We would like to inform you that your personal data is processed with fairness and transparency, for lawful purposes, and protecting your privacy and rights, in full compliance with the current data protection regulations (EU Regulation 2016/679 - GDPR and the current Privacy Code). Therefore, in compliance with the aforementioned regulations, we provide you with the following information:
Data Controller: SNCM Italia S.r.l. Via Tagliamento 3, 20139 Milan, IT VAT No. 13172990155 sncmitalia@pec.sncm.it
Your data is processed using IT systems, through our website http://ferry4you.com/ or other electronic tools suitable for ensuring high levels of security and confidentiality. It may also be processed in paper form or by phone, through our call center.
The data that may be requested from you includes: name, surname, phone number, email address, number of a valid identification document, date of birth, banking details, payment information, financial and tax data, and similar information (hereinafter referred to as “personal data” or simply “data”). The requested data is necessary for SNCM Italia S.r.l. to make a booking with one of the affiliated shipping companies and is obligatorily communicated to the company with which the ticket holder is traveling. Generally, we do not process sensitive or judicial data, but if this becomes necessary, we will only do so with your prior consent (Articles 9 and 10 of EU Regulation 2016/679). Data concerning minors may be processed: in such cases, appropriate information is provided in accordance with Article 8 of EU Regulation 2016/679.
The Data Controller processes personal and identifying data solely to provide the offered services and build customer loyalty. Our services consist of a main service, the issuance of the ticket, and a series of ancillary services. In all cases, given the necessity of the main service, without which the ancillary services could not be provided, the requested data is the same, and the purposes pursued by the Data Controller (to perform the agreed services and build customer loyalty) are identical. However, depending on the requested service, additional data may need to be communicated, due to the different activities requested by the customer/user, imposed on the Data Controller to comply with legal obligations, or dictated by appropriately justified operational choices. The explicit and voluntary provision of data through the completion of specific forms on our website entails the subsequent acquisition of that data by us. Summary information notices are prepared and/or displayed on the individual web pages dedicated to requesting specific ancillary services. SNCM Italia S.r.l. processes your personal data for the following purposes and based on the related legal criteria:
1. Issuing the ticket and providing any anticipated/purchased ancillary services. By providing the necessary data to complete the booking, you consent to its subsequent communication to the chosen shipping company. Failure to provide even some of these data and/or not consenting to their communication to the chosen company will make it impossible to fulfill the requested service(s). Since these processes are necessary for the definition of the contractual agreement and its subsequent implementation, your consent is not required (Art. 6, para. 1, lit. b) GDPR).
2. Managing payments, including through third-party banking/financial entities (Cariparma, Nexi). As these processes are necessary for the definition of the contractual agreement and its subsequent implementation, your consent is not required (Art. 6, para. 1, lit. b) GDPR). Data is processed by us and our appointed personnel and is communicated externally only to fulfill legal obligations. If you refuse to provide the necessary data for the above obligations, we will not be able to provide the requested services.
3. Managing invoicing. For this purpose, the processing is carried out without the need to obtain your consent (Art. 6, para. 1, lit. c) GDPR). Data is processed by us and our appointed personnel and is communicated externally only to fulfill legal obligations. If you refuse to provide the necessary data for the above obligations, we will not be able to provide the requested services. Data acquired for these purposes is retained by us for the time required by current regulations (10 years or more in the case of tax audits).
4. Handling potential complaints and/or disputes. For this purpose, processing is carried out without the need to obtain your consent (Art. 6, para. 1, lit. f) GDPR).
5. If it becomes necessary to perform a task in the public interest or related to the exercise of public authority vested in the Data Controller, processing is carried out without the need to obtain your consent (Art. 6, para. 1, lit. e) GDPR).
6. In certain cases, there may be a prevailing legitimate interest of the Data Controller, for instance, in cases of contractual non-compliance by the counterparty, leading the Data Controller to initiate a debt recovery procedure. In such cases, your consent is not required (Art. 6, para. 1, lit. f) GDPR).
7. With your explicit consent and until its withdrawal (Art. 6, para. 1, lit. a) and Art. 7 GDPR), to be given following specific and comprehensive information provided before obtaining the consent, your personal data may be processed for sending newsletters, advertising material, offers, including personalized ones, and other forms of direct and indirect marketing (Art. 130 Privacy Code and Art. 7 GDPR).
Examples of Ancillary Services Offered, Purposes of Processing, and Types of Data Processed
a) Sending an SMS about the ticket and reservation status solely for the purpose of processing the reservation (ticket) with: ticket number and other information. The purpose of the processing is to facilitate the complete acquisition of all relevant data related to the completed ticket purchase. The additional data requested, if not already provided, is a mobile contact number of the ticket holder. Generally, data is not transferred to non-European third countries. If such a transfer becomes necessary due to the location of the IT devices in use, such as servers or data storage systems, the Data Controller will promptly provide adequate information to the Customer. The Data Controller adopts measures suitable for data storage, using protection tools appropriate to the nature of the data. The regulation grants you the rights listed in Articles 15 to 22 of the GDPR, which you can exercise by contacting the Data Controller and/or the Data Protection Officer at the following contacts: Data Controller: SNCM Italia S.r.l., PEC: sncmitalia@pec.sncm.it Data Protection Officer: Paolo Napodano, email: paolo@ferry4you.com
b) Newsletter Subscription and Direct Marketing. The purpose of the processing is to obtain your explicit consent, pursuant to Art. 7 of the GDPR, for sending informational and promotional material to the email address provided. The only data requested is your email address.
c) Quick Contact Form. The purpose of the processing is to provide a prompt response to all your information requests. The data necessary for this purpose are name, surname, and email.
The transfer of personal data beyond the borders where the GDPR applies involves the risk that the applicable laws in the destination may not offer the same level of protection. Therefore, it is important for the data subject to be informed about potential risks related to the security and protection of the data. Our processing activities do not involve the transfer of personal data outside the borders of GDPR applicability.
Your data will be retained for a period not exceeding what is necessary to fulfill the stated purposes, and specifically, for the entire duration of the relationship and, even thereafter, for the time strictly necessary to comply with legal obligations. After these periods, the data will be deleted or anonymized and used only for statistical purposes.
Certain personal data (name, surname, phone number, email, number of a valid identification document, date of birth) is necessary for us to perform the main service (ticket issuance): failure to provide all or part of this data will result in our inability to execute the service. During your navigation on our website, through phone or electronic communications, or in direct contact at our office, you may be asked to provide additional data that is not strictly necessary for the main service but becomes relevant for the execution of any additional services. These will be specifically and thoroughly described each time, as exemplified in the previous section 5. Whenever we intend to offer you a service other than the main one, you will be provided with the specific purposes pursued and all information related to the processing we will perform, and you will be asked to give your consent. Failure to provide the requested data for a specific service or to give the corresponding consent for its use will not affect your ability to request and consent to other different services, nor will it limit, impede, or exclude the main service.
The personal data we collect is never disseminated, meaning it is not made available, even for consultation purposes, to undetermined subjects. Instead, it is subject to communication, particularly to:
❖ The chosen shipping company;
❖ Entities that may access the data to fulfill a legal obligation, within the limits established by the relevant legislation;
❖ Regular collaborators based on specific contractual agreements, identified according to their particular expertise related to the services requested by you;
❖ Public authorities and organizations for various necessary purposes;
❖ Banks and/or other financial entities if you choose to use payment methods managed by such entities;
❖ Third parties who become interlocutors or counterparts in the execution of the purchased services;
❖ Partner companies, if you have given consent to receive advertising and direct marketing from third parties.
As a data subject, you have the following rights under Articles 13-22 and 77-79 of the GDPR:
- Withdraw Consent at Any Time. You can withdraw consent for the processing of your personal data at any time (Art. 13, para. 2, lit. c) GDPR).
- Object to Data Processing. You can object to the processing of your data in the cases specified in Art. 21 GDPR.
- Access Your Data. You have the right to obtain information about the data processed by the Data Controller, specific aspects of the processing, and to receive a copy of the data being processed (Art. 15 GDPR).
- Verify and Request Rectification. You can verify the accuracy of your data and request updates or corrections (Art. 16 GDPR).
- Obtain Restriction of Processing. Under certain conditions, you can request the restriction of the processing of your data. In such cases, we will only retain the data without further processing (Art. 18 GDPR).
- Obtain Erasure or Removal of Personal Data. Under certain conditions, you can request the erasure of your data by the Data Controller (Art. 17 GDPR). We will ensure the deletion as promptly as possible in these cases.
- Receive Data in a Structured, Commonly Used, and Machine-Readable Format. Where technically feasible, you have the right to obtain and transfer your data to another data controller. This applies when data is processed using automated tools and the processing is based on consent, a contract involving the data subject, or related contractual measures (Art. 20 GDPR).
- File a Complaint. You can file a complaint with the competent data protection authority (Art. 77 GDPR).
- Take Legal Action. You have the right to seek judicial remedies (Art. 79 GDPR).
You can exercise your rights at any time by contacting the Data Controller at one of the provided addresses. For all matters related to the processing of your data and the exercise of your rights under the Regulation, you may contact the Data Protection Officer (DPO) at the following email address: paolo@ferry4you.com - Paolo Napodano (sncmitalia@pec.sncm.it)