INFORMATION ON PRIVACY PURSUANT TO ART. 13 EU REG. 679/2016

 

  1. Introduction

CO.RA.T. SAS of Cannizzaro Fabiana takes the user’s privacy seriously and undertakes to respect the principles of data protection: personal data of any nature or category will be treated according to the principles of lawfulness, correctness, transparency, minimization and confidentiality. This “Privacy Policy”, prepared pursuant to art. 13 EU Reg. 679/2016, describes the personal data processing activities carried out, indicating their methods and purposes, and the related commitments undertaken in this sense by the Company.

Where consent has been given when registering in the reserved area on the www.corat.travel website, we will process the data provided for the purposes described below. If the user provides personal data of third parties, he will have to ensure that this communication is delivered to the interested party and that the subsequent processing for the purposes specified in the information is applicable in accordance with EU Reg. 679/2016.

  2. Owner, managers, appointees and DPO

The Data Controller is CO.RA.T. SAS of Cannizzaro Fabiana with headquarters in VIA MORANDI 3/E – 20094 BUCCINASCO (MI) and VAT number 11954960156. The person in charge of the data processing is CANNIZZARO FABIANA. The updated list of data processors is kept at the registered office of the Data Controller.

  3. Object of the Processing

The collection and subsequent processing of customer personal data takes place in a manner directly carried out by the owner through its own online channels. In carrying out the activity, personal and identification data may be processed (for example, name, surname, company name, address, telephone, e-mail, tax, bank and payment references), voluntarily provided by the user when of the services offered, even for information only, or on the occasion of pre-contractual and/or contractual relationships, strictly related to existing or future commercial relationships.

  4. Purpose of data processing
    A) The company processes user data for the purposes described below:
  • Conclude contracts for the services requested by the user;
  • Manage needs or reports and provide information requested by its users, including through written communications or the sending of related documentation.
  • To organize and promote tourist packages or services or other additional and accessory services;
  • Provide a reserved and personalized area to the user;
  • Fulfill the pre-contractual, contractual and tax obligations deriving from existing relationships;
  • Manage requests and reports from its customers or suppliers;
  • Fulfill the obligations established by law, by a regulation, by community legislation or by an order of the Authority;
  • Exercise the rights of the Data Controller (exercise or defense in court, etc.);

B) Your personal data may instead be processed only with your specific and distinct consent (art. 7 EU Reg. 679/2016), for the following marketing and promotional purposes:

  • Send promotional material and/or commercial communications relating to the Company’s services and products, to the addresses indicated, both through traditional methods and/or means of contact (such as paper mail, telephone calls with an operator, etc.) and automated (such as communications via the Internet, faxes, e-mails, text messages, applications, social network accounts).
  • Process statistics and market research in anonymous and pseudonymised form;

 

  5. Methods and times of treatment

The processing of your personal data is carried out by means of the operations indicated in art. 4 Privacy Code, namely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data is subjected to both paper and electronic and/or automated processing in full compliance with EU Reg. 679/2016, and inspired by the principles of correctness and lawfulness of treatment. Personal data is stored and processed through IT systems owned by CO.RA.T. SAS of Cannizzaro Fabiana and managed by the same company. We inform you that, where possible, your data will also be processed in anonymous, aggregated or pseudonymised form, in compliance with the principles of minimization and pseudonymisation envisaged.

We inform you that your data may be communicated to and processed by companies, professionals, natural persons or service providers in general, who could be based in non-EU countries. Therefore, the treatment will take place provided that certain conditions established by the applicable legislation are respected and subject to adequate guarantees, and in any case within the limits envisaged, specified and indicated in the information and with particular reference to the purposes.

The Data Controller will process personal data for the time necessary to fulfill the aforementioned purposes, while the retention of your data may also be extended after the end of the relationship for the time necessary to fulfill legal obligations, especially in VAT, fiscal and tax matters, and in any case for the purposes of the envisaged legal obligations.

  6. Security and quality of personal data

The Data Controller undertakes to protect the security of the user’s personal data and complies with the provisions on security matters envisaged by the applicable legislation in order to avoid data loss, illegitimate or illegal use of data and unauthorized access to the same, with particular reference to the Technical Regulations on the subject of minimum security measures. Furthermore, the procedures, information systems and computer programs used are configured in such a way as to minimize the use of personal and identification data, which are in any case processed only for the achievement of the specific purposes pursued from time to time.

  7. Data access

The data will be made accessible only to those who, within the company, need it due to their job. These subjects will be suitably instructed in order to avoid problems of any kind to the data in possession. Your data may be made accessible for the purposes referred to in points 4.A) and 4.B):

  • To employees and collaborators of the Data Controller, in their capacity as persons in charge and/or internal/external data processors and/or system administrators;
  • To commercial partners such as hospitality businesses, tour operators and travel agencies;
  • To third-party companies or other subjects who carry out outsourced activities on behalf of the Data Controller, in their capacity as external data processors;
  • To third party technical service providers, telematics and IT services and hosting providers;
  • To professionals, consultancy firms, credit institutions, information companies, debt collection companies or companies operating in the transport and logistics sector;
  • To subjects who can access your data by virtue of provisions of law or secondary and community legislation.
  • To public and private bodies, also following inspections and checks (e.g. Financial Administration, Police Bodies, Judicial Authorities, Social Security Bodies, Chambers of Commerce, etc.)
  • To companies, which offer adequate security guarantees, of IT services including the personnel in charge who are entrusted with ordinary and extraordinary maintenance operations or who support the Owner in providing the services offered.

  8. Communication and data transfer

Your data will never be published, disseminated, exhibited or made available/consulted by subjects not specified in the previous point. The subjects to whom the data will be communicated will treat them as independent data controllers and will in any case be required to comply with the provisions on data processing security provided for by current legislation.

  9. Nature of providing data and consequences of refusing to answer

The provision of data for the purposes referred to in point 4.A) is mandatory, in order to manage communications, process requests, contact you again and follow up on any needs, and therefore provide the services. The missing, partial or incorrect provision of the requested data necessary for the pursuit of the purposes described does not make it possible to complete the requests of the interested party, will not allow the management of commercial relations, or may cause inconvenience in the provision of the service.

The provision of data for the purposes referred to in point 4.B) on the contrary is optional and failure to provide it will not entail any consequences for the provision of the service, but in this case, you will not be able to receive newsletters, commercial communications and advertising material relating to the offer of the Owner.

You can therefore opt not to provide any data or to subsequently and at any time deny the possibility of processing data already provided, in which case, you will not be able to receive the Services offered by the Owner.

  10. Rights of the interested party

In your capacity as an interested party, you have the rights referred to in articles 15-21 and 77 EU Reg. 679/2016 and precisely the rights of:

10.1 Right of access to data.

  • Each interested party has the right to request access and therefore to know and obtain, with a written request, confirmation from the Data Controller of the Internal Managers of the conservation and processing of his personal data provided at the time of the request for a quote.
  • Each interested party also has the right, with a written request, to ascertain which of his personal data are stored and processed by the Data Controller.

10.2 Right to rectification and integration of personal data.

  • Each interested party has the right to obtain, through a written request, from the Data Controller and/or Internal Managers, the rectification of inaccurate personal data concerning him without unjustified delay.
  • Each interested party also has the right to obtain, through a written request containing a supplementary declaration, from the Data Controller and/or Internal Managers, the integration of his or her incomplete personal data.

10.3 Right to erasure of personal data (Right to be forgotten).

  • Each interested party has the right to obtain from the Data Controller and the Internal Managers, with a written request, the cancellation of personal data or part of them, stored both in the paper archive and in the automated archive of the Data Controller himself.
  • Following the aforementioned written request, the Data Controller and/or the Internal Managers are obliged to cancel all or part of the personal data without unjustified delay as requested by the interested party.

10.4 Limitation of the processing of personal data.

  • Each interested party has the right to obtain from the Data Controller and/or from the Internal Managers the temporary submission of his personal data to the sole conservation operation if the same are pending verifications or to ensure their claims, as indicated below:
  1. if the interested party disputes the accuracy of the personal data stored by the Data Controller and/or Internal Managers.
  2. if the use of personal data by the Data Controller and/or Internal Managers is unlawful for any reason, the data subject may in any case request a limited use only for the purposes envisaged and accepted by signing this Information;
  3. if personal data are necessary for the interested party for the assessment, exercise or defense in court.
  • The interested party who has obtained from the Data Controller and/or from the Internal Managers the limitation on the use of their personal data will have the right to be informed by the same in writing, before this limitation is revoked.

10.5 Notification obligation by the Data Controller and/or Internal Manager.

The Data Controller and/or the Internal Managers declare to notify the interested party of any corrections, cancellations or limitations on the use of his personal data according to the purposes envisaged and accepted with the signing of this disclosure model, unless this implies a disproportionate effort for the Data Controller and/or Internal Managers.

10.6 Data subject’s right to object.

The interested party has the right to express his opposition to the processing of his personal data to the Data Controller and/or Internal Managers at any time, with a written request.

10.7 Right to portability of personal data.

  • The interested party has the right to request and obtain, upon written request, the direct transmission of their personal data stored by the Data Controller and/or by the Internal Managers to a subject specifically indicated by him, in a structured, commonly used and machine-readable format.
  • However, the interested party acknowledges that the exercise of this right can only take place if technically possible, i.e. if their personal data are processed by the Data Controller and/or by the Internal Manager through automated means.
  • The interested party also acknowledges that the exercise of this right cannot prejudice the provisions of this information model in point “8.4 Limitation of the processing of personal data.”

10.8 Right to lodge a complaint with a supervisory authority.

The interested party who believes that one of his or her rights has been infringed has the right to submit reports, complaints or appeals in writing to the Guarantor for the protection of personal data, to the Public Relations Office (URP).

  11. How to exercise your rights

You can exercise your rights at any time by sending a communication to the Data Controller:

  • An email to info@corat.travel