Information on the protection of personal data AVM

INFORMATION ON THE PROTECTION OF PERSONAL DATA PURSUANT TO EUROPEAN REGULATION 679/16

Data Subjects and scope of processing: Clients

THE COMPANY

Azienda Veneziana della Mobilità S.p.A (hereinafter referred to as AVM), with its registered office in Venice, Isola Nova del Tronchetto 33, is the Data Controller of the personal data that it collects; it manages and provides the urban public transport service of the municipalities of Venice and Chioggia, the suburban transport service of the central-southern area of the metropolitan city of Venice, as well as the private and integrated mobility services of the municipality of Venice (parking facilities, exchange car parks, docks, BiciPark, etc.).

It is the parent company of the AVM Group and controls ACTV S.p.A. and Ve.La. S.p.A.

 

THE PERSONAL DATA THAT MAY BE COLLECTED FROM YOU

In the framework of the activity, several categories of common personal data may be collected and then processed, more specifically: personal and contact data (information relating to name, place and date of birth, fiscal code, address, telephone number, e-mail), mobile device data (operating system and browser), geopositioning data (information relating to your location is only processed if you have voluntarily activated the geopositioning function on your mobile device and use the App's specific services for geopositioning), positioning data (information relating to street name, the smart parking space number, date, start and end time of parking for the "parking" service, location in transit at the ZTL check-ins, access to parking spaces), payment data (information relating to payment methods, billing data), vehicle identification data (licence plate number, vehicle description), data collected using RFID technology (information relating to ticketing and validation of tickets, including location, whether you have stipulated a contract for the Venezia Unica card and the local public transport service), data on your education, career, profession, employment history, data on the use of services managed by the company and relative purchases you have made, photographic image on cards or uploaded onto your AVM Venezia Official App profile, the serial number of your Venezia Unica/Imob card.

In addition, as a result of the information you provide us with, we may eventually come into possession of special categories of personal data and, in detail, data relating to your health for the purpose of granting rate subsidies and/or refunds. The processing of these special categories of data is executed in compliance with Article 9 of the GDPR. In such cases, your explicit consent is mandatory, in the absence of which we are unable to process the file. If necessary, therefore, this consent is going to be specifically requested from you.

 

THE PURPOSES FOR WHICH PERSONAL DATA MAY BE USED

Specifically, your data will be processed for the following purposes, related to the implementation of statutory requirements:

compliance with legally binding fiscal and accounting requirements;

  • compliance with requests which are legally binding in order to fulfil statutory requirements, regulations or court orders;
  • verbalization of the violation relating to the administrative sanction against offending users in the context of local public transport or the Blue Stripes service (we use your personal data for the purpose of the correct recording of the assessed violation, the consequent legal communications and notifications and the subsequent stages of verification of the payment of the sanction).

Your data will also be used for the following purposes relating to the performance of measures connected with contractual or pre-contractual obligations:

  • management of online booking services;
  • customer management (establishment and execution of contractual relations and the resulting obligations, including communication relating to services);
  • processing of claims for compensation for the eventuality of damages.
  • Your personal and contact data will also be used for the following purposes necessary for the fulfilment of the holder's legitimate interest:
  • for the execution of institutional surveys, aimed at measuring the level of satisfaction (so-called customer satisfaction) of the provided service.

 

HOW WE PROCESS YOUR PERSONAL DATA

All of your personal data is stored in our records or the records of our suppliers or business partners and it is accessible and used in compliance with our security standards and policies (or the equivalent standards applied by our suppliers or business partners).

Your personal data may be processed using the following methods:

  • processing by means of computers and computer systems;
  • manual processing using paper files.

We use a wide range of security measures to improve the protection and maintenance of the security, integrity and accessibility of your personal data.

The measures we implement include, and are not limited to, the following:

  • strict restriction of access to your personal data, on a need-to-know basis and only for the purposes communicated; - perimeter security systems to prohibit unauthorised access from external sources;
  • permanent monitoring of access to information systems in order to detect and stop the misuse of personal data;
  • vulnerability tests, aimed at highlighting any gaps in perimeter security;
  • tracking of access to your personal data by internal staff and verification of its purpose;
  • two-factor authentication;
  • encryption using Secure Socket Layer (SSL) technology for transactions on our websites that require you to enter your personal information.

If we have provided you with (or you have chosen) a password that allows you to access certain areas of our website or other portals, applications or services provided to you by our company, please remember to keep this password secret and to also follow any other security procedures that are provided to you.

WHO WE CAN SHARE YOUR PERSONAL DATA WITH

Your data is only processed by our specifically instructed and authorised staff and, more specifically, by the following categories of staff:

  • AVM employees in the specific relevant departments.

In order to execute some of the processing activities, we may communicate your personal data to the following categories of external parties, who will process them either as independent data controllers or as data processors, duly appointed in compliance with the applicable legislation:

  • banks and credit institutions;
  • subsidiary and associated companies;
  • consultancy and IT services companies;
  • law firms in charge of any litigation.

Your personal data will not be otherwise disclosed.

HOW LONG WE RETAIN YOUR INFORMATION

In compliance with the principles of lawfulness, purpose limitation and data minimisation, in accordance with Article 5 of the GDPR, we retain your personal data only for the time necessary to achieve the purpose for which it was collected or for any other legitimate related  purpose.

Therefore, if personal data is processed for two separate purposes, we retain that data until the purpose with the longer retention period expires, but we do not continue to process personal data for the purpose for which the retention period has expired.

We restrict access to your personal data only to the subjects who require them to fulfil their tasks.

The personal data that are no longer required, or for which there is no longer a legal requirement for the retention thereof, is irreversibly anonymised (and as such can be safely stored) or destroyed.

Below are the retention times in relation to the different purposes listed above:

 

  • 1 year after the expiry of the Venezia Unica card, unless the card has been renewed;
  • 10 years after the conclusion of a procedure for the enforcement of administrative fines;
  • 10 years after the termination of the contract, in compliance with legal obligations, with regard to the storage of accounting records under Article 2220 of the Italian Civil Code (contract, correspondence, invoices);
  • 14 months for transit data collected at the car parks;
  • 2 years after the termination of an over 75 tariff reduction contract;
  • 24 hours after the validation of RFID data;
  • 3 years after receiving a customer satisfaction survey;
  • 3 years after submitting an online ferry booking;
  • 5 days after termination of the contract for the BiciPark service in the case of an occasional customer or 13 months after termination of the contract in the case of a season ticket holder;
  • for the time necessary to be able to conduct legal defence proceedings and to pursue an action against you or against third parties.

 

YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO FILE COMPLAINTS WITH THE SUPERVISORY AUTHORITY

If the conditions provided for by law are met, you are entitled to obtain confirmation of the existence or otherwise of personal data relating to you, and to have them communicated to you in a comprehensible form, and to be able to lodge a complaint with the Supervisory Authority.
 

More specifically, you are entitled to be provided with:

a. access to your personal data and all related information (Article 15 of the GDPR);

b. the correction of inaccurate personal data and the integration of incomplete personal data (Article 16 of the GDPR);

c. deletion of personal data if one of the cases provided for in Article 17 of the GDPR is applicable;

d. the limitation of processing when one of the hypotheses established by Article 18 GDPR is applicable;

e. data portability (Article 20 of the GDPR).

You are entitled to object, in whole or in part, to the processing of personal data relating to you:

a. for legitimate reasons associated with your particular situation, even if they are relevant to the purpose of the data collection.

 

CONTACTS DETAILS 

If you have any questions regarding our processing of your personal data, please use the web form "privacy" in the "contacts" section of the site ww.avmspa.it or contact the telephone number 0412722111, asking the secretariat of the Legal and Corporate Affairs. We would also like to inform you that the Company has appointed an external data protection officer (DPO), whose contact details are dpogruppoavm@avmspa.it, to whom you may apply in general for matters relating to the protection of personal data and related rights. 

 

YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY

Please be reminded that the Data Controller is Azienda Veneziana della Mobilità S.p.A (Isola Nova del Tronchetto 33, 30135 Venice (VE); Tax Code: 03096680271; available at the following e-mail address: avm@avmspa.it; telephone: + 39 041 27 22 111)  in the person of its legal representative for the time being.

 

We also inform you of the fact that we have appointed an external data protection officer (DPO), whom you are entitled to contact as a general contact on issues relating to the protection of your personal data and associated rights.

If you have any complaints or concerns about how we process your personal data, we will make every effort to respond to your concerns. However, if you wish, you are also entitled to forward your complaints or reports to the national data protection authority, through the contact details available at www.garanteprivacy.it.  DPO - (available at the following e-mail address: e-mail: dpogruppoavm@avmspa.it).

 

The updated version of this policy is also available at all times on the following website:

 

https://www.privacylab.it/informativa.php?21285465260.