Information on the processing of personal data pursuant to art. 13 and 14 of Regulation (EU) 2016/679
(hereinafter the “Regulation” or “GDPR”) within the scope of the package tour management.
In accordance with art. 13 and 14 of Regulation (EU) 2016/679 (hereinafter: “Regulation” or “GDPR”) with this information Globest S.r.l.s. intends to inform the customer about the processing of personal data in the context of the management of quotes and/ or booking of the travel package and related tourist services. This information is also provided to participants of the trip who are not holders of the application as well as to the participant of minor age and/ or incapacitated whose holder of the application is the holder of parental responsibility and/ or legal representative. The processing of personal data will be based on the principles of correctness, legality, transparency, limitation of purposes and storage, minimization and accuracy, integrity and confidentiality, as well as the principle of accountability referred to in art. 5 of the Regulation, in accordance with the legislation on personal data protection.
1. Data controller and data protection officer
The data controller of personal data is: Globest S.r.l.s., based in Palermo in via Ercole Bernabei n. 19, which can be contacted at: info@globest.it (hereinafter “Controller” or “Globest”), through its legal representative, Loredana Badalamenti, E-mail address: loredana.badalamenti@globest.it
2. Category and types of data subject to processing and source from which they originate
In the pursuit of the processing purposes identified in paragraph 3 below, the Data Controller may process personal data belonging to the category of common data and consisting, in particular, in the personal data and identification (including name, surname, tax code, date and place of birth, nationality etc. ), contact details (fixed and/or mobile phone number; e-mail address; address and/or residence data), passport and/or identity card details, information on the details of the travel estimates requested and/or the package tours and tourist services purchased, other administrative-accounting information relating to the purchase made, including payment information and, specifically, the information regarding the successful transaction made through the payment method used by the customer (payment by credit/debit card; bank transfer; etc. ). In addition, prior consent ex art. 9.2.a) of the Regulation, the Data Controller may also process data belonging to “special” categories relating to the state of health related to special needs of the holder of the practice and/ or other participants of the trip (e.g. specifically food allergies/intolerances, disability conditions and other health information including life-saving medicines and electronic medical devices), whose processing is necessary for the purpose of booking and/ or management of the package tour/ tourist service. With reference to the source from which the personal data mentioned above originate, please note that the personal data are collected directly from the interested party in the case of the request for a quote and/ or booking and purchase of the tourist package/ tourist service. The Data Controller specifies that the personal data of the participants of the trip not entitled to the application are obtained by the participant entitled to the application in the request for a quote and/ or booking of the travel package and related tourist services, as well as collected directly from the non-party to the case, for example when requesting assistance and/or information.
3. Purpose of processing, legal basis and mandatory or optional nature of the processing personal data will be processed for the following purposes:
a) creation of quotes, sale of the tourist packages and management of the same and related services, including insurance and personal assistance services, as regulated in the general conditions of sales of tourist packages, sending sms and/or e-tours service emails containing information on the requested quote as well as information related to the tourist package purchased and the related services, including the execution of any related contractual and administrative accounting activity; to identify specific requests for assistance and information addressed to the Owner in relation to pre- and post-sale, including the execution of related contractual and administrative accounting activities;
b) if the package is also combined with the compulsory and/or optional insurance policy offered by Globest’s partner insurance companies, for the transmission of personal data to these companies as independent data controllers, for the management and provision of the insurance service, as regulated in the general conditions of sale of the tourist package;
c) comply with any obligations under applicable laws, regulations or Community legislation, or respond to requests from the authorities;
d) excluding any personal data belonging to the “particular” categories referred to in art. 9, par. 1 of the GDPR, to send, with the specific consent of the data subject, promotional and marketing communications, including newsletters, promotional offers, commercial initiatives, advertising material, direct sales and market research, on products and services of the Data Controller, through automated contact systems (such as e-mail, sms, instant messaging systems) and non-automated (such as paper mail, telephone with operator); it is specified that the Data Controller collects a single consent for the marketing purposes described here, pursuant to the General Provision of the Guarantor for the Protection of Personal Data. 3 to 6 “Guidelines on promotional activities and anti-spam” of 4 July 2013. If, in any case, the customer wishes to object to the processing of their data for marketing purposes carried out with some or all the means of contact indicated above, you can do this at any time by contacting the Data Controller at the addresses indicated in paragraph 1 of this information, without prejudice to the lawfulness of the processing carried out before the objection;
e) for the direct sending by e-mail and paper of advertising material and commercial communications to promote the sale of Globest products or services similar to those purchased by the customer (cd. “soft spam”), unless you expressly refuse to receive such communications, which you may express at the first communication or on subsequent occasions through the appropriate feature in each e-mail or by writing at any time to the Data Controller at the contacts indicated above;
f) satisfy any defensive needs of the Owner both in the out-of-court and judicial phase;
The legal basis for processing personal data for the purposes referred to in letters a) and b) is to be identified, for common data, in art. 6, para. 1, lett. b) of the Regulation ([… ]the processing is necessary for the execution of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the data subject), as the processing is necessary for the provision of the requested services, whereas, for personal information belonging to the category of particular data related to health status, the legal basis of the processing is the consent given by the interested party pursuant to art. 9.2.a) of the Regulation; in the event that health data are related to minors and/ or incapacitated subjects, the explicit consent to the processing must be provided by the company of parental responsibility and/ or legal representative of the child and/ or subject unable.
The legal basis for the processing of personal data for the purpose referred to in point c) is to be identified, for common data, in art. 6, para. 1 lit. b) of the Regulation as the Holder, as the policyholder of the insurance policy in favor of the participants of the package tour, has a contractual obligation to communicate the data of the insured to the insurance company, Details of the journey and associated insurance coverages/packages. It is also noted that, with regard to personal data belonging to particular categories and specifically health-related data, the same may be transmitted to insurance companies only after specific consent of the interested party to the communication of such information pursuant to art. 9, para. 2, lett. a) of the Regulation, in order to allow the correct management of the insurance policy concluded by the interested party.
The provision of personal data for the purposes referred to in letters a), b) and c) is optional, but failure to provide it may make it impossible to provide the services requested. Likewise, the consent required for the processing of particular data is free and optional; however, without such consent the Data Controller will not process personal information belonging to the category of particular data for the purpose of providing the requested services. The purpose referred to in point d) represents a legitimate processing of personal data within the meaning of art. 6, para. 1, lett. c) of the Regulation ([… ]the processing is necessary to comply with a legal obligation to which the data controller is subject). Once the personal data has been transferred, in fact, the processing is necessary for the fulfilment of legal obligations and/or regulations to which the Controller is subject.
The processing carried out for the purpose referred to in letter e) is based on the consent of the data subject pursuant to art. 6, para. 1, lett. a) of the Regulation ([… ] the data subject has expressed consent to the processing of his or her personal data for one or more specific purposes). The provision of personal data and consent for this purpose is therefore entirely optional and failure to provide will make it impossible to send promotional communications and commercial proposals, but in no case will be affected the use of the services requested. The consent given is revocable at any time without prejudice to the lawfulness of the processing carried out prior to the revocation, in accordance with the provisions of art. 7 of the Regulation. You can object to the processing of data for direct marketing and/or profiling purposes at any time by contacting the Controller at the addresses indicated in paragraph 1 of this information.
The treatment referred to in point f) is carried out on the basis of art. 6, para. 1, lett. f) of the Regulation and 130, paragraph 4 of D.Lgs. 196/2003 (hereinafter “Privacy Code”) as well as the measure of the Supervisory Authority for the protection of personal data of 19 June 2008, in order to allow the Data Controller to use, for the purpose of direct sale of its products or services, the e-mail address and paper mail address provided by the data subject in the context of the sale of a product or service. The customer can express at any time his refusal to receive these types of communications, through the appropriate feature contained in the e-mail communications or by writing to the Controller to the contacts listed in paragraph 1 of this information.
The processing carried out for the purpose referred to in point g) is carried out to meet any defensive needs both in the extrajudicial and judicial phase of the Data Controller pursuant to art. 6, para. 1, lett. f) and 9, par. 2, lett. f) of the Rules. Once personal data has been transferred, the processing may become necessary to establish, exercise or defend a right in court or whenever judicial authorities perform their duties.
4. Recipients of personal data
Personal data may be shared, for the purposes described in paragraph 3 of this notice, with:
a. persons authorised by the Data Controller to process personal data pursuant to art. 29 and 32 of the GDPR and 2- quaterdecies del d.lgs. n. 196/2003 “Privacy Code” (e.g. staff responsible for sales, administration and accounting, pre- and post-sales assistance, CRM, management of information systems etc.);
b. third parties that, in the provision of services (by way of example: technological services, assistance and consulting services in accounting, administrative, legal, tax and financial matters, technical maintenance, transport services, etc. ), typically act as data processors pursuant to art. 28 of the Regulation; the Data Controller keeps an updated list of the persons responsible for processing appointed and guarantees that the data subject is able to view them at the place indicated above or upon request addressed to the addresses indicated above;
c. third parties, autonomous data controllers, to whom personal data may be communicated in order to allow the provision and management of tourist packages purchased by the interested party and related tourist services (such as, in particular, the air carrier, railway undertaking and/or transport undertakings for the management and provision of the transport services related to the package tour purchased; the managers of the destination accommodation facilities for the provision and management of accommodation, overnight stay and catering services, etc.);
d. if the package is also combined with the compulsory and/ or optional insurance policy proposed by Globest’s partner insurance companies, the customer’s data may be communicated to these companies as independent data controllers;
e. subjects, entities or authorities – autonomous controllers of the treatment – to which it is mandatory to communicate personal data pursuant to legal provisions or orders of the authorities;
The aforementioned entities are, hereinafter, collectively referred to as “Recipients”.
5. Transfers of personal data
In the event of any transfer of personal data to recipients located outside the European Economic Area, the Controller ensures that processing will be carried out in compliance with articles. 44 – 49 of the Regulation, according to one of the modalities allowed by the current law, such as, for example, the consent of the interested party, the adoption of Standard Clauses approved by the European Commission, the selection of subjects participating in international programs for free movement of data or operating in countries considered safe by the European Commission on the basis of an adequacy decision, in compliance with recommendations 01/2020 of the European Data Protection Board. In particular, in the execution of the purposes referred to in paragraph 3, lett. a) of this information, the transfer of personal data of participants to countries outside the EU for which no adequacy decision has been taken pursuant to art. 45, para. 3 of the Regulation or in the absence of adequate guarantees pursuant to art. 46 of the Regulation, takes place on the basis of what is provided for in art. 49, para. 1, lett. b) of the Regulation, because the transfer is necessary for the execution of the contract concluded between the interested party and the holder or for the execution of pre-contractual measures taken at the request of the interested party. More information is available by sending a written request to the Data Controller at the addresses indicated above in paragraph 1 of this notice.
6. Storage of personal data
Personal data will be processed and stored, in accordance with the principles of minimization and limitation of storage set out in art. 5, para. 1 lit. c) and e) of the Regulation, for the time strictly necessary to achieve the purposes indicated in paragraph 3, ie for the time necessary for the execution of the contract, to the provision of legal or contractual guarantees and in accordance with statutory retention periods (see also, in particular, art. 2946 c.c. and ss. ). In particular, the personal data subject to direct marketing activity referred to in paragraph 3, lett. e) of this policy will be processed and stored until the withdrawal of consent. Regarding quotations, including the personal information contained in them, please note that they will be kept until the validity of the quotation itself. The Data Controller reserves in any case to store the data for the time necessary to comply with any regulatory obligation to which it is subject or to meet any defensive needs. Specific security measures are observed to prevent data loss, illegal or incorrect use and unauthorized access. Further information regarding the data retention period and the criteria used to determine this period can be requested by sending a written request to the Controller at the addresses indicated in paragraph 1 of this policy.
7. Rights as a data subject
The customer, as a data subject, may at any time exercise the following rights:
a. Right to revoke the consent given (art. 7 of the GDPR) – The customer has the right to revoke at any time the consent given by you for the different treatments that require it, without prejudice to the lawfulness of the treatment carried out before the revocation;
b. Right of access (art. 15 of the GDPR) – The customer has the right to obtain confirmation about the existence or otherwise of a processing concerning his personal data as well as the right to receive any information regarding the same processing;
c. Right to rectification (art. 16 of the GDPR) – You have the right to obtain rectification of your personal data, if they are incomplete or inaccurate;
d. Right to erasure (art. 17 of the GDPR) – in certain circumstances, you have the right to have your personal data stored on our records deleted;
e. Right to restriction of processing (art. 18 GDPR) – if certain conditions are met, the customer has the right to obtain limitation of processing of his personal data;
f. Right to portability (art. 20 of the GDPR) – The customer has the right to obtain the transfer of his data himself to a different controller as well as the right to obtain in a structured format, the data concerning you is commonly used and readable by automatic devices;
g. Right of opposition (art. 21 of the GDPR) – The customer has the right to formulate a request for opposition to the processing of his personal data in which he gives evidence of the reasons that justify the opposition; the Controller reserves the right to assess this request, which may not be accepted if there are compelling legitimate reasons to proceed with the processing that prevail over your interests, rights and freedoms. The customer also has the right to object at any time and without justification to the sending of direct marketing through automated contact systems and not by the Data Controller; this is without prejudice to the possibility of exercising this right even in part, or, in this case, by opposing, for example, the sending of promotional communications only carried out through automated means;
h. Right to lodge a complaint with the supervisory authority (art. 77 of the GDPR) – if you consider that the processing that concerns you violates the legislation on the protection of personal data and, in particular, when the Controller refuses to comply with your request, the customer may lodge a complaint with the supervisory authority of the Member State in which you habitually reside, work or where the alleged breach occurred; in any case, if the Data Controller refuses to comply with your requests, the reasons for non-compliance shall be adequately explained;
i. Right to apply to the appropriate courts (art. 79 of the GDPR).
Giving consent (optional) for the purpose of commercial and promotional communication
I Undersigned/a _______________________________, Born in ___________________ ( ___ ), on ________________
– read the attached information on the processing of personal data, which I declare to have carefully examined;
– aware that I can revoke my consent at any time;
– aware that, if I withdraw my consent, there will be no prejudice to the lawfulness of the processing carried out prior to the withdrawal;
I agree I do not agree
to the processing of my personal data by Globest for promotional and marketing purposes referred to in paragraph 3, lett. e) the privacy policy, including newsletters, promotional offers, commercial initiatives, advertising material, direct sales and market research, on travel packages, products and services offered by Globest, through the use of automated contact systems (e-mail, SMS, instant messaging) and non-automated (paper mail and telephone with operator).
(Legible signature)