Policy pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council
Alitalia – Società Aerea Italiana S.p.A. in limited partnership wishes to inform you, pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council concerning the protection of individuals with regard to the processing of personal data (hereafter “European Regulation”), that it needs to process your personal data collected automatically or provided by you through navigation or use of the website https://www.alitalia.com/ (hereinafter “Website”) and the Alitalia App (https://apps.apple.com/it/app/alitalia/id377912556 e https://play.google.com/store/apps/details?id=com.alitalia.mobile) (hereinafter "App").
- THE DATA CONTROLLER
- DATA PROTECTION OFFICER
- DEFINITION AND TYPE OF PERSONAL DATA PROCESSED
- PURPOSE OF THE PROCESSING AND LEGAL BASIS
- PERSONAL DATA STORAGE PERIOD
- CATEGORIES OF SUBJECTS RECEIVING THE DATA
- TRANSFER OF PERSONAL DATA TO THIRD PARTY COUNTRIES
7 A PASSENGERS TRAVELING TO THE UNITED STATES
7 B PASSENGERS TRAVELING TO CANADA
- AUTOMATED DECISIONAL PROCESSES, IF ANY
- NATURE OF THE CONFERMENT
- THE RIGHTS OF THE PARTY CONCERNED
- CONSENT OF MINORS FOR THE SERVICES OF THE INFORMATION COMPANY
- CHANGES IN THE CONSENT TO PERSONAL DATA PROCESSING
The Data Controller is Alitalia – Società Aerea Italiana S.p.A. in a.s., in the person of its legal representative, domiciled at the registered office in Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM) (hereinafter referred to as “Alitalia” or “Data Controller”).
2. DATA PROTECTION OFFICER
Considering the data processing activities performed by Alitalia, the Data Controller has deemed it necessary to appoint, pursuant to art. 37 of the European Regulation, a Data Manager who you may contact at the following address: Alitalia Data Protection Officer, Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM), or by sending an email to the address firstname.lastname@example.org
3. DEFINITION AND TYPE OF PERSONAL DATA PROCESSED
To allow you to use the air transport service offered by Alitalia, the website www.alitalia.com, the Alitalia App and the related services, the Data Controller needs to know and process some of your personal data.
The term "personal data" designates information that concerns a natural person who is either identified or identifiable, such as, for example, name, contact information and/or data relative to the booking.
For air ticket purchases, the data processed will be first name, last name, telephone number, email address, information about the journey purchased, including any special care required or preferences regarding meals and payment-related details. Moreover, depending on the destination, additional personal data categories may be collected, such as, for instance, date of birth, sex and passport number.
Instead, the type of data processed to merely browse the Website, and the dedicated informative notice on “cookies” are specified below.
The IT systems and software procedures that carry out Alitalia operations acquire, during their normal performance, some personal data, whose transmission is implicit when Web communication protocols are used.
This information is not collected to be associated with the identified parties, but by their very nature they might allow user identification through processing and the association with third party data.
This data category includes IP addresses or computer user names used by the users when they visit the Website, (Uniform Resource Identifier (URI) addresses of the requested resources, time of request, method of submission of the request to the server, size of the file received in response, numerical code indicating the status of the answer given by the server (successful, error, etc.) and other parameters concerning the operative system and the user's IT environment.
The Data Controller makes use of these data only to obtain anonymous statistical information about the use of the Website, the use of the App, and to monitor its correct function. The data might also be used to ascertain responsibility in case of theoretical IT crimes against Alitalia.
Data provided intentionally by the user
The option of sending, both explicitly and intentionally, emails to the addresses provided on this Website and in the App entails the subsequent acquisition of the sender's address, which is required to respond to the requests, and of any other personal data that is entered in the message.
The type of cookies used on this Website is stated below and how you can easily choose if and how your personal data will be processed by this type of technological solutions.
This Website makes use of the so-called “technical cookies”, small rows of text containing a certain quantity of information that is exchanged between the Website and its terminal (or between the browser and its terminal) to ensure correct function and use of the Website.
This Website uses the so-called “profiling cookies”. These cookies are not essential but they help us customize and improve your experience of the Website. For instance, they help us show you the departure airport that is closest to your location, or tell us about your purchase preferences and help us remember them. They also enable us to show you relevant and customized advertisements. Furthermore, they allow us to limit the number of times an advertisement is displayed, gauge the efficacy of the advertising campaign, remember your visit and share the data collected with third parties, such as our advertisers.
Hence, the removal of these cookies does not impair general use of the Website, but it might limit some functions.
Third party cookies
The installation of all cookies can be disabled by adjusting your browser's settings. However, please note that by changing these settings you might not be able to use the Website, if you happen to block cookies that are essential to provide our services. However, every browser has different settings to disable cookies. The links to instructions for the most widely used browsers are given here Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera.
- CALL CENTER
Calls to Call Center numbers might entail processing of the user's personal data to provide the services requested, such as, for instance, bookings, purchase and sending of the air tickets requested by the passenger, changes or replacements of issued tickets, reimbursements, after sales service, special assistance and purchases of complementary flight-related services.
If the third party call centers process data for which Alitalia is the Data Controller outside the EU, Alitalia requires its suppliers to comply with the warrantees laid down by art. 46 of the European Regulation.
When making use of foreign call centers based outside the European Union, in compliance with the legislation in force, Alitalia will inform its clients about the foreign country where the operator is physically located, offering its clients/users the option of requesting that the service be rendered by an operator located in the user's country.
- ACCESS THROUGH SOCIAL NETWORKS
We wish to inform all clients registered with the MilleMiglia Program (the “Program”) that personal data provided when they joined the Program will be collected and processed by Alitalia in a form that guarantees data safety and compliance with the European Regulation. Moreover, MilleMiglia clients who access the Program through Alitalia's Social Login also through the following links [Facebook – Twitter – Instagram – Linkedin] that the personal data provided will be used, with their explicit consent, for purposes that are strictly related to and instrumental to participation in the Program and/or to registration for the Program, and to customization of services designed by Alitalia. The data conferred may be used by Alitalia for promotional, advertising and marketing purposes, such as sending advertising, promotional and informative material about products and services, and for statistical analyses performed to gauge customer satisfaction with services/products offered.
4. PURPOSE OF DATA PROCESSING AND LEGAL BASIS
The personal data held by the Data Controller are exclusively those provided by you when browsing and/or when using our services. Therefore, the personal data will be processed to:
A) Allow you to use our flight ticket purchase service;
B) Allow you to use the air transport service;
C) Meet your travel needs and provide any services requested;
D) Send communications relating to the service status of your flight, if needed;
E) Satisfy all legal requirements related to air passenger transport;
F) Sell directly products or services similar to those already purchased by the interested party, using the email address provided by the same when purchasing a ticket or service, provided that the interested party, having been adequately informed, does not refuse subsequent communications;
G) Provide up-to-date news on Alitalia's activities and promotions as well as regarding co-marketing promotions used to enrich the travel experience, by sending newsletters, advertising material and/or communications and information of a commercial and direct marketing nature regarding our services and products, relevant offers, discounts and any other promotional and loyalty initiative adopted by us, both through traditional and fully automated contact systems, such as, for example, by means of your address of residence and/or email address, or also through text messages;
H) Enable registration to the Mille Miglia program;
I) Personalize the content of commercial communication and offer only dedicated products and offers, in line with the tastes and preferences expressed, as well as a better flight experience.
In consideration of the choice to use the services provided by the website and by the App, the legal basis on which the processing of your personal data is based may be that:
The data provided is necessary to make reservations and purchase one or more airline tickets;
- The data provided is necessary to be able to perform the air transport contract;
- The processing of personal data is necessary to comply with legal obligations foreseen in the aeronautical field, applicable on an individual basis, depending on the destination;
- The processing of personal data may be necessary to safeguard the vital interests of one or more natural persons;
- The Data Controller has a legitimate interest in processing personal data to offer the best service and the best flight experience;
- Based on the specific consents that can be freely provided, carry out direct marketing and profiling initiatives.
Personal data may be processed both via IT tools or on paper.
J) Ensure the protection of public health and safety
- Legal basis:
- processing is necessary for reasons of public interest in the public health sector, such as protection from serious cross-border threats to health.
5. PERSONAL DATA STORAGE PERIOD
The Data Controller plans on storing personal data for a period of time that does not exceed the time required to pursue the purposes for which the data were collected and processed.
Regarding personal data processing for direct marketing purposes, when it is explicitly authorized, in compliance with provisions laid down by the legislation in force, Alitalia has established that your personal data for direct marketing purposes will be deleted within 36 months after they have been recorded. Personal data processed for profiling purposes will, instead, be deleted 12 months after they have been recorded.
Regarding other personal data, since we cannot precisely define the storage period of your personal data, the Data Controller commits from this moment to process your personal data in compliance with the principles of appropriateness, relevance and minimization of data, as required by the European Regulation, regularly verifying the need to store them. Hence, once the purposes for which they were collected and processed have been achieved, we shall remove them from our systems and logs and/or we shall adopt the appropriate measures required to ensure their anonymity in order to prevent your identification.
This will be applied unless we need to maintain said data to fulfill legal obligations or to ascertain, exercise or defend our rights during legal proceedings.
6. CATEGORIES OF DATA SUBJECTS
The data processed will not be disclosed to third parties. However, they may become aware of your data, in relation to the processing purposes previously set out:
- Health and public health control authorities of any country on your itinerary, including stopovers and countries that you fly over;
- Subjects who can access the data pursuant to the provisions of the law provided for by European Union law or by that of the Member State to which the Data Controller is subject, including the Central Directorate of Immigration and the Border Police;
- Our employees are designated as Processing Coordinator, System Administrator, or as a person acting under the authority of the Data Controller or the Data Processor, provided that they have been previously trained in this sense by the Data Controller;
- External parties that perform functions strictly connected or instrumental to the air transport activity such as other air transport companies, external or belonging to the Alitalia Group, such as Alitalia Cityliner S.p.A. under extraordinary administration, and handling companies, as independent Data Controllers or Data Processors, who shall be considered fundamental for the operation of Alitalia flights, as well as Alitalia Loyalty S.p.A. as joint owner of the data relating to the Mille Miglia program;
- Banks and payment companies, as well as service providers for anti-fraud control connected to the payment process and (where necessary) activation of the anti-fraud control procedure;
- Third parties such as law firms and public authorities to which we turn to ensure that the stipulated contract is respected or applied and to safeguard all our other legitimate interests;
- Third parties such as police and national authorities to protect our rights, property or safety of you, staff and our assets and resources;
- Public authorities and law enforcement agencies, for example customs and immigration authorities, following a validly made request;
- Persons who carry out, in complete autonomy, as separate Data Controllers, or as Data Processors appointed by Alitalia for this purpose, auxiliary purposes to the activities and services referred to in paragraph 4., as commercial partners, companies that offer services advertising, marketing and communication, companies that offer IT infrastructures and IT assistance and consultancy services as well as design and implementation of software and Internet sites, companies that offer useful services to personalize and optimize our services, including those to provide and manage customer service, companies that offer useful services to analyze and develop data and develop and conduct market research.
Any communication of personal data will take place in full compliance with the legal provisions of the European Regulation and the technical and organizational measures prepared by the Data Controller in order to ensure an adequate level of security.
7. TRANSFER OF PERSONAL DATA TO THIRD-PARTY COUNTRIES AND FOR IMMIGRATION CONTROL AND COUNTER-TERRORISM
Alitalia is a global carrier that conveys passengers to countries all over the world. The controller may transfer personal data to third-party countries for the purpose of the proper performance of Alitalia's activities, as well as the fulfillment of the obligations arising from the requests of the Interested Party. Consequently, the data transfer in question is necessary to implement the agreement between the party concerned and Alitalia and, in some cases, to fulfill the legal obligations which the Data Controller is subjected to.
If personal data of the parties concerned is transferred outside the European Union, we commit to:
- include standard data protection contractual clauses approved by the European Commission for the transfer of personal information outside the EEA in our contracts with those third parties (these are clauses approved under Article 46.2 of the General Data Protection Regulation ("GDPR"); or
- ensure that the country where the personal information will be managed is deemed “appropriate” by the European Commission, pursuant to art. 45 of the GDPR; or
- (in the event that we transfer the personal information of the interested parties to a recipient in the United States) make sure that the recipient is part of the Privacy Shield, which requires that recipient to provide protection similar to any personal information shared between Europe and the United States.
For more information on data transfer rules outside the EEA, including the mechanisms on which we rely, please see the European Commission's website here.
7. A PASSENGERS TRAVELING TO THE UNITED STATES
In accordance with an international agreement between the European Union and the United States, Alitalia informs the US Department of Homeland Security (DHS) of travel and booking data, otherwise known as Passenger Name Record (PNR) data, of passengers flying between the European Union and the US. US authorities use PNR data for prevention and counter-terrorism purposes and other serious transnational crimes. This and other data can also be used to check whether passengers are listed as persons reported for security purposes.
Carriers that fail to fulfill these requirements may be subjected to heavy sanctions and even lose the right to land in the United States of America. In turn, the passengers of these carriers may be subjected to more thorough and extensive checks in US airports, with all the inconvenience that may entail.
Alitalia, just like all European carriers that operate from, to or through the United States of America, is obliged to meet the above requirements. The transfer of passenger data to the US authorities is, in fact, a condition to operate air transport services from, to or through US territory.
7. B PASSENGERS TRAVELING TO CANADA
On 18 June 2007 the Government of Canada introduced the Passenger Protect Program to implement a border control system as an anti-terrorism measure.
The Passenger Protect Program requires all air carriers operating from and to the Canadian territory to mandatorily check passenger names at check-in against the names present in lists drawn up and provided by the Canadian authorities, with the aim of evaluating the possibility of either proceeding or otherwise with the embarkation of any passengers who might be mentioned in the above lists. The Passenger Protect Program, which initially started on a voluntary basis, became mandatory for airlines in September 2008 and Alitalia duly fulfils the aforementioned obligation.
7. C TRANSFER OF INFORMATION FOR IMMIGRATION CONTROL AND COUNTER-TERRORISM PURPOSES
Alitalia, like other carriers, is required at the request of the immigration and customs enforcement authorities of many countries (United States, Canada, Japan, UK, etc.) to communicate Advance Passenger Information (API) before each incoming and/or departing flight, to improve external border controls and combat illegal immigration.
These checks are also carried out by our national authorities under Legislative Decree No. 53/2018 Application of the 2004/82/CE Directive.
In addition, in line with national, European and international legislation applicable in Italy (i.e. EU Directive 2016/681 and Legislative Decree No. 53 May 2018), we inform you that Alitalia, like other air carriers, is required to transmit the booking code data relating to each passenger's travel code (so-called "PNR", or Passenger Name Record, data) for the purpose of prevention, inspection, investigation and prosecution of terrorism offences and serious crimes.
In accordance with Article L.232-7 of the internal security code of France, we also inform you that Alitalia may be required to transmit to the French authorities the information of booking, check-in and boarding of passengers (API/PNR), according to the methods of treatment and for the purposes set by the French decree No. 2014-1095 of 9/26/2014.
- What type of passenger information can they access?
The United States Bureau of Customs and Border Protection (US CBP) has access to PNRs (precisely client data recorded when the journey by air was booked) concerning the flights operated from, to and through the United States of America.
They are electronic "files" created in the IT systems used by carriers for every route booked by the passenger, files that contain miscellaneous information including: name of the passenger, telephone contact of the passenger, flight details (date of the flight, departure and destination sites, inflight seat number, number of bags, etc.), and additional details, such as: any travel agency involved, form of payment, etc.
Hence, the PNR includes all information provided by the passenger during the booking phase. The US CBP is also sent, soon after take-off, the passenger's passport details (last name, first name, date of birth, nationality, passport number and sex).
AUTHORITIES AND PURPOSES
- Who will be authorized to access client details, who will store them and use them, and for what purposes will they be used?
The US CBP, which is part of the Department of Homeland Security, will have access to your data. This body will use it to prevent and fight terrorism and serious criminal actions.
However, as established by the U.S. legislation, said authorities might transmit the data to other American authorities that are appointed to fight terrorism or to ensure compliance with legal obligations and interests, after performing a case by case evaluation and always for the purpose of preventing and fighting terrorism or serious criminal acts.
Moreover, these data can be made accessible, when necessary, to protect the vital interest of passengers or of third parties (particularly in cases of important healthcare risks) or in the framework of penal proceedings or in other cases established by the law
- How are passenger data used?
Data are collected by the US CBP within the booking systems until 48 hours before the flight's departure and are used to perform passenger checks before arrival in the USA to ensure easy entrance to most travelers. US CBP will only focus on the small number of passengers who might represent an actual safety risk.
Data will be stored for a period of 7 years, though, when they are manually accessed during this period, they may be stored for another 8 years.
The U.S. authorities will adopt all appropriate technical and organizational measures to prevent the unauthorized use of these data.
- What rights do passengers have and how can they be exercised?
The U.S. authorities have committed, as a rule, not to object to passenger requests to receive a copy of data collected from the PNR and contained in their database. Passengers can request their data to be corrected. This will be done if the US CBP or Transport Security Agency (TSA) consider the request justified and appropriately explained. A negative decision may constitute a matter for judicial proceedings.
Requests to correct data and complaints about PNR data processing can be made by passengers (either directly or through data protection authorities in the Member States) to the Privacy Office of the DHS (Freedom of Information Act (FOIA) Program):
FOIA - Privacy Office
Department of Homeland Security
245 Murray Drive SW
Washington, DC 20528-0550
Toll free number: +1-866-431-0486
8. AUTOMATED DECISIONAL PROCESSES, IF ANY
The Data Controller does not make use of automated decisional processes, including the profiling mentioned in art. 22, sections 1 and 4, of the European Regulation, without his/her consent. If he/she accepts profiling, the data provided may be used to either analyze or anticipate preferences, behaviors and positions in order to customize the content of the commercial communication and to propose only dedicated products and offers that are consistent with the taste and preferences stated, thus reducing the number of commercial communications we send, and offering a better flight experience.
Specifically, these data processing activities envisage recording, analysis and profiling (i) of your identification details, (ii) of information about your flights, (iii) and of data regarding your habits and consumption choices.
The aggregation and analysis of personal data collected allow us to identify clients of the air transport service that have in common similar purchasing behaviors. The results of these analyses will enable the Data Controller to send clients who have consented to receive them, commercial proposals that are consistent with their needs.
9. NATURE OF THE CONFERMENT
The conferment of your personal data for the purposes stated in sections 4.A – 4.B – 4.C – 4.D – 4E is mandatory because your refusal, if any, to provide the personal data requested would make it impossible for Alitalia to provide the air transport service.
The conferment of personal data for the purposes stated in section 4.F is optional and the party concerned always has the right to refuse this use of his/her personal data on the part of the Data Controller.
The conferment of personal data for the purposes stated in section 4.G is optional. However, though failure to provide these data will not prevent you from using the Website, it might prevent us from providing you all the benefits offered through advertising, commercial and direct marketing communications, and from informing you about additional services, discounts and promotional offers.
The conferment of personal data for the purposes stated in section 4.H is optional but failure to provide these data will prevent you from joining the Program.
Conferment of personal data for the purposes stated in section 4.I is optional. However, failure to provide these data will prevent you from receiving all the benefits reserved for you, and from receiving exclusive dedicated products and offers that are consistent with the taste and preferences expressed, for a better flight experience.
10. THE RIGHTS OF THE PARTY CONCERNED
Regarding the processing of your personal data, pursuant to the European Regulation, the party concerned is entitled to:
- Withdraw consent to data processing, at any time, for all further data processing procedures that are not necessary to execute the service agreement; however, it must be said that withdrawal of consent does not constitute a bias to the lawfulness of data processed based on consent provided prior to withdrawal of the consent itself, as established by art. 7, section 3, of the European Regulation
- Ask the Data Controller access to personal data, as established by art. 15 of the European Regulation
- Obtain, from the Data Controller, the correction and integration of personal data that is deemed inaccurate, even providing a simple integrative statement, as established by art. 16 of the European Regulation;
- Obtain, from the Data Controller, the deletion of personal data if even just one of the reasons established by art. 17 of the European Regulation is present, for all further data processing that might not be necessary to execute the service agreement,
- Obtain from the Data Controller the limitation of personal data processing, if even one of the cases theorized in art. 18 of the European Regulation is present, for all further data processing that might not be necessary to execute the service agreement
- Receive, from the Data Controller, the personal data that concern you, in a structured format widely used and legible by an automatic device; you are entitled to transmit these data to another Data Controller, as established by art. 20 of the European Regulation
- Object at any moment, for reasons associated with your particular situation, to the processing of personal data carried out in compliance with art. 6, section 1, letters e) or f), including profiling based on these provisions, as established by art. 21 of the European Regulation
- Not to be subjected to decisions solely based on automated data processing, including profiling, that will have legal repercussions for you, if you have not consented explicitly in advance, as established by art. 22 of the European Regulation; by way of a non-exhaustive example, this category includes any form of automated personal data processing intended to either analyze or foresee aspects that concern consumption and purchase choices, the economic situation, interests, reliability and behavior;
- Submit a complaint to the control authorities if you deem that the processing of your data violates the European Regulation; the complaint can be submitted in the Member State where you habitually reside or work or in the place where a presumed violation occurred, as established by art. 77 of the European Regulation.
To exercise each of your rights, you may contact the Data Controller, in the person of the legal representative, by contacting the registered office at Via A. Nassetti s.n.c., Pal. Alfa, 00054 Fiumicino (RM).
Alternatively, you can contact the Data Protection Officer by sending a communication to Alitalia Data Protection Officer, Via A. Nassetti s.n.c., Pal. Alfa, , 00054 Fiumicino (RM), or by sending an email to email@example.com providing the following information:
- First and last name and postal address
- Details of the request
- Booking code or flight number and date
- Photocopy of a valid document of identification
To exercise the rights related to the MilleMiglia Program, you can send an email to the address: firstname.lastname@example.org allegando: (i) MilleMiglia card number; (ii) details of the request; (iii) copy of a valid document of identification.
11. CONSENT OF MINORS FOR THE SERVICES OF THE INFORMATION COMPANY
To make use of the services issued over the Website and in the App, you must be over fourteen years of age. Processing the personal data of a minor aged under fourteen years is lawful as long as it is performed by the person who has parental authority over the minor. For further information, visit the page Organize Your Journey.
12. CHANGES IN THE CONSENT TO PERSONAL DATA PROCESSING
You can change the consent provided at any time for the following purposes:
- 4F - 4G by clicking on the link “unsubscribe” present in each newsletter received or by answering “unsubscribe” to the TEXT MESSAGE SERVICE message you received
- 4H – 4I by accessing your personal MilleMiglia page in the dedicated section.
Personal data processing will occur, including by means of external providers appropriately called external processing managers, with guaranteed security and confidentiality. These providers may be located also outside the European Union in accordance with the art. 26 of Directive 95/46/EC, after analysis of appropriate security measures and after the subscription of the standard clauses made available by the European Commission – The data processing may be performed not only with manual tools but also with automatic tools (both computer and telematic) that are capable of storing, managing and transmitting the said data. Personal data will be: processed in a legal and proper manner; collected and recorded for specific, explicit, legitimate and precise purposes, and, if necessary, updated, relevant and complete purposes, not exceeding the purposes of processing; stored in a way that allows it to be identified by the individual for a period of time not exceeding the time necessary for the purposes for which it was collected or subsequently processed.
As of February 1, 2007, based on the Partial Amendment to the Immigration Control and Refugee Recognition Act, the Japanese Authorities require as mandatory the personal data written on the passports of all passengers traveling to Japan.
The transfer of passenger data to the Japanese Authorities is a condition of operating air transport services to Japan.
Any passengers who do not consent to their data being transferred will consequently not be permitted to fly to Japan.