Policy pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council
Alitalia – Società Aerea Italiana S.p.A. in limited partnership wishes to inform you, pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council concerning the protection of individuals with regard to the processing of personal data (hereafter “European Regulation”), that it needs to process your personal data collected automatically or provided by you through navigation or use of the website https://www.alitalia.com/ (hereinafter “Website”).
1. THE DATA CONTROLLER
The Data controller is Alitalia – Società Aerea Italiana S.p.A. in limited partnership, in the person of its legal representative, domiciled at the registered office in Via A. Nassetti s.n.c, Pal. Alfa, 00054 Fiumicino (RM) (hereinafter “Alitalia” or “Data Controller”).
2. DATA PROTECTION OFFICER
Due to the processing activities carried out by Alitalia, the Data Controller has deemed it necessary to designate, pursuant to Article 37 of the European Regulation, a Data Protection Officer who you may contact at the following address: Alitalia Data Protection Officer, Via A. Nassetti s.n.c, Pal. Alfa, 00054 Fiumicino (RM), or by sending an email to email@example.com.
3. DEFINITION AND TYPE OF PERSONAL DATA PROCESSED
To allow you to use the Website and its services, the Data Controller needs to know and process some of your personal data.
By personal data we mean information concerning an identified or identifiable natural person, such as, for example, the name, contact details or booking data.
To purchase an air ticket, the data processed will be the name, surname, telephone number, email address, information relating to the trip purchased, including any special assistance requests or preferences related to meals, and payment data. In addition, and depending on the destination, additional categories of personal data may be collected such as, for example, the date of birth, sex and passport number.
On the other hand, and for simply navigating the Website, the types of data processed and the related specific information for “cookies” are specified below.
The computer systems and software procedures used for the functioning of Alitalia acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected for association with identified interested parties, but could – by its very nature and through processing and association with data held by third parties – allow users to be identified.
These categories of data include IP addresses or domain names of the computers used by users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters related to the operating system and the user’s IT environment.
These data are used by the Data Controller for the sole purpose of obtaining anonymous statistical information on the use of the Website and to verify its correct function. The data could also be used to ascertain responsibility in case of hypothetical IT crimes against Alitalia.
Data provided voluntarily by the user
The optional, explicit and voluntary sending of emails to the addresses indicated on this Website entails subsequent gathering of the sender’s email address, which is necessary for responding to requests, as well as any other personal data entered in the message.
Following are the types of cookies used by this Website and the correct methods that allow you to choose easily whether and how your personal data may be processed through this type of technology.
This site uses so-called “technical cookies”, i.e. small text files containing a certain amount of information exchanged between the Website and your terminal (or better, your terminal’s browser), which allow the correct operation and use of the same.
This site uses so-called “profiling cookies”. These cookies are not essential, but they help us to customize and improve your experience on the Website. For example, they help us to indicate the departure airport closest to your location, to recognize and remember your preferences and to show you relevant and personalized advertisements. They also allow us to limit the number of times each ad is shown, measure the effectiveness of the advertising campaign, remember the visit and share the data collected with third parties, such as advertisers.
The elimination of these cookies, therefore, even if it does not compromise the general usability of the Website, may result in a limitation of some features.
Third parties can also install cookies on your device. We do not control the use of third-party cookies and, therefore, we are not responsible for their use. Third parties have their own privacy information and data collection methods. The information is available at the following links:
The provision of all cookies can be deactivated by adjusting the settings of your browser. It should be noted, however, that adjustment to these settings could make the Website unusable if essential cookies for the supply of our services are blocked. However, each browser has different settings for deactivating cookies. The links to the instructions for the most common browsers are here Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera.
- CALL CENTER
Calls made to the Call Center numbers listed on the Alitalia Website may involve processing the user’s personal data in order to provide the services requested by the user, such as: bookings, purchase and dispatch of air travel documents requested by the passenger, changes to or replacements for tickets that have already been issued, refunds, after-sales assistance, special assistance and purchases of additional flight services, etc. Finalizing electronic transactions may involve collecting data from customers’ credit cards, which will be processed with all of the necessary precautions set out in the relevant legislation. Alitalia may also use third-party call centers that operate in full respect of privacy regulations, with a special service contract on behalf of the Data Controller, as external Data Processors pursuant to Article 28 of the European Regulation. If the third-party call centers process data that Alitalia is Data Controller for outside the EU, Alitalia requires its suppliers to respect the safeguards set out in Article 46 of the European Regulation.
- ACCESS THROUGH SOCIAL NETWORKS
Please note that all the members of the MilleMiglia Program (the “Program”) that the personal data provided during the subscription to the Program will be collected and processed by Alitalia in a form that guarantees its security and compliance with the European Regulation. In addition, we inform subscribers of the Program that access through the Alitalia Social Login service also through the following links [Facebook – Twitter – Instagram and LinkedIn] that the personal data provided will be used for purposes strictly connected and instrumental to participation in the Program and/or registration to the Program itself, as well as customization of the services devised by Alitalia, subject to express consent. The data provided will be processed by Alitalia for promotional, advertising and marketing purposes, such as sending advertising, promotional and informative material on products and services, as well as for direct statistical analyses for detecting the degree of satisfaction for services and products offered
4. PURPOSE OF THE PROCESSING AND LEGAL BASIS
The personal data of which the Data Controller is in possession are exclusively those provided by you during navigation and/or during the use of our services. Therefore, personal data will be processed for:
A) Allowing you to take advantage of our ticket purchase service;
B) Meeting travel needs and offering the required services;
C) Sending communications relating to the state of service of your flight in case of need;
D) Meeting all the legal requirements related to passenger air transport;
E) Providing updated news on Alitalia’s activities and promotions, by sending newsletters, advertising material and/or communications and information of a commercial and direct marketing nature on our services and products, on their offers, on discounts and on any other promotional and loyalty initiatives, both through traditional and totally automated contact systems, as, for example, through the residence and/or email addresses, or through SMS messages;
F) Joining the MilleMiglia program;
G) Customizing the content of commercial communication in order to offer only products and dedicated offers that are in line with expressed tastes and preferences as well as for a better flight experience.
Given the choice to use the services provided by the Website, the legal basis on which the processing of your personal data is based may be:
- The data provided are necessary to complete the bookings made and, therefore, perform the air transport contract;
- The processing of personal data is necessary to comply with legal obligations in the aeronautical field, applicable from time to time depending on the destination;
- The processing of personal data may be necessary to protect the vital interests of one or more natural persons;
- The Data Controller has a legitimate interest in processing personal data to offer the best service and the best flight experience;
- Based on the specific consent that can be freely provided, to carry out direct marketing initiatives and profiling.
Personal data may be processed either through IT tools or on paper.
5. STORAGE PERIOD OF PERSONAL DATA
The Data Controller intends to store personal data for a period of time no longer than necessary to achieve the purposes for which it was collected and processed.
Regarding the processing of personal data for the purposes of direct marketing – if it has been explicitly authorized, and in compliance with the regulatory requirements and the General Provision of the Guarantor for the protection of personal data adopted on February 24, 2015 regarding loyalty cards – Alitalia has decided to ensure the deletion of your personal data processed for direct marketing purposes within 24 months of their registration. Personal data processed for profiling purposes will instead be deleted after 12 months from registration.
With regard to other personal data, since the Data Controller cannot accurately determine the storage period of personal data, the Data Controller undertakes from now on, for the processing of personal data in his/her care, to be inspired by the principles of adequacy, relevance and data minimization, as required by the European Regulations, periodically checking the need for their conservation. As a result, and once they have achieved the purposes for which they were collected and processed, we will remove them from our systems and records and/or take appropriate measures to make them anonymous, so as to prevent you from being identified.
This, without prejudice to circumstances in which we will need to maintain such data to comply with regulatory obligations, or to ascertain, exercise or defend our right in court.
6. CATEGORIES OF PARTIES TO WHOM DATA MAY BE DISCLOSED
The processed data will not be disclosed to third parties. They can however come to know your data, in relation to the treatment purposes previously outlined:
· Persons who can access the data by virtue of a legal provision provided for by European Union law or by that of the Member State to which the Data Controller is subject, including the Central Directorate of Immigration and the Border Police;
· Our employees, provided that they have been previously appointed as Processing Coordinator, System Administrator, or as a person acting under the authority of the Data Controller or the Data Processor, provided that they have been previously instructed to do so by the Data Controller;
· External parties that perform functions strictly connected or instrumental to the activity of air transport, such as other air transport companies, external or belonging to the Alitalia Group, such as Alitalia CityLiner S.p.A. in limited partnership, and handling companies, as independent Data Controllers or Data Processors that may be considered fundamental for the operations of Alitalia flights, as well as Alitalia Loyalty S.p.A. as the co-owner of the data relating to the MilleMiglia program;
· Credit card companies and service providers for anti-fraud checks connected to the payment process and (where necessary) activation of the anti-fraud control procedure;
· Third parties such as law firms and public authorities that we use to ensure that the stipulated contract is respected or applied;
· Third parties such as police and national authorities to protect our rights, property or safety, personnel and resources;
· Public authorities and law enforcement agencies, such as customs and immigration authorities, following a valid request;
· Parties who perform, in complete autonomy as separate Data Controllers, or as Data Processors appointed for this purpose by Alitalia, auxiliary functions with respect to the activities and services referred to in paragraph 4., such as; business partners; companies offering advertising, marketing and communication services; companies that offer IT infrastructures and IT assistance and consultancy services, as well as the design and implementation of software and Internet sites; companies that offer services useful for customizing and optimizing our services, including those for providing and managing customer service; companies that offer useful services for analyzing and developing data and developing and conducting market research.
Any communication of personal data will take place in full compliance with the provisions of the law provided for by the European Regulations and the technical and organizational measures prepared by the Data Controller to ensure an adequate level of security.
7. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Alitalia is a global carrier that transports passengers to a number of countries around the world. The Data Controller may transfer personal data to third countries for the purpose of the proper conduct of Alitalia activities, as well as for the fulfillment of obligations arising from requests by the interested party. Therefore, the transfer in question is necessary for the performance of the contract concluded between the interested party and Alitalia and, in some cases, to fulfill the legal obligations to which the Data Controller is subject.
In case of transfer of personal information of interested parties outside the European Union, we are committed to:
- including the standard contractual data protection clauses approved by the European Commission for the transfer of personal information outside the EEA in our contracts with such third parties (these are the clauses approved pursuant to Article 46.2 of the General Data Protection Regulation ( “GDPR”); or
- to make sure that the country in which personal information will be handled has been deemed “adequate” by the European Commission under Article 45 of the GDPR; or
- (if applicable, when we transfer the personal information of data subjects to a recipient in the United States) to make sure that the recipient is part of the Privacy Shield, which requires such recipient to provide similar protection to any personal information shared between Europe and the United States.
For more information on the rules for data transfers outside the EEA, including the mechanisms on which we rely, see the European Commission website here [hypertext link to https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection_en].
- PASSENGERS TRAVELING TO THE UNITED STATES
As of March 5, 2003, the US authorities have requested that carriers operating flights from, to, or through the United States of America provide electronic access to passenger data to the United States Bureau of Customs and Border Protection (CBP), for reasons of security and protection of their territory.
Carriers that do not comply with such requests could incur heavy penalties, and even lose the right to land in the United States of America.
For their part, the passengers of such carriers could be subject to more thorough and prolonged checks within the airports of that country, with all the possible inconvenience that comes with this.
Alitalia, as all European carriers operating from, to, or through the United States of America, complies with the above requests.
The transfer of passenger data to the US authorities is, in fact, a condition for operating air transport services from, to, or through the US territory.
If a passenger does not allow access to such data, this objection would consequently make it impossible for him or her to travel to, from, or through the United States of America. Alitalia, therefore, in compliance with the requirements set by said Authorities, reserves the right to cancel bookings where this data is missing on the day prior to the deadline of 72 hours before departure.
The processing of PNR data is governed by the international agreement of July 26, 2007 between the European Union and the United States. The European Union will ensure that air carriers respect these obligations. Alitalia must comply with these requirements. For a more complete explanation on the processing of PNR data collected by the US authorities (DHS – Department of Homeland Security) in relation to flights between the European Union (EU) and the United States, we hereby refer you to the international agreement and the DHS accompanying letter, published in the Official Journal of the European Communities L 204 of August 4, 2007, which is available by clicking here.
Alitalia therefore has deemed it necessary to ensure that its passengers be aware of the following information concerning the methods for processing and transferring the data contained in the bookings (which the United States of America undertook to respect by virtue of the aforementioned agreement with the European Community), which are provided in the form of FAQs.
- What type of passenger data can they access?
The United States Bureau of Customs and Border Protection (US CBP) has access to PNRs (Passenger Name Records, that is, customer data recorded when booking air travel) regarding flights operated from, to, or through the United States of America.
These are electronic files created in the computer systems used by the carriers for each itinerary booked by a passenger, and which contain information of various kinds, including: name of the passenger, telephone contact, details of the flight (date of travel, origin and destination, seat number on board, number of pieces of baggage, etc.), as well as further details such as: the indication of any travel agency involved, the manner of payment, etc.
The PNR therefore includes all data provided by a passenger during the booking process. Immediately after takeoff, the passenger’s passport details (surname, name, date of birth, nationality, passport number, and gender) are also sent to the United States Customs and Immigration Authorities.
AUTHORITIES AND PURPOSES
- Who will have access to customers’ data, who will store them, and for what purposes will they be used?
The US CBP, which is part of the Department of Homeland Security, will have access to the data.
This agency will use them to prevent and combat terrorism and serious criminal acts.
The US CBP will not allow public access to said data. According to US legislation, however, they could be forwarded to other US Authorities tasked with fighting terrorism or enforcing legal obligations and serving the interests of justice, following, however, a case-by-case assessment, and always for the purposes of preventing and fighting terrorism or serious criminal acts.
This data could also be made available, when necessary, to protect the vital interests of passengers or third parties (particularly in the event of significant health risks), or in the context of criminal proceedings, or in other cases provided for by law.
- How is passenger data used?
The data is intercepted by the US CBP within the reservation systems up to 48 hours before flight departure and are used to carry out checks on passengers prior to their arrival on US territory, with the aim of facilitating the entry of most travelers, and focusing the resources of the US CBP only on the small number of passengers who could pose a real security risk.
The data will be kept for a period of seven years, although, in cases where manual access to the data has been made during this period, they may be kept for a further eight years.
The US Authorities will also adopt all the appropriate technical and organizational measures to prevent the unauthorized use of the data.
- What rights do passengers have, and how can they be exercised?
The US Authorities have undertaken, in principle, not to oppose requests from passengers who wish to receive a copy of the data intercepted in the PNR and stored in their databases. Passengers may request the amendment of their data and obtain this when the US CBP or the Transport Security Agency (TSA) deems this request justified and sufficiently proven. A negative decision may, however, be subjected to judicial challenge.
Amendment requests and complaints about the processing of PNR data may be addressed by passengers (either directly or through the data protection authorities in the Member States) to the DHS Privacy Office (FOIA program):
FOIA – Privacy office
Department of Homeland Security
245 Murray Drive SW
Washington, DC 20528-0550
Toll Free number: +1-866-431-0486
- PASSENGERS TRAVELING TO CANADA
As of June 18, 2007 the Canadian Government has introduced the Passenger Protect Program to implement a border control system functioning as an anti-terrorism measure. The Passenger Protect Program requires that all air carriers operating flights from, to, or through Canada check passenger names at check-in, comparing them to the names on the lists prepared and provided by the Canadian Authorities, in order to assess whether or not to allow passengers on this list to board. The Passenger Protect Program, which initially started on a voluntary basis, became mandatory for airlines in September 2008. Alitalia, in order to avoid huge penalties or, in the worst case scenario, the suspension of the right to land on Canadian territory, has complied with these requirements, obtaining in advance the necessary favorable opinion from the Italian Data Protection Authority. Indeed, despite requesting further analysis of the Passenger Protect Program from the European Commission, the Italian Authority gave a favorable opinion based on the balance of interests, pursuant to Art. 24(g) of Legislative Decree No. 196/2003.
The data that Alitalia requires for forwarding to the Canadian Authorities are: name, date of birth, gender, and passport number.
Please note that if a passenger does not allow access to and the forwarding of such data, this refusal will necessarily imply the impossibility for Alitalia to transport such a passenger by air to Canada. Alitalia’s Security Department has been tasked with checking any correspondence in the names on the lists sent by the Government of Canada and those of the passengers on the Company’s check-in list.
- PASSENGERS TRAVELING TO JAPAN
As of February 1, 2007, the Japanese Authorities require, on the basis of the Partial Amendment of the Immigration Control and Refugee Recognition Act, the personal data that are on the passport of all passengers traveling to Japan. The transfer of passenger data to Japanese authorities is a requirement for operating air transport services for Japan.
If a passenger does not allow the transfer of such data, this refusal would consequently make it impossible for him or her to travel to Japan.
8. POTENTIAL AUTOMATED DECISION-MAKING PROCESSES
The Data Controller does not use automated decision-making processes, including the profiling referred to in Article 22, paragraphs 1 and 4 of the European Regulation, without your consent. If you consent to profiling, the data provided will be used to analyze or predict preferences, behaviors and stances in order to customize the content of marketing communication, and offer only products and offers in line with the tastes and preferences expressed, thus decreasing the number of marketing communications that we will send, and offering a better flight experience.
9. NATURE OF THE PROVISION
The provision of your personal data for the purposes referred to in paragraph 4.A - 4.B - 4.C - 4.D is mandatory, as your refusal to provide the personal data requested would make it impossible for Alitalia to provide the air transport service.
The provision of personal data for the purposes referred to in paragraph 4.E is optional, but failure to provide them, while in no way preventing the use of the website, may not allow us to ensure you benefit fully from the advantages offered through the advertising, commercial, and direct marketing communications, as well as to inform you about additional services, discounts and promotions offered.
The provision of personal data for the purposes referred to in paragraph 4.F is optional, but failure to provide them prevents the enrollment in the Program.
The provision of personal data for the purposes referred to in paragraph 4.G is optional, but failure to provide them may not allow us to ensure you benefit fully from the reserved advantages, or to receive offers consistent with the tastes and preferences you express, and a better flight experience.
10. RIGHTS OF THE DATA SUBJECT
In connection with the processing of your personal data, in accordance with the European Regulation, the data subject has the right to:
· withdraw consent to processing at any time, for any additional processing that is not necessary for the purpose of providing the agreed service. It should be noted, however, that the withdrawal of consent does not affect the lawfulness of the processing based on consent before revocation, as provided for by Art. 7(3) of the European Regulation;
· ask the Data Controller to access personal data, as provided by Art. 15 of the European Regulation;
· obtain the amendment and integration of personal data that is deemed inaccurate from the Data Controller by providing a simple supplementary statement, as provided for by Art. 16 of the European Regulation;
· obtain the deletion of personal data from the Data Controller if there is even only one of the reasons provided for by Art. 17 of the European Regulation for any additional processing that is not necessary for the purposes of providing the agreed service;
· obtain the limitation of the processing of personal data from the Data Controller in the event of one of the hypotheses provided for by Art. 18 of the European Regulation for any additional processing that is not necessary for the purposes of providing the agreed service;
· receive the personal data concerning you from the Data Controller in a structured, commonly used format readable by an automatic device, as well as the right to transmit such data to another data controller without impediments, as provided for by Art. 20 of the European Regulations;
· oppose at any time, for reasons connected to your individual situation, the processing of personal data carried out pursuant to Art. 6(1)(e) or (f), including profiling on the basis of these provisions, as required by Art. 21 of the European Regulation;
· not be subjected to decisions based solely on automated processing, including profiling, that produce legal effects relating to you, unless you have previously and explicitly consented to this, as required by Art. 22 of the European Regulation. By way of example this category includes, but is not limited to, any form of automated processing of personal data aimed at analyzing or predicting matters concerning your consumption and purchase choices, financial situation, interests, reliability and behavior;
· file a complaint to a supervisory authority, if you deem that the processing that concerns you is in breach of the European Regulation. A complaint may be filed in the Member State in which you usually reside, work, or in the place where the alleged breach has occurred, as provided for by Art. 77 of the European Regulation.
To exercise all your rights, you can contact the Data Controller, in the person of the legal representative, by writing to the registered office in Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM), providing us with the following data:
- Name, surname and mailing address
- Details of the request
- Reservation code or flight number and date
- Photocopy of a valid identity document
To exercise the rights related to the MilleMiglia program, you can send an email to the following address: firstname.lastname@example.org enclosing: (i) MilleMiglia card number; (ii) details of the request; (iii) a copy of a valid identity document.
11. CONSENT OF MINORS IN RELATION TO DIGITAL SERVICES
To be able to use the services provided through the website it is necessary to be older than 16; the processing of personal data of those under 16 is allowed, provided that it is exercised by the persons exercising parental responsibility. For more information, visit the page Plan Your Trip.
12. CHANGES IN CONSENT TO THE PROCESSING OF PERSONAL DATA
You may modify the consent granted for the following purposes at any time:
- 4E by clicking on the “unsubscribe” link available in each newsletter received or by replying “unsubscribe” to the SMS you have received
- 4F by accessing your personal MilleMiglia page, in the section for this