Privacy Policy

This notice has been prepared for the website www.malpensashuttle.it, owned by AirPullman SpA, Via E. Fermi, 9, 20057 Assago (MI) — Tax Code / VAT: 00216510123 — PEC: airpullmanspa@legalmail.it

This notice is provided pursuant to Art. 13 GDPR, also in compliance with Recommendation no. 2/2001 adopted on 17 May 2001 by the European Data Protection Authorities, gathered in the Working Party established under Art. 29 of Directive no. 95/46/EC, to identify certain minimum requirements for the online collection of personal data, and any subsequent amendments and additions.

This notice is addressed to all individuals who interact with the website's web pages, both those who use the site without registering, and those who, following an appropriate procedure, register on the site and make use of the online services provided through it.

This notice is based on the definitions set out in Art. 4 of the European Data Protection Regulation (GDPR), the key elements of which are reproduced below to facilitate understanding of the notice itself.

GDPR:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Recipient:

a natural or legal person, public authority, agency or another body to which personal data are disclosed, whether or not a third party.

Personal data:

any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data may include, for example, a name, contact details, user behaviour or banking data.

Data Controller:

a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processing of personal data:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The Data Controller and Data Protection Officer is AirPullman SpA, Via E. Fermi, 9, 20057 – Assago (MI), Tax Code / VAT: 00216510123, PEC: airpullmanspa@legalmail.it

The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Art. 37 of the GDPR, reachable at the following email address: privacy@airpullman.com.

Types of data processed: The data processed from users are of a common nature; in particular, they consist of navigation data derived from the use of computer systems. The software procedures used to operate the website acquire, in the course of normal operations, common personal facts whose transmission is implicit in the use of internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature it could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server and other parameters relating to the user's operating system and computer environment.

These data are used solely to obtain anonymous statistical information on the use of the site and to check its correct operation, and are deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site: except in this eventuality, web contact data do not persist for more than seven days.

Personal data provided by users are collected and processed exclusively for the following purposes:

1. Management of bookings and transport services requested by the user (legal basis: performance of a contract).
2. Responding to information requests sent via contact forms (legal basis: legitimate interest of the Data Controller).
3. Compliance with legal, regulatory or contractual obligations (legal basis: legal obligation).
4. Sending commercial and promotional communications, subject to the data subject's express consent (legal basis: consent).

Providing data for purposes 1, 2 and 3 is mandatory; failure to provide them may make it impossible to deliver the requested service. Providing data for purpose 4 is optional.

Personal data processed for contractual purposes are retained for the time necessary to fulfil the contract and, thereafter, for the period required by applicable laws (in particular, for 10 years for tax and accounting purposes).

Data processed on the basis of consent are retained until the consent is withdrawn. Navigation data are deleted within 7 days of collection, unless required for the investigation of offences.

Personal data are not disseminated. They may be communicated to:

• Technical and IT service providers acting as data processors (e.g. hosting, website maintenance).
• Banking and financial institutions for payment processing.
• Competent authorities, where required by law.

Data are not transferred outside the European Economic Area, except where necessary for the provision of the requested service, with the guarantees required by the GDPR.

Pursuant to Arts. 15–22 of the GDPR, the data subject has the right to:

• Access their personal data and obtain a copy (right of access).
• Request the rectification of inaccurate or incomplete data (right to rectification).
• Request the erasure of data (right to erasure / right to be forgotten), where applicable.
• Request the restriction of processing (right to restriction).
• Object to processing on legitimate grounds (right to object).
• Request data portability (right to data portability).
• Withdraw consent at any time, without prejudice to the lawfulness of processing based on consent before its withdrawal.

The data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – www.garanteprivacy.it).

To exercise their rights, the data subject may contact the Data Controller at the following addresses:

The Data Controller will respond to the request within 30 days of receipt.

The Data Controller reserves the right to make changes to this notice at any time, giving appropriate notice to users by updating it on the website. Users are therefore invited to consult this page regularly.

Any future additions or changes to this list will be duly brought to your attention.