POLICY AND CONSENT TO THE USE OF PERSONAL DATA, PURSUANT TO ITALIAN LEGISLATIVE DECREE NO. 196 OF JUNE 30, 2003, ART. 13
Alitalia Società Aerea Italiana S.p.A. ("Alitalia S.p.A.") handles all of its customer data according to the legislation referred to in Italian legislative decree no. 196 of June 30, 2003, regarding the "Personal data protection code," which implements the European Union directives on this subject in Italy.
Alitalia S.p.A. ensures that the processing of personal data—however it is obtained—is performed with respect for fundamental rights and freedoms, as well as the individual's dignity, with particular reference to confidentiality, personal identity and the right to personal data protection. This policy is not valid for data collected through Alitalia's partner websites, which may be accessed using links on the Alitalia website, for which the company is not responsible in any way. For such processing, a separate policy should be provided by the respective owners.
For security reasons, Alitalia is required, to an increasing extent, to notify the various local authorities worldwide—the immigration and customs service in particular—of our customers' personal and travel data, obtained as part of normal flight schedules; as well as in Italy where requested by the Central Directorate for Immigration and Border Police. This notification is required in order to implement the contract of carriage.
Furthermore, measures taken to ensure data confidentiality comply with the provisions set out in the opinions of the Working Group Art. 29 for Personal Data Protection no. 2/2007 of February 15, 2007, reviewed and updated on June 24, 2008, on the information for passengers concerning the transfer of PNR data to the United States authorities (for more details, please see Information for Passengers Traveling to the United States).
Please carefully refer to this page regularly to check for any necessary updates or revisions, as well as to adopt and/or conform to national, community or international legislation, or to adapt to technological innovations.
Updates will be reported on this web page and will remain visible at all times, so that anyone who wishes to do so can be fully informed about the use of their own personal data through the Alitalia website or through other different data collection channels.
We recommend looking at this page every time you visit the Alitalia website.
DATA PROCESSING AND METHODS
Personal data processing will occur, including by means of external providers appropriately called external processing managers, with guaranteed security and confidentiality. These providers may be located also outside the European Union in accordance with the art. 26 of Directive 95/46/EC, after analysis of appropriate security measures and after the subscription of the standard clauses made available by the European Commission – The data processing may be performed not only with manual tools but also with automatic tools (both computer and telematic) that are capable of storing, managing and transmitting the said data. Personal data will be: processed in a legal and proper manner; collected and recorded for specific, explicit, legitimate and precise purposes, and, if necessary, updated, relevant and complete purposes, not exceeding the purposes of processing; stored in a way that allows it to be identified by the individual for a period of time not exceeding the time necessary for the purposes for which it was collected or subsequently processed.
DATA PROVIDED VOLUNTARILY BY THE USER
Alitalia collects personal information and other data that is communicated through the Company's call center or voluntarily entered into registration forms on the website and the Mobile site, as well as optional and explicit data submitted to the Company by post or email. This data may be information that is necessary for providing the services requested by the individual (primarily the air transport service), or other services (e.g. newsletter) and/or for contacting the individual (name, address, any other personal data entered in the message). The optional, explicit and voluntary sending of emails to the addresses indicated on this website implies the subsequent gathering of the sender's email address—which is necessary for responding to requests—as well as any other personal data entered in the message.
BROWSING DATA COLLECTED BY USING ELECTRONIC TOOLS
The computer systems and software procedures used to operate the Alitalia S.p.A. website and Mobile site acquire, over the course of their normal use, a series of personal information, the transmission of which is implicit in the use of Internet communication protocols (e.g. the user's IP address or the domain name of the computer used to access the website, the URL of the requested resources, the time of the request or the session time, the method used to submit the query to the server, the size of the files received in response to the request, the numerical code concerning the response status given by the server and other types of information regarding the user's operating system and computing environment).
While browsing the Alitalia S.p.A. website, information will be collected that allows your computer or browser to be identified using files called "cookies." "Cookies" are strings of encrypted text that can be stored on the user's cell phone (if accessing the Mobile site) or computer, so they can be quickly identified at a later date. Cookies for the Mobile site only store data relating to Name, Surname and Ticket Number. Cookies for computers allow websites to be personalized, making navigation easier for the user and—by quantitatively checking access to various web pages—allowing better presentation of the most requested information. The cookies we use do not store personal data, except for the IP address. The rest of the information stored in the cookies will remain anonymous because the cookie's identification number is not associated with the personal data provided by the user. Users can always request that the cookies are disabled by modifying their browser settings.
DATA COLLECTED THROUGH THE CALL CENTER
Calls made to the Call Center numbers listed on the Alitalia website may involve processing the user's personal data with the aim of providing the services requested by the user, such as: bookings, purchase and dispatch of air travel documents requested by the passenger, changes to or replacements for tickets that have already been issued, refunds, after-sales assistance, special assistance and purchases of additional flight services, etc. Finalizing electronic transactions may involve collecting data from customers' credit cards, which will be processed with all of the necessary precautions set out in the relevant legislation. Alitalia may also use third-party call centers that operate—always in full respect of privacy regulations—with a special service contract on behalf of the Holder, as external data processors pursuant to Art. 29 of Legislative Decree no. 196 of June 30, 2003. If the third-party call centers process data owned by Alitalia outside the EU, Alitalia asks the suppliers to respect the safeguards set out in Directive 95/46/EC and in the subsequent European Commission Decisions.
PURPOSE OF COLLECTION
By means of the website, Alitalia collects personal data from its users, which is required for implementing the operations for authorizing, enabling and granting individual access to the different areas and relevant contents of the Company's website. As specified, Alitalia S.p.A. collects the data necessary for complying with the contractual obligations to customers and the data from passenger ticket booking and purchasing operations, from the provision of ancillary services, as well as the data necessary for managing reports and complaints sent by customers and for the other purposes described above. Fulfillment of these obligations necessarily implies that this data must be made accessible to Alitalia's operations and commercial staff, as well as partner carriers in the execution of various commercial agreements and, where necessary, the insurance companies with which Alitalia has taken out the compulsory or optional covers related to the execution of air transport services and related services. The personal and/or sensitive data provided or collected throughout the contractual relationship may, in accordance with and within the limits of the requested service, be communicated to:
- Parties within the Alitalia S.p.A. facility For the purposes of improved performance, parties appointed as data processors by Alitalia S.p.A. pursuant to the procedures set out in Italian Legislative Decree 196/2003;
- Parties outside of the Alitalia S.p.A. facility that perform functions that are strictly connected or instrumental to our business, functions that must be considered fundamental to Alitalia's operations.
Any sensitive data may be also processed without the individual's express consent in the cases of Art. 26, no. 4, Legislative Decree 196/2003. However, this data will not be disclosed. It must be noted that in some cases (not subject to the ordinary administration of this website) the Authority can request news and information pursuant to Art. 157 of Legislative Decree no. 196/2003, for the purposes of controlling personal data processing. In these cases, response is mandatory, under penalty of a fine. Alitalia S.p.A., as "Holder," informs you that the data in question will be processed and used exclusively for the purposes outlined in this policy.
ACCESS THROUGH SOCIAL NETWORKS
We also wish to advise members of the MilleMiglia Program (hereinafter referred to as the "Program"), who intend to join the Alitalia Social Login service, that the personal data provided when joining the service (hereinafter the "Service") will be collected and recorded by Alitalia S.p.A. on paper, electronic and/or computer and/or telematic formats, protected and processed with the appropriate means for ensuring security and confidentiality in accordance with the provisions of the Code. Please note that the data provided directly when joining or indirectly through Social Networks may be used for purposes strictly connected and instrumental to participation in the Program and/or joining the Program itself, as well as personalization of Services designed by Alitalia S.p.A for subscribing customers. Subject to customer consent, the data provided may be used by Alitalia S.p.A. for promotional, advertising and marketing purposes, such as sending advertising, promotional and informational material on products and services, as well as for direct statistical analyses for detecting the degree of satisfaction for services and products offered. Email firstname.lastname@example.org
Alitalia S.p.A. customers may contact the Holder of the processed data to assert their rights as stipulated in Art. 7 of Italian Legislative Decree no. 196/2003 (including, but not limited to, the rights to obtain confirmation of the existence of data and the communication of said data in an intelligible form, the source of the data, the purposes and methods of processing, updating, correction or integration, deletion, anonymization or blocking of personal data processed illegally, and finally the right to object, in whole or in part, to its use) by means of a request sent without formal procedures to the following email address: email@example.com or by any other means that will be appropriately made known to the user. Please note that requests of any other kind (e.g. complaints, refund requests, requests regarding the MilleMiglia Program, etc.) sent to the privacy inbox will not be taken into consideration. For any such requests, please use the dedicated telephone numbers and addresses. (e.g. see pages: Contacts or Post-flight Assistance or the MilleMiglia section). If you no longer wish to receive communications from the Alitalia Group, please follow the following procedures:
- For sales communications from Alitalia, click the cancellation link found at the bottom of all emails from Alitalia. Cancellation may take several minutes. Please wait for confirmation that the operation has ended before leaving the relevant web page. Data will be deleted within five days of the cancellation request
- For communications to MilleMiglia Members, please access the "Your profile" service, selecting "No communication" in the "Communication" section of "News and Offers", and click on "Update". Or, you can call Customer Service. Your profile will be updated within five days of the request
DATA CONTROLLER AND DATA PROCESSOR
The Data Controller is Alitalia Società Aerea Italiana S.p.A.
with registered office in Via A.Nassetti
Fiumicino (RM), Italy
POLICY AND CONSENT TO THE USE OF PERSONAL DATA, PURSUANT TO LEGISLATIVE DECREE NO. 196 OF JUNE 30, 2003, ART. 13
As of March 5, 2003, the United States Authorities require carriers with flights from, to or through the United States of America, to provide the United States Bureau of Customs and Border Protection (CBP), for security reasons and to protect the United States of America, with electronic access to passenger data.
Carriers that do not fulfill these requirements could face heavy fines and even lose the right to land in the United States of America.
In turn, passengers on these carriers may be subject to more accurate and extended checks in United States airports, with all the possible inconveniences this may cause.
Alitalia, like all European carriers flying from, to or through the United States of America, sought to fulfill the abovementioned requirements.
The transfer of passenger data to the United States Authorities is in fact a condition of operating air transport services from, to or through the United States of America.
Any passengers who do not consent to their data being accessed will consequently not be permitted to fly from, to or through the United States of America. Alitalia therefore, in compliance with that required by said Authorities, reserves the right to cancel bookings where this data is missing the day before the deadline of 72 hours before departure.
The processing of PNR data is covered by the international agreement of July 26, 2007 between the European Union and the United States. The European Union will ensure that air carriers respect these obligations. Alitalia must comply with these requirements. For a more detailed explanation of PNR data processing collected by the United States Authorities (DHS – Department of Homeland Security) in relation to flights between the European Union (EU) and the United States, please refer to the international agreement and accompanying letter from the DHS, published in the Official Journal of the European Community L 204 of August 4, 2007, which you can see by clicking here.
Alitalia, therefore, considered it necessary to ensure that its passengers are aware of the following information relating to the processing and transfer methods of data contained in bookings (to which the United States of America is committed, pursuant to the agreement with the European Community), which are reported in the form of answers to specific questions.
- What type of passenger information can they access?
The United States Bureau of Customs and Border Protection (US CBP) has access to PNR (Passenger Name Record, or data from registered customers in the process of booking a flight) regarding flights from, to or through the United States of America.
This is in the form of electronic "files" created in the computer systems used by carriers for every itinerary booked by the passenger, containing various types of information, including: passenger name, telephone number, flight details (date, origin and destination, on-board seat number, number of bags, etc.), as well as other information such as: the name of any travel agency involved, payment method, etc.
The PNR therefore includes all the information provided by the passenger when booking. Immediately after takeoff, the passenger's passport details (surname, name, date of birth, nationality, passport number and gender) are also sent to the United States Customs and Immigration Authorities.
AUTHORITIES AND PURPOSES
- Who will have access to customer data, who will keep it and for what purposes will it be used?
The US CBP, which is part of the Department of Homeland Security, will have access to the data.
This entity will use it to prevent and combat terrorism and serious criminal acts.
The US CBP will not allow the public to access the data in question. According to United States law, data may still be transmitted to other US Authorities for combating terrorism or to comply with legal obligations and in the interests of justice. However, this must only occur after a case-by-case evaluation and always for the purposes of preventing and combating terrorism or serious criminal acts.
This data could also be made available, when necessary, for protecting the vital interests of passengers or third persons (especially in cases of significant health risks) or in criminal proceedings or other cases required by law.
- How will passenger data be used?
The data is intercepted by the US CBP within the booking system up to 48 hours before departure of the flight and is used to perform checks on passengers before they arrive in the United States of America, in order to facilitate the entry of most of the travelers, focusing the US CBP resources on a limited number of passengers who could be a real security threat.
The data is stored for a period of seven years, although, in cases where the data is accessed manually within this period, it could be stored for a further eight years.
Moreover, the United States Authorities will adopt all the appropriate technical and organizational measures to prevent unauthorized use of the data.
- What rights do passengers have and how can these be exercised?
The United States Authorities have undertaken, in principle, not to oppose requests from passengers to receive a copy of the data intercepted in the PNR and stored in their databases. Passengers may request that their data is amended and obtain it, where the US CBP or the Transport Security Agency (TSA) consider this request justified and adequately supported.
However, a negative decision may be subject to judicial appeal.
Passengers may address (directly or through the authorities in charge of data protection in the Member States) requests for amendments and complaints regarding PNR data processing to the DHS Privacy Office (Freedom of Information Act [FOIA] Program):
Department of Homeland Security
245 Murray Drive SW
Washington, DC 20528-0550
Toll-free number: +1 866 431 0486
Tel.: +1 703 235 0790
Fax: +1 703 235 0443
Passengers can also receive further information on the protection of privacy through the competent authorities in their own country. In Italy, please contact the Italian Data Protection Authority: Garante per la Protezione dei Dati Personali, Piazza Montecitorio, 121 – 00186 Rome, tel. 06 69677713, fax 06 69677715.
Alitalia currently only allows the US Authorities access to PNR data.
However, in the near future, it cannot be ruled out that other countries could put similar systems in place for accessing bookings for air carriers flying from, to or through their country.
As of June 18, 2007, the Government of Canada introduced the Passenger Protect Program to create a border control system as an anti-terrorism measure.
The Passenger Protect Program requires that all air carriers flying out of and into Canada check passenger names at check-in, comparing them to the names on the list prepared and provided by the Canadian Authorities, in order to assess whether or not to allow the passengers on this list to board. The Passenger Protect Program, which was initially voluntary, became mandatory for airlines in September 2008.
In order to avoid considerable fines or, in the worst case scenario, lose the right to land in Canada, Alitalia complied with the requirements, obtaining, in advance, the necessary favorable opinion from the Italian Data Protection Authority. In fact, although the Italian Data Protection Authority requested further analyses from the European Commission of the Passenger Protect Program, it gave a favorable opinion based on the balance of interests, pursuant to Art. 24 letter g. of Legislative Decree no. 196/2003.
Alitalia requires the following data to subsequently send to the Canadian Authorities: name, date of birth, gender and passport number.
As of February 1, 2007, based on the Partial Amendment to the Immigration Control and Refugee Recognition Act, the Japanese Authorities require as mandatory the personal data written on the passports of all passengers traveling to Japan.
The transfer of passenger data to the Japanese Authorities is a condition of operating air transport services to Japan.
Any passengers who do not consent to their data being transferred will consequently not be permitted to fly to Japan.