Information according to the European Regulation n. 2016/679 – Purchase via internet of a transport ticket including use of Rfid technology

Dear client,
According to the European Regulation n. 2016/679 “Personal Data Protection Code of Practice or Privacy Code” (effective from 25 may 2018), Funivie Monte Bianco S.P.A. (hereafter “the Company”), as Data Controller, is obliged to provide you (the Data Subject) with certain information concerning the use of your personal data.

1. Source and nature of the personal data
Your personal data and that of any minors that you represent are normally collected in the act of ticket purchase for a named individual (e.g. personal season ticket) and will be treated in accordance with European Regulation n. 2016/679 and the company's own respect for confidentiality.
It may occur that in obtaining a photograph for the ticket, where requested, and more generally, in the fulfilment of the obligations deriving from the contract to transport, that the Company may come into possession of data that the law defines as “sensitive”, namely those from which can be inferred (for example in the case of incidents which require medical assistance etc.) amongst others, the racial and ethnic origins and state of health.
You are informed that supplying your personal data, including sensitive data, and where necessary those of your adult family members, is not mandatory. However, non-acceptance of the need to supply certain data necessary to fulfil the contract, could render it impossible to appropriately fulfil said contract.

2. How the data is handled
To achieve the aims indicated in paragraph 3 below, the personal data will be processed manually, by computer and telematic tools, strictly according to need and in a way to guarantee the security and confidentiality of the data.
It should be pointed out that the media onto which the tickets are loaded use RFID technology (Radio Frequency Identification), which through the means of connected systems permit the recording of transits through the turnstiles without the intervention of the people concerned. The use of such technology allows the Company to record the daily trips by the ticket holder and operates to achieve the legitimate aims of the Company detailed at paragraph 3c), d) and f).
The data on trips is retained for around 18 months and is not anonymised or aggregated.

3. How the data is used
The acquisition and treatment of your personal data and that of any minors you represent , may include name, family name, address, date of birth, photograph, telephone number. This data is handled within the normal context of the Company's activity for the following purposes:

• a. to effect the contract, including verification of the conditions for concessionary tariffs.
• b. issue of the ticket valid for the lifts and the activation of possible insurance linked to the same
• c. control the fulfilment of the transport service (replacement and invalidation of the ticket in the case of loss or theft; reconstruction, through the use of data obtained with Rfid technology, of the movements of a travel document to provide information useful for missing person searches, for the requirement to check the regularity of the service and to assess possible disputes raised by clients);
• d. to control fraudulent use of the ticket and service. In this regard it must be pointed out that, to allow rapid checks on correct usage, the photograph supplied by you is scanned and visible on supporting systems.
• e. fulfilling legal obligations such as the issue and recording of invoices, carrying out emergency care, etc.;
• f. financial management, analysis of company statistics (reconstruction, through manipulation of data obtained with Rfid technology or via the anonymised bar-code printed on tickets obtained through the Company website, of traffic flows and use of the lifts, rationalization of services and the division of receipts with other ski resorts or commercial partners, etc. );
• g. Information on the activity and initiatives organized by the Data Controller for the benefit of clients.
  

The supply of the data necessary to fulfil the requirements of e) are required by law and ultimate refusal to supply the information would render it impossible for the Company to fulfill their legal obligations and consequently to manage their relationship with you.
The data required for the furtherance of the aims in a), b), c), d) f) and g) are non-mandatory; nevertheless a refusal to supply the information for the aims in a), b), c), d) and f) would entail the impossibility of supplying the requested service whereas for g) the Company would not be able to inform you about promotional activities and offers.

4. Potential external Data Processors
For the implementation of some of the activities connected to the aims detailed above, the Data Controller may also supply the personal data to external Data Processors, that is:

• a. banks and lending institutions for payment handling;
• b. legal and financial consultants, with objectives strictly connected to the economic activity of the Data Controller;
• c. lift companies or commercial partners;
• d. Information systems and facilities companies;
• e. subsidiary or associate companies;
• f. insurance companies;
• g. local health authority, Italian Red Cross and medical assistance companies.

The users in the categories above to which data may be sent will use the said data in their legal capacity as Data Processors, having no bearing on the original data handling carried out at the Company.

5. Potential Data Recipients
Personal data may be disclosed to personnel of the Company charged with its handling by their respective management, as well as the nominated Data handlers. An up-to-date list of persons in charge of processing may be obtained from the Company headquarters.

6. Payment data
Payment data will be processed for purposes pursuant to directive 2015/2366 (EU) and subsequent amendments on payment services in the European internal market (so-called PSD2).

7. Data Subject Rights under article 17
Lastly we inform you that article 17 of the European Regulation n. 2016/679 confers on the Data Subjects specific rights. In particular the Data Subjects can obtain from the Data Controller the confirmation of the existence or not of their own personal data and that this data can be provided in intelligible form (Subject Data Access). They can likewise ask to know the origins of the data as well as the purpose for which it was collected, ask for anonymisation or the freezing of data handled in violation of the law, as well as its updating, amendment or, if it is of interest, the integration of the data; or for legitimate reasons obtain a block on the data handling itself.

Such actions can be carried out in total autonomy accessing the reserved section of your Account under heading "Your Profile" and "Manage Personal Data" or by sending a request to the data processing manager.

For further information and clarifications, you can contact the data protection officer:

Lawyer Mr Alessandro Medori
Tel Nr: 011 026 2700
Mobile: 347 79 87 724
Mail address: medori@studiolegale46bis.it
PEC address: alessandromedori@pec.ordineavvocatitorino.it

Information according to the European Regulation n. 2016/679 – Purchase via internet of a transport ticket including use of Rfid technology

Dear client,
According to the European Regulation n. 2016/679 “Personal Data Protection Code of Practice or Privacy Code” (effective from 25 may 2018), Funivie Monte Bianco S.P.A. (hereafter “the Company”), as Data Controller, is obliged to provide you (the Data Subject) with certain information concerning the use of your personal data.

1. Source and nature of the personal data
Your personal data and that of any minors that you represent are normally collected in the act of ticket purchase for a named individual (e.g. personal season ticket) and will be treated in accordance with European Regulation n. 2016/679 and the company's own respect for confidentiality.
It may occur that in obtaining a photograph for the ticket, where requested, and more generally, in the fulfilment of the obligations deriving from the contract to transport, that the Company may come into possession of data that the law defines as “sensitive”, namely those from which can be inferred (for example in the case of incidents which require medical assistance etc.) amongst others, the racial and ethnic origins and state of health.
You are informed that supplying your personal data, including sensitive data, and where necessary those of your adult family members, is not mandatory. However, non-acceptance of the need to supply certain data necessary to fulfil the contract, could render it impossible to appropriately fulfil said contract.

2. How the data is handled
To achieve the aims indicated in paragraph 3 below, the personal data will be processed manually, by computer and telematic tools, strictly according to need and in a way to guarantee the security and confidentiality of the data.
It should be pointed out that the media onto which the tickets are loaded use RFID technology (Radio Frequency Identification), which through the means of connected systems permit the recording of transits through the turnstiles without the intervention of the people concerned. The use of such technology allows the Company to record the daily trips by the ticket holder and operates to achieve the legitimate aims of the Company detailed at paragraph 3c), d) and f).
The data on trips is retained for around 18 months and is not anonymised or aggregated.

3. How the data is used
The acquisition and treatment of your personal data and that of any minors you represent , may include name, family name, address, date of birth, photograph, telephone number. This data is handled within the normal context of the Company's activity for the following purposes:

• a. to effect the contract, including verification of the conditions for concessionary tariffs.
• b. issue of the ticket valid for the lifts and the activation of possible insurance linked to the same
• c. control the fulfilment of the transport service (replacement and invalidation of the ticket in the case of loss or theft; reconstruction, through the use of data obtained with Rfid technology, of the movements of a travel document to provide information useful for missing person searches, for the requirement to check the regularity of the service and to assess possible disputes raised by clients);
• d. to control fraudulent use of the ticket and service. In this regard it must be pointed out that, to allow rapid checks on correct usage, the photograph supplied by you is scanned and visible on supporting systems.
• e. fulfilling legal obligations such as the issue and recording of invoices, carrying out emergency care, etc.;
• f. financial management, analysis of company statistics (reconstruction, through manipulation of data obtained with Rfid technology or via the anonymised bar-code printed on tickets obtained through the Company website, of traffic flows and use of the lifts, rationalization of services and the division of receipts with other ski resorts or commercial partners, etc. );
• g. Information on the activity and initiatives organized by the Data Controller for the benefit of clients.
  

The supply of the data necessary to fulfil the requirements of e) are required by law and ultimate refusal to supply the information would render it impossible for the Company to fulfill their legal obligations and consequently to manage their relationship with you.
The data required for the furtherance of the aims in a), b), c), d) f) and g) are non-mandatory; nevertheless a refusal to supply the information for the aims in a), b), c), d) and f) would entail the impossibility of supplying the requested service whereas for g) the Company would not be able to inform you about promotional activities and offers.

4. Potential external Data Processors
For the implementation of some of the activities connected to the aims detailed above, the Data Controller may also supply the personal data to external Data Processors, that is:

• a. banks and lending institutions for payment handling;
• b. legal and financial consultants, with objectives strictly connected to the economic activity of the Data Controller;
• c. lift companies or commercial partners;
• d. Information systems and facilities companies;
• e. subsidiary or associate companies;
• f. insurance companies;
• g. Local health authority, Italian Red Cross and medical assistance companies.
  

The users in the categories above to which data may be sent will use the said data in their legal capacity as Data Processors, having no bearing on the original data handling carried out at the Company.

5. Potential Data Recipients
Personal data may be disclosed to personnel of the Company charged with its handling by their respective management, as well as the nominated Data handlers. An up-to-date list of persons in charge of processing may be obtained from the Company headquarters.

6. Cookies
A cookie is a brief string of text sent to the browser and saved on the device every time a user visits a web site. The Site uses proprietary and third party cookies to improve the navigational experience of the user, rendering it as efficient and simple as possible. So when a user visits the website a minimum of information is saved on their equipment in a specific directory of their web browser. The saved cookies cannot be used to extract any data from the hard disk, insert malware or identify and use the email address of the user.
The cookies are used to improve the navigation of the user. In particular they:

- allow efficient internal navigation of the web site;
- store the user's name and preferences;
- avoid the need for reinput of the same information during the visit;
- monitor the use of the service on the part of the users in order to optimise the navigational experience and the service itself.

It is possible to disable cookies at any time. Disabling or deleting cookies could, in certain respects, block the optimal use of some areas of the site and compromise the use of some services.
There follows a description of the types of cookie that may be used on the Site and the purpose for which they are used.

Technical cookies
These are necessary for the correct functioning of the site and comprise both persistent and session (temporary) cookies . In their absence the site or certain parts of it may not function correctly. Therefore they are always used, independently of user preferences. This type of cookie are always sent from our domain. The Data Controller is not required to request consent for technical cookies since they are strictly necessary for the provision of the service.

Analytics cookies
This type are used to collect information on the use of the site. The Data Controller uses such information for statistical analysis, to improve the site and simplify its use as well as monitor its correct functioning.

Third Party Cookies
Cookies of this type are used to collect anonymized information on the use of the site by visitors, the key words used to reach the site, the web sites visited and the origin of the traffic. The Data Controller can use such information to produce reports and improve the site. The cookies are issued by the Site itself and by third party domains.

To know the cookies on the website and see the instructions for their management consult the related information at the following link.

7. Payment data
Payment data will be processed for purposes pursuant to Directive 2015/2366 (EU) and subsequent amendments on payment services in the European internal market (so-called PSD2).

8. Data Subject Rights under article 17
Lastly we inform you that article 17 of the European Regulation n. 2016/679 confers on the Data Subjects specific rights. In particular the Data Subjects can obtain from the Data Controller the confirmation of the existence or not of their own personal data and that this data can be provided in intelligible form (Subject Data Access). They can likewise ask to know the origins of the data as well as the purpose for which it was collected, ask for anonymisation or the freezing of data handled in violation of the law, as well as its updating, amendment or, if it is of interest, the integration of the data; or for legitimate reasons obtain a block on the data handling itself.

Such actions can be carried out in total autonomy accessing the reserved section of your Account under heading "Your Profile" and "Manage Personal Data" or by sending a request to the data processing manager.

For further information and clarifications, you can contact the data protection officer:

Lawyer Mr Alessandro Medori
Tel Nr: 011 026 2700
Mobile: 347 79 87 724
Mail address: medori@studiolegale46bis.it
PEC address: alessandromedori@pec.ordineavvocatitorino.it