PRIVACY POLICY - Release 1.1 as of June 4th, 2018

In compliance with the new European General Data Protection Regulation n. 679/2016 (also known as "GDPR") on the protection of personal data in force since May 25th, 2018, Gastaldi Global Travel Srl, as Data Controller informs its customers and all the persons who intend to give, or who have freely given their personal data to the undersigned company, that the privacy policies adopted by us are compliant with the law.

Through this Privacy Policy document, the user is informed about his/her own rights. By accepting to provide any personal data, the user grants his / her free consent, specific and unequivocal  that his/her personal data, provided on the website www.gastaldiglobal.com or through social networks or via Mail or other means of communication including verbal communication , are treated by Gastaldi Global Travel.

The user is bound to read carefully the following Privacy Policy document, written in a concise, clear and simple way to improve its understanding, in order to freely and voluntarily decide if he/her wishes to provide his/her personal data to Gastaldi Global Travel Srl.

 

What are the main rights of individuals with regard to their personal data (Chapter III - Rights of the interested party - Articles 12 and following)

  1. Right of access - Every person has the right to obtain confirmation about the existence or not, of a treatment concerning his / her data as well as the right to receive free and prompt information concerning the same treatment.

  2. Right to rectification - Everyone has the right to have their data corrected if they are incomplete or inaccurate.

  3. Right to be cancelled (so-called "right to be forgotten") - without prejudice to legal obligations, every person has the right to obtain the cancellation of his/her data in our archives, being aware that such cancellation could prejudice the continuation of the agreed services or give rise to penalties in the event of contract interruptions.

  4. Right to treatment suspension or limitation - Under certain conditions, the user has the right to suspend and / or limit the treatment, shouldn’t it be relevant for the pursuance of the contract and without prejudice to legal obligations.

  5. Right of portability - Everyone has the right to obtain the transfer of his/her data to a different holder. Such transfer will take place directly and digitally wherever possible.

  6. Right of opposition - Every person has the right to oppose, at any time, for reasons connected to his/her particular situation, to the processing of the personal data, being aware that the end of the treatment could prejudice the continuation of the agreed services or give rise to penalties in case of contract interruptions.

  7. Right of consent withdrawal - Every person has the right to revoke the approval to his/her data treatment processing at any time, while the lawfulness of the treatment based on consent before the revocation remains firm. If revocation of consent to processing takes place before the conclusion of the contractual obligations, the revoking party may incur in sanctions or penalties.

  8. The right to submit a complaint to the Control Authority -, Everyone has the faculty to ask his/her own rights exercise  towards the Guarantor Authority at any time (www.garanteprivacy.it).

The above rights may be exercised towards us, by contacting the addresses/contacts  listed in the following paragraph 1. The exercise of rights by an interested party is always free (except for special cases and provable costs by the Owner) in accordance with article 12 , of the GDPR.

1. The Controller of personal data processing (GDPR - Article 4 - paragraph 7) and Data Protection Officer (Article 37 et seq.)

Gastaldi Global Travel Srl, fiscal code 02852610100, with legal address in Via Nazionale 243, 00184 Roma, in the person of its legal representative, is the data Controller of personal data. To exercise your own rights, as set out in this statement, the Data Controller can be contacted by sending an e-mail to the dedicated e-mail address privacy@gastaldi.it  or by writing to: Data controller / Titolare del trattamento dei dati – c/o Gastaldi Global Travel Srl – Via Nazionale 243, 00184  Roma.

Gastaldi Global Travel also informs that it has prepared the Register of treatments (GDPR - Article 30), specifically edited and kept under constant updating. This Register is available for any appropriate inspection of the Competent Authority.

Lastly, Gastaldi Global Travel informs that on June 1st, 2018, it has designated the Data Protection Officer (DPO), with the task of providing guarantees to the Data Treatment Controller and to all the persons entitled, that the GDPR rules have been correctly interpreted and implemented. The DPO, appointed according to article 37 and following, answers the dedicated address: DPO@gastaldi.it

2. What data is treated (GDPR- Article 5 and following)

"Personal data" means any information suitable for identifying, directly or indirectly, a natural person who uses the services offered by Gastaldi Global Travel, directly and / or through their own trademarks and / or by the companies of the Gastaldi Group. In particular, we collect and process personal data necessary for the stipulation of contracts typical of our prevailing business object (Tourism Services) such as:

  • personal data and identification (name, surname, date and place of birth, fiscal code, gender);

  • residence address, telephone number and email address;

  • credit card information for payments;

  • the bank account details for any charges;

  • in general, any other data and information necessary for the best conclusion and execution of the contract.

Moreover, when a user uses our website, in addition to the information present in the "registration forms", there are also being tracked and processed:

  • navigation data,

  • contact details,

  • the IP address,

  • the domain name of the devices used,

  • the URL used,

  • information on the operating system and the IT environment used,

  • the browsing chronology,

as well as data provided voluntarily in this context to take advantage of our services and purchase our products.

Within the boundaries of the law, Gastaldi Global Travel may receive information regarding the consumer from third-party sources (typically Correspondents and Travel Agencies): Gastaldi undertakes to ensure that all the third-party sources, with which maintains consolidated business relationships, also apply correctly the rules set out in the "GDPR" Regulations, (article 14 - Information not obtained directly by the interested party), specifically that personal information will be transferred to us, indicating  to the costumer to consult this Privacy Policy document. Following same article 14 of the GDPR, Customer has to be aware that whenever personal information is provided to us by third parties (for example family members who book for the whole family), the person who communicates the data assumes full responsibility for what he/ she declares, i.e. must declare having received the explicit consent of the persons for whom we are provided with the data.

In special cases, and at the express request of the costumer, information on possible food allergies or intolerances or other health information necessary for the correct execution of the contract could be collected. Such sensitive information will be treated by us in strict confidence and in the exclusive interest of the user. When the strict necessity of use of such information will be over, these will be cancelled.

Gastaldi Global Travel does not intend to treat, nor wants to request or collect personal information from individuals under the age of 18 (article 8 of the GDPR and following). If the user of the site is under the age of 18 years old, he/she must not use the site or must not provide his/her data. This restriction includes, without limitation, all the interactive areas of the site. In special cases, because of contractual obligations (air travel, hotel reservations, etc.), information on under 18 persons can be collected ONLY under the responsibility of a legal guardian: in this case, once the necessary formalities related to the provision of the services have been completed, the data of the under 18 persons will be IMMEDIATELY deleted from all our systems.

Finally, our websites also collect data via cookies. In general, we use the so-called technical cookies necessary to ensure the customer the best functionality of our website. Should the use of cookies need to be disabled, the user may at any time change the settings of his PC browser. For more details about the additional types of cookies we use, i.e. the so-called third-party cookies and profiling, please see our cookie policy published on our website.

3. Treatment Purpose (GDPR - Article 6 - Lawfulness of processing)

The personal data collected by us are strictly necessary to follow up the requests and services purchased by customers, i.e.:

• For the conclusion and execution of the contract concerning our services, i.e. for  any necessary connected and instrumental pre-contractual activity, for the management of the contractual relationship (administrative and accounting activities, customer assistance, complaints management, credit recovery ), for the delivery of services required;

• to comply with the legal obligations and requests of the Authorities, as well as to comply with the provisions of the legislation for the prevention of fraud, money laundering and terrorism financing, where applicable;

Furthermore, in view of the continuous improvement of our customer experience and in order to offer increasingly targeted services, the treatment, with explicit authorization (as the rule prescribes), is carried out:

• for commercial promotion and marketing activities for the direct offering of our products and services similar to those already purchased, or which interest has been expressed for (requests for quotations). We will do so acting on the basis of our legitimate interest, providing the interested parties at any time with the right to oppose to receiving communications by contacting us at the addresses indicated previously at above point 1.

4. Data transfer to third parties (GDPR - Chapter V - articles 44th and following)

The data provided to us is communicated and / or transferred only to the individuals employed for conducting activities necessary to achieve the purposes covered by the contracts for tourist services.

Said information can be transferred within the European Union or outside according to the placing of correspondents who provide or facilitate the development of the services offered and / or purchased by our customers.

Some of our services (information, booking, contact) could be provided in collaboration with third parties who mainly provide us with IT cloud resources and services. These entities will be specifically appointed by us as controllers: the list of third parties processing data on our behalf can be requested by contacting us at the above indicated addresses.

5. Data storage time limit (GDPR Article 5 - letter "e" and subsequent references)

Personal data will be kept for the time necessary to perform the processing for the purposes mentioned above. In particular, personal data will be stored with specific reference to the different treatment processing purposes:

a) Storage of data for the duration of the contract and until there are obligations or obligations related to the execution of the same. After the termination of the contractual relationship, the data will be stored in the necessary manner and only for the period provided for to comply with legal obligations;

b) With reference to data processing for marketing purposes, carried out on the basis of a legitimate interest, i.e. of received consent, the data will be processed for the entire duration of the contract and, subsequently, up to the opposition or revocation of consent, (which may occur at any time);

c) The data processed for profiling purposes (practice to establish only travel and tourism trends, not transferable to third parties and obtained with specific consent) will be managed until the possible revocation of consent and / or the request to obtain the termination of treatment.

6. Customer Liability

The customer (private or company):

  • Guarantees to be elder than eighteen (18) years old and that the information provided to Gastaldi Global Travel is true, accurate, complete, up-to-date and authorized. To this end, the user is responsible for the truthfulness of all data communicated and undertakes to provide information in a timely manner, so that they always correspond to the actual situation. In the case of children under 16 years old, the information must be provided by a legal guardian under his/her own responsibility.

  • If a person provides information of other people (typically family bookings), the person in question assumes the responsibility of informing all the people involved of having provided us with their personal data, the purposes for which they have been provided, as well as our Privacy Policy.

  • In the event of companies, the Customer guarantees that he has informed the third parties of whom he provided the data, if any, of the topics covered in this document. Customer also guarantees that it has obtained the authorization to provide such data to Gastaldi Global Travel for the purposes indicated.

  • The Customer (private or company) will be held responsible for any false or inaccurate or not allowed information, provided on our website or by other means, and responsible for consequent direct or indirect damages caused to Gastaldi Global Travel and / or to third parties.

7. Customer  Data Protection (GDPR Article 32)
Gastaldi Global Travel, under the supervision of the DPO, takes the protection of Customer data seriously and has taken appropriate technical and physical measures to protect the information collected in relation to the provided Services. All our archives containing personal data are protected in special fireproof cabinets with key. All our computers and our remote accesses are password protected with strict policies on updates and backups. Gastaldi Global Travel is organizing services to monitor  the "data breach" (Article 33 of the Regulation) as specified in the rule, in order to notify the Authority and the interested parties of any violations within 72 hours.

Gastaldi Global Travel will treat the Customer's data at all times in an absolutely confidential manner and maintaining the obligation of secrecy in front of him/her, in compliance with the provisions of the Regulations, adopting the reasonable necessary technical and organizational measures in order to guarantee the security of data and avoiding alteration, loss, unauthorized treatment or access, taking into account the technology status, the kind of the stored data and any risks to which they are exposed.

8. Privacy Notice Updates
This current Privacy Notice, numbered release 1.1 and written on June 4th,  2018, replaces the previous 1.0 release, drafted on May 25th,  2018.

Each release may be periodically updated in order to take into account the changes made to Gastaldi Global Travel's organizational procedures on personal data in relation to the Services, or due to changes in the applicable law. Gastaldi Global Travel will publish a communication on its website and / or communicate it via e-mail to its Customers (when sending newsletters to registered users) to inform in case of substantial changes (main release) to the Privacy Policy.