INFORMATION LETTER PURSUANT TO ART. 14 OF REG. 679/16/EU (REGULATION ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA, ON THE FREE MOVEMENT OF SUCH DATA AND ON THE REPEAL OF THE DIRECTIVE)
Pursuant to Art. 14 of Reg. 679/16/EU (hereinafter referred to as "GDPR" for brevity) of the European Parliament and of the Council on the protection of personal data (Legislative Decree no. 196/2003), SKY ALPS TOUR OPERATOR Ltd. with registered office in Bolzano, Kornplatz 3, postcode 39100, tax number, VAT number and registration number in the Register of the Chamber of Commerce of Bolzano 03067170211 - REA BZ-229344, in its capacity as data controller of the General Data Protection Regulation (hereinafter referred to as "Controller"), informs you about the main aspects of the processing of your personal data.
A) Nature of the data collected, purpose and legal basis for the processing, mandatory or optional nature of the data transfer.
Personal data may be processed for the following reasons:
2. Data collection for newsletter distribution, for the performance of a service or to comply with the law or for internal administrative purposes:
a. For newsletter distribution and/or for the performance of a service (contractual purposes): Some users may provide us with personal data and contact details or register on our website. Other users may sign up for our newsletter. Still others may make reservations, purchase tickets or use other services and/or participate in initiatives promoted on or through the website. In other cases, data is processed to manage and respond to enquiries, reports, assistance and communications relating to reservations or purchases made, as well as for additional and complementary services, such as fulfilling specific requests, prior to the conclusion of a contract. In these cases, the legal basis of the data processing is the need to carry out a pre-contractual action, to provide a (requested) service (e.g. to send the newsletter) or to fulfil the contract. This processing does not require any further consent, as the data has been provided to us to provide the service (pursuant to Article 6.1.b of the GDPR "performance of the contract or pre-contractual measure"). You are not obliged to provide us with your data for these purposes, however the data is necessary for the performance of the services requested. In other words, if you want to book a flight or other service, we cannot make the booking if we do not have your personal data. If you do not provide us with your email address, we cannot send you a newsletter, etc. If you do not provide us with your data, we cannot conclude a contract or provide the services you have requested;
b. To comply with legal obligations: Our activity obliges us to process certain data in order to comply with the obligations established by applicable laws. These obligations include, but are not limited to, the maintenance of company accounts for both civil and tax purposes, the accounting of the related data, direct internal administrative acts and processes for the fulfilment of the above obligations and the preparation of documents for the balance sheet, the possible preparation and archiving of travel and transport documents, as well as the fulfilment of all legal, common law and international regulations issued by public authorities and applied in our country. The processing of personal data for these purposes is based on the legal basis of the need to comply with legal obligations and therefore Art. 6.1.c (legal obligation) of the GDPR and does not require your consent;
c. To carry out marketing, advertising and sales purposes: Persons who have provided us with their contact details, such as e-mail address, mobile phone number for sending text messages, etc., will receive, if they have given their consent, commercial and advertising communications relating to events, promotions or services. This data may also be used to determine customer satisfaction by means of e-mail, traditional mail, fax, SMS or MMS. The legal basis for this type of processing of personal data is based on our desire to keep in touch with customers and to inform them about our activities in accordance with the provisions of Art. 6.1 (a) of the GDPR; the provision of this data for this purpose is on a voluntary basis. If consent is refused, the user will not receive information about our new programmes, promotions or initiatives. Users who wish to receive communications for commercial and/or marketing purposes must therefore give their express, voluntary and unambiguous consent through the tools provided for this purpose on this website. This consent constitutes the legal basis for this type of data processing.
d. To carry out so-called profiling activities: We may use your data obtained through navigation, requested services, reservations and/or personalised settings, as well as through direct interactions with us, for analysis purposes in order to improve our offer and to send you personalised information and offers tailored to your interests. This will only be done with your explicit and voluntary consent, which also forms the legal basis.
Consent for the processing of data for the purpose indicated in point 2.b is mandatory.
We may present or offer third party products or services on our website. In terms of data protection, the websites of these third-party providers may be subject to different data protection guidelines that are independent of us. Therefore, we disclaim any liability with respect to the content or activities of such linked websites. Nevertheless, we are committed to protecting the integrity of our website at all times and therefore welcome your comments on the above websites.
• Information on the connectivity of the device and the phone, e.g. operator, network type, network operator, subscriber identity module ("SIM") operator and country of the SIM card;
• Operating system and corresponding version;
• Terminal device model;
• Data performance and usage;
• Usage data such as date and time of access to our servers, links clicked and functions in the app, searches, transactions and downloaded data and files;
• Selected or enabled settings of the mobile device such as Wi-Fi, Global Positioning System ("GPS") location and Bluetooth (may be used for geolocation after consent is given, as explained below);
• Mobile device settings;
• Other technical information such as the name of the app, type and version required to provide the services;
B) CATEGORIES OF DATA PROCESSED
In accordance with the purposes described above and any consents given, the following categories of personal data are processed:
• Navigation data on the website
• IP address of the user
• Identifying data - name, surname, anagraphic data, address, etc.
• Contact data: Email address, mobile phone number, fax number, etc.
• Contractual data - bookings, tickets and services used.
C) SOURCE OF THE DATA
The personal data processed is provided by you directly or collected when you download and use the app and when you visit our website through various tools such as cookies, tags, etc.
D) PROCESSING METHODS, LOCATION AND DURATION OF DATA STORAGE
User data is processed both with electronic devices and without electronic devices, using appropriate security measures to prevent the risk of destruction, loss, alteration, unauthorised disclosure of or access to data transmitted, stored or processed. The data will be processed by the data controller within the European Union. Should data processing be necessary outside the European Union for technical and/or business reasons (e.g. in the case of intercontinental travel bookings), we hereby inform you that, depending on the situation, these third countries will be nominated as data controllers in accordance with Article 28 of the GDPR and that the transfer of personal data for this specific processing to third countries is governed by Chapter V of the GDPR. All necessary precautions will thus be applied to guarantee the full protection of your personal data for this transfer: (a) on adequacy decision on the part of the European Commission for these destination third countries; (b) on adequate safeguards issued by the destination third country in accordance with Article 46 of the GDPR. In any case, you can ask the data controller for further information regarding the processing of your data outside the European Union.
The data for the services used will be kept for the period required by law for tax, accounting and contractual purposes.
Registration data will be retained until account deletion or refusal of consent.
Unless further retention periods are required by law or necessary for legal process, this information will be valid.
E) RECIPIENTS OF PERSONAL DATA. WHO MAY COME INTO CONTACT WITH THE DATA.
In order to fulfil the above-mentioned purposes, your personal data may be made available to the following persons:
1. To employees and collaborators of the data controller who work under its management and are authorised for data processing in their capacity as agents or authorised persons;
2. For companies belonging to the same group of companies as the data controller, as well as their employees and collaborators;
3. For persons whose activity is necessary for the performance of the services requested or provided by you or for the fulfilment of requirements prior to the conclusion of the contract (e.g. suppliers and subcontractors at home and abroad, companies and institutions in the banking, credit, financing and insurance sectors) and law firms for the protection of the rights of the data controller;
4. For third parties to whom your data must be transferred in order for them to fulfil their contract, e.g. for bookings or transport (e.g. the airline(s) involved for all or part of the journey);
5. For third parties that have been contracted by the data controller to carry out certain processing activities and/or related tasks and that consequently provide the data controller with corresponding services, which in any case are related to the purposes mentioned above, such as administrative services, accounting, fiscal purposes, audits, IT system management, communication, collection, data archiving, customer service. These third parties carry out the data processing on behalf of the controller and have the relevant authorisation in accordance with Art. 28 of the GDPR;
6. For public administrations, public security, customs, airport, air traffic control, inspection authorities and, in general, for persons authorised by law.
Your data will not be passed on, i.e. they will not be disclosed to any person.
F) RIGHTS ACCORDING TO GDPR
You can exercise your rights under the GDPR at any time:
Article 15 (Right of access of the data subject)
1. The data subject shall have the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed and, if so, to obtain access to those personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data processed; (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular to recipients in third countries or to international organisations; (d) where possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining such duration; (e) the existence of a right of rectification or erasure of the personal data concerning him or her, or of the right to object to processing by the controller; (f) the existence of a right of appeal to a supervisory authority; (g) where the personal data are not collected from the data subject, any available information on the origin of the data; (h) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in such cases, meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards referred to in Article 46 in relation to the transfer.
3. The responsible person shall provide a copy of the personal data which are the subject of the processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. If the data subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject indicates otherwise.
4. The right to receive a copy under paragraph 3 shall not prejudice the rights and freedoms of other persons.
Article 16 (Right to rectification)
The data subject shall have the right to obtain from the controller the rectification without delay of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to obtain the completion of incomplete personal data, including by means of a supplementary declaration.
Article 17 (Right to erasure - "right to be forgotten")
1. The data subject shall have the right to obtain from the controller the erasure without delay of personal data concerning him or her and the controller shall be obliged to erase personal data without delay where one of the following reasons applies: (a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed. (b) The data subject withdraws the consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing. (c) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2). (d) The personal data have been processed unlawfully. (e) The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject. (f) The personal data have been collected in relation to information society services offered in accordance with Article 8(1).
2. Where the responsible person has made the personal data public and is obliged to erase it pursuant to paragraph 1, he or she shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested that they erase all links to, or copies or replications of, that personal data.
3. Paragraphs 1 and 2 shall not apply insofar as processing is necessary: (a) for the exercise of the right to freedom of expression and information; (b) for compliance with a legal obligation requiring processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3); (d) for archiving, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Article 89, paragraph 1, where the right referred to in paragraph 1 is likely to make impossible or seriously prejudice the achievement of the purposes of such processing; or (e) for the establishment, exercise or defence of legal claims.
Article 18 (Right to restrict processing)
1. The data subject shall have the right to obtain from the controller the restriction of processing where one of the following conditions is met: (a) the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data, (b) the processing is unlawful and the data subject objects to erasure of the personal data and requests instead the restriction of the use of the personal data; (c) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims; or (d) the data subject has objected to the processing pursuant to Article 21(1) for as long as it is not yet established whether the legitimate grounds of the controller override those of the data subject.
2. the data subject has objected to the processing pursuant to Article 21(1), as long as it is not yet established whether the legitimate grounds of the controller override those of the data subject.
3. the data subject has objected to the processing pursuant to Article 21(1), as long as it is not yet established whether the legitimate grounds of the controller override those of the data subject.
Article 19 (Notification obligation in connection with the rectification or erasure of personal data or the restriction of processing)
The controller shall notify all recipients to whom personal data have been disclosed of any rectification or erasure of the personal data or restriction of processing pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of those recipients if the data subject so requests.
Article 20 (Right to data portability)
1. The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that (a) the data subject has objected to the processing pursuant to Article 21(1) for as long as it is not yet established whether the legitimate grounds of the controller override those of the data subject. (b) processing is carried out by automated means.
2. When exercising their right to data portability in accordance with paragraph 1, the data subject shall have the right to obtain that the personal data be transferred directly from one controller to another controller, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in Article 1 shall not prejudice the rights and freedoms of others.
Article 21 (Right of objection)
1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her carried out on the basis of Article 6(1)(e) or (f), including for profiling based on those provisions. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
2. If personal data are processed for the purpose of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this shall also apply to profiling insofar as it is related to such direct marketing.
3. If the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for these purposes.
4. The data subject shall be expressly informed of the right referred to in paragraphs 1 and 2 at the latest at the time of the first communication with him or her; this information shall be given in a comprehensible form separate from other information.
5. In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by means of automated procedures using technical specifications.
6. The data subject shall have the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1), unless the processing is necessary for the performance of a task carried out in the public interest.
Article 22 (Automated decisions in individual cases, including profiling)
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision (a) is necessary for the conclusion or performance of a contract between the data subject and the controller, (b) is authorised by Union or Member State law to which the controller is subject and that law contains suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (c) is made with the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the controller shall take reasonable steps to safeguard the rights and freedoms of the data subject, as well as the legitimate interests of the data subject, which include at least the right to obtain the intervention of a person on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions under paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to protect the rights and freedoms and legitimate interests of the data subject.
Article 23 (Restrictions)
1. Union or Member State legislation to which the controller or processor is subject may, by way of legislative measures, restrict the obligations and rights referred to in Articles 12 to 22 and Article 34 and Article 5, in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, provided that such restriction respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society ensuring: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (e) the protection of other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, such as in the monetary, budgetary, taxation, public health or social security fields; (f) the protection of the independence of the judiciary and the protection of judicial proceedings; (g) the prevention, detection, investigation and prosecution of breaches of professional rules of regulated professions; (h) control, supervision and regulatory functions connected, even occasionally, with the exercise of official authority for the purposes referred to in points (a) to (e) and (g); (i) the protection of the data subject or of the rights and freedoms of others; (j) the enforcement of civil claims.
2. Any legislative measure referred to in paragraph 1 shall in particular contain, where appropriate, specific provisions at least as regards (a) the purposes of the processing or the categories of processing, (b) the categories of personal data, (c) the scope of the restrictions applied, (d) the safeguards against misuse or unlawful access or unlawful disclosure; (e) the identification of the controller or categories of controllers; (f) the respective retention periods as well as the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing; (g) the risks to the rights and freedoms of data subjects; and (h) the right of data subjects to be informed of the restriction, unless this would be detrimental to the purpose of the restriction.
Article 34 (Notification of the data subject of a personal data breach)
1. Where the personal data breach is likely to result in a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without undue delay.
2. The notification to the data subject referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and shall include at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. Notification to the data subject pursuant to paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational security measures and those measures have been applied to the personal data concerned by the personal data breach, in particular measures that render the personal data inaccessible to any person who is not authorised to access the personal data, such as encryption; (b) the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subjects referred to in paragraph 1 is no longer likely to exist; (c) notification would involve a disproportionate effort. In that case, a public notice or similar measure shall be taken instead, which informs the data subjects in a comparably effective manner.
4. If the data controller has not already notified the data subject of the personal data breach, the supervisory authority may, taking into account the likelihood that the personal data breach will result in a high risk, require the data controller to do so or may determine by means of a decision that certain of the conditions referred to in paragraph 3 are met.
We would like to point out that you can send a specific request regarding the exercise of your above-mentioned rights to the data controller at any time: info(at)skyalps.com
You also have the right to (a) contact the data controller in all matters relating to the processing of personal data and the exercise of rights under the GDPR; (b) lodge a complaint with the data protection authority "Garante della Protezione dei dati" (www.garanteprivacy.it) if you consider that your data have not been processed in accordance with Art. 77 or to take legal action (Art. 79).
INFORMATION ON THE HOLDER AND, IF SPECIFIED, THE REPRESENTATIVE IN ACCORDANCE WITH ARTICLES 27 AND 28 OF THE GDPR
The data controller is SKY ALPS TOUR OPERATOR Srl, in the person of the legal representative pro tempore, with registered office in Bolzano, Kornplatz 3, postcode 39100, tax number, VAT number and registration number in the register of the Bolzano Chamber of Commerce 03067170211 - REA BZ-229344.
Last updated: May 2021