In compliance with the new European General Data Protection Regulation n. 679/2016 (also known as "GDPR") on the protection of personal data in force since May 25th, 2018, Gastaldi Global Travel Srl, as Data Controller, informs its customers and all persons who intend to give, or who have freely given, their personal data to the undersigned company that the privacy policies adopted by us are compliant with the law.
What are the main rights of individuals with regard to their personal data (Chapter III - Rights of the interested party - Articles 12 and following)
Right of access - Every person has the right to obtain confirmation of whether or not a treatment concerning his/her data exists, as well as the right to receive free and prompt information concerning that treatment.
Right to rectification - Everyone has the right to have their data corrected if they are incomplete or inaccurate.
Right to be cancelled (so-called "right to be forgotten") - without prejudice to legal obligations, every person has the right to obtain the cancellation of his/her data in our archives, being aware that such cancellation could prejudice the continuation of the agreed services or give rise to penalties in the event of contract interruptions.
Right to treatment suspension or limitation - Under certain conditions, the user has the right to suspend and/or limit the treatment, should it not be relevant for the pursuance of the contract and without prejudice to legal obligations.
Right of portability - Everyone has the right to obtain the transfer of his/her data to a different holder. Such transfer will take place directly and digitally wherever possible.
Right of opposition - Every person has the right to object at any time, for reasons connected to his/her particular situation, to the processing of his/her personal data, being aware that the end of the treatment could prejudice the continuation of the agreed services or give rise to penalties in case of contract interruptions.
Right of consent withdrawal - Every person has the right to revoke consent to the processing of his/her data at any time, while the lawfulness of the treatment based on consent before the revocation remains firm. If revocation of consent to processing takes place before the conclusion of the contractual obligations, the revoking party may incur sanctions or penalties.
The right to submit a complaint to the Control Authority - Everyone may, at any time, apply to the Guarantor Authority to exercise his/her rights (www.garanteprivacy.it).
The above rights may be exercised towards us by contacting the addresses/contacts listed in the following paragraph 1. The exercise of rights by an interested party is always free (except for special cases and costs provable by the Owner) in accordance with article 12 of the GDPR.
1. The Controller of personal data processing (GDPR - Article 4 - paragraph 7) and Data Protection Officer (Article 37 et seq.)
Gastaldi Global Travel Srl, fiscal code 02852610100, with legal address in Via Nazionale 243, 00184 Roma, in the person of its legal representative, is the data Controller of personal data. To exercise your own rights, as set out in this statement, the Data Controller can be contacted by sending an e-mail to the dedicated e-mail address firstname.lastname@example.org or by writing to: Data controller / Titolare del trattamento dei dati – c/o Gastaldi Global Travel Srl – Via Nazionale 243, 00184 Roma.
Gastaldi Global Travel also informs that it has prepared the Register of treatments (GDPR - Article 30), specifically edited and kept under constant updating. This Register is available for any appropriate inspection of the Competent Authority.
Lastly, Gastaldi Global Travel informs that on June 1st, 2018, it has designated the Data Protection Officer (DPO), with the task of providing guarantees to the Data Treatment Controller and to all the persons entitled, that the GDPR rules have been correctly interpreted and implemented. The DPO, appointed according to article 37 and following, answers the dedicated address: DPO@gastaldi.it
2. What data is treated (GDPR - Article 5 and following)
"Personal data" means any information suitable for identifying, directly or indirectly, a natural person who uses the services offered by Gastaldi Global Travel, directly and / or through their own trademarks and / or by the companies of the Gastaldi Group. In particular, we collect and process personal data necessary for the stipulation of contracts typical of our prevailing business object (Tourism Services) such as:
personal data and identification (name, surname, date and place of birth, fiscal code, gender);
residence address, telephone number and email address;
credit card information for payments;
the bank account details for any charges;
in general, any other data and information necessary for the best conclusion and execution of the contract.
Moreover, when a user uses our website, in addition to the information present in the "registration forms", the following are also tracked and processed:
the IP address,
the domain name of the devices used,
the URL used,
information on the operating system and the IT environment used,
the browsing chronology,
as well as data provided voluntarily in this context to take advantage of our services and purchase our products.
In special cases, and at the express request of the customer, information on possible food allergies or intolerances or other health information necessary for the correct execution of the contract could be collected. Such sensitive information will be treated by us in strict confidence and in the exclusive interest of the user. When the use of such information is no longer strictly necessary, it will be cancelled.
Gastaldi Global Travel does not intend to treat, nor wants to request or collect personal information from individuals under the age of 18 (article 8 of the GDPR and following). If the user of the site is under the age of 18 years old, he/she must not use the site or must not provide his/her data. This restriction includes, without limitation, all the interactive areas of the site. In special cases, because of contractual obligations (air travel, hotel reservations, etc.), information on under 18 persons can be collected ONLY under the responsibility of a legal guardian: in this case, once the necessary formalities related to the provision of the services have been completed, the data of the under 18 persons will be IMMEDIATELY deleted from all our systems.
3. Treatment Purpose (GDPR - Article 6 - Lawfulness of processing)
The personal data collected by us are strictly necessary to follow up the requests and services purchased by customers, i.e.:
• for the conclusion and execution of the contract concerning our services, i.e. for any necessary connected and instrumental pre-contractual activity, for the management of the contractual relationship (administrative and accounting activities, customer assistance, complaints management, credit recovery), for the delivery of services required;
• to comply with the legal obligations and requests of the Authorities, as well as to comply with the provisions of the legislation for the prevention of fraud, money laundering and terrorism financing, where applicable;
Furthermore, in view of the continuous improvement of our customer experience and in order to offer increasingly targeted services, the treatment, with explicit authorization (as the rule prescribes), is carried out:
• for commercial promotion and marketing activities for the direct offering of our products and services similar to those already purchased, or for which interest has been expressed (requests for quotations). We will do so acting on the basis of our legitimate interest, providing the interested parties at any time with the right to object to receiving communications by contacting us at the addresses indicated in point 1 above.
4. Data transfer to third parties (GDPR - Chapter V - Articles 44 and following)
The data provided to us is communicated and / or transferred only to the individuals employed for conducting activities necessary to achieve the purposes covered by the contracts for tourist services.
Said information can be transferred within the European Union or outside according to the placing of correspondents who provide or facilitate the development of the services offered and / or purchased by our customers.
Some of our services (information, booking, contact) could be provided in collaboration with third parties who mainly provide us with IT cloud resources and services. These entities will be specifically appointed by us as controllers: the list of third parties processing data on our behalf can be requested by contacting us at the above indicated addresses.
5. Data storage time limit (GDPR Article 5 - letter "e" and subsequent references)
Personal data will be kept for the time necessary to perform the processing for the purposes mentioned above. In particular, personal data will be stored with specific reference to the different treatment processing purposes:
a) Storage of data for the duration of the contract and for as long as there are obligations related to its execution. After the termination of the contractual relationship, the data will be stored in the necessary manner and only for the period provided for to comply with legal obligations;
b) With reference to data processing for marketing purposes, carried out on the basis of a legitimate interest, i.e. of received consent, the data will be processed for the entire duration of the contract and, subsequently, up to the opposition or revocation of consent (which may occur at any time);
c) The data processed for profiling purposes (practice to establish only travel and tourism trends, not transferable to third parties and obtained with specific consent) will be managed until the possible revocation of consent and / or the request to obtain the termination of treatment.
6. Customer Liability
The customer (private or company):
Guarantees that he/she is over eighteen (18) years old and that the information provided to Gastaldi Global Travel is true, accurate, complete, up-to-date and authorized. To this end, the user is responsible for the truthfulness of all data communicated and undertakes to provide information in a timely manner, so that it always corresponds to the actual situation. In the case of children under 16 years old, the information must be provided by a legal guardian under his/her own responsibility.
In the case of companies, the Customer guarantees that it has informed the third parties whose data it provided, if any, of the topics covered in this document. The Customer also guarantees that it has obtained the authorization to provide such data to Gastaldi Global Travel for the purposes indicated.
The Customer (private or company) will be held responsible for any false or inaccurate or not allowed information, provided on our website or by other means, and responsible for consequent direct or indirect damages caused to Gastaldi Global Travel and / or to third parties.
7. Customer Data Protection (GDPR Article 32)
Gastaldi Global Travel, under the supervision of the DPO, takes the protection of Customer data seriously and has taken appropriate technical and physical measures to protect the information collected in relation to the provided Services. All our archives containing personal data are protected in special fireproof cabinets with key. All our computers and our remote accesses are password protected with strict policies on updates and backups. Gastaldi Global Travel is organizing services to monitor the "data breach" (Article 33 of the Regulation) as specified in the rule, in order to notify the Authority and the interested parties of any violations within 72 hours.
Gastaldi Global Travel will treat the Customer's data at all times in an absolutely confidential manner, maintaining the obligation of secrecy towards him/her, in compliance with the provisions of the Regulations, and adopting the reasonable and necessary technical and organizational measures to guarantee the security of data and to avoid alteration, loss, unauthorized treatment or access, taking into account the state of technology, the kind of data stored and any risks to which they are exposed.
8. Privacy Notice Updates
This current Privacy Notice, numbered release 1.1 and written on June 4th, 2018, replaces the previous 1.0 release, drafted on May 25th, 2018.