Information on the processing of personal data (pursuant to art.13 EU Regulation 2016/679)
The current regulations regarding the processing of personal data defined in accordance with the provisions outlined in EU Regulation 2016/679 of 27 April 2016 relating on the protection of individuals and the processing of personal data and the free movement of this data (General Data Protection Regulation, hereinafter "EU Privacy Regulation") contains provisions aimed at ensuring that the processing of personal data is carried out in compliance with the fundamental rights and freedom of individuals, especially with reference to the protection of personal data.
1. Purpose and legal basis for processing
The processing of personal data is carried out for the purpose of:
1) requesting and purchasing the Viaggio card;
2) requesting and purchasing the Viaggio in Famiglia card;
3) purchasing online subscription;
4) purchasing train tickets with Customer profiling;
5) online invoicing service
6) invoicing service at the ticket office;
7) managing complaints on paper;
8) managing online complaints;
9) managing travel issues;
10) managing written notifications;
11) receiving newsletters;
13) refund management;
14) managing joint settlement;
15) sending information requests online
16) managing assistance files (via email or telephone);
17) lost property management;
18) CartaBlu/Blue Card requests;
19) annual subscription registration;
20) requesting and purchasing of cards;
21) managing reservations for group trips;
22) managing assistance for trips for people with reduced mobility.
The processing of personal data for promotional/commercial purposes: personal data may also be used for the purposes of customer profiling, information and commercial promotion of both products and services, in addition to satisfaction services regarding your experience and market research. In such cases, the processing of personal data will be based exclusively on your free and specific consent. Your consent may be revoked at any time without prejudice to the lawfulness of the processing operations carried out prior to the revocation.
All the data referred to in point 2 below will be stored for:
- 10 years for the data (common and sensitive) collected for the purposes of management of refunds; management of travel issues; management of written notifications; management of joint settlement; management of group travel bookings; management of travel assistance for people with reduced mobility; management of complaints on paper;
- 5 years for the data (common and sensitive) collected in order to request and purchase of cards; request and purchase the Viaggio card; request and purchase the Viaggio in Famiglia card; purchase of online subscription; purchase of train ticket with customer profiling; online invoicing service; invoicing service at the ticket office; management of online complaints; receiving newsletters; marketing; sending information requests online; management of assistance practices (via email or telephone); lost property management.
- 6 years for the data (common and sensitive) collected in order to request the CartaBlu/Blue Card;
- 18 months for the data (common and sensitive) collected for the purposes of the annual subscription register.
Any processing of sensitive data by the Data Controller is in accordance with the conditions set out in Art. 9.2 letter a) of the GDPR.
2. Types of personal data processed
Within the limits of the purposes outlined above, the Owner will process the following categories of personal data:
- Common personal data concerning personal information; residence, domicile, railway use habits; bank details
- Personal data belonging to the special categories referred to in art.9 of the GDPR (sensitive data) and consisting of photographs; health information; legal data; geolocation.
3. Data processing
For the sake of transparency and in compliance with the principles set out in art. 12 of the GDPR, please note that the "processing of personal data" refers to any operation or set of operations performed with or without the aid of automated processes and applied to personal data or sets of personal data. This includes the collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, comparison or interconnection, limitation, cancellation or destruction.
The processing of personal data may be carried out with or without the aid of electronic or automated means and will include, in compliance with the limits and conditions set out in the GDPR, in addition to the communication to the subjects referred to in point 6, below.
4. Methods of data processing
The personal data subject to processing are:
1. Processed lawfully and fairly by persons authorised to perform these tasks, persons constantly identified, properly trained and informed of the constraints imposed by the GDPR;
2. Collected and recorded for specific, explicit and legitimate purposes and used in other processing operations in terms compatible with those purposes;
3. Accurate and, where necessary, up to date.
4. Relevant, complete and not excessive in relation to the purposes for which they were collected or subsequently processed;
5. Stored in a way in which permits identification of the data subject for a period of time which does not exceed that necessary for the purposes for which they were collected or subsequently processed;
6. Processed with the support of paper, computer or telematic means and with the use of security measures to ensure the confidentiality of the data subject to whom the data refer and to avoid undue access to third parties or unauthorised personnel.
5. Nature of the contribution
The provision of some personal data is necessary. In the event of failure to provide the requested personal data or in case of opposition to the processing of personal data, it may not be possible to proceed with the request and/or management of the service requested and/or the management of the contract.
Subject to your express content, the personal data you provide may be used for marketing purposes or to carry out automated activities aimed at profiling and analysis of both habits and consumer choices, for example, frequency, reason, methods of use, failure to consent to the processing of data and contact details for the purposes indicated does not prevent the continuation of the contractual relationship.
As provided for by the Guarantor for the protection of personal data, the consent given for marketing purposes with automated methods of contact (for example, SMS, MMS, telephone, email or web applications) also extends to traditional methods of contact. This is without prejudice to your right to give consent or to exercise your right to object to only one of the two ways of carrying out marketing activities.
6. Data communication and Data transfer abroad
The personal data collected are processes by staff who are required to have knowledge of them in the performance of their activities and by external parties who may act as data controllers or data processors, as the case may be.
The Data Controller also reserves the right to transfer personal data to a third country on the bases of the adequacy decisions of the European Commission or on the basis of the adequate guarantees provided by the current legislation.
The data will not be disclosed.
7. Rights of the data subject
Pursuant to Articles 15-20 of the GDPR, you may exercise specific rights, including that of obtaining access to personal data in intelligible form, its rectification, updating or deletion. You will also have the right to obtain from the Company the limitation of the processing. You may also oppose, for legitimate reasons, the processing of your data. If you believe that the processing of your personal data violates the rules of the GDPR, you have the right to file a complaint with the Guarantor Authority for the Protection of Personal Data pursuant to art. 77 of the GDPR.
8. Owner and Data Protection Office (DPO)
The Data Protection Officer, pursuant to art. 4.1.7 of the GDPR is Trenord S.r.l., with registered office at 20123 Milano, Piazzale Cadorna No.14.
The person responsible for personal data protection (also "DPO") is lawyer, Yari Mori. To exercise your rights under the GDPR referred to in point 6 of this statement, you may contact the DPO. The DPO must be requested to provide information regarding the identification of the data processors acting on behalf of the Data Controller.
The DPO may be contacted via post to the aforementioned registered Trenord office, or by email to the following email address: firstname.lastname@example.org.
The complete list of persons in charge and the categories of the persons in charge of data processing are available upon request.