Policy pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council
Alitalia – Società Aerea Italiana S.p.A. in limited partnership wishes to inform you, pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council concerning the protection of individuals with regard to the processing of personal data (hereafter “European Regulation”), that it needs to process your personal data collected automatically or provided by you through navigation or use of the website https://www.alitalia.com/ (hereinafter “Website”).
- THE DATA CONTROLLER
- DATA PROTECTION OFFICER
- DEFINITION AND TYPE OF PERSONAL DATA PROCESSED
- PURPOSE OF THE PROCESSING AND LEGAL BASIS
- PERSONAL DATA STORAGE PERIOD
- CATEGORIES OF SUBJECTS RECEIVING THE DATA
- TRANSFER OF PERSONAL DATA TO THIRD PARTY COUNTRIES
7 A PASSENGERS TRAVELING TO THE UNITED STATES
7 B PASSENGERS TRAVELING TO CANADA
- AUTOMATED DECISIONAL PROCESSES, IF ANY
- NATURE OF THE CONFERMENT
- THE RIGHTS OF THE PARTY CONCERNED
- CONSENT OF MINORS FOR THE SERVICES OF THE INFORMATION COMPANY
- CHANGES IN THE CONSENT TO PERSONAL DATA PROCESSING
The Data Controller is Alitalia – Società Aerea Italiana S.p.A. in a.s., in the person of its legal representative, domiciled at the registered office in Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM) (hereinafter referred to as “Alitalia” or “Data Controller”).
2. DATA PROTECTION OFFICER
Considering the data processing activities performed by Alitalia, the Data Controller has deemed it necessary to appoint, pursuant to art. 37 of the European Regulation, a Data Manager who you may contact at the following address: Alitalia Data Protection Officer, Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM), or by sending an email to the address firstname.lastname@example.org
3. DEFINITION AND TYPE OF PERSONAL DATA PROCESSED
To allow you to use the air transport service offered by Alitalia, the website www.alitalia.com and the related services, the Data Controller needs to know and process some of your personal data.
The term "personal data" designates information that concerns a natural person who is either identified or identifiable, such as, for example, name, contact information and/or data relative to the booking.
For air ticket purchases, the data processed will be first name, last name, telephone number, email address, information about the journey purchased, including any special care required or preferences regarding meals and payment-related details. Moreover, depending on the destination, additional personal data categories may be collected, such as, for instance, date of birth, sex and passport number.
Instead, the type of data processed to merely browse the Website, and the dedicated informative notice on “cookies” are specified below.
The IT systems and software procedures that carry out Alitalia operations acquire, during their normal performance, some personal data, whose transmission is implicit when Web communication protocols are used.
This information is not collected to be associated with the identified parties, but by their very nature they might allow user identification through processing and the association with third party data.
This data category includes IP addresses or computer user names used by the users when they visit the Website, (Uniform Resource Identifier (URI) addresses of the requested resources, time of request, method of submission of the request to the server, size of the file received in response, numerical code indicating the status of the answer given by the server (successful, error, etc.) and other parameters concerning the operative system and the user's IT environment.
The Data Controller makes use of these data only to obtain anonymous statistical information about the use of the Website and to monitor its correct function. The data might also be used to ascertain responsibility in case of theoretical IT crimes against Alitalia.
Data provided intentionally by the user
The option of sending, both explicitly and intentionally, emails to the addresses provided on this Website entails the subsequent acquisition of the sender's address, which is required to respond to the requests, and of any other personal data that is entered in the message.
The type of cookies used on this Website is stated below and how you can easily choose if and how your personal data will be processed by this type of technological solutions.
This Website makes use of the so-called “technical cookies”, small rows of text containing a certain quantity of information that is exchanged between the Website and its terminal (or between the browser and its terminal) to ensure correct function and use of the Website.
This Website uses the so-called “profiling cookies”. These cookies are not essential but they help us customize and improve your experience of the Website. For instance, they help us show you the departure airport that is closest to your location, or tell us about your purchase preferences and help us remember them. They also enable us to show you relevant and customized advertisements. Furthermore, they allow us to limit the number of times an advertisement is displayed, gauge the efficacy of the advertising campaign, remember your visit and share the data collected with third parties, such as our advertisers.
Hence, the removal of these cookies does not impair general use of the Website, but it might limit some functions.
Third party cookies
The installation of all cookies can be disabled by adjusting your browser's settings. However, please note that by changing these settings you might not be able to use the Website, if you happen to block cookies that are essential to provide our services. However, every browser has different settings to disable cookies. The links to instructions for the most widely used browsers are given here Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera.
- CALL CENTER
Calls to Call Center numbers might entail processing of the user's personal data to provide the services requested, such as, for instance, bookings, purchase and sending of the air tickets requested by the passenger, changes or replacements of issued tickets, reimbursements, after sales service, special assistance and purchases of complementary flight-related services.
If the third party call centers process data for which Alitalia is the Data Controller outside the EU, Alitalia requires its suppliers to comply with the warrantees laid down by art. 46 of the European Regulation.
When making use of foreign call centers based outside the European Union, in compliance with the legislation in force, Alitalia will inform its clients about the foreign country where the operator is physically located, offering its clients/users the option of requesting that the service be rendered by an operator located in the user's country.
- ACCESS THROUGH SOCIAL NETWORKS
We wish to inform all clients registered with the MilleMiglia Program (the “Program”) that personal data provided when they joined the Program will be collected and processed by Alitalia in a form that guarantees data safety and compliance with the European Regulation. Moreover, MilleMiglia clients who access the Program through Alitalia's Social Login also through the following links [Facebook – Twitter – Instagram – Linkedin] that the personal data provided will be used, with their explicit consent, for purposes that are strictly related to and instrumental to participation in the Program and/or to registration for the Program, and to customization of services designed by Alitalia. The data conferred may be used by Alitalia for promotional, advertising and marketing purposes, such as sending advertising, promotional and informative material about products and services, and for statistical analyses performed to gauge customer satisfaction with services/products offered.
4. SCOPE OF DATA PROCESSING AND THE LEGAL GROUNDS
Personal data possessed by the Data Controller only include data provided by you when browsing the Website and/or when using our services. Hence, personal data will be processed to:
A) Access our air ticket purchasing service
B) Access the air transport service
C) Meet travel-related needs and offer the requested services
D) Send communications about the service status of your flight, if necessary
E) Meet all legal requirements related to air transport of passengers
F) Directly sell products and services that are similar to those already purchased by the party concerned, using the email address provided by the same when purchasing a ticket or service, if the appropriately informed party does not refuse subsequent communications;
G) Always provide updated information about Alitalia's activities and promotional offers, and about co-marketing promotions in order to enrich the travel experience; we shall send newsletters, advertising material and/or sales and direct marketing communications about our services and products, about the related offers, discounts and any other promotional and loyalization initiative adopted by us, both through traditional contact systems and through entirely automated ones, such as, for example, residence address and/or email, or even the TEXT MESSAGE SERVICE
H) Allow you to register for the MilleMiglia program
I) Customize the contents of commercial communications and only offer dedicated products and offers, consistently with the taste and preferences stated, for a better flight experience.
Considering your decision to make use of the Website services, the legal grounds to process your personal data can be as specified below:
- The data provided are necessary for bookings and to purchase one or more air tickets
- The data provided are necessary to execute the air transport contract
- Personal data processing is required to fulfill legal obligations established for the aeronautical framework that apply from time to time, based on the destination
- Personal data processing might be required to safeguard the vital interests of one or more natural persons
- The Data Controller has a lawful interest in processing personal data to offer the best service and flight experience
- To implement direct marketing and profiling initiatives, based on the specific consent that might be freely given.
Personal data may be processed both with IT devices and hard copy.
5. PERSONAL DATA STORAGE PERIOD
The Data Controller plans on storing personal data for a period of time that does not exceed the time required to pursue the purposes for which the data were collected and processed.
Regarding personal data processing for direct marketing purposes, when it is explicitly authorized, in compliance with provisions laid down by the legislation in force, Alitalia has established that your personal data for direct marketing purposes will be deleted within 24 months after they have been recorded. Personal data processed for profiling purposes will, instead, be deleted 12 months after they have been recorded.
Regarding other personal data, since we cannot precisely define the storage period of your personal data, the Data Controller commits from this moment to process your personal data in compliance with the principles of appropriateness, relevance and minimization of data, as required by the European Regulation, regularly verifying the need to store them. Hence, once the purposes for which they were collected and processed have been achieved, we shall remove them from our systems and logs and/or we shall adopt the appropriate measures required to ensure their anonymity in order to prevent your identification.
This will be applied unless we need to maintain said data to fulfill legal obligations or to ascertain, exercise or defend our rights during legal proceedings.
6. CATEGORIES OF SUBJECTS RECEIVING THE DATA
The data processed will not be disseminated to third parties. They might, anyhow, come to know your data, depending on the above-described data processing purposes:
- Subjects who can access the data as a result of legal provisions established by European Union Law or by the law of a Member State to which the Data Controller is subjected, including the Central Administration for Immigration and Border Police
- Our employed personnel appointed as Data Processing Coordinator, System Administrator or as subject who acts under the authority of the Data Controller or Data Processing Manager, as long as they have been previously instructed in this regard by the Data Controllers
- External subjects who perform functions that are closely related to or instrumental to the air transport activity, such as other air transport companies, either external or which belong to the Alitalia Group, such as Alitalia Cityliner S.p.A. in a.s., and handling companies, as independent Data Controllers or Data Managers, who might deem it essential for Alitalia's flight operations, and Alitalia Loyalty S.p.A. as joint Data Controller of data related to the MilleMiglia Program
- Banks, trust companies and service providers for anti-fraud control associated with the payment process and (when necessary) activation of the anti-fraud control procedure
- Third parties, such as law firms and public authorities, which we rely on to ensure compliance with or application of the agreement and to safeguard all our legal interests
- Third parties, such as the police and national authorities to protect our rights, property or your safety, the safety of staff and of our assets and resources
- Public authorities and law enforcement officers, such as customs and immigration authorities, following a valid application
- Subjects who, as distinct Data Controllers or Data Managers appointed by Alitalia when required, independently carry out auxiliary activities and services specified in section 4, as commercial partners, companies that offer advertising, marketing and communication services, companies that offer IT infrastructures, customer service and IT and design consultations, besides the creation of software and websites, companies that offer useful services to customize and make the most of our services, including supply and management of customer care, companies that offer useful services to analyze and develop data and to process and carry out market surveys.
Any communication of personal data will be carried out in total compliance with legal provisions laid down by the European Regulation and by the technical and organizational measures established by the Data Controller to ensure appropriate safety standards.
7. TRANSFER OF PERSONAL DATA TO THIRD PARTY COUNTRIES
Alitalia is a global carrier that conveys passengers to many countries worldwide. The Data Controller might transfer personal data to Third Party countries to ensure correct performance of Alitalia's activities, and to fulfill obligations resulting from the requests of the party concerned. Hence, the data transfer in question is necessary to implement the agreement between the party concerned and Alitalia and, in some cases, to fulfill the legal obligations which the Data Controller is subjected to.
If personal data of the parties concerned is transferred outside the European Union, we commit to:
- Include standard contractual clauses for data protection approved by the European Commission for the transfer of personal data outside the SEE in our agreements with these third parties (these clauses have been approved pursuant to art. 46.2 of the General Data Protection Regulation (“GDPR”); or
- Ensure that the country where the personal information will be managed is deemed “appropriate” by the European Commission, pursuant to art. 45 of the RGPD; or
- (If necessary, when we transfer personal information of the parties concerned to an entity in the United States) ensure that the addressee is included in the Privacy Shield, which requires said entity to provide similar protection for any personal data shared between Europe and the United States.
For more information about regulations concerning data transfer outside the SEE, including the procedures we refer to, consult the website of the European Commission here.
7. A- PASSENGERS TRAVELING TO THE UNITED STATES
From 5 March 2003, the United States Authorities require carriers operating flights from, to or through the United States of America to provide the United States Bureau of Customs and Border Protection (CBP) electronic access to passenger data for reasons related to the safety and protection of their territory.
Carriers who fail to fulfill these requirements might be heavily sanctioned and even lose the right to land in the United States of America. In turn, the passengers of these carriers might be subjected to more accurate and extensive controls in airports in the United States, with all the related inconvenience.
Alitalia, as all European carriers that operate from, to or through the United States of America, is obliged to meet the above requirements. The transfer of passenger data to the United States Authorities is, in fact, an essential condition to operate air transport service from, to or through the U.S. territory.
If a passenger refuses access to said data, his/her refusal would make it impossible for him/her to travel from, to or through the United States of America. Hence, Alitalia, in compliance with the requests made by said Authorities, reserves the right to cancel bookings that do not contain said data on the day before the 72-hour deadline prior to departure.
Passenger Name Record (PNR) data processing is regulated by the international agreement of 26 July 2007 between the European Union and the United States of America. The European Union will ensure that air carriers comply with these obligations. Alitalia must comply with these provisions. For a more exhaustive explanation about the processing of PNR data collected by U.S. authorities (DHS – Department of Homeland Security) regarding flights between the European Union (EU) and the United States of America, refer to the international agreement and to the accompanying letter of the DHS, published in the Official Bulletin of the European Communities Law no. 204 of 4 August 2007, which can be consulted by clicking here.
Hence, Alitalia has deemed it necessary to ensure that its passengers are aware of the information below regarding the processing and transfer methods of data contained in the bookings (which the United States of America have committed to respect in compliance with the cited agreement with the European Community). The information is provided in the form of answers to targeted questions.
- What type of passenger information can they access?
The United States Bureau of Customs and Border Protection (US CBP) has access to PNRs (precisely client data recorded when the journey by air was booked) concerning the flights operated from, to and through the United States of America.
They are electronic "files" created in the IT systems used by carriers for every route booked by the passenger, files that contain miscellaneous information including: name of the passenger, telephone contact of the passenger, flight details (date of the flight, departure and destination sites, inflight seat number, number of bags, etc.), and additional details, such as: any travel agency involved, form of payment, etc.
Hence, the PNR includes all information provided by the passenger during the booking phase. The US CBP is also sent, soon after take-off, the passenger's passport details (last name, first name, date of birth, nationality, passport number and sex).
AUTHORITIES AND PURPOSES
- Who will be authorized to access client details, who will store them and use them, and for what purposes will they be used?
The US CBP, which is part of the Department of Homeland Security, will have access to your data. This body will use it to prevent and fight terrorism and serious criminal actions.
However, as established by the U.S. legislation, said authorities might transmit the data to other American authorities that are appointed to fight terrorism or to ensure compliance with legal obligations and interests, after performing a case by case evaluation and always for the purpose of preventing and fighting terrorism or serious criminal acts.
Moreover, these data can be made accessible, when necessary, to protect the vital interest of passengers or of third parties (particularly in cases of important healthcare risks) or in the framework of penal proceedings or in other cases established by the law
- How are passenger data used?
Data are collected by the US CBP within the booking systems until 48 hours before the flight's departure and are used to perform passenger checks before arrival in the USA to ensure easy entrance to most travelers. US CBP will only focus on the small number of passengers who might represent an actual safety risk.
Data will be stored for a period of 7 years, though, when they are manually accessed during this period, they may be stored for another 8 years.
The U.S. authorities will adopt all appropriate technical and organizational measures to prevent the unauthorized use of these data.
- What rights do passengers have and how can they be exercised?
The U.S. authorities have committed, as a rule, not to object to passenger requests to receive a copy of data collected from the PNR and contained in their database. Passengers can request their data to be corrected. This will be done if the US CBP or Transport Security Agency (TSA) consider the request justified and appropriately explained. A negative decision may constitute a matter for judicial proceedings.
Requests to correct data and complaints about PNR data processing can be made by passengers (either directly or through data protection authorities in the Member States) to the Privacy Office of the DHS (Freedom of Information Act (FOIA) Program):
FOIA - Privacy Office
Department of Homeland Security
245 Murray Drive SW
Washington, DC 20528-0550
Toll free number: +1-866-431-0486
7. B- PASSENGERS TRAVELING TO CANADA
On 18 June 2007 the Government of Canada introduced the Passenger Protect Program to implement a border control system as an anti-terrorism measure.
The Passenger Protect Progam requires all air carriers operating from and to the Canadian territory to mandatorily check passenger names at check-in against the names present in lists drawn up and provided by the Canadian authorities to evaluate the possibility of either proceeding or not with the embarkation of any passengers who might be mentioned in the above lists. The Passenger Protect Program, which was initially launched on a voluntary basis, became mandatory for airlines in September 2008. To avoid very high sanctions or, in the worst case scenario, suspension of the right to land in Canadian territory, Alitalia has had to comply with the provisions required and, therefore, provides PNR and Application Programming Interface (API) data to Canadian authorities.
Currently Canada is the target of a decision on adequacy, pursuant to art. 45 of the GDPR.
The data processed by Alitalia for the purpose of subsequent transmission to the Canadian authorities include: name, date of birth, sex and passport number. Please note that if a passenger refuses access to and transmission of his/her personal data, this denial will necessarily make it impossible for Alitalia to carry the passenger by air to Canada. Alitalia's Safety Administration has been appointed to verify the correspondence between the names present in the lists sent by the Government of Canada and the passenger present in the airline's check-in lists.
- PASSENGERS TRAVELING TO JAPAN
Based on the Partial Amendment of the Immigration Control and Refugee Recognition Act, from 1 February 2007 the Japanese authorities mandatorily request the personal data stated in the passport of all passengers traveling to Japan. The transfer of passenger data to the Japanese authorities is a necessary condition to operate air transport services to Japan.
If a passenger denies the transfer of these data, his/her refusal would make it impossible for the passenger to travel to Japan.
8. AUTOMATED DECISIONAL PROCESSES, IF ANY
The Data Controller does not make use of automated decisional processes, including the profiling mentioned in art. 22, sections 1 and 4, of the European Regulation, without his/her consent. If he/she accepts profiling, the data provided may be used to either analyze or anticipate preferences, behaviors and positions in order to customize the content of the commercial communication and to propose only dedicated products and offers that are consistent with the taste and preferences stated, thus reducing the number of commercial communications we send, and offering a better flight experience.
Specifically, these data processing activities envisage recording, analysis and profiling (i) of your identification details, (ii) of information about your flights, (iii) and of data regarding your habits and consumption choices.
The aggregation and analysis of personal data collected allow us to identify clients of the air transport service that have in common similar purchasing behaviors. The results of these analyses will enable the Data Controller to send clients who have consented to receive them, commercial proposals that are consistent with their needs.
9. NATURE OF THE CONFERMENT
The conferment of your personal data for the purposes stated in sections 4.A – 4.B – 4.C – 4.D – 4E is mandatory because your refusal, if any, to provide the personal data requested would make it impossible for Alitalia to provide the air transport service.
The conferment of personal data for the purposes stated in section 4.F is optional and the party concerned always has the right to refuse this use of his/her personal data on the part of the Data Controller.
The conferment of personal data for the purposes stated in section 4.G is optional. However, though failure to provide these data will not prevent you from using the Website, it might prevent us from providing you all the benefits offered through advertising, commercial and direct marketing communications, and from informing you about additional services, discounts and promotional offers.
The conferment of personal data for the purposes stated in section 4.H is optional but failure to provide these data will prevent you from joining the Program.
Conferment of personal data for the purposes stated in section 4.I is optional. However, failure to provide these data will prevent you from receiving all the benefits reserved for you, and from receiving exclusive dedicated products and offers that are consistent with the taste and preferences expressed, for a better flight experience.
10. THE RIGHTS OF THE PARTY CONCERNED
Regarding the processing of your personal data, pursuant to the European Regulation, the party concerned is entitled to:
- Withdraw consent to data processing, at any time, for all further data processing procedures that are not necessary to execute the service agreement; however, it must be said that withdrawal of consent does not constitute a bias to the lawfulness of data processed based on consent provided prior to withdrawal of the consent itself, as established by art. 7, section 3, of the European Regulation
- Ask the Data Controller access to personal data, as established by art. 15 of the European Regulation
- Obtain, from the Data Controller, the correction and integration of personal data that is deemed inaccurate, even providing a simple integrative statement, as established by art. 16 of the European Regulation;
- Obtain, from the Data Controller, the deletion of personal data if even just one of the reasons established by art. 17 of the European Regulation is present, for all further data processing that might not be necessary to execute the service agreement,
- Obtain from the Data Controller the limitation of personal data processing, if even one of the cases theorized in art. 18 of the European Regulation is present, for all further data processing that might not be necessary to execute the service agreement
- Receive, from the Data Controller, the personal data that concern you, in a structured format widely used and legible by an automatic device; you are entitled to transmit these data to another Data Controller, as established by art. 20 of the European Regulation
- Object at any moment, for reasons associated with your particular situation, to the processing of personal data carried out in compliance with art. 6, section 1, letters e) or f), including profiling based on these provisions, as established by art. 21 of the European Regulation
- Not to be subjected to decisions solely based on automated data processing, including profiling, that will have legal repercussions for you, if you have not consented explicitly in advance, as established by art. 22 of the European Regulation; by way of a non-exhaustive example, this category includes any form of automated personal data processing intended to either analyze or foresee aspects that concern consumption and purchase choices, the economic situation, interests, reliability and behavior;
- Submit a complaint to the control authorities if you deem that the processing of your data violates the European Regulation; the complaint can be submitted in the Member State where you habitually reside or work or in the place where a presumed violation occurred, as established by art. 77 of the European Regulation.
To exercise each of your rights, you may contact the Data Controller, in the person of the legal representative, by contacting the registered office at Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM).
Alternatively, you can contact the Data Protection Officer by sending a communication to Alitalia Data Protection Officer, Via A. Nassetti s.n.c., Pal. Alfa, , 00054 Fiumicino (RM), or by sending an email to email@example.com providing the following information:
- First and last name and postal address
- Details of the request
- Booking code or flight number and date
- Photocopy of a valid document of identification
To exercise the rights related to the MilleMiglia Program, you can send an email to the address: firstname.lastname@example.org allegando: (i) MilleMiglia card number; (ii) details of the request; (iii) copy of a valid document of identification.
11. CONSENT OF MINORS FOR THE SERVICES OF THE INFORMATION COMPANY
To make use of the services issued over the Website, you must be over fourteen years of age. Processing the personal data of a minor aged under fourteen years is lawful as long as it is performed by the person who has parental authority over the minor. For further information, visit the page Organize Your Journey.
12. CHANGES IN THE CONSENT TO PERSONAL DATA PROCESSING
You can change the consent provided at any time for the following purposes:
- 4F - 4G by clicking on the link “unsubscribe” present in each newsletter received or by answering “unsubscribe” to the TEXT MESSAGE SERVICE message you received
- 4H – 4I by accessing your personal MilleMiglia page in the dedicated section.
Personal data processing will occur, including by means of external providers appropriately called external processing managers, with guaranteed security and confidentiality. These providers may be located also outside the European Union in accordance with the art. 26 of Directive 95/46/EC, after analysis of appropriate security measures and after the subscription of the standard clauses made available by the European Commission – The data processing may be performed not only with manual tools but also with automatic tools (both computer and telematic) that are capable of storing, managing and transmitting the said data. Personal data will be: processed in a legal and proper manner; collected and recorded for specific, explicit, legitimate and precise purposes, and, if necessary, updated, relevant and complete purposes, not exceeding the purposes of processing; stored in a way that allows it to be identified by the individual for a period of time not exceeding the time necessary for the purposes for which it was collected or subsequently processed.
POLICY AND CONSENT TO THE USE OF PERSONAL DATA, PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL
As of March 5, 2003, the United States Authorities require carriers with flights from, to or through the United States of America, to provide the United States Bureau of Customs and Border Protection (CBP), for security reasons and to protect the United States of America, with electronic access to passenger data.
Carriers that do not fulfill these requirements could face heavy fines and even lose the right to land in the United States of America.
In turn, passengers on these carriers may be subject to more accurate and extended checks in United States airports, with all the possible inconveniences this may cause.
Alitalia, like all European carriers flying from, to or through the United States of America, sought to fulfill the abovementioned requirements.
The transfer of passenger data to the United States Authorities is in fact a condition of operating air transport services from, to or through the United States of America.
Any passengers who do not consent to their data being accessed will consequently not be permitted to fly from, to or through the United States of America. Alitalia therefore, in compliance with that required by said Authorities, reserves the right to cancel bookings where this data is missing the day before the deadline of 72 hours before departure.
The processing of PNR data is covered by the international agreement of July 26, 2007 between the European Union and the United States. The European Union will ensure that air carriers respect these obligations. Alitalia must comply with these requirements. For a more detailed explanation of PNR data processing collected by the United States Authorities (DHS – Department of Homeland Security) in relation to flights between the European Union (EU) and the United States, please refer to the international agreement and accompanying letter from the DHS, published in the Official Journal of the European Community L 204 of August 4, 2007, which you can see by clicking here.
Alitalia, therefore, considered it necessary to ensure that its passengers are aware of the following information relating to the processing and transfer methods of data contained in bookings (to which the United States of America is committed, pursuant to the agreement with the European Community), which are reported in the form of answers to specific questions.
- What type of passenger information can they access?
The United States Bureau of Customs and Border Protection (US CBP) has access to PNR (Passenger Name Record, or data from registered customers in the process of booking a flight) regarding flights from, to or through the United States of America.
This is in the form of electronic "files" created in the computer systems used by carriers for every itinerary booked by the passenger, containing various types of information, including: passenger name, telephone number, flight details (date, origin and destination, on-board seat number, number of bags, etc.), as well as other information such as: the name of any travel agency involved, payment method, etc.
The PNR therefore includes all the information provided by the passenger when booking. Immediately after takeoff, the passenger's passport details (surname, name, date of birth, nationality, passport number and gender) are also sent to the United States Customs and Immigration Authorities.
AUTHORITIES AND PURPOSES
- Who will have access to customer data, who will keep it and for what purposes will it be used?
The US CBP, which is part of the Department of Homeland Security, will have access to the data.
This entity will use it to prevent and combat terrorism and serious criminal acts.
The US CBP will not allow the public to access the data in question. According to United States law, data may still be transmitted to other US Authorities for combating terrorism or to comply with legal obligations and in the interests of justice. However, this must only occur after a case-by-case evaluation and always for the purposes of preventing and combating terrorism or serious criminal acts.
This data could also be made available, when necessary, for protecting the vital interests of passengers or third persons (especially in cases of significant health risks) or in criminal proceedings or other cases required by law.
- How will passenger data be used?
The data is intercepted by the US CBP within the booking system up to 48 hours before departure of the flight and is used to perform checks on passengers before they arrive in the United States of America, in order to facilitate the entry of most of the travelers, focusing the US CBP resources on a limited number of passengers who could be a real security threat.
The data is stored for a period of seven years, although, in cases where the data is accessed manually within this period, it could be stored for a further eight years.
Moreover, the United States Authorities will adopt all the appropriate technical and organizational measures to prevent unauthorized use of the data.
- What rights do passengers have and how can these be exercised?
The United States Authorities have undertaken, in principle, not to oppose requests from passengers to receive a copy of the data intercepted in the PNR and stored in their databases. Passengers may request that their data is amended and obtain it, where the US CBP or the Transport Security Agency (TSA) consider this request justified and adequately supported.
However, a negative decision may be subject to judicial appeal.
Passengers may address (directly or through the authorities in charge of data protection in the Member States) requests for amendments and complaints regarding PNR data processing to the DHS Privacy Office (Freedom of Information Act [FOIA] Program):
Department of Homeland Security
245 Murray Drive SW
Washington, DC 20528-0550
Toll-free number: +1 866 431 0486
Tel.: +1 703 235 0790
Fax: +1 703 235 0443
Passengers can also receive further information on the protection of privacy through the competent authorities in their own country. In Italy, please contact the Italian Data Protection Authority: Garante per la Protezione dei Dati Personali, Piazza Montecitorio, 121 – 00186 Rome, tel. 06 69677713, fax 06 69677715.
Alitalia currently only allows the US Authorities access to PNR data.
However, in the near future, it cannot be ruled out that other countries could put similar systems in place for accessing bookings for air carriers flying from, to or through their country.
As of June 18, 2007, the Government of Canada introduced the Passenger Protect Program to create a border control system as an anti-terrorism measure.
The Passenger Protect Program requires that all air carriers flying out of and into Canada check passenger names at check-in, comparing them to the names on the list prepared and provided by the Canadian Authorities, in order to assess whether or not to allow the passengers on this list to board. The Passenger Protect Program, which was initially voluntary, became mandatory for airlines in September 2008.
In order to avoid considerable fines or, in the worst case scenario, lose the right to land in Canada, Alitalia complied with the requirements, obtaining, in advance, the necessary favorable opinion from the Italian Data Protection Authority. In fact, although the Italian Data Protection Authority requested further analyses from the European Commission of the Passenger Protect Program, it gave a favorable opinion based on the balance of interests, pursuant to Art. 24 letter g. of Legislative Decree no. 196/2003.
Alitalia requires the following data to subsequently send to the Canadian Authorities: name, date of birth, gender and passport number.
Please note that any passengers who do not consent to this data being accessed and sent to the Authorities will consequently not be permitted to fly to Canada on Alitalia flights. Alitalia's Security Department is responsible for checking that the names on the lists sent by the Government of Canada match those of the passengers on the Company's check-in list. We would also like to inform customers that the Data Controller is Alitalia S.p.a. in a.s. and the Operations Division is the Data Processor. To exercise all your rights, you can contact the Data Controller, in the person of the legal representative, by writing to the registered office in Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM), or, alternatively you can contact the Data Protection Officer, by writing to Alitalia Data Protection Officer, Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM), or by sending an email to email@example.com
As of February 1, 2007, based on the Partial Amendment to the Immigration Control and Refugee Recognition Act, the Japanese Authorities require as mandatory the personal data written on the passports of all passengers traveling to Japan.
The transfer of passenger data to the Japanese Authorities is a condition of operating air transport services to Japan.
Any passengers who do not consent to their data being transferred will consequently not be permitted to fly to Japan.