PRIVACY POLICY MILLEMIGLIA

PRIVACY POLICY MILLEMIGLIA PROGRAM MADE PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 (GDPR)

1. ABOUT US

 

Alitalia – Società Aerea italiana S.p.A. in A. S., with registered office at via A. Nassetti s.n.c., Palazzina Alfa, 00054 Fiumicino (RM) (hereinafter, “Alitalia”) and Alitalia Loyalty S.p.A., with registered office at Piazza Almerico da Schio n. 3, Palazzina Bravo, 00054 Fiumicino (RM) (hereinafter,” Alitalia Loyalty") signed on July 9, 2019 a joint ownership agreement, the extract of which is available at the following link: https://www.alitalia.com/it, with the purpose of defining, pursuant to art. 26 of the GDPR, the processing of personal data of members enrolled in the MilleMiglia Program (hereinafter, the “Program”) for the purposes specified below.

Alitalia and Alitalia Loyalty, in their capacity as data  of the members of the Program (hereinafter, the “joint data owners”), take great care to ensure the security and confidentiality of the personal data of the Members of the Program and want to provide you with some information regarding the processing of your personal data, as defined below, that the same may process as a result of your enrolment in the Program.

 

2. WHAT PERSONAL DATA CONCERNING YOU MAY BE COLLECTED

 

The joint data owners collect the following categories of personal data concerning you (the term “personal data” means all the following categories, jointly considered):

 

  • Personal data and contact details - information on your name, surname, date of birth, gender, postal address, telephone number, mobile number and email.
  • Data on the transactions - information concerning your transactions (transaction history) relating to "miles flown", services purchased, activities performed and transactions concluded with the sponsors and business partners of the joint data owners.
  • Interests and data you voluntarily provided – information you provide to us about your travel preferences or other interests, the name of your company, your professional situation, how you prefer to be contacted or other personal data.
  • Dati di navigazione – informazioni relative alle modalità con cui Lei utilizza il sito, apre o inoltra le nostre comunicazioni, incluse le informazioni raccolte tramite cookie (può trovare la nostra Informativa sui Cookie al seguente link.

 

3. HOW WE COLLECT YOUR PERSONAL DATA

The joint data owners collect and process your personal data in the following circumstances:

 

  • if you subscribe to the Program, through the online form, accessing the "MilleMiglia" section of the website www.alitalia.com
  • if you sign up for the Program, using the paper form or on digital media (eg. tablet) supplied by the joint data owners or by companies appointed by them.

 

If you provide personal data on behalf of someone else, first you need to make sure that the interested parties read these Privacy Guidelines.

Please help us keep your personal data up-to-date by informing us on any changes that may occur.

 

4. WHAT ARE THE PURPOSES FOR WHICH YOUR PERSONAL DATA MAY BE USED

Personal data processing must be justified by one of the legal requirements provided for by legislation in force on personal data protection, as described below. 

 

a)  Operational management of your enrollment in the Program and purposes closely related thereto.

The joint data owners collect and process your personal Data and contact details, data concerning transactions, and your Interests and Data provided by You voluntarily in order to (i) follow-up and manage your program application form (ii) send you service communications that are functional to the capacity of Shareholder and related to the possible program deadlines and/or benefits, (iii) comply with all contractual obligations and meet any requests that you may make in relation to the Program.

Prerequisite for processing: signing of a contract to which you are a party or implementation of pre-contractual measures, to allow you to enrol in the Program.

 

b) Marketing to meet your needs and to provide you with promotional offers also in line with your preferences also in line with your preferences

With your express and specific consent, the joint data owners will process your personal and contact data for marketing and advertising communication purposes, aimed at informing you about promotional sales initiatives or for market research and Statistical Surveys of the joint data owners. The joint data owners will also process the aforementioned data to send you Communications aimed at informing you about promotional sales initiatives of their sponsors and business partners. Please click here for the list of sponsors and Commercial Partners of the Program.

Marketing communications may be sent through automated contact modes (e.g. email, sms, instant messaging, social networks, push notifications and other mass messaging tools, etc.) and traditional contact methods (e.g. phone call with operator).

Prerequisite for the processing: your consent; failure to provide your consent does not preclude or imply consequences regarding your enrolment in the Program.

In the manner referred to in the following paragraph "YOUR RIGHTS CONCERNING THE PROTECTION OF PERSONAL DATA AND YOUR RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY" you may at any time revoke your consent with effect from the subsequent processing. In addition, you may at any time indicate the contact method you prefer among those listed above and you may object to the receipt of promotional communications through all or only some of these contact methods.  

 

c)  Profiling

Subject to your separate and specific consent, the joint data owners will process your personal data and contact details, the  data  concerning the transactions, the interests and the data provided by You voluntarily and the navigation data for the purposes of profiling, through a statistical processing of the aforesaid personal data on the basis of an analysis of your interests, habits and purchase choices and an analysis of the data relating to the use of the website, in order to create your own personal profile.

Prerequisite for the processing: your consent; failure to provide your consent does not preclude or imply consequences regarding your enrolment in the Program.

In the manner referred to in the following paragraph "YOUR RIGHTS CONCERNING THE PROTECTION OF PERSONAL DATA AND YOUR RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY" you may at any time revoke your consent with effect from the subsequent processing. In addition, you may at any time indicate the contact method you prefer among those listed above and you may object to the receipt of promotional communications through all or only some of these contact methods.

 

d) Purposes related to the obligations provided for by laws, regulations or European legislation, by provisions / requests of authorities legitimized by law and / or by supervisory and     control bodies

The joint data owners may process your personal data to comply with legal obligations to which they are required to comply.

Prerequisite for processing: compliance with legal obligations.

 

e)  Protection of rights in judicial, administrative or out-of-court proceedings and in disputes arising in connection with the programme and the related services. 

The joint data owners may process your personal data to defend their rights or act or even make claims against you or third parties.

Prerequisite for processing: legitimate interest of the joint data owners to protect their rights.  

 

4. MANDATORY OR OPTIONAL NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF THE REFUSAL, IF ANY, TO PROVIDE THEM

The provision of the personal data requested in the program registration form, marked with an asterisk ( * ), is mandatory as they are required for your registration in the program; failure to provide such personal data will make it impossible to conclude the registration. The provision of additional personal data, not marked with an asterisk ( * ), is optional and the failure to provide them will not entail consequences for your enrolment in the program.

The provision of personal data for the purposes referred to in paragraph 4 (A) above is mandatory since it is necessary for the performance of the contract; failing this, you will not be able to register in the program.

The provision of personal data for the purposes referred to in paragraph 4 (b) and (c) is optional in nature and failure to do so shall not preclude or have any consequences regarding your enrolment in the programme, but it will not allow us to inform you in a timely manner of all the advantages reserved for Program Members through commercial communications.

The provision of personal data for the purposes referred to in paragraph 4 (D) above is mandatory as, in the case to the contrary, the joint data owners will be unable to comply with specific legal requirements.

 

5.     HOW WE KEEP YOUR PERSONAL DATA SAFE

The joint data owners shall use a wide range of security measures in order to enhance the protection and maintenance of the security, integrity and accessibility of your personal data.

The joint data owners have identified, within the parent company Alitalia, the person to be entrusted with the task of managing the infrastructure, the systems and the related security measures related to the Program and the website www.alitalia.com and, to that end, Alitalia Loyalty has appointed Alitalia, with a separate written agreement, as Data Processor pursuant to Art. 28 of GDPR.

All of your Personal Data are stored on a secure server (or safe paper copies) of the joint data owners, or of our suppliers or business Partners, and are accessible and usable according to our standards and our security policy (or equivalent standards for our suppliers or business partners).

Where the joint data owners have given you (or where You have chosen) a password that allows access to your personal area of our Website, applications or services provided by us, You will be responsible for the confidentiality of that password and for complying with any other security procedure of which we may inform you.

 

6. HOW LONG DO WE STORE YOUR INFORMATION

We store your personal data only for the time necessary to achieve the purposes for which they were collected or for any other legal purpose related to them. Therefore, if personal data are processed for two different purposes, we will store said data until the purpose with the longer-term ends, also, we will not store personal data for the purpose whose storage period lasted less.

We limit access to your personal data only to those who need to use them for relevant purposes.

Your personal data that are no longer necessary, or for which there is no longer a legal requirement to store them, are irreversibly anonymized (and this way they can be still be stored) or destroyed in a safe manner.

Below are the retention periods for different purposes mentioned above:

 

  • Personal data and contact details, Data concerning transactions and collected data, and Interests and Data provided by You voluntarily processed for registration and operation of the Program: they will be retained by the joint data owners for the duration of your enrollment in the Program, but not beyond the next 10 years from the cancellation of the Program for documents and data of a civil law, accounting and tax nature as provided by applicable law.
  • Interests and data provided by you voluntarily and data related to transactions: if you have given your consent to the processing of these personal data for profiling purposes, such data will be stored for 12 months from the collection, however we will periodically refresh your consent for this purpose so as to respect your choices.
  • Personal data and contact details collected and processed for marketing purposes: in the case of the processing of your Personal Data for marketing purposes, which requires the use of only the personal and contact details, these will be stored for 24 months from the time they are collected in the marketing database; however, we will make sure to refresh periodically your consent for such purposes so as to respect your choices.
  • Browsing data: such personal data will be kept as long as your MilleMiglia profile is active. The retention period for the various cookies that may be used, can be consulted in the appropriate cookie notice at the following link.
  • With particular reference to the judicial protection of our rights or in case of requests by the authority, the personal data processed will be kept for the time necessary to fulfil  the request or to pursue the protection of said rights.

 

7.  WITH WHOM MAY WE SHARE YOUR PERSONAL DATA

Your personal data may be accessed by duly authorized employees, including external suppliers, appointed, if necessary, as data processors, who provide support for the provision of services related to the Program or as autonomous data owners.

The following may also gain knowledge of your personal data, for the purposes specified above:

 

  • persons who may access personal data pursuant to legal provisions laid down in the law of the European Union or that of the member state to which the joint data owners are subject;
  • companies of the Alitalia Group, such as Alitalia CityLiner S.p.A. in A.S.;
  • banks and payment companies;
  • third parties such as law firms and public authorities to whom we refer so that the contract entered into is observed or applied and to safeguard all our other legitimate interests;
  • third parties such as police and national authorities to protect our rights;
  • public authorities and public security forces following a valid request;
  • third parties that perform as independent data owners or as data processors, purposes which are ancillary to the activities and services referred to in paragraph 4, such as companies that offer IT infrastructure and support and consultancy services as well as the design and implementation of software and websites, companies which offer useful services to customize and optimize our services, including those to supply and manage the customer service, companies that offer useful services to analyze and develop the data and process and conduct market research studies.

 

Any communication of the personal data shall take place in full compliance with the legal provisions provided by the GDPR.

Please contact us at the addresses below if you wish to view the list of data controllers and other persons to whom we disclose the personal data. Your personal data will not be disclosed to third parties.

 

8.     TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

The joint data owners may transfer your personal data to third countries for the proper conduct and implementation of the programme. For this reason, the transfer may be necessary for the performance of the contract concluded with the joint data owners and to which you are a party and, in some cases, for the fulfilment of the legal requirements to which the joint data owners are subject.

In case of transfer of your personal data outside the European Union, the joint data owners hereby undertake to:

 

  • include the standard data protection clauses approved by the European Commission for the transfer of personal information outside the EEA in our contracts with such third parties (these are the clauses approved under Article 46.2 of the GDPR; or
  • ensure that the country in which your personal data will be processed has been deemed “appropriate” by the European Commission in accordance with Article 45 of the GDPR; or
  • (if necessary when transferring Personal Data of the parties concerned to a recipient in the United States) ensure that the recipient is part of the Privacy Shield, which requires the recipient to provide similar protection to any personal information that is shared between Europe and the United States. 

 

For more information on the rules for data transfers outside the EEA, including the mechanisms on which we rely, please consult the European Commission's website here.

For more information about the countries to which the joint data owners may transfer your personal data, please contact the joint data owners at the contact details given in the next section “CONTACTS”.

 

9.     ANY AUTOMATED DECISION-MAKING PROCESSES

The data owners shall not use automated decision-making processes, including profiling, without your consent.

 

10. YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO FILE COMPLAINTS WITH THE SUPERVISORY AUTHORITY

Under the conditions provided by the GDPR you have the right to request from the joint data owners:

 

  •  Access to your personal data, as provided for in art. 15 of the GDPR,
  • rectification and integration of your personal data in our possession considered incorrect, as provided by art. 16 of the GDPR,
  • deletion of personal data for which we no longer have any legal basis for their processing, as provided by art. 17 of the GDPR,
  • limitation of the way in which we process your personal data if one of the cases provided for in art. 18 of the GDPR applies,
  • a copy of the personal data you have provided to us, in a structured format, commonly used and readable by an automatic device for processing based on the contractual relationship (so-called. portability), as provided by art. 20 of the GDPR,
  • not to be subjected to decisions based solely on automated processing including profiling, which produce legal effects that concern you, if you have not given your prior consent, as provided for in art. 22 of the GDPR,
  • withdrawal of your consent at any time, in the event that the processing is based on consent. It should be noted that any withdrawal of consent will only take effect with regard to subsequent processing, without prejudice to the lawfulness of the processing previously carried out prior to such withdrawal.

 

 

Right to object: in addition to the rights listed above, you have the right to object at any time, for reasons related to your particular situation to the processing of personal data carried out for the purposes of the legitimate interest of the joint data owners and for the processing of personal data for marketing purposes, including profiling to the extent related to such marketing.

In the event of his death, the rights mentioned above may also be exercised by anyone who has an interest of his own, or acts in his protection, as his agent, or for family reasons worthy of protection, pursuant to art. 2-terdecies of Legislative Decree. 196/2003, as amended by Legislative Decree No 101/2018 ("Privacy Code"). You may expressly prohibit the exercise of some or all of the above rights by your successors by sending a written statement to the joint data owners at the contact details listed in the following paragraph “CONTACTS” below. This declaration may be revoked or amended at any time and in the same manner.

In order to exercise the aforementioned rights against the joint data owners, you (or your successor in title, within the above limits) may send your communication to Alitalia Loyalty Data Protection Officer, Piazza Almerico Da Schio n. 3, Palazzina Bravo, 00054 Fiumicino (RM), or you can write to the following e-mail address: dpo.alitalialoyalty@alitalia.com, specifying, in both cases, (i) Your name and surname, (ii) your MilleMiglia card number, (iii) the details of your request, without prejudice to your right to exercise the aforementioned rights with regard to each joint data owner.

Exerting such rights is subject to some exceptions aimed to protect the public interest (for example preventing or identifying crimes), and our interests (for example preserving professional secrecy). In case you exert any of the aforementioned rights, it will be our responsibility to check that you are entitled to exert said right, and we will provide a reply, as a rule, within a month.

If you believe that the processing of personal data concerning you is in violation of the provisions of the GDPR, you have the right to lodge a complaint with the guarantor for the protection of personal data, using the references available on the website www.garanteprivacy.it  or to refer to the appropriate judicial offices.

 

11. CONTACTS OF THE JOINT DATA OWNERS AND OF THE DATA PROTECTION OFFICERS (“RPD” or “DPO")

The contact details of the joint data owners are as follows:

 

  • Alitalia Loyalty S.p.A., Piazza Almerico da Schio, 3, Palazzina Bravo, 00054 Fiumicino (RM)
  • The Personal Data Protection Officer (DPO) appointed by Alitalia Loyalty can be contacted at the following e-mail address: dpo.alitalialoyalty@alitalia.com
  • Alitalia – Società Aerea italiana S.p.A. in A. S., via A. Nassetti s.n.c., Palazzina Alfa, 00054 Fiumicino (RM)
  • The Personal Data Protection Officer (DPO) appointed by Alitalia – Società Aerea italiana S.p.A. in A.S. can be contacted at the following e-mail address: dpo@alitalia.com.

 

Managing your MilleMiglia profile – updating and deleting the Program

If you want to make requests relating to the operational management of Your MilleMiglia profile, as well as to the update of the data contained therein, or to the cancellation of your Program membership, You can send a communication to the following e-mail address: profilomillemiglia@alitalia.com, specifying (i)  your MilleMiglia card number, (ii) the details of your request, and providing (iii) a copy of your valid ID document, as provided by the Program Regulations.