Privacy Policy Subscribers

Gestione Governativa Navigazione Laghi, headquartered in Milan, Via Lodovico Ariosto 21, VAT no. 00802050153, in its capacity as Data Controller (hereinafter also “GGNL” or the “Controller”), informs you that your personal data (hereinafter “Data”) will be processed in accordance with the provisions of the General Data Protection Regulation (EU Regulation 2016/679, “GDPR”), applicable data protection legislation, and as outlined in this Privacy Notice.

1. SUBJECT OF DATA PROCESSING

The data processed under this notice fall into the following categories:

• Personal data, such as general information, identification data, contact details, and tax-related data;

• Special category data, including data that may reveal health status.

2. PURPOSES AND LEGAL BASES FOR PROCESSING

Personal data will be processed for the following purposes and on the following legal bases:

a) To perform all activities related to the contract entered into, including, by way of example, the issuance of a personalized subscription pass, access to transport services, and sending SMS alerts in case of service disruptions, breakdowns, or replacements.

Legal basis: performance of a contract or pre-contractual measures, pursuant to Article 6(1)(b) of the GDPR;

b) To comply with legal obligations, including those under national and EU laws or imposed by competent authorities.

Legal basis: compliance with a legal obligation, pursuant to Article 6(1)(c) of the GDPR;

c) To pursue legitimate interests of the Controller, such as the prevention and suppression of unlawful acts, the exercise of legal rights in judicial proceedings, and dispute resolution.

Where applicable, special category data may be processed in the public interest pursuant to Article 9(2)(g) of the GDPR and under the provisions of the Decree of the President of the Council of Ministers dated 5 December 2013, No. 159.

3. METHODS OF PROCESSING

All data are stored on GGNL servers or on servers of appointed service providers (Data Processors), using automated, electronic, IT, or telematic tools, as well as paper-based systems. Data are managed according to strict security standards and policies (or equivalent standards in the case of third-party providers).

4. DATA RETENTION

Data will be retained for no longer than necessary to fulfill the purposes for which they were collected or subsequently processed, in accordance with legal, fiscal, and civil obligations, including those related to dispute management.

5. PROVISION OF DATA

Providing personal data is mandatory. Failure to provide the requested data may prevent the establishment or continuation of the contractual relationship.

6. DATA DISCLOSURE

Your personal data may be disclosed to:

• Employees and collaborators of the Controller, who are duly instructed and authorized under Articles 29 of the GDPR and Article 2-quaterdecies of Legislative Decree 196/2003;

• Third parties expressly appointed as Data Processors under Article 28 of the GDPR for purposes directly related to the performance of the contract or to legal compliance (e.g., IT service providers, accountants, tax consultants, legal advisors, etc.).

An updated list of Data Processors may be requested at any time from the Controller.

7. DATA TRANSFER

Your personal data may be transferred to third countries or international organizations for the purposes outlined above, either under an adequacy decision pursuant to Article 45 of the GDPR or subject to appropriate safeguards pursuant to Article 46 of the GDPR.

8. DATA SUBJECT RIGHTS

As a data subject, and unless restricted by law, you have the right to:

• Obtain confirmation of whether your personal data are being processed, even if not yet recorded, and access such data in an intelligible form;

• Obtain information and, where applicable, a copy of:
  a) the origin and categories of personal data;
  
  b) the logic applied in case of processing with electronic means;
  
  c) the purposes and methods of processing;
  
  d) the identity of the Controller and Data Processors;
  
  e) the recipients or categories of recipients, especially if located in third countries or international organizations;
  
  f) where possible, the retention period or criteria used to determine it;
  
  g) the existence of any automated decision-making process, including profiling, and its rationale, significance, and consequences;
  
  h) the safeguards in place for data transferred outside the EU;

• Obtain, without undue delay, the rectification of inaccurate data or the completion of incomplete data;

• Withdraw consent at any time, without difficulty or impediments, preferably using the same channel used to provide it;

• Request the erasure, anonymization, or blocking of data where:
  
  a) unlawfully processed;
  
  b) no longer necessary for the purposes collected;
  
  c) based on consent that has been withdrawn with no other legal basis;
  
  d) processing has been objected to with no overriding legitimate grounds;
  
  e) erasure is required by legal obligation;
  
  f) the data refer to minors.
  
  The Controller may deny erasure only in the following cases:
  
  a) exercise of the right to freedom of expression and information;
  
  b) compliance with a legal obligation or performance of a task in the public interest or in the exercise of official authority;
  
  c) reasons of public health;
  
  d) archiving in the public interest, scientific or historical research, or statistical purposes;
  
  e) establishment, exercise, or defense of legal claims;

• Obtain restriction of processing in cases of:
  
  a) contesting the accuracy of the data;
  
  b) unlawful processing where deletion is not requested;
  
  c) necessity to retain the data for legal claims;
  
  d) pending verification of overriding legitimate interest;

• Receive your data in a structured, commonly used, and machine-readable format, and transmit it to another controller, or—if technically feasible—have it transmitted directly by the Controller;

• Object, in whole or in part, on legitimate grounds related to your specific situation, to the processing of your personal data;

• Lodge a complaint with the Italian Data Protection Authority.

Where applicable, the Controller will notify third parties to whom your data have been disclosed of any exercise of rights, unless this proves impossible or requires disproportionate effort.

If you believe your rights have been violated, you have the right to file a complaint.

For more information, visit the official website of the Italian Data Protection Authority: www.garanteprivacy.it, where a dedicated section on data subject rights is available.

9. HOW TO EXERCISE YOUR RIGHTS

You may exercise your rights at any time by:

• Sending a registered letter with return receipt to the Controller’s registered office;

• Sending an email to: privacy@navigazionelaghi.it