Pursuant to article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter “GDPR”), we inform you that the personal data you voluntarily provide to Itabus S.p.A. (hereinafter also referred to as the "Company", "Itabus" or the "Controller") during the browsing of the web site www.itabus.it (hereinafter referred to as the "Web Site") or Itabus App (hereinafter referred to as the "App") will be processed in accordance with the current legislation on the protection of personal data, meaning the GDPR, the Legislative Decree 196/2003, as subsequently amended by Legislative Decree 101/2018 (hereinafter the “Privacy Code”), as well as all the provisions and guidelines of the Italian Data Protection Authority, as applicable from time to time and, in any case, in compliance with the principles of confidentiality that inspire the Company's activities.
1. Types of data processed
Itabus will process the following categories of personal data provided by you:
- browsing data, such as, by way of example, information relating to the device used to browse the Website/App and/or to make purchases, IP address, cookies, etc.
During the browsing of the web site, with particular reference to the use of cookies, Itabus informs you that, in accordance with the Provision of the Italian Data Protection Authority of 8 May 2014, at the following link you can consult the Cookie Policy of the Website containing all the information useful to understand, identify, use or delete the cookies used on the Website;
- identity data such as, by way of example, name and surname of the purchaser and any additional passengers, tax code, VAT number, etc.;
- contact data, such as, by way of example, customer code, e-mail address and telephone number;
- bank and/or payment data;
- data relating to the state of health, only if this is necessary for the pursuit of the specific purpose referred to in letter c) of paragraph 2 below;
- location data.
2. Purposes of processing and legal basis of the processing
Personal data made available to Itabus (using Website/App) will be processed for the following purposes:
a) obligations related to the use of the Website/App such as, by way of example, the activation through registration, and subsequent management and technical security maintenance, of accounts to guarantee access to the Website/App and/or the services made available therein, as well as passwords or similar authentication credentials, the management and processing of your requests for information submitted by filling out forms on the Website/App etc.;
b) obligations related to legal obligations to which the Company is subject, including obligations of an administrative and/or accounting nature;
c) with reference to the personal data of users who intend to make use of the services offered by Itabus to passengers with reduced mobility, fulfilment of the legal obligations to which the Company is subject regarding assistance to people with disabilities or reduced mobility as per Regulation (EU) No. 181/2011 of the European Parliament and of the Council of 16 February 2011;
d) obligations related to the performance of a contract, pre-contractual measures and/or the provision of services, such as, by way of example, the establishment and performance of the contractual relationship with Itabus relating to the transport service you have requested, assistance with the services and/or products you have purchased through the Web Site/App (so-called "customer service"), etc.;
e) requirements related to the need to ascertain, exercise or defend a right in judicial or administrative proceedings or in arbitration or conciliation proceedings;
f) activities of direct sales of services similar to those purchased by you, pursuant to the provisions of art. 130, paragraph 4, of the Privacy Code (so-called "soft spam"). It will be possible for the Company to use the e-mail address you provided in the context of the purchase of the ticket. However, you will be able, at any time (initially or during subsequent communications) to object to such processing by making a specific request to the data controller, made in accordance with the provisions of paragraph 8 of this policy;
g) the performance of promotional activities (so-called "marketing") and the sending of informative and promotional communications - by Itabus - concerning products and services of Itabus or an Itabus partner, and/or the reduction of the price of your research, by mail, internet, telephone, e-mail - including newsletters and direct e-mail marketing - MMS, SMS, also in order to carry out market research (so-called "customer satisfaction");
h) with reference to the personal data of users registered on the private area of the Website/App, the performance of profiling activities carried out in order to allow the analysis of tastes, preferences, habits, needs and consumption choices to receive personalized offers based on purchasing preferences;
i) provide information to users about the nearest bus stations and services that can be used in the geographical area of connection.
The processing of Your data for the purposes under letters b) and c) above does not require Your consent as it is necessary to comply with legal obligations to which the Controller is subject pursuant to article 6(1)(c) of the GDPR. In particular, the processing for the purpose under letter c) is necessary in order to comply with the legal obligations relating to assistance to people with disabilities or reduced mobility set out in Regulation (EU) No. 181/2011, pursuant to article 6(1)(c) and article 9(2)(b) of the GDPR.
The processing of Your data for the purpose under letter d) above does not require Your consent as it is based on the need to take pre-contractual measures and/or perform a contract to which You are a party pursuant to article 6(1)(b) of the GDPR.
The processing of Your data for the purposes under letters a), e) and f) above does not require Your consent as it is necessary to pursue the legitimate interest of the Controller, pursuant to article 6(1)(f) of the GDPR and article 130(4) of the Privacy Code.
The processing of Your data for the purposes under letters g), h) and i) requires Your consent pursuant to article 6(1)(a) of the GDPR.
3. Modalities of Processing
The processing of personal data will be carried out by means of suitable paper, electronic and/or telematic instruments, with logic strictly related to the purposes mentioned above and, in any case, in such a way as to ensure the security and confidentiality of the data.
4. Provision of data and consequences in case of failure to provide data
The provision of personal data for the purposes under letters b), c) and d) of the previous paragraph 2 is necessary for the fulfillment of legal and/or contractual obligations. The refusal and/or the provision of inaccurate and/or incomplete information could have as possible consequences:
i) the impossibility for the Company to comply with all the requirements imposed by the regulations in force instrumental and/or however related to the establishment and/or performance of the contractual relationship to which it is subject;
ii) the inability to enter into the contract of transportation and/or to ensure the regular and timely performance of the relevant contractual relationship, including assistance activities relating to services and / or products purchased by You through the Website/App (so-called "customer service").
The provision of personal data for the purposes under letters a), e) and f) of the previous paragraph 2 is necessary for the pursuit of the legitimate interests of the Controller indicated above. The refusal and/or the provision of inaccurate and/or incomplete information could have as possible consequences:
i) the impossibility for the Company to perform the activities related to the use of the Website/App, including the management and processing of Your requests for information submitted by filling in forms on the Website/App;
ii) the impossibility for the Company to ascertain, exercise or defend a right in judicial or administrative proceedings or in arbitration or conciliation procedures;
iii) the impossibility for the Company to perform direct sales of services similar to those purchased by You, pursuant to the provisions of art. 130(4) of the Privacy Code.
The provision of personal data for the purposes under letters g), h) and i) of the previous paragraph 2 is optional. However, the refusal and/or the provision of inaccurate and/or incomplete information could have as possible consequences:
i) the impossibility for the Company to contact You and/or send You informative and commercial communications, also of a promotional nature, advertising material and/or offers of goods and services of Itabus as well as to carry out market research;
ii) the impossibility for the Company to analyze your tastes, preferences, habits, needs and consumption choices and to send you personalized offers based on your purchasing preferences;
iii) the impossibility for the Company to provide information regarding the nearest bus stations and services that can be used in the geographical area of connection.
5. Recipients or categories of recipients of personal data
Your personal data may be disclosed to the shareholders, members of the board of directors or other administrative body and, in any case, to the Data Protection Officer, external data processors and subjects duly appointed by the Company in the exercise of their functions (so-called “Preposti” and “Autorizzati”).
Your personal data may be communicated to any subjects that provide the Company with services connected to the purposes indicated in paragraph 2 above such as, merely by way of example, subjects, entities and/or companies that manage and/or participate in the management and/or maintenance of the Websites and electronic and/or telematic instruments used by us.
Your personal data may also be communicated to suppliers, contractors, sub-contractors, banks and/or insurance companies, consultants who assist Itabus in various ways with particular reference to legal, tax, social security, accounting and organizational aspects; to the Police Force or to the Judicial Authorities in the context of investigations or judicial police inquiries for the purposes of prevention, detection or suppression of crimes; any other subject to whom the data must be communicated according to an express provision of law.
6. Transfer of data to Third Countries
Your personal data may possibly be communicated and/or transferred abroad, in accordance with the provisions of current legislation, including to countries outside the European Union.
In all such cases, the transfer is made on the basis of an adequacy decision of the Commission (Article 45 of the GDPR) or in accordance with standard data protection clauses or other appropriate safeguards pursuant to Articles 46 or 49 of the GDPR.
7. Period of processing and retention period
Your personal data will be processed only for the time necessary to achieve the purposes for which they are processed.
The data will be stored according to the following criteria:
- data processed for purposes related to the fulfilment of legal and contractual and/or pre-contractual obligations referred to in letters b), c) and d) of the paragraph 2 “Purposes of processing and legal basis of the processing” of this privacy policy will be stored for a period of 10 years, unless a need for further storage arises, in order to Itabus to defend its rights;
- the data processed for the purpose of direct sales of services similar to those purchased by You referred to in letter f) of the paragraph 2 " Purposes of processing and legal basis of the processing" of this privacy policy will be stored for a maximum period of 24 months;
- the data processed for the marketing purposes referred to in letter g) of the paragraph 2 “Purposes of processing and legal basis of the processing” of this privacy policy will be stored for a maximum period of 24 months;
- the data processed for the purpose of profiling referred to in letter h) of the paragraph 2 " Purposes of processing and legal basis of the processing” of this privacy policy will be stored for a maximum period of 12 months;
- the data processed for the pursuit of the legitimate interests referred to in letters a) and e) of the paragraph 2 “Purposes of processing and legal basis of the processing” of this privacy policy will be stored for a maximum period of time equal to the period of prescription of the rights that can be enforced by the Controller, as applicable from time to time;
- the data processed for the purpose of localization referred to in letter i) of the paragraph 2 " Purposes of processing and legal basis of the processing " of this privacy policy will not be retained.
8. Rights of the data subjects
We hereby inform You that at any time, in relation to Your data, You may exercise the rights within the limits and under the conditions set out in Articles 7 and 15-22 of the GDPR.
You may exercise such rights by contacting Itabus to the following email address privacy@itabus.it. You will have a suitable reply without delay and, in any case, within one month from the receipt of the request.
In detail, as data subject, You will have the right to:
- obtain confirmation whether or not personal data concerning You is being processed;
- if processing is in progress, obtain access to personal data and information relating to the processing and request a copy of the personal data;
- obtain the rectification of inaccurate personal data and the integration of incomplete personal data;
- obtain, if one of the conditions provided for in Article 17 of the GDPR is met, the erasure of personal data concerning You;
- obtain, in the cases provided for in Article 18 of the GDPR, the restriction of processing;
- receive personal data concerning You in a structured, commonly used and machine-readable format and request their transmission to another controller, if technically feasible.
8.1 Right to object
Each data subject has the right to object at any time to the processing of his/her data carried out in the pursuit of a legitimate interest of the Controller. In case of objection, Your data will no longer be processed unless there are legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
8.2 Right to object and to withdraw consent in relation to processing carried out for marketing, profiling and localization purposes
With regard to the processing of data for the purposes under letters g), h) and i) of the paragraph 2 " Purposes of processing and legal basis of the processing" of this privacy policy, each data subject may withdraw at any time the consent possibly given or object to their processing, by writing an email to the address privacy@itabus.it.
The withdrawal of Your consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Objection to the processing carried out through these methods also extends to the sending of commercial communications through the postal service or telephone calls with an operator, without prejudice to the possibility of exercising this right in part, for example by objecting only to processing carried out using automated communication systems.
8.3 Right to lodge a complaint with the Italian Data Protection Authority
Finally, pursuant to Article 77 of the GDPR, we remind You that You have the right to lodge a complaint with the Italian Data Protection Authority, if You believe that Your rights under the GDPR have been infringed, in the manner indicated on the website of the Italian Data Protection Authority accessible at the address www.garanteprivacy.it.
9. Data Controller, Processors and Data Protection Officer
The Controller is Itabus S.p.A., in the person of its Legal Representative pro tempore, with registered office at Lungotevere Vittorio Gassman 22, Rome.
The updated list of processors is available at the Controller’s registered office and may be obtained by sending an email to the email address: privacy@itabus.it.
The Data Protection Officer may be contacted by sending an email to the address dpo@itabus.it.
Last update: April 2021