Privacy Policy

Information on the processing of personal data

Dear Customer/User we wish to inform you that the processing of your personal data is carried out fairly and transparently, for lawful purposes and protecting your confidentiality and your rights, in full compliance with current legislation on the protection of personal data (EU Reg. 2016/679 – GDPR and current Privacy Code). Therefore, in compliance with the aforementioned legislation, we provide you with the following information: 1. Data controller Translated with DeepL.com (free version)

Your data is processed using computer media, through our website www.ontanotravel.com or other electronic tools suitable for guaranteeing high levels of security and confidentiality; it can also be processed in paper form or even by telephone, through our call center. 3. Nature of the data processed. The data that may be requested are: name, surname, telephone number, email, number of a valid identification document, date of birth, bank, payment, financial, tax and similar identification data (hereinafter “personal data” or simply “data”). The data requested are those necessary for Ontano Travel to make the reservation with one of the affiliated shipping companies and are obligatorily communicated to the company with which the ticket holder travels. Generally, we do not process any sensitive or judicial data, but if this becomes necessary we will only do so by first asking for your consent (articles 9 and 10 of EU Reg. 2016/679). Data of minors may be processed: in such cases, appropriate information is provided in compliance with art. 8 of EU Regulation 2016/679. 4. Purpose of processing and their legal basis The Data Controller processes personal and identifying data only for the purpose of carrying out the services offered and building customer loyalty. Our services consist of a main service, issuing the ticket, and a series of ancillary services: in all cases, given the necessary presence of the main service, in the absence of which the ancillary services could not survive, the data requested are the same, as are the purposes pursued by the data controller (performing the agreed services and building customer loyalty), however, depending on the service requested, it may be necessary to communicate additional data, due to the different activities requested by the customer/user, imposed on the data controller in compliance with legal obligations, or dictated by adequately motivated operational choices. Ontano Travel s.r.l., processes your personal data for the following purposes and in accordance with the related lawfulness criteria:

1. Issuing the ticket and carrying out any ancillary services estimated/purchased. By collecting the data necessary to complete the booking, you accept their subsequent communication to the chosen shipping company: failure to communicate even some of such data and/or failure to consent to their communication to the chosen company will make it impossible to perform the requested service/s. Since these are necessary treatments for the definition of the contractual agreement and for its subsequent implementation, your consent is not required (art. 6, par. 1, lett. b) EU Reg. 2016/679).
2. Managing payments, including through third-party banking/financial entities (setefi – Intesa San Paolo; Braintree-Gruppo Paypal; Paypal; Amazonpay). Since these are necessary treatments for the definition of the contractual agreement and for its subsequent implementation, your consent is not required (art. 6, par. 1, letter b) EU Reg. 2016/679). The data are processed by us and our representatives and are communicated externally only in compliance with legal obligations. In case of refusal to provide the data necessary for the above-mentioned obligations, we will not be able to provide you with the requested services.
3. Manage invoicing. For these purposes, the processing is carried out without the need to acquire your consent (art. 6, par. 1, letter c) EU Reg. 2016/679). The data are processed by us and our representatives and are communicated externally only in compliance with legal obligations. In case of refusal to provide the data necessary for the above-mentioned obligations, we will not be able to provide you with the requested services. The data acquired for these purposes are retained by us for the time required by current legislation (10 years and even longer in the case of tax audits).
4. Management of any complaints and/or disputes. For these purposes, the processing is carried out without the need to acquire your consent (art. 6, par. 1, letter f) EU Reg. 2016/679). If it is necessary to perform a task of public interest or connected to the exercise of public powers with which the data controller is invested, the processing is carried out without the need to acquire your consent (art. 6, par. 1, letter e), EU Reg. 2016/679).
5. In some cases, the prevailing interest of the data controller may exist, for example, if there is a breach of contract by the other party, such as to induce the data controller to initiate proceedings for the recovery of the credit. In such cases, it is not necessary to acquire your consent (art. 6, par. 1, lett. f) EU Reg. 2016/679).
6. Subject to your express consent and until revocation of the same (art. 6, par. 1, lett. a) and art. 7 EU Reg. 2016/679), to be provided following timely and exhaustive information illustrated before the acquisition of consent, your personal data may be processed for sending newsletters, advertising material, offers, including personalized ones, and other possible forms of direct and indirect marketing (art. 130 Privacy Code and art. 7 EU Reg. 2016/679).

5. Exemplary list of the additional services offered, purposes of the processing and related types of data processed

a) Sending an SMS on the status of the ticket and reservation for the sole purpose of processing the reservation (ticket) with: ticket number, port address and other similar information. The purpose of the processing is to facilitate the complete acquisition of all relevant data relating to the concluded purchase of the ticket. The additional data requested, if not already communicated, is a mobile number of the ticket holder.

b) Insurance coverage against any subsequent cancellation of the ticket. Ontano Travel s.r.l. guarantees the refund, through the presentation of suitable documentation, in compliance with what is detailed in the Cancellation Coverage Appendix. The purpose of the processing is to guarantee the refund of the ticket in the event of subsequent impossibility to carry out the booked trip. The data requested for this purpose are the same as those required for issuing the ticket (name, surname, address, date and place of birth, tax code, a telephone number, email). In the event of activation of the policy, if the event consists of an accident or illness, you may be asked to communicate medical reports and/or certificates, which will be processed exclusively with your express consent (art. 9 EU Reg. 2016/679). The data is processed by us and our representatives and is communicated externally only in compliance with legal obligations. In the event of refusal to provide the data necessary for the above-mentioned obligations, we will not be able to provide you with the requested services. c) Subscription to newsletters and direct marketing. The purpose of the processing is to acquire your express consent, pursuant to art. 7 EU Reg. 2016/679, for the sending of informational and advertising material to the indicated email address. The only additional data requested (in addition to that required to complete the ticket issuing procedure) is your email address. d) Indirect marketing: subject to your express consent in compliance with art. 7 EU Reg. 2016/679, communication of your data to partner companies for the sending of informational and advertising material directly by them, following the stipulation of the contract, to the email address indicated by you. The purpose of the processing is the performance of indirect marketing by partner entities and the only additional data requested is an email address of the ticket holder.

6. Transfers of data to third countries or international organisations

The transfer of personal data beyond the borders within which the GDPR operates entails the risk that the applicable legislation in the place of transfer does not present the same standards of guarantees. It therefore becomes relevant for the interested party to be made aware of the potential risks relating to data security and protection. Our processing does not involve the transfer of personal data outside the borders of applicability of the GDPR.

7. Retention period

Your data will be stored for a period of time not exceeding that necessary to satisfy the purposes indicated, and in particular, for the entire duration of the relationship and, even subsequently, for the time strictly necessary to fulfill legal obligations; after these terms, the data will be deleted or made anonymous and used for statistical purposes only.

8. Obligation or option to provide data and consequences of any refusal.

Some personal data (name, surname, telephone number, email, number of a valid identification document, date of birth) are necessary for us to be able to carry out the main service (ticket issuance): failure to provide them in whole or in part consequently makes it impossible to carry out the service itself. During navigation on our site, or during your telephone/electronic contacts, or even in the case of direct contact at the office, you may be asked to communicate additional data to us, not strictly necessary for the fulfillment of the main service, but which become relevant for the performance of any additional services, which from time to time will be punctually and in detail represented to you and which we have indicated as an example in the previous point 5. Each time we intend to propose a service other than the main one, you will be provided with the purposes specifically pursued and all the information relating to the processing that we will carry out, and you will be asked to express your consent. Failure to provide the data requested for a specific service or failure to provide the relevant and consequent consent to their use does not prejudice the possibility of requesting and consenting to the provision of other different services, nor, even less, does it limit, impede or exclude the main service.

9. Communication of collected data

The personal data collected by us are never “disseminated”, that is, they are not made available, even for consultation purposes only, to unspecified subjects; instead, they are the object of “communication”, in particular to:

• the chosen shipping company;
• subjects who can access the data in compliance with a legal obligation, within the limits set by the same reference legislation;
• habitual collaborators by virtue of specific contractual agreements, who are identified on the basis of their specific skills in relation to the services requested by you;
• public bodies and organizations for the various necessary purposes;
• banks and/or other financial entities, if you decide to use payment instruments managed by such entities;
• third parties who become interlocutors or counterparties in the execution of the purchased services;
• partner companies, in the event that consent has been given to the sending of advertising and the carrying out of direct marketing by third parties.

10. Rights of the interested party

In your capacity as interested party, you have the rights set forth in articles 13/22 and 77/79 of EU Reg. 2016/679, and specifically the rights to:

• withdraw consent at any time. The interested party may always withdraw consent to the processing of their personal data previously expressed (art. 13, par. 2, lett. c) EU Reg. 2016/679); object to the processing of their data. The interested party may object to the processing of their data in the cases referred to in art. 21 EU Reg. 2016/679;
• access their data. The interested party has the right to obtain information on the data processed by the Data Controller, on certain aspects of the processing and to receive a copy of the data processed (art. 15 EU Reg. 2016/679);
• verify and request rectification. The interested party may verify the correctness of their data and request its updating or correction (art. 16 EU Reg. 2016/679);
• obtain the limitation of the processing. When certain conditions apply, the interested party may request the limitation of the processing of their data. In this case, we will not process the data for any purpose other than their conservation (art. 18 EU Reg. 2016/679);
• obtain the deletion or removal of their personal data. When certain conditions apply, the interested party may request the deletion of their data by the Data Controller (art. 17 EU Reg. 2016/679). In these cases, we will certainly proceed with the deletion as quickly as possible.
• the interested party has the right to receive their data in a structured, commonly used and machine-readable format and, where technically feasible, to obtain the transfer without hindrance to another owner. This provision is applicable when the data is processed with automated tools and the processing is based on the consent of the interested party, on a contract to which the interested party is a party or on contractual measures connected to it (art. 20 EU Reg. 2016/679);
• file a complaint. The interested party may file a complaint with the competent Data Protection Supervisory Authority (art. 77 EU Reg. 2016/679); take legal action (art. 79 EU Reg. 2016/679).

11. How to exercise your rights

You may exercise your rights at any time by contacting the Data Controller at one of the contact details indicated.

You may also, at any time, lodge a complaint with the Privacy Guarantor by registered letter with return receipt addressed to: Garante per la protezione dei dati personali, Piazza Venezia 11, 00186, Roma. Or by certified email (pec) addressed to: protocollo@pec.gpdp.it (art. 77 EU Reg. 2016/679), or appeal to the ordinary judicial authority (art. 79 EU Reg. 2016/679).