Pursuant to Article 13 of EU Regulation no. 2016/679 and for the purposes of Italian Legislative Decree no. 196/2003, as amended by Italian Legislative Decree no. 101/2018
1. Data Controller
The Data Controller is GNV, with registered office in Palermo, Calata Marinai d’Italia, Tax Identification and VAT no. 13217910150 (hereinafter referred to as the “Data Controller”).
The Data Controller may be contacted by writing to: firstname.lastname@example.org
The Data Controller has appointed a Data Protection Officer (DPO), who may be contacted for any requests or information at the following address:
2. Types of data
The Data Controller processes, collects, and/or receives information regarding the Data Subject, such as:
TYPES OF DATA
- first and last name, physical address, nationality, province and city of residence, home phone and/or mobile phone number, fax, tax identification number, e-mail addresses
- IBAN, bank/postal data, credit cards
- Telecommunications traffic data: logs, origin IP address
3. Purposes of data processing
Grandi Navi Veloci S.p.A., as controller of the processing of your personal data, hereby informs you of their use and your rights, so that you may express your consent, where requested, in an informed manner.
Your personal data (provided by yourself, by third parties or, within the limits of the law, obtained from public lists) may be processed for the following purposes:
1 − legal purposes: or rather, in order to comply with the obligations provided for by the law, by a regulation, by community rules as well as by dispositions issued by Authorities qualified to do so by the law or by competent Supervisory or Regulatory Bodies (in this case your consent is not necessary inasmuch as the processing of data is correlated to the respecting of said obligations/dispositions);
2 − contractual and, more generally, administrative-accounting purposes: or rather, in order to fulfil obligations deriving from contracts which you are party to or to fulfil, before or after the conclusion of the contract, your specific requests, also via remote methods of communication, including a dedicated call centre and Customer Care support (in this case your consent is not required as the processing of data is necessary for the management of the relationship or the execution of the requests);
3 – management of competitive procedures: providing your data is necessary because otherwise you will not be able to take part in the competitive procedure (therefore, refusal to provide consent will lead to applicants being excluded from the process).
4 − commercial purposes: with your prior consent, in order to provide you with information (also via remote methods of communication such as, for example, postal correspondence, telephone calls, also using automated calling systems, fax, e-mail, SMS or MMS messages or other forms of message) regarding products, services or initiatives promoted by Grandi Navi Veloci S.p.A. or third parties, to promote the same, to carry out market research, even through profiling activities, and/or to verify the quality of products or services offered to you (also via telephone calls or the sending of questionnaires), to optimise said offers (also via targeted and selected analyses).
4. Fidelity Card
Data processing will only take place for the activities listed below:
a) issuing the Fidelity Card and managing activities which cannot be carried out anonymously but which are essential to allow users to use said card, to benefit from discounts and promotions, to take part in points collection and to access other ancillary services available via the Card;
b) engaging, with your express written consent, in direct marketing activities, such as sending (including via e-mail or text message) of advertising materials and communications containing information and/or promotional content about products or services supplied and/or promoted by the Controller or by its business partners;
c) engaging, with your express written consent, in individual or aggregate profiling activities and market research serving, for example, for analysis of consumers’ habits and choices, processing of statistics on them or assessment of the degree of satisfaction with the proposed products and services.
For the purposes outlined under letter a) of the previous point, providing your data is optional, but it is a pre-requisite for issue of the Fidelity Card. Therefore, failure to provide data will prevent the applicant from obtaining the Card.
For the purposes outlined under letters b) and c) of the previous point, providing your data is optional and refusal to provide the data and the relative consent will make it impossible for the Controller to follow up on the direct marketing and profiling activities indicated therein, but will nonetheless allow the applicant to obtain issue of the Fidelity Card and access the benefits associated with it.
5. Access to data
Data may be made accessible to:
- respond to information requests
- collect the information needed for requirements connected to the pre-contractual phase.
Also, with explicit consent, the data will be processed to:
- send e-mails, standard post, SMS and/or make telephone calls; send newsletters, commercial communications and/or advertising materials regarding products or services offered by GNV S.p.A., and to measure the level of satisfaction regarding the quality of services.
6. Transfer of data
Personal data may be communicated to:
- consultants and accountants or lawyers who provide services for the purposes listed above;
- banking and insurance institutions that provide services for the purposes listed above;
- subjects that process data in execution of specific legal obligations;
- Judicial or administrative authorities to fulfil legal obligations;
- subjects that provide services related to the website.
Personal data may be sent to other countries in the European Union or outside of the European Union or to international organisations, within the purposes illustrated.
The Data Controller guarantees that the transfer of data outside of the EU will be performed in compliance with applicable laws, also through the inclusion of standard contract clauses set forth by the European Commission and through the adoption of binding company rules for intragroup transfers.
Without explicit consent, the Data Controller may communicate the data for the purposes indicated above to supervisory bodies, judicial authorities, and insurance companies for the provision of insurance services, as well as subjects to whom communication is mandatory by law to fulfil those purposes.
Data Subjects may choose whether or not to provide their personal data; however, failure to provide it may result in it being impossible to fulfil the request.
With regard to personal data related to the execution of the contract or related to the fulfilment of a regulatory obligation (for example the obligations concerning the keeping of accounting and tax records), failure to communicate personal data prevents the completion of the contractual relationship.
8. Processing methods and duration
It is ensured that all processing will be based on the principles established by the GDPR, with particular regard to the lawfulness, correctness, and transparency of the processing, to the use of the data for specific, explicit, legitimate purposes, in a manner relevant to the processing, and in compliance with the principles of data minimisation, accuracy, storage, restriction, integrity and confidentiality, and accountability (Article 5 of the Regulation).
Personal data are processed using the following operations: collection, recording, organisation, structuring, storage, consultation, adaptation or alteration, use, dissemination, disclosure by transmission, recovery, alignment, combination, restriction, erasure, and destruction of data.
Personal data are subject to processing both in paper and in electronic form.
The Data Controller will process the personal data for the time necessary to fulfil the purposes indicated above.
Our websites and apps are not designed for children. Unless a parent or guardian has provided consent (except when applicable laws allow), we will not collect, to the best of our knowledge, personal data from minors.
Individuals must have reached their sixteenth birthday in order to provide us with their personal data and their eighteenth birthday before entering into transactions on our website and apps. By entering into transactions with us, you automatically declare that you have reached your eighteenth birthday and that you are fully entitled to carry out such transactions, as well as being legally bound to respect them.
If it should come to our attention or should we find out that a minor has provided us with personal information, we will promptly erase such data.
10. Rights of the Data Subject
The Data Subject has the following information and control rights set forth in the GDPR regarding the processing of the data in question.
Right to information policy (Art. 13-14; Considering 58, 60)
The Data Subject shall have the right to receive precise information on the processing of his or her personal data.
The policy must contain the following information:
- Identity of the Data Controller;
- Identity of the Data Protection Officer – DPO;
- Purposes of data processing;
- Legal basis;
- Any legitimate interests that constitute the legal basis;
- Any statutory or contractual obligations based on which the data are provided;
- Data circulation area (EU or extra-EU);
- Processing duration;
- (Any) decision-making on which automated processing is based;
- Rights of the Data Subject: access, rectification, integration, erasure, restriction, right to object, portability, complaint with a Data Protection Authority, withdrawal of consent.
Right to access (Art. 15; Considering 63)
The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data.
Right of rectification and integration (Art. 5 (1) (d), 16; Considering 39, 59, 65, 73)
The Data Subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure and to be forgotten (Art. 17; Considering 65-66, 68)
The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the grounds set forth in paragraph 1 of Article 17 of the Regulation applies.
Right to restriction (Art. 18; Considering 67)
The Data Subject shall have the right to obtain from the Data Controller restriction of processing under certain circumstances.
Right to object (Art. 21; Considering 50, 59, 69-70, 73)
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
The Data Controller shall no longer process the personal data, unless there are legitimate grounds for the processing which override the Data Subject’s right to object.
Right to portability (Art. 20; Considering 68, 73)
This is a new right.
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly-used and machine-readable format.
The Data Subject shall also have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
- the processing is carried out by automated means.
On the right to portability, a specific opinion was issued by the work group WP 29.
Right to object and decisions based solely on data processing (Article 21, paragraph 2, 3; Article 22; Considering 70)
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Therefore, Data Subjects have the rights set forth in Articles 15-21 of the GDPR, as well as the right to lodge a complaint with the competent authority pursuant to Art. 77 of the GDPR.
11. Procedure for exercising rights and communications
The Data Subject may send a formal request to exercise their rights or report alleged non-compliance or violation, by sending an e-mail to: email@example.com
The Data Controller for personal data provides for the management and execution of requests for exercising rights in compliance with the GDPR.
- The deadline for complying with the Data Subject’s request is 30 days and may be extended by a further 60 days, if necessary, taking into account the complexity and number of requests. In this case, the Data Controller informs the Data Subject of the extension and reason for the delay, within 30 days of receipt of the request.
- The information provided to the Data Subject and any communication and actions taken are free of charge.
- If the Data Subject’s requests are unfounded or excessive, in particular due to their repetitive nature, the Data Controller may:
  - charge a reasonable fee, taking into account the administrative costs sustained to provide the information or communication and undertake the requested action; or
  - refuse to fulfil the request.
For any clarification or request regarding the processing of personal data, you can reach the Data Controller or DPO at the e-mail addresses indicated above at any time.
Last update: March 2018