Dear Sir/Madam,
please find below some information about the processing of your personal data.
The data controller is Maddalena Lines S.r.l. (hereafter, “Company”), which can be contacted at:
- e-mail address: privacy@carontetourist.it
- telephone number: +39.090.9038201
The company has appointed a Data Protection Officer, in accordance with articles 37 and following of Regulation (EU) 2016/679 (hereafter, “GDPR”), who can be contacted at the data controller's head office or by e-mail at dpo@carontetourist.it.
Type of data collected
The processing concerns the following personal data referred to in Art. 4, no. 1, GDPR, referring to the Customer (or, in the case of a legal entity, to natural persons working within the same):
- personal data (name, surname, tax code, place and date of birth);
- contact data (home address, e-mail address, certified electronic e-mail, telephone number);
- vehicle license plate number;
- data on bookings and/or trips made;
- assistance for persons with reduced mobility;
- any special customer requests;
- any complaints made by the customer;
- personal data spontaneously provided by the Customer through the data controller’s contact channels (e-mail address, telephone number, social networks, etc.), in order to request assistance and/or information.
Purpose and legal basis of processing
Your data are processed for the following purposes:
| Purpose | Legal basis for processing | |
| a) |
| Processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR) |
| b) | Transmission of your data to maritime agencies, judicial authorities and law enforcement agencies | Processing necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR) |
| c) | Assistance for persons with reduced mobility | Processing necessary for reasons of substantial public interest, on the basis of Union or Member State law (Art. 9(2)(g) GDPR) |
| d) | Fulfilment of regulations related to the contractual relationship (e.g. tax obligations) | Processing necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR) |
| e) | Sending communications for conducting anonymous customer satisfaction surveys related to purchase and service provision (customer satisfaction) | Processing is necessary for the pursuit of a legitimate interest of the Data Controller, insofar as the interests or fundamental rights and freedoms of the data subject do not override it (Art. 6(1)(f) GDPR) |
Necessity or Optional Nature of Processing
The provision of personal data for the purposes set out in points a), b), and d) is necessary for the establishment of the relationship with the Company; therefore, any refusal to provide such data, in whole or in part, may result in the Company being unable to conclude the contract.
The provision of personal data for the purposes set out in point c) is necessary in order to provide the assistance required by the customer.
Processing under purpose e) does not require further provision of personal data. The information collected through the surveys will be processed anonymously and used only for statistical purposes to pursue the Company's legitimate interest in improving the quality of the service offered.
Recipients of personal data
Personal data may be disclosed, strictly in relation to the above-mentioned purposes, to the following subjects or categories of subjects:
- natural persons authorised in writing by the Company/data controller pursuant to art. 29 GDPR by reason of the performance of their work duties;
- subjects in relation to which current legislation (e.g. tax and accounting) provides for mandatory reporting, including public bodies;
- Public authorities within the meaning of Ministry of Infrastructure and Transport Memorandum No. 104/2014 in compliance with Directive 98/41/EC (i.e. harbour master's office and port authority);
- Judicial and law enforcement authorities;
- ticket offices and maritime agencies for the organisation of embarkation/disembarkation activities;
- law firms, in case any disputes arise;
- insurance companies both when booking tickets and when making claims;
- experts during complaint procedures;
- companies providing other services that are essential to the provision of the shipping service or the sale of tickets (such as web hosting, auditing services, data analysis).
Processing methods
Personal data are collected at the time of booking/purchasing the ticket and in the stages following that moment, in the event of a request by the customer for additional services (e.g. post-purchase assistance, invoicing, etc.). The processing is carried out using paper and IT tools, in compliance with the provisions on the protection of personal data, adopting appropriate technical and organisational measures, pursuant to in Article 32(1) of the GDPR, and with the observance of all precautionary measures to ensure the integrity, confidentiality and availability of the data.
Personal data stored on computer databases are only accessible to identified persons (authorized under art. 29 GDPR), by means of personal access keys.
Data retention period
Your travel data will be stored until 31 December of the second year following the trip.
Your data for administrative-accounting purposes will be stored for 10 (ten) years after collection.
In the event that a dispute arises between the Company/data controller and the person concerned, the retention period will be extended for the duration of that dispute and for 10 years following its final settlement (e.g. settlement agreement or final judgment).
At the end of the period indicated, your Personal Data will be deleted from the database and from any other archiving media, whether paper or computerised.
Rights of the data subject under Articles 15-22 of the EU Regulation - GDPR 2016/679
Pursuant to the relevant legislation, the rights of each data subject and how to exercise them are listed below.
- Right of access - The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed; the evinsaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; he existence of automated decision-making, including profiling.
- Right to rectification - The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and/or the integration of incomplete data.
- Right to erasure - The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay if: the purpose of the processing has been fulfilled; consent has been withdrawn; objection to the processing has been made; the data have been processed unlawfully; the data must be erased to comply with a legal obligation under EU or national law.
- Right to restriction of processing - The data subject has the right to obtain from the controller restriction of processing: in the case of inaccurate data, until the Data Controller verifies their accuracy; in the case of unlawful processing; if the purposes of the processing have been fulfilled but the personal data are necessary for the data subject to establish, exercise, or defend a right in court; if the data subject has objected to the processing, pending verification of whether the legitimate grounds of the data controller override those of the data subject.
- Right to portability - The data subject has the right to receive the personal data concerning him or her in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller without hindrance, where the processing: is based on consent or on a contract; is carried out by automated means.
- Right to object - The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR.
This is without prejudice to the limitations provided for by law.
Methods of the data subject's request
The data subject may exercise the above rights at any time by sending an e-mail to privacy@carontetourist.it
The data subject is entitled to lodge a complaint with the Garante per la protezione dei dati personali (Italian Data Protection Authority) on the basis of the indications given at www.garanteprivacy.it/garante/doc.jsp?ID=4535524 or to any other supervisory Authority.
Maddalena Lines S.r.l.
