  • Rights of the Data Subject: access, rectification, integration, erasure, restriction, right to object, portability, complaint witha Data Protection Authority, withdrawalof consent.
Right to access Art.15Considering 63 The Data Subject shall have the right to obtain from the Data Controller confirmation as towhether or not personal data concerning him or herare being processedand, where that is the case, access to the personal data.
Right of rectificationand integration Art. 5 (1) (d), 16 Considering 39, 59, 65, 73 The Data Subject shall have the right to obtain from the Data Controller without undue delay the rectificationof inaccuratepersonal data concerning him or her.
Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasureand to be forgottenArt.17Considering 65-66, 68 The Data Subject shall have the right to obtain from the Data Controller the erasureof personal dataconcerning him or herwithout unduedelay and the Data Controller shall have the obligation to erase personal data without unduedelay whereone of the groundsset forth in paragraph 1 of Article 17 of the Regulationapplies.
Right to restrictionArt.18Considering 67 The Data Subject shall have the right to obtain from the Data Controller restrictionof processing under certain circumstances.
Right to object Art.21Considering 50, 59, 69-70, 73 The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time toprocessing of personal data concerning him or her which is based on point (e) or (f) ofArticle 6(1), including profiling based onthose provisions.
The Data Controller shall no longerprocess the personal data, unlessthere are legitimate groundsfor the processing whichoverride the Data Subject’sright to object.
Right to portabilityArt.20Considering 68, 73 This is a new right.
The Data Subject shall have the right to receive the personal dataconcerning him or her, which he or she has provided toaData Controller,in a structured,commonly-used and machine-readable format.
TheData Subject shallalso have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where:
  • the processing is based on consent pursuant to point (a) ofArticle 6(1)or point (a) of Article 9(2)or on a contract pursuant to point (b) ofArticle 6(1); and
  • the processing is carried out by automated means.
On the right to portability, a specific opinion was issued by the work group WP 29.
Right to objectand decisions based solely on data processing Wherepersonal data are processed for direct marketing purposes, the Data Subject shall have the right to objectat any time to processing of personal data concerning him or her for such marketing, which includesprofiling to the extent that it is related to suchdirect marketing.
Article 21, paragraph 2,3Article 22Considering 70 The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Therefore, Data Subjects have the rights set forth in Articles 15 -21 of the GDPR, as well as the right to lodgea complaint withthe competent authority pursuant to Art. 77 of the GDPR.

11. Procedure for exercising rights and communications

The Data Subject may send a formal request to exercise their rights or reportalleged non-compliance or violation, by sending an e-mail to: dataprotection@gnv.it
The Data Controller for personal data provides for the management and execution of requests for exercising rights in compliance with the GDPR.
Note that:

For any clarification or request regarding the processing of personal data, you can reach the Data Controller or DPO at the e-mail addressesindicated aboveat any time.

Last update: March 2018