This document wants to provide, in a simple and intuitive way, all the useful and necessary information so that the Users can provide their data in an aware and informed way and, at any time, request and obtain clarifications and/or corrections.
1. Who are we and who you can contact
The Data Controller is the Company TOURIST POINT S.r.l., with legal head office in Corso Vercelli 11 – 20100 Milan (MI), VAT number 09167390963. Contact email address: [email protected]. The Data Controller has appointed a Data Protection Manager, the User's point of contact for all information and requests relating to data protection, who can be contacted at the e-mail address: [email protected].
2. Reasons behind this document and who it is addressed to
The Data Controller, consistent with its mission and values, undertakes to respect the identity, the dignity of every human being and the fundamental freedoms guaranteed by the Constitution with regard to the processing of personal data and the free flow of such data. The Data Controller company will maintain this commitment constantly, within the scope of the principle of accountability, by consistently implementing adequate technical, organizational measures and suitable policies, to guarantee and be able to demonstrate that the processing is carried out in compliance with the GDPR .
This document is addressed to the Users of the Site. Access to some sections of the Site and/or any requests for information or services by Users may be subject to the entry of personal data relating to natural persons ("Personal Data") which will be processed in compliance with the GDPR.
For the use of specific services of the Site, the User will be informed through this document and, where necessary, specific consent will be requested for the processing of personal data.
This document is provided only for the Site and not for other websites consulted by Users through links possibly referred to on this Site.
3. Categories of personal data collected and treatment
Web Surfing Data
The computer systems and software procedures used to operate this internet portal acquire, during their normal operation and only for the duration of the connection, some personal data whose transmission takes place implicitly in the use of Internet communication protocols. This information is not collected for the purpose of associating it with identified interested parties or Users. By their very nature, however, this information could, through processing and association with data held by third parties, allow the identification of visitor users (e.g. IP addresses), the domain names of the terminals used, the addresses in URI notation (Uniform Resource Identifier) of the applicants, the time of the requests, etc. and are used for the sole purpose of obtaining statistical information on the use of the Site and to check its correct functioning. No data originating from the service will be disclosed.
Data collected to provide our E-commerce services
We collect the Personal Data you provide on our Site or on third-party websites. We may collect Personal Data directly or through our service providers, business partners, booking channel providers, which may include, but are not limited to:
Personal Data collected:
- Name and Surname
- Date and place of birth
- City of Residence
- Telephone number
- Driver licence or similar ID document with photograph
- E-mail address
- Fiscal Code
- Means of transport with which you arrived in the city
- Information on the next destinations
- IP address
- Device ID
- Browser type
- Operating system
- Mobile device identifiers
- Geolocalisation data
- State or Country from which the Site was visited / accessed
- Specific web pages visited
- Date, time and duration of the visit
- Number of connections and specific links clicked upon on the Site
- Functions used on the Site
- All reservations, updates, purchases or other transactions made through the Site
- Data viewd or downloaded from the Site
- Number of views of any specific advertisement
- Credit / debit Card information
- Third party service provider
- Preferences and usage information
- Sustained costs
- Purchase cost and details
- Itinerary information
- Data concerning refund requests
Health data (e.g. in the event of a request for support from a disabled Customer or for investigating an accident in order to collaborate with insurance companies or to handle claims regarding any injuries that might have occurred).
Health-related data, the treatment of which is required by regulatory provisions or provisions of public authorities during an emergency state (e.g. for managing pandemics or other health emergencies).
Collection sources may include, but are not limited to:
- Our Web Site
- Our offices
- Mobile "App"
- Our social media pages
- Third parties social network
4. Purposes of the processing, legal bases and data retention time
A. User navigation data: they are used for the sole purpose of obtaining statistical information on the use of the Portal, electronic identification data (IP address, location, cookies, browser, etc.). The legal basis can be identified: legitimate interest art. 6 lett. F) and recital 47: the processing is necessary for the pursuit of the legitimate interest of the data controller or of third parties. This provided that the interests or fundamental rights and freedoms of the User / person who require the protection of personal data do not prevail, taking into account the reasonable expectations nourished by the User / person based on his relationship with the Data Controller.
B. Data collected to provide our e-commerce services, and provided directly by the User are collected for the following purposes:
- To offer the "MilanoCard" service (hereinafter also "MilanoCard"), that gives to its purchasers the possibility of benefiting from discounts, reductions and gratuities (the latter limited in quantity or time) within the circuit of commercial activities and services that have signed an agreement and/or collaboration with the Data Controller. Supply of the “MilanoCard” offer is subject to the presentation of the MilanoCard proof of purchase. MilanoCard is distributed both physically and online, i.e. through numerical codes or vouchers or e-mails or text messages or any other support and/or instrument deemed suitable, approved and certified by the Data Controller and recognized by the affiliated network.
- To fulfill the contractual and pre-contractual obligations (borne by and in favor of the Data Controller) and therefore for purposes strictly connected to the management of relationships with customers, including potential ones. Administrative, tax and accounting formalities and obligations are to be considered included, as well as any other instrumental activity to the conclusion and execution of a contract, such as, for example: acquisition of information preliminary to the conclusion of a contract, for operational and management needs; for payment control needs and for the actions that follow; to access, and possibly use, all the services (included the interactive ones) of the Site, etc; for internal statistical analyses, complaint management and pre-litigation and/or litigation management; for the stipulation of contracts and the fulfillment of contractual or pre-contractual obligations, but failure to provide it will make it impossible to follow up on the supply and/or service request. Once the contract stipulated, the provision of further necessary data, or the updating of those already provided, is mandatory for all that is required by legal and contractual obligations and, therefore, any refusal to supply them in whole or in part can give rise to the impossibility for the Owner to execute the contract and could in any case constitute a breach of contract or a violation of the law by the User / Customer. The legal basis of the processing for the aforementioned purposes derives from the fact that the processing itself is necessary for the execution of the contract of which the interested party is a part (or, in the pre-contractual phase, in relation to pre-contractual measures in the context of the contracting procedure) , or to fulfill legal obligations connected to the contract itself, or in any case to the supply of the product and/or service.
- To fulfill the regulatory obligations (from both national and community sources) and the provisions issued by authorities legitimated by the law and by supervisory and control bodies also in relation to the Site;
- (if the User / interested party does not express dissent) to transmit, via the e-mail address provided by the User / interested party, communications concerning commercial offers for the direct sale of products or services similar to those already provided. This includes the promotion to the Company pages’ "followers". This provided that the User / interested party, adequately informed, does not refuse such use, initially or on the occasion of subsequent communications (marketing purposes on similar products, so-called soft spam);
- Only with the consent of the User / interested party (legal basis of the processing), we will process the User's data in order to promote our services (and also those of Partner companies, but without communicating them any data) by telephone, with advertising material, through automated communication systems, via e-mail newsletters, etc. We will also conduct market and customer satisfaction surveys, thanks to the support of specialized companies, through personal or telephone interviews, questionnaires and online surveys aimed at the specific proposal of products and services (marketing purposes);
- Only with the consent of the User / interested party (legal basis of the processing), we will process the User's data to communicate them to third parties for marketing purposes and/or customer satisfaction surveys marketing purposes and/or customer satisfaction surveys; in particular, this will imply communication to the commercial partners of the Data Controller.
- Sending of newsletters: the data provided by the User (name, surname, email address) are processed for sending communications relating to events, exhibitions, promotion of products and services. The legal basis for the purpose of sending the Newsletter is the prior, express consent of the interested party. These communications may concern promotional, commercial and advertising material; or they may be related to events and initiatives. They will be delivered by the Data Controller by automated means of e-mail, fax, SMS or other types of messages, as well as by telephone calls through an operator, even automated, or by paper mail or through other informative material. Failure to provide consent for these specific purposes has the only consequence of not being able to carry out communication activities through promotional communications or newsletters. In fact, as envisaged by the GDPR, if the User / interested party has given consent to the processing of personal data for one or more purposes for which it was requested, he may, at any time, revoke it totally and / or partially without prejudice to the lawfulness of the processing based on the consent given before the revocation. The methods for revoking consent are very simple and intuitive, just contact the Data Controller using the contacts indicated in this document. In addition to the above and for the sake of simplicity, if the interested party were to receive e-mail messages published by the Data Controller that are no longer of interest, it will be sufficient to click on the unsubscribe button to no longer receive any communication, even through other contact channels for which consent had been obtained. Please note that the data provided may be processed for the protection of the legitimate interests of the owner, including defense in court. The data provided for the aforementioned purposes will be kept for the period necessary in relation to the purpose and in any case, until the consent of the interested party is revoked.
The processing will be carried out both with manual and IT and telematic tools in compliance with the regulations in force and with the principles of correctness, lawfulness, transparency, pertinence, completeness and non-excess, data minimization and accuracy. It will also be done with organization and processing logics strictly related to the purposes pursued and in any case in such a way as to guarantee the security, integrity and confidentiality of the data processed, in compliance with the organisational, physical and logical measures envisaged by the provisions in force, that will be implemented and increased also in relation to technological development to guarantee confidentiality, availability and integrity of the data processed.
5. Automated decisions
The Data Controller of the processing declares that it does not adopt decisions likely to influence the User / interested party based exclusively on the automated processing of Personal Data. All decision-making processes associated with the processing purposes described above are performed with human intervention.
6. Personal data communication
Personal Data may be communicated to specific subjects considered Recipients or to Persons Authorized to process such Personal Data under the authority of the Data Controller. In this perspective, in order to correctly carry out all the Processing activities necessary to pursue the purposes referred to in this document, the following categories of Recipients may be in a position to process Personal Data:
- The other companies of the MilanoCard Group or the commercial activities / service providers who have signed an agreement with and/or collaborate with the Data Controller that has created the service called MilanoCard.
- Third parties who carry out part of the Processing activities and/or activities connected and instrumental to the execution of the E-commerce contract, on behalf of the Data Controller, that are based in the countries of the European Union and that have been entrusted with the task of performing the services, assistance and/or consultancy activities also for the functioning of this Site, and that can be included in the following categories: (a) subjects with whom the Data Controller has signed collaboration agreements; (b) suppliers involved in the provision of services; (c) consultants and employees / or commercial collaborators of the Data Controller performing the functions involved in the activity of the Data Controller who have received, in this regard, adequate instructions on the subject of security and correct use of personal data;
- Finally, public authorities or public bodies for the fulfillment of the legal obligations to which the Data Controller is subject, and any other public entity entitled to request the data, in the cases provided for by law; Where required by law or to prevent or suppress the commission of a crime, Personal Data may be disclosed to public bodies or judicial authorities.
Some of the Recipients of the data collected have been designated by the Data Controller pursuant to article 28 of the GDPR, as data processors. It remains understood that the data processed will be exclusively those necessary to achieve the specific purpose. It follows that the data managed through third parties will be limited to the specific purpose.
Personal Data will not be disclosed.
7. International transfer of personal data
Personal Data will be processed by the Data Controller within the territory of the European Union.
If, for technical and/or operational reasons, it will be necessary to make use of subjects located outside the European Union, the transfer of Personal Data, limited to the performance of specific Processing activities, will be regulated in accordance with the provided for by chapter V of the GDPR.
All necessary precautions will therefore be taken in order to guarantee the most complete protection of Personal Data by basing this transfer: (i) on opinions about the adequacy of third countries recipient expressed by the European Commission; (ii) on adequate guarantees expressed by the recipient third party pursuant to article 46 of the GDPR; (iii) on the adoption of binding corporate rules.
8. Rights of the interested party and their implementation
As required by Article 15 of the GDPR, the User / interested party will be able to access Personal Data, request its rectification and updating, if incomplete or incorrect, request its cancellation if the collection took place in violation of a law or the GDPR, as well as oppose the Processing for legitimate and specific reasons. In particular, the rights that the User may exercise, at any time, against the Data Controller are as follows.
Right of access: the right, pursuant to article 15, paragraph 1 of the GDPR, to obtain confirmation from the Data Controller as to whether or not Personal Data is being processed and, in this case, to obtain access to such Personal Data and to the following information: a) the purposes of the Processing; b) the categories of Personal Data in question; c) the Recipients or categories of Recipients to whom the Personal Data have been or will be disclosed, in particular if Recipients from third countries or international organizations; d) when possible, the envisaged storage period of the Personal Data or, if this is not possible, the criteria used to determine this period; e) the existence of the right of the User / interested party to ask the Data Controller to rectify or cancel Personal Data or limit the Processing of his Personal Data or to oppose their Processing; f) the right to complain to a supervisory authority; g) if the Personal Data are not collected from the interested party, all the information available on their origin; h) the existence of an automated decision-making process, including the profiling referred to in Article 22, paragraphs 1 and 4, of the GDPR and, at least in such cases, significant information on the logic used, as well as the importance and envisaged consequences of such Treatment for the User / interested party.
Right of rectification: pursuant to Article 16 of the GDPR, the rectification of Personal Data that is inaccurate. Furthermore, taking into account the purposes of the Processing, it will be possible to obtain the integration of Personal Data that are incomplete, also by providing a supplementary declaration.
Right to cancellation: pursuant to article 17, paragraph 1 of the GDPR, you may obtain the erasure of your Personal Data without unjustified delay and the Data Controller will be obliged to erase your Personal Data, if even just one of the following reasons holds: a) Personal Data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) has revoked the consent on which the Processing of Personal Data is based and there is no other legal basis for their Processing; c) has opposed the Processing pursuant to Article 21, paragraph 1 or 2 of the GDPR and there is no longer any overriding legitimate reason to proceed with the Processing of Personal Data; d) the Personal Data have been processed unlawfully; e) it is necessary to cancel the Personal Data to fulfill a legal obligation established by a Community law or by internal law. In some cases, as provided for by article 17, paragraph 3 of the GDPR, the Data Controller is entitled not to proceed with the cancellation of Personal Data if their Treatment is necessary, for example, for the fulfillment of a legal obligation, for reasons of public interest, for archiving purposes in the public interest or for statistical purposes, for the establishment, exercise or defense of a law in court.
Right to limit processing: you may obtain the limitation of processing, in accordance with article 18 of the GDPR, in the event that one of the following hypotheses holds: a) the accuracy of the Personal Data has been contested (the limitation will continue for the period necessary for the Data Controller to verify the accuracy of such Personal Data); b) the Processing is unlawful but you opposed the erasure of your Personal Data, instead requesting that its use be limited; c) although the Data Controller no longer needs it for the purposes of the Processing, the Personal Data are used to ascertain, exercise or defend a right in court; d) the interested party has opposed the Processing pursuant to article 21, paragraph 1, of the GDPR and is awaiting the verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the User / interested party. In the event of limitation of the Processing, the Personal Data will be processed (we will inform the User before such limitation is revoked) except for storage, only with the consent of the User / interested party or for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest.
Right to data portability: the User / interested party may, at any time, request and receive, pursuant to article 20, paragraph 1 of the GDPR, that all Personal Data be processed by the Data Controller in a structured format, commonly used and legible or request its transmission to another data controller without particular difficulties. In this case, it will be up to the interested party to provide us with all the exact details of the new data controller to whom he intends to transfer the Personal Data by providing us with written authorization.
Right to object: pursuant to Article 21, paragraph 2 of the GDPR, the User may object at any time to the Processing of Personal Data if these are processed for marketing purposes, including profiling to the extent that it is connected to direct marketing.
Right to lodge a complaint with the supervisory authority: without prejudice to the right to appeal to any other administrative or judicial venue, if the User / interested party believes that the processing of personal data carried out by the data controller is in violation of the GDPR and/or the applicable legislation may lodge a complaint with the competent Authority for the Protection of Personal Data by means of a certified e-mail to: [email protected]
9. These rights may be exercised by contacting the Data Controller
Any requests pursuant to art. 15 of the GDPR must be addressed to the Data Controller at the registered office or by email at the address: [email protected], to which any request must be sent. The Data Controller has appointed a Data Protection Manager, the User's point of contact for all information and requests relating to data protection, who can be contacted at the e-mail address: [email protected]. Furthermore, at any time you can consult the "Privacy" section of the Website where you will find all the information concerning the Personal Data Processing Policy applied by the Data Controller, the use and Processing of Personal Data, updated information in regarding the contacts and communication channels made available to the Data Subject by the Data Controller.
The Data Controller
Tourist Point s.r.l.
Version of the policy updated 25 July 2023