PRIVACY STATEMENT AND COOKIE POLICY

SKY ALPS Ltd. with registered office in Bolzano, Kornplatz 3, postal code 39100, tax number, VAT number and registration number in the Register of the Chamber of Commerce of Bolzano 03067170211 - REA BZ-229344 (hereinafter referred to as “Sky Alps” or as “Data Controller”) is constantly committed to protecting the online and offline privacy of its users. This document has been prepared pursuant to Article 13 of the EU Regulation 2016/679 (hereinafter: "Regulation"), as well as pursuant to Legislative Decree 196/2003 as amended by Legislative Decree 101/18 (hereinafter, together with the Regulation, the "Applicable Legislation") in order to allow you to be informed of our privacy policy, to understand how your personal information is handled when you use our website (https://www.skyalps.com hereinafter collectively "Site") and, where applicable, to give your express and informed consent to the processing of your personal data. The information and data provided by you or otherwise acquired as part of the use of the services of Sky Alps, such as: the flight booking procedure, or travel packages, and/or other ancillary services; the management of the reservation; the check-in procedure; the sending of communications relating to the status of the service in case of need; access to the restricted area of the Site; as well as the sending of updated information on activities and promotions, including co-marketing, newsletters, etc. (hereinafter the "Services") will be processed in accordance with the provisions of the applicable legislation and the obligations of confidentiality that inspire the activity of Sky Alps.

According to the rules of the Regulation, the data processing carried out by Sky Alps are based on the principles of lawfulness, fairness, transparency, purpose limitation and conservation, data minimization, accuracy, integrity and confidentiality.

TABLE OF CONTENTS

1. Data Controller

2. The person responsible for data processing - Data Protection Officer

3. Personal Data subject to processing

a. Browsing data

b. Special categories of Personal Data

c. Data volunteered by Data Subjects

d. Cookies

4. Purposes of data processing

5. Lawful basis and mandatory or optional nature of data processing

6. Disclosure of Personal Data

7. Transfer of Personal Data

8. Retention of Personal Data

9. Any automated decision-making processes

10. Your rights

11. Amendments

1. Data Controller

In relation to the data processing carried out through our Site, the Data Controller as defined above is Sky Alps.

For any information regarding the processing of Personal Data by the Data Controller, including the list of Data Processors, please write to the following address privacy@skyalps.com.

2. The person responsible for data processing - Data Protection Officer

Due to the processing activities carried out by Sky Alps, the Data Controller has deemed it necessary to designate, pursuant to Article 37 of the Regulation, a Data Protection Officer or DPO who can be contacted by sending an e-mail to dpo@skyalps.com.

3. Personal Data subject to processing

Please be informed that as a result of browsing the Website, Sky Alps will collect and process Personal Data that may consist of information like name and surname, identification number, online identifier, mail address, e-mail address, landline and/or mobile telephone number or information on one or more physical, physiological, psychological, financial, cultural or social features relating to an identified or identifiable person (hereafter “Personal Data”).

The following Personal Data is processed through our Website:

a. Browsing data

During normal operation, the computer systems and software used to operate our Website acquire some Personal Data the transmission of which is implicit in the Internet communication protocols. The collection of this information is intended to be associated with identified parties; however, the data collected might by its nature allow users to be identified through processing and association with data held by third parties. This category of data includes IP addresses or domain names of computers used by users who connect to the Website, URI (Uniform Resource Identifier) of requested resources, the time of request and method used to submit it to the server, the size of the file obtained in reply, the numerical code indicating the server response status (successful, error, etc.) and other parameters relating to the user's operating system and IT environment. This data is used for the sole purpose of obtaining anonymous statistical information on the use of the Website and to ensure its correct functioning by identifying any anomalies and/or abuses and are therefore deleted immediately after processing. The data could be used to ascertain responsibility in the event of possible computer crimes against Sky Alps or third parties; except for this possibility, the data collected from the Website is removed within a short period of time.

b. Special categories of Personal Data

If you send us your application through our Website, “Jobs and Careers” section, you might provide us with Personal Data that falls within special categories as set forth in art. 9 of the Regulation, namely: “… personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and … genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”. Please do not disclose this type of data unless it is strictly necessary. Please be informed that if you do choose to provide this type of data without giving your specific consent to the processing (e.g., by sending a CV), the processing on our part will relate to data made manifestly public by the Data Subject, as provided for by art. 9(1)(e) of the Regulation. Therefore, the Data Controller will be released from any liability or dispute whatsoever in connection with the processing of such data. As previously mentioned, explicit consent to the processing of special categories of Personal Data is fundamental if you do choose to disclose such information.

Please be also informed that Sky Alps may view any social media profiles made openly available on professional networking sites or platforms (e.g., LinkedIn).

c. Data volunteered by Data Subjects

We may process Personal Data of third parties that you send to Sky Alps when using certain services on our Website (e.g. in the 'Hotel' section). In these cases, you act as independent Data Controller, thereby assuming all the obligations and liabilities set by law. In this sense, you release Sky Alps from any and all responsibilities and obligations with respect to any dispute, claim, compensation for damages etc. that may be received from third parties whose Personal Data has been processed through the Website functions in violation of applicable data protection laws. In any case, if you provide or process Personal Data of third parties while using our Website, you warrant – assuming full liability – that processing has a lawful basis in compliance with art. 6 of the Regulation.

d. Cookies

Definitions, characteristics and application of the legislation

Cookies are small text files that the websites visited by the user send and record on their computer/mobile device, so that they can be resent to the same sites the next time the user logs on. It’s precisely thanks to cookies that a website can remember the user’s actions and preferences (such as login details, preferred language, font size, other visual settings, etc.) so that the user doesn’t have to set these preferences again the next time they visit the website, or even when they move to a different page on the same website. Therefore, cookies are used for authentication purposes, to monitor sessions and to memorize the data regarding user activities when browsing a website. They may contain a personal identification code that makes it possible to track the user’s activities within the website for statistical or advertising purposes. While navigating on a website, the user’s computer may receive cookies from websites or web servers other than those used by the website being visited (so-called “third-party cookies”). Some operations may be impossible to perform without the use of cookies, as in some cases they are vital to the technical functioning of the website.

Various types of cookies exist, with different characteristics and functions, and they may remain on the user’s device for varying lengths of time: “session cookies”, which are automatically deleted as soon as the browser window is closed, and “persistent cookies”, which stay on the user’s computer until a previously established length of time has elapsed.

According to Italian legislation, for cookies to be used, it is not always necessary for the website user to give their express consent. In particular, “technical cookies” i.e., those used for the sole purpose of completing the transmission of information on an electronic communication network, or to the extent that is strictly necessary to respond to Inquiries explicitly made by the user – are used without express consent. In other words, technical cookies are those which are vital to allow the website to function or in order to carry out the user’s requests.

Among the technical cookies that do not require express consent in order for websites to make use of them, the Italian Personal Data Protection Authority (see the edict ‘Individuazione delle modalità semplificate per l’informativa e l’acquisizione del consenso per l’uso dei cookie“’ published on May 2014 and the subsequent clarifications regarding the same; henceforth simply “Edict”) lists:

- “analytics cookies”, when they are used directly by the website administrator to gather aggregated statistical information about the number of hits and how users browse the site;

- navigation or session cookies (for authenticating users);

- technical cookies, which allow the user to navigate on the site according to a series of selected criteria (e.g., language, products selected for purchase) in order to improve the Website.

For “profiling cookies” on the other hand – i.e., cookies designed to create a profile of the user that are used in order to send commercial messages in line with the preferences shown by said user when surfing the web in general – the express consent of the user must previously be obtained.

Types of cookies used by the Website and option to (de)select

The Website uses the following cookies that may be deselected, except for the third-party cookies: for these you will have to refer directly to the relative methods of selection and deselection for each cookie, for which we provide the relevant links:

- Navigation or session technical cookies which are strictly necessary either to allow the Website to function or to allow you to access content and receive answers to the inquiries you made.

- Functional cookies, i.e. those used to activate specific Website functions as well as a series of selected criteria (for example, language) in order to enhance the Website.

N.B.: by turning off technical and/or functional cookies, you may render the Website unusable, or certain services or functions provided by the Website may become unavailable or fail to function correctly, therefore forcing you to modify or manually insert certain information or preferences each time you visit the Website.

- Third-party cookies, i.e., cookies from websites and web servers other than Sky Alps’, used for the purposes of those third parties. We would like to point out that these third parties, listed below with the respective links to their privacy policies, are generally independent data controllers for the data gathered through the cookies they serve; therefore, you will have to refer to their data processing policies, notices and consent forms (selection and deselection of their respective cookies), as stipulated in the aforementioned Edict. We furthermore inform you that Sky Alps does everything in its power to trace cookies on its own Website. These cookies are regularly updated on the table below, where we state with total transparency which cookies are sent directly by Sky Alps and what their respective purposes are. As for the third parties who send cookies through our Website, we have provided links to their respective privacy statements below: as mentioned before, the responsibility to inform users and obtain their consent is theirs, as foreseen by the Provision. This responsibility is not only for the cookies sent directly by the third parties, but also to any cookies sent through our Website during its utilization, of which said third parties avail of. Regarding these cookies, which are sent by service providers to the aforementioned third parties, Sky Alps has no control over them, and does not know either their characteristics or purposes.

Below are the links to the relevant information on third-party cookies:

AeroCRS - www.aerocrs.com/about-aerocrs/cookie-policy/

Booking South Tyrol- www.bookingaltoadige.com/privacy/

Trentino Holidays - www.thol.it/privacy-policy/

Cookie settings

You can block or remove technical and functional cookies (either wholly or partially) by using specific functions provided by your browser. Nevertheless, we inform you that, if you do not authorise the use of technical cookies, it may be impossible for you to utilize the Website, view all the contents and make use of the available functions of the Website. Blocking technical cookies could lead to certain services or functions provided by the Website being unavailable or failing to work correctly, and you may be forced to amend or manually insert either information or preferences every time you visit the Website.

The choices you make regarding the cookies used by the Website will in turn be recorded on a specially designated cookie. In certain circumstances, however, this cookie may not work correctly; if this happens, we recommend that you delete or block the unwanted cookies through your browser.

If you subsequently use a different device or browser to access the Website, you will have to reset your cookie preferences.

How to view and make changes to cookies using a browser

Every browser has functions allowing you to authorize, block or remove cookies (either wholly or partially). For more information on how to set your cookie preferences through your preferred browser, you can consult the relevant instructions below:

- Internet Explorer

- Firefox

- Chrome

- Safari

- Edge

4. Purposes of data processing

The processing we intend to carry out, with your specific consent where necessary, has the following purposes:

a. To enable the provision of the Services you have requested, i.e.: (i) the flight booking procedure; (ii) the management of the booking (modification or cancellation of the booking, etc.); (iii) the check-in procedure; (iv) to send communications relating to the status of the service when necessary; (v) access to the reserved area of the Site;

b. to respond to requests for assistance or information;

c. to analyse applications and CVs and re-contact candidates who have submitted their applications via the "Jobs and Careers" section;

d. fulfil legal, accounting and tax obligations.

e. provide updated information on the activities and promotions of Sky Alps, as well as co-marketing promotions useful to enrich the travel experience, by sending newsletters, advertising material and/or communications and information of a commercial and direct marketing nature on our services and products, on related offers, discounts and any other promotional and loyalty initiatives adopted by us, both through traditional and fully automated contact systems, such as, for example, through the address of residence and/or e-mail, or even through SMS messages.

f. record, analyse and profile your identification data, information relating to your flights and data relating to your consumption habits and choices.

5. Lawful basis and mandatory or optional nature of data processing

The lawful basis for the processing of Personal Data for the purposes referred to in section 4 (a-b-c) is art. 6(1)(b) of the Regulation (performance of a contract) as the data is necessary to provide the services required and/or to respond to requests from the interested party. Giving your Personal Data for these purposes is optional, but indispensable to activate the services provided by the Website, to answer requests or evaluate CVs. With specific reference to the purpose 4.c and the viewing of profiles on professional networking platforms made freely available on the Internet, as mentioned in section 3.b, the lawful basis is art. 6(1)(f) of the Regulation, i.e. the legitimate interest of the holder in verifying the candidate’s suitability for the open position and any potential risks.

The legal basis for the processing of Personal Data for the purposes referred to in sections 4.e and 4.f is art. 6(1)(b) of the Regulation, i.e. consent. The provision of Personal Data for the purposes referred to in the aforementioned sections is optional, but failure to provide it for the purpose referred to in section 4.e, while in no way preventing the use of the Services, may not allow us to allow you to take full advantage of the benefits offered through advertising, commercial and direct marketing communications, as well as to inform you about additional services, discounts and promotions offered.

For the purposes illustrated in section 4.d, the lawful basis is art. 6(1)(c) of the Regulation (compliance with legal obligations). Once provided, Personal Data must be processed for the Data Controller to comply with legal obligations.

6. Disclosure of Personal Data

Your Personal Data may be shared, for the purposes set out in section 4 above, with:

- Persons who can access the data by virtue of legal provisions provided for by the law of the European Union or the law of the Member State to which the Data Controller is subject, including the Central Directorate for Immigration and Border Police. Pursuant to Article 13 of the Regulations and following the provisions of Article 8 of Directive (EU) 2016/681 of 27 April 2016 on the use of passenger name record (PNR) data, air carriers are obliged to transfer passenger name record (PNR) data to the database of the PIU (Passenger Information Unit) of the Member State on whose territory the flight lands or from whose territory the flight departs. The data will be processed in accordance with applicable legislation and for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

- Our employees, subject to designation as Authorised Persons (persons acting under the authority of the Controller), System Administrators, provided that they have been previously and adequately instructed to do so by the Controller.

- External parties who perform functions closely related or instrumental to the activity of air transport, as independent data controllers, joint data controllers or data processors, which should be considered essential for the operation of Sky Alps flights.

- Credit card companies and service providers for anti-fraud control related to the payment process and (where necessary) activation of the procedure for anti-fraud control.

- Third parties such as consultants and public authorities that Sky Alps may/must contact to enforce or apply the Services Agreement.

- Third parties such as the police and national authorities to protect our rights, property, or the safety of Sky Alps, its personnel and assets.

- Public authorities and law enforcement agencies, such as customs and immigration authorities, following a valid request.

- Subjects who carry out, in total autonomy, as separate data controllers, or as data processors appointed for this purpose by Sky Alps, purposes ancillary to the activities and services referred to in section 4, such as business partners, companies offering advertising, marketing and communication services, companies offering computer infrastructure and support services and computer consulting and design and implementation of software and websites, companies that offer services useful to customize and optimize our services.

The possible or necessary communication of Personal Data will take place in full compliance with the applicable legislation and the technical and organisational measures taken by the Data Controller to ensure an adequate level of security.

7. Transfer of Personal Data

Your Personal Data is not shared with recipients located outside the European Economic Area. However, Sky Alps assures you that, should a transfer outside the EU occur in the future, your Personal Data will be processed by these recipients in accordance with the Regulation. Indeed, transfers will be based on an adequacy decision, the Standard Contractual Clauses approved by the European Commission or another appropriate legal basis. More information is available by writing to the following address: privacy@skyalps.com.

8. Retention of Personal Data

Personal Data processed for the purposes referred to in section 4(a-b) will be kept only for as long as strictly necessary to achieve those purposes. In any case, since data is used in order to provide Services, the Data Controller will process the Personal Data up to the time allowed by Italian law (art. 2946 of the Italian Civil Code and subsequent amendments). With regard to applications and CVs submitted through the "Jobs and Careers" section referred to in section 4.c, Personal Data will be retained for as long as the position for which the CV was submitted is available or, in the case of spontaneous applications, for up to 12 months thereafter. This is without prejudice to the possibility for Sky Alps to contact the Candidate again shortly before the indicated expiry date to request an extension of this retention period.

Personal Data processed for the purposes referred to in section 4.d will be stored for as long as provided for by applicable laws and regulations.

For more information on our data retention policy and criteria, please contact: privacy@skyalps.com.

9. Any automated decision-making processes

Sky Alps does not use automated decision-making processes, including profiling referred to in Article 22, paragraphs 1 and 4, of the Regulation, without your consent. If you consent to the purpose of profiling, the Personal Data provided may be used to analyse or predict preferences, behaviours and positions in order to customize the content of commercial communication and offer only dedicated products and offers in line with the tastes and preferences expressed, thus decreasing the number of commercial communications that we will send and offering a better flight experience.

Specifically, these processing activities involve the recording, analysis and profiling of: (i) your identification data, (ii) information relating to your flights, (iii) as well as data relating to your consumption habits and choices.

The aggregation and analysis of the Personal Data collected allows Sky Alps to identify customers of the air transport service who share similar purchasing behaviour. Thanks to the results of these analyses, Sky Alps will be able to send to those who have consented commercial proposals functional to the needs. In addition, as required by art. 22, paragraph 3, of the Regulation, the Owner implements all appropriate measures to protect your rights, freedoms and legitimate interests even within the profiling process, in addition to any additional and legitimate rights as better explained in the following section 10 ("Rights of data subjects ") of this Privacy Policy.

10. Rights of data subjects

You may revoke at any time your consent to the processing of your Personal Data for all further processing not necessary for the purpose of providing the Services. It should be noted, however, that the revocation of your consent does not affect the lawfulness of the processing based on your consent before the revocation, as provided for in Article 7(3) of the Regulation.

Pursuant to Art. 15 and following of the Regulation, you have the right to obtain access to your Personal Data at any time. You have the right to request from the Data Controller rectification or erasure of your data, as well as to object to and restrict processing of your data in the cases provided for by Art. 18 of the Regulation. You have the right to obtain the Personal Data concerning you in a structured, commonly used and machine-readable format in compliance with Art. 20 of the Regulation.

Requests must be submitted in written form and sent at: privacy@skyalps.com

In any case, you also have the right to lodge a complaint with the competent Supervisory Authority (Italian Data Protection Authority) if you consider that the processing of your Personal Data infringes the applicable law, pursuant to Art. 77 of the Regulation.

11. Amendments

Sky Alps reserves the right to amend or simply update the contents of its privacy policy, either partially or entirely, for reasons which may include changes to the applicable legislation. You will be informed of any such changes through publication on the Website. Therefore, Sky Alps invites you to consult this section regularly in order to familiarize yourself with the most recent and up-to-date version of the privacy policy; this way you will always be adequately informed about the data gathered and how they are used.

Last update: September 2021.