Introduzione alle Informative di cui agli articoli 13 e 14 del Regolamento UE n. 2016/679 (“GDPR”)
The data controller is Arriva Italia S.r.l., with registered office in 20145 – Milan via Trebazio 1 (“Owner”).
The Data Controller has appointed a person responsible for the protection of personal data (“Data Protection Officer” or “DPO”) that the interested party may contact in order to exercise their rights, as well as to receive any information relating to the same and / or information on referred to below, by writing to email@example.com.
The protection and respect of personal data are important for Arriva Italia S.r.l. The Disclosures indicate the bases under which any personal data collected or provided to us will be processed.
We invite users to read the following carefully in order to understand Arriva Italia’s practices
regarding the use and storage of personal data and the related processing methods.
By visiting the websites www.arriva.it and www.estore.arriva.it or providing information and personal data in the cases described below, the user acknowledges and, where appropriate, agrees to the processing described in the related information.
1. Data collected
Data provided by the user. By filling out the forms available on the Arriva Italia sites or by contacting Arriva Italia by telephone, e-mail or other methods on the sites, the user will provide their personal data. The personal data requested in accordance with the minimization principle are only the data necessary and sufficient to identify the data subject in relation to the services requested.
Furthermore, the user will also provide personal data on other occasions such as, for example, when registering to use the sites, to download and use the App, subscribe to the services, purchase tickets, use the Wi-Fi service. present on vehicles, participate in a competition, promotion or survey, report a problem relating to the sites or make a complaint, propose a candidacy in the “work with us” section, or propose other reports in the appropriate area (eg: lost objects) as well as to take advantage of specific benefits provided for by the regulations in force or offered by ARRIVA.
The personal data provided on such occasions could include the name and surname, place and date of birth, social security number, residence and domicile address, e-mail address and telephone number, financial information, photography or other details concerning the ” use of the user’s mobile device or laptop.
Collected data. On the occasion of each access and visit to the sites by the user, like the Apps, Arriva Italia will have the opportunity to collect the following information:
• information of a technical nature, such as the IP or MAC address used to connect the mobile device or
computer to the Internet, geographic location login information, browser type and version,
settings relating to the time zone, system and operating platform;
• information relating to access, including the full URL, click flows to, through and from sites (including date and time), products viewed or searched, page response times, download errors, duration of visits to certain pages, information about the interaction of the page (such as scrolling, clicking and mouse-overs) and methods used to navigate and any telephone number used to contact customer service.
• Information received from other sources. Arriva Italia works closely with third parties (for purposes
commercial, use of technical services, payment and delivery, analysis purposes, research information,
credit agencies) and we may receive information on your personal data from these parties in case of use of the related sites.
Personal Data collected: Cookies and Usage Data.
Facebook Ads is a form of advertising that allows the Owner to promote a post, or content to an audience that is therefore interested in a particular product. The activity is carried out by means of a tracking pixel (“tracking pixel”) that connects the Sites to the company page on Facebook. The code collects visitor data allowing to trace their path.
Data belonging to particular categories. Arriva Italia, in compliance with article 9 GDPR, does not process data
of the interested party qualified as “special categories of personal data” (for example, information relating to membership of a trade union, ethnic origin or information relating to the state of health) unless the conditions of exemption provided for in the same article 9 apply point 2, with particular regard to letter b) “consent of the interested party” and letter c) “exercise of specific rights of the interested party and the Data Controller”.
Arriva Italia has prepared specific information for the different processing purposes:
ITALY ARRIVES – LIST OF RELATED INFORMATION
a) Information for customers and third parties
b) Information on travel tickets
c) Information on the sale of tourist events
d) Information on LPT administrative sanctions
e) TPL video surveillance information
f) Information on video surveillance deposits and ticket offices
g) Information on anti-mafia purchases
h) DUVRI information
i) Information on personnel selection
j) Newsletter information
k) Geolocation information
l) Cookies information
3. Purpose and legal basis of the treatments
Data collected by us: The computer systems and software procedures used to operate the websites
acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow the interested parties to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the sites, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment. These data constitute the connection register.
These data are used by Arriva Italia for the sole purpose of obtaining anonymous statistical information on the use of the sites and to check their correct functioning. The register of connections is then kept at the disposal of the Judicial Authority and exhibited only upon explicit request.
Data provided by users. Legal basis of the processing. The processing of the data of the interested party is lawful only if justified by a legal basis. Pursuant to Article 6 of the GDPR, the processing is lawful only if and to the extent that at least one of the following conditions is met:
a) the interested party has given consent to the processing of their personal data for one or more specifications
b) the processing is necessary for the execution of a contract of which the interested party is a party or for the execution of
pre-contractual measures adopted at the request of the same;
c) the processing is necessary to fulfill a legal obligation to which the data controller is subject;
d) the processing is necessary for the protection of the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task of public interest or related to the exercise of public authority vested in the data controller;
f) the processing is necessary for the pursuit of the legitimate interest of the data controller or of
third parties, provided that the interests or fundamental rights and freedoms of the interested party do not prevail
require the protection of personal data, in particular if the data subject is a minor.
Nature of the provision
The legal basis for the processing of the requested data is indicated within each information notice. In relation to this condition, the need arises on the part of the interested party to provide his consent or the need to acquire such data without the consent of the interested party, since – otherwise – the processing of such data would not be possible and, consequently, access to the service provided. Therefore, the user’s refusal to provide personal data will not allow to provide
ire the information, services and, in any case, the response to the interested party’s request.
4. Sharing of information provided by the interested party
For the pursuit of the purposes indicated, Arriva Italia has the right to communicate the personal data of the interested party to the following categories of recipients. Arriva Italia however provides for the request for the release of consent to the transfer of said data.
• companies of the Deutsche Bahn Group (www.bahn.de) or companies of the Arriva Group (www.arriva.co.uk);
• subjects who carry out tasks of a technical and organizational nature on behalf of Arriva Italia;
• subjects who carry out acquisition, processing and processing services of the data necessary for the use of services for customers;
• subjects that provide services for the management of the sites and their information system;
• subjects who carry out customer assistance activities;
• firms and companies that provide services to Arriva Italia in the context of assistance and consultancy relationships;
• subjects who carry out checks, audits, certification of the activities implemented by Arriva Italia also in the interest of its customers and users;
• companies and consultants specialized in conducting informative interviews, in carrying out psycho-aptitude tests and in evaluating their results;
• companies for the provision of functional services for recruitment / selection (such as, by way of example, IT or archiving services).
Arriva Italia also has the right to communicate the user’s personal data to a buyer or potential buyer (and their agents and consultants) in relation to any reorganization, restructuring, merger or sale, or other transfer of assets, it being understood that , in these cases, Arriva Italia undertakes to inform any recipient of your personal data who must use them exclusively for the purposes indicated in this information. The subjects belonging to the above categories operate as separate Data Controllers or as data processors appointed for this purpose by Arriva Italia. Personal data may also be known by Arriva Italia employees / consultants who have been specifically appointed persons authorized to
Arriva Italia, pursuant to the GDPR, maintains a Register of treatments, in which the Data Controllers and Managers of the treatments are noted, as well as the various treatments. For any information in this regard, it is possible to contact the DPO at the addresses indicated.
5. Retention period of personal data.
Personal data will be processed for the period strictly necessary for the purpose for which they were collected and stored for the period established by the law (including the provisions for the prescription of rights) or by company practice, where there are no indications. For the related information, please refer to the individual disclosures.
6. Safety information
Arriva Italia adopts appropriate technical and organizational security measures in order to protect the personal data processed by collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, unauthorized use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.
All personal data provided or collected are stored on an infrastructure compliant with the UNI CEI EN ISO / IEC 27001: 2013 standard in the “Information Technologies – Security Techniques – Information Security Management Systems” standard UNI CEI EN ISO / IEC 27018: 2019 and UNI CEI EN ISO / IEC 27018: 2014, both in the field of “Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”.
Arriva Italia has also participated since 2013 in a group program (promoted by Arriva Plc – UK) in the field of Information Security with its own Information Security Framework, based on UNI CEI EN ISO / IEC 27000 standards and CSIA Framework – Cyber Security & Information Assurance (Policy, Framework, Standards).
Arriva Italia is part of the Deutsche Bahn – Arriva Group, which, in addition to carrying out training courses for its employees regarding the policies and procedures internally adopted on privacy, has implemented an access system for which it is only allowed to authorized employees, based on the need to learn about them consistently with the role held, to access personal data. Arriva Italia also acts to ensure that all service providers that the company assigns to process personal data on our behalf take appropriate technical and organizational measures to
in order to safeguard such personal data.
7. Update of this information
Arriva Italia will update this Notice as a result of regulatory, technical or commercial changes. In this case, Arriva Italia will take appropriate measures to inform the interested parties. Any substantial change to the information will be subject to new consent.
The information published on the sites are updated to the most recent version. Any further version cancels and replaces the previous one.
8. Rights of the interested party
In relation to the treatments described in this Notice, as an interested party you may, under the conditions provided for by the GDPR, exercise, in particular, the following rights:
• right of access: right to obtain confirmation as to whether or not personal data is being processed, in this case, to obtain access to personal data – including a copy of the same – and the communication, among others, of the following information :
a) purpose of the processing
b) categories of personal data processed
c) recipients to whom these have been or will be communicated
d) data retention period or the criteria used
e) rights of the interested party (rectification, cancellation of personal data, limitation of processing and right to object to processing
f) right to lodge a complaint
g) the right to receive information on the origin of my personal data if they have not been collected from the interested party
h) the existence of an automated decision-making process, including profiling
• right of rectification: the right to obtain the rectification of inaccurate personal data and / or the integration of incomplete personal data;
• right to cancellation (right to be forgotten): the right to obtain the cancellation of personal data when:
a) the data are no longer necessary with respect to the purposes for which they were collected or otherwise processed
b) You have withdrawn your consent and there is no other legal basis for the processing
c) You have successfully opposed the processing of your personal data
d) the data have been unlawfully processed
e) the data must be deleted to fulfill a legal obligation
f) the personal data was collected in relation to the information society service offer referred to in Article 8, paragraph 1, GDPR. The right to erasure does not apply to the extent that the processing is necessary for the fulfillment of a legal obligation or for the performance of a task carried out in the public interest or for the ascertainment, exercise or defense of a right. in court
• right to limitation of treatment: right to obtain limitation of treatment, when:
a) the interested party disputes the accuracy of personal data
b) the processing is unlawful and the interested party opposes the deletion of personal data and instead requests that its use be limited
c) personal data are necessary for the interested party to ascertain, exercise or defend a right in court
• right to object: right to object to the processing of personal data, unless there are legitimate reasons for the Data Controller to continue processing;
• right to data portability: right to receive, in a structured format, commonly used and readable by an automatic device, the personal data concerning you provided to the Data Controller and the right to transmit them to another controller without impediments, if the processing is based on consent and is carried out by automated means. Furthermore, the right to obtain that personal data be transmitted directly from Arriva Italia to another owner if this is technically feasible;
• lodge a complaint with the Guarantor Authority for the protection of personal data, Piazza di Montecitorio n. 121, 00186, Rome (RM).
9. Questions on the present disclosure.
For any question, doubt or request relating to this information or in relation to the processing carried out in relation to the user’s personal data, the contacts are as follows: e-mail firstname.lastname@example.org or by post to the following address: Arriva Italia S.r.l. via Trebazio 1, 20145 Milan.