ALITALIA MILLEMIGLIA PROGRAM PRIVACY POLICY

1. ABOUT US

Alitalia – Società Aerea italiana S.p.A. in A. S., with registered office at via A. Nassetti s.n.c., Palazzina Alfa, 00054 Fiumicino (RM) (hereinafter, “Alitalia”) and Alitalia Loyalty S.p.A., with registered office at Piazza Almerico da Schio n. 3, Palazzina Bravo, 00054 Fiumicino (RM) (hereinafter,” Alitalia Loyalty") signed on July 9, 2019 a joint ownership agreement, the extract of which is available at the following link, with the purpose of defining, pursuant to art. 26 of the GDPR, the processing of personal data of members enrolled in the MilleMiglia Program (hereinafter, the “Program”) for the purposes specified below.

Alitalia and Alitalia Loyalty, in their capacity as data  of the members of the Program (hereinafter, the “joint data owners”), take great care to ensure the security and confidentiality of the personal data of the Members of the Program and want to provide you with some information regarding the processing of your personal data, as defined below, that the same may process as a result of your enrolment in the Program.

 

2. WHAT PERSONAL DATA CONCERNING YOU MAY BE COLLECTED

The joint data owners collect the following categories of personal data concerning you (the term “personal data” means all the following categories, jointly considered):

 

  • Personal data and contact details - information on your name, surname, date of birth, gender, postal address, telephone number, mobile number and email.
  • Transactions data – information concerning airline ticket purchases and your transactions (including transaction history, payment method information or other details) and/or services purchased, activities performed and transactions entered into with our Business Partners.
  • Interests and Data provided by you voluntarily – information you provide to us regarding your travel preferences or other interests, your company name, your professional status, responses to surveys, contests and/or market research in which you participate or other personal data.
  • Browsing data – informazioni relative alle modalità con cui Lei utilizza il sito, apre o inoltra le nostre comunicazioni, incluse le informazioni raccolte tramite cookie (può trovare la nostra Informativa sui Cookie al seguente link.

 

3. HOW WE COLLECT YOUR PERSONAL DATA

The joint data owners collect and process your personal data in the following circumstances:

 

  • if you subscribe to the Program, through the online form, accessing the "MilleMiglia" section of the website www.alitalia.com
  • if you sign up for the Program, using the paper form or on digital media (eg. tablet) supplied by the joint data owners or by companies appointed by them.

 

If you provide personal data on behalf of someone else, first you need to make sure that the interested parties read these Privacy Guidelines.

Please help us keep your personal data up-to-date by informing us on any changes that may occur.

 

4. WHAT ARE THE PURPOSES FOR WHICH YOUR PERSONAL DATA MAY BE USED

Your personal data are processed by the joint data owners for one or more of the following purposes, on the basis of the legal premise indicated from time to time.

 

a)  Operational management of your enrollment in the Program and purposes closely related thereto.

The joint data owners collect and process your personal Data and contact details, data concerning transactions, and your Interests and Data provided by You voluntarily in order to (i) follow-up and manage your program application form (ii) send you service communications that are functional to the capacity of Shareholder and related to the possible program deadlines and/or benefits, (iii) comply with all contractual obligations and meet any requests that you may make in relation to the Program.

 

Prerequisite for processing: performance of a contract to which you are a party or implementation of pre-contractual measures under Article 6 letter b) of the GDPR.

 

b) Marketing to meet your needs and to provide you with promotional offers also in line with your preferences also in line with your preferences

 

Subject to your express and specific consent, the joint data owners will process your personal data and contact details as well as your transactions data for marketing and advertising communication, aimed at informing you about sales promotions or for market research and statistical surveys of the joint data owners. The joint data owners will also process the aforesaid data in order to inform you about sales promotions of their business partners who are independent data owners. Please click here for a list of the Program’s Commercial Partners.

Marketing communications may be sent through automated contact methods (e.g. email, sms, instant messaging, social networks, push notifications and other mass messaging tools, etc.) and traditional contact methods (e.g. phone call with operator).  In this regard, you may at any time oppose the receipt of promotional communications through some of the contact methods mentioned above.


Prerequisite for processing: your consent pursuant to art. 6, par. 1 lett. a) of the GDPR; failure to provide the same does not preclude or entail any consequences with regard to your enrollment in the Program.

 

You may at any time revoke your consent, with effect for subsequent processing, for the receipt of messages by electronic mail or other means:

 

(i)  by clicking on the appropriate option at the bottom of each e-mail received;

(ii) by making a request to the contacts referred to in the following paragraph "YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO FILE COMPLAINTS WITH THE SUPERVISORY AUTHORITY”.

 

c) Data Profiling and Data Enrichment

Subject to your separate and specific consent, the joint data owners will process your personal and contact details, transaction data, interest data and data provided voluntarily by you as well as navigation data for profiling purposes, through a statistical processing of the aforementioned personal data on the basis of the analysis of your interests, purchasing habits and choices, analysis of data relating to the use of the website, in order to create an individual profile of you, also through information acquired from public sources or from the Partners of the Program in order to develop, promote and provide services and/or products of the joint data owners in line with your needs and preferences to develop targeted digital campaigns.

Prerequisite for processing: your consent pursuant to art. 6, par. 1 lett. a) of the GDPR; failure to provide the same does not preclude or entail any consequences with regard to your enrollment in the Program.

In the manner referred to in the following paragraph "YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO FILE COMPLAINTS WITH THE SUPERVISORY AUTHORITY", you may at any time revoke your consent with effect for further processing.

 

d) Purposes related to the obligations provided for by laws, regulations or European legislation, by provisions / requests of authorities legitimized by law and / or by supervisory and control bodies

 

The joint data owners may process your personal data to comply with legal obligations to which they are required to comply.

 

Prerequisite for processing: compliance with legal obligations to which the joint data owners are subject pursuant to Art. 6, par. 1 lett. c) of the GDPR.

 

e)  Protection of rights in judicial, administrative or out-of-court proceedings and in disputes arising in connection with the programme and the related services. 

The joint data owners may process your personal data to defend their rights or act or even make claims against you or third parties.

 

Prerequisite for processing: compliance with legal obligations to which the joint data owners are subject pursuant to Art. 6, par. 1 lett. c) of the GDPR.

 

5. MANDATORY OR OPTIONAL NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF THE REFUSAL, IF ANY, TO PROVIDE THEM

The provision of the personal data requested in the program registration form, marked with an asterisk ( * ), is mandatory as they are required for your registration in the program; failure to provide such personal data will make it impossible to conclude the registration. The provision of additional personal data, not marked with an asterisk ( * ), is optional and the failure to provide them will not entail consequences for your enrolment in the program.

 

The provision of personal data for the purposes referred to in paragraph 4 (A) above is mandatory since it is necessary for the performance of the contract; failing this, you will not be able to register in the program.

 

The provision of personal data for the purposes referred to in paragraph 4 (b) and (c) is optional in nature and failure to do so shall not preclude or have any consequences regarding your enrolment in the programme, but it will not allow us to inform you in a timely manner of all the advantages reserved for Program Members through commercial communications.

 

For the purposes set forth in paragraph 4 letters d) and e), you are not required to provide a new and specific contribution, since the joint data owners will pursue this further purpose, where necessary, by processing the personal data collected for the above-mentioned purposes, which are deemed compatible with this one (also because of the context in which the data were collected, the relationship between you and the joint data owners, the nature of the data themselves and the adequate guarantees for their processing, as well as the link between the above-mentioned purposes, from A. to C., and the above-mentioned further purposes).

 

6. HOW WE KEEP YOUR PERSONAL DATA SAFE

The joint data owners shall use a wide range of security measures in order to enhance the protection and maintenance of the security, integrity and accessibility of your personal data.

The joint data owners have identified, within the parent company Alitalia, the person to be entrusted with the task of managing the infrastructure, the systems and the related security measures related to the Program and the website www.alitalia.com and, to that end, Alitalia Loyalty has appointed Alitalia, with a separate written agreement, as Data Processor pursuant to Art. 28 of GDPR.

All of your Personal Data are stored on a secure server (or safe paper copies) of the joint data owners, or of our suppliers or business Partners, and are accessible and usable according to our standards and our security policy (or equivalent standards for our suppliers or business partners).

Where the joint data owners have given you (or where You have chosen) a password that allows access to your personal area of our Website, applications or services provided by us, You will be responsible for the confidentiality of that password and for complying with any other security procedure of which we may inform you.

 

7. HOW LONG DO WE STORE YOUR INFORMATIONS

We store your personal data only for the time necessary to achieve the purposes for which they were collected or for any other legal purpose related to them. Therefore, if personal data are processed for two different purposes, we will store said data until the purpose with the longer-term ends, also, we will not store personal data for the purpose whose storage period lasted less.

We limit access to your personal data only to those who need to use them for relevant purposes.

Your personal data that are no longer necessary, or for which there is no longer a legal requirement to store them, are irreversibly anonymized (and this way they can be still be stored) or destroyed in a safe manner.

Below are the retention periods for different purposes mentioned above:

 

  • Personal data and contact details, Data concerning transactions and collected data, and Interests and Data provided by You voluntarily processed for registration and operation of the Program: they will be retained by the joint data owners for the duration of your enrollment in the Program, but not beyond the next 10 years from the cancellation of the Program for documents and data of a civil law, accounting and tax nature as provided by applicable law.
  • Interests and data provided by you voluntarily and transaction data for profiling purposes: If you have given your consent for us to process your personal data for profiling purposes, such data will be retained for 36 months after collection, however we will periodically refresh your consent for such purposes in order to respect your choices.
  • Personal data and contact details as well as transaction data processed for marketing purposes: in case of processing of your personal data for marketing purposes, which involves the use of only personal data and contact details, such data will be kept for 36 months from collection within the marketing database; however, we will periodically refresh your consent for such purpose in order to respect your choices.
  • Browsing data: such personal data will be kept as long as your MilleMiglia profile is active. The retention period for the various cookies that may be used, can be consulted in the appropriate cookie notice at the following link.

 

With particular reference to the judicial protection of our rights or in case of requests by the authority, the personal data processed will be kept for the time necessary to fulfil  the request or to pursue the protection of said rights.

 

8.  WITH WHOM MAY WE SHARE YOUR PERSONAL DATA

Your personal data may be accessed by duly authorized employees, including external suppliers, appointed, if necessary, as data processors, who provide support for the provision of services related to the Program or as autonomous data owners.

The following may also gain knowledge of your personal data, for the purposes specified above:

 

  • persons who may access personal data pursuant to legal provisions laid down in the law of the European Union or that of the member state to which the joint data owners are subject;
  • companies of the Alitalia Group, such as Alitalia CityLiner S.p.A. in A.S.;
  • banks and payment companies;
  • third parties such as law firms and public authorities to whom we refer so that the contract entered into is observed or applied and to safeguard all our other legitimate interests;
  • third parties such as police and national authorities to protect our rights;
  • public authorities and public security forces following a valid request;
  • companies that offer IT infrastructure and support and consultancy services as well as the design and implementation of software and websites;
  • companies which offer useful services to customize and optimize our services, including those to supply and manage the customer service.

 

Any communication of the personal data shall take place in full compliance with the legal provisions provided by the GDPR.

Please contact us at the addresses below if you wish to view the list of data controllers and other persons to whom we disclose the personal data. Your personal data will not be disclosed to third parties.

 

9.     TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

In order to carry out some of the activities of processing of your personal data, the joint data owners will communicate the same to external entities located in countries that do not belong to the European Union (EU) or the European Economic Area (EEA) (hereinafter the "Third Countries").
In particular, the joint data owners will inform you that personal data may be transferred to Third Countries; the lawfulness of such transfer is, in any case, guaranteed through the instruments provided for by art. 46 of the GDPR, as the joint data owners have signed the Standard Contractual Clauses approved by the European Commission (supplemented by additional technical/organizational/legal measures).
These external parties will process your personal data as autonomous data owners or as data processors, duly appointed by the joint data owners in accordance with the data protection legislation (depending on the role they play in relation to processing).
You may write to the data owners at any time, using the contact details below, asking which entities your personal data will be disclosed to, and to receive a copy of the safeguards adopted for the transfer.

 

10.     ANY AUTOMATED DECISION-MAKING PROCESSES

The data owners shall not use automated decision-making processes, including profiling, without your consent.

 

11. YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO FILE COMPLAINTS WITH THE SUPERVISORY AUTHORITY

Under the conditions provided by the GDPR you have the right to request from the joint data owners:

 

  •  Access to your personal data, as provided for in art. 15 of the GDPR,
  • rectification and integration of your personal data in our possession considered incorrect, as provided by art. 16 of the GDPR,
  • deletion of personal data for which we no longer have any legal basis for their processing, as provided by art. 17 of the GDPR,
  • limitation of the way in which we process your personal data if one of the cases provided for in art. 18 of the GDPR applies,
  • a copy of the personal data you have provided to us, in a structured format, commonly used and readable by an automatic device for processing based on the contractual relationship (so-called. portability), as provided by art. 20 of the GDPR,
  • not to be subjected to decisions based solely on automated processing including profiling, which produce legal effects that concern you, if you have not given your prior consent, as provided for in art. 22 of the GDPR,
  • withdrawal of your consent at any time, in the event that the processing is based on consent. It should be noted that any withdrawal of consent will only take effect with regard to subsequent processing, without prejudice to the lawfulness of the processing previously carried out prior to such withdrawal.

 

 

Right to object: in addition to the rights listed above, you have the right to object at any time, for reasons related to your particular situation to the processing of personal data carried out for the purposes of the legitimate interest of the joint data owners and for the processing of personal data for marketing purposes, including profiling to the extent related to such marketing.

 

In the event of his death, the rights mentioned above may also be exercised by anyone who has an interest of his own, or acts in his protection, as his agent, or for family reasons worthy of protection, pursuant to art. 2-terdecies of Legislative Decree. 196/2003, as amended by Legislative Decree No 101/2018 ("Privacy Code"). You may expressly prohibit the exercise of some or all of the above rights by your successors by sending a written statement to the joint data owners at the contact details listed in the following paragraph “CONTACTS” below. This declaration may be revoked or amended at any time and in the same manner.

In order to exercise the aforementioned rights against the joint data owners, you (or your successor in title, within the above limits) may send your communication to Alitalia Loyalty Data Protection Officer, Piazza Almerico Da Schio n. 3, Palazzina Bravo, 00054 Fiumicino (RM), or you can write to the following e-mail address: dpo.alitalialoyalty@alitalia.com, specifying, in both cases, (i) Your name and surname, (ii) your MilleMiglia card number, (iii) the details of your request, without prejudice to your right to exercise the aforementioned rights with regard to each joint data owner.

Exerting such rights is subject to some exceptions aimed to protect the public interest (for example preventing or identifying crimes), and our interests (for example preserving professional secrecy). In case you exert any of the aforementioned rights, it will be our responsibility to check that you are entitled to exert said right, and we will provide a reply, as a rule, within a month.

If you believe that the processing of personal data concerning you is in violation of the provisions of the GDPR, you have the right to lodge a complaint with the guarantor for the protection of personal data, using the references available on the website www.garanteprivacy.it/home.en  or to refer to the appropriate judicial offices.

 

12. CONTACTS OF THE JOINT DATA OWNERS AND OF THE DATA PROTECTION OFFICERS (“RPD” or “DPO")

The contact details of the joint data owners are as follows:

 

  • Alitalia Loyalty S.p.A., Piazza Almerico da Schio, 3, Palazzina Bravo, 00054 Fiumicino (RM)
  • The Personal Data Protection Officer (DPO) appointed by Alitalia Loyalty can be contacted at the following e-mail address: dpo.alitalialoyalty@alitalia.com
  • Alitalia – Società Aerea italiana S.p.A. in A. S., via A. Nassetti s.n.c., Palazzina Alfa, 00054 Fiumicino (RM)
  • The Personal Data Protection Officer (DPO) appointed by Alitalia – Società Aerea italiana S.p.A. in A.S. can be contacted at the following e-mail address: dpo@alitalia.com.

 

Managing your MilleMiglia profile – updating and deleting the Program

If you want to make requests relating to the operational management of Your MilleMiglia profile, as well as to the update of the data contained therein, or to the cancellation of your Program membership, You can send a communication to the following e-mail address: profilomillemiglia@alitalia.com, specifying (i)  your MilleMiglia code, (ii) the details of your request, and providing (iii) a copy of your valid ID document, as provided by the Program Regulations.