Data subjects and scope of processing: Holders of a Unified European Disabled Parking Permit (CUDE) and PreParCo clients
WHO WE ARE
Azienda Veneziana della Mobilità S.p.A (hereinafter referred to as AVM), with its registered office in Venice, Isola Nova del Tronchetto 33, is the Data Controller of the personal data that it collects; it manages and provides the urban public transport service of the municipalities of Venice and Chioggia, the suburban transport service of the central-southern area of the metropolitan city of Venice, as well as the private and integrated mobility services of the municipality of Venice (parking facilities, exchange car parks, docks, BiciPark, etc.).
It is the parent company of the AVM Group and controls ACTV S.p.A. and Ve.La. S.p.A.
THE PERSONAL DATA THAT MAY BE COLLECTED FROM YOU
In the framework of the activity, we may collect and then process various categories of common personal data. Specifically, personal and contact data (information relating to name, place and date of birth, fiscal code, address, telephone number, e-mail, and PEC certified e-mail), vehicle location data (information relating to the name of the street, parking space number for Smart Parking, date, start and end time of the "parking" service, transit location for ZTL access points, access to and exit from car parks), financial data (information relating to payment methods, invoicing details), vehicle identification data (licence plate number, and a description of the vehicle).
In addition, as a result of the information you provide us with, we may eventually come into possession of special categories of personal data and, in detail, data relating to your health for the purpose of reserving parking spaces/facilities or granting rate subsidies. The processing of these special categories of data is executed in compliance with Article 9 of the GDPR.
PURPOSES FOR WHICH YOUR DATA MAY BE USED
Specifically, your data is processed for the following purposes, which are in relation to the implementation of statutory or contractual requirements:
• management of online booking services;
• customer management (establishment and execution of contractual relations and the resulting obligations, including communication relating to services);
Your data is processed for the following purposes, which are in relation to the implementation of statutory requirements:
• tax and accounting requirements.
Your data will also be used for the following purposes relating to the performance of measures connected with contractual or pre-contractual obligations:
• processing of claims for compensation for the eventuality of damages.
HOW YOUR PERSONAL DATA IS PROCESSED
All of your personal data is stored in our records or the records of our suppliers or business partners and it is accessible and used in compliance with our security standards and policies (or the equivalent standards applied by our suppliers or business partners).
Your personal data may be processed using the following methods:
• processing using electronic tools and IT systems;
• manual processing in the form of paper records.
We use a wide range of security measures to improve the protection and maintenance of the security, integrity and accessibility of your personal data.
The measures we implement include, and are not limited to, the following:
- strict restriction of access to your personal data, on a need-to-know basis and only for the specified purposes;
- perimeter security systems to prohibit unauthorised access from external sources;
- permanent monitoring of access to information systems in order to detect and stop the misuse of personal data;
- vulnerability tests, aimed at highlighting any gaps in perimeter security;
- tracking of access to your personal data by our staff and the control of the purpose it serves;
- double-factor authentication;
- encryption using Secure Socket Layer (SSL) technology in the case of transactions on our websites that require you to submit your personal data.
If we have provided you with (or you have chosen) a password that allows you to access certain areas of our website or other portals, applications or services provided to you by our company, please remember to keep this password secret and to also follow any other security procedures that are provided to you.
WHO WE CAN SHARE YOUR PERSONAL DATA WITH
Your data is only processed by our specifically instructed and authorised staff and, more specifically, by the following categories of staff:
• AVM employees in the specific relevant departments.
In order to execute some of the processing activities, we may communicate your personal data to the following categories of external parties, who will process them either as independent data controllers or as data processors, duly appointed in compliance with the applicable legislation:
• subsidiary and associated companies;
• consulting and IT services companies.
Your personal data will not be otherwise disclosed.
HOW LONG WE RETAIN YOUR INFORMATION
In compliance with the principles of lawfulness, purpose limitation and data minimisation, in accordance with Article 5 of the GDPR, we retain your personal data only for the time necessary to achieve the purpose for which it was collected or for any other legitimate related purpose. Therefore, if personal data is processed for two separate purposes, we retain that data until the purpose with the longer retention period expires, but we do not continue to process personal data for the purpose for which the retention period has expired. We restrict access to your personal data only to the subjects who require them to fulfil their tasks.
The personal data that are no longer required, or for which there is no longer a legal requirement for the retention thereof, is irreversibly anonymised (and as such can be safely stored) or destroyed.
Below are the retention times in relation to the purposes listed above:
• 10 years after termination of the contract, in compliance with legal obligations, limited to any documents required for tax and accounting purposes (contract, invoices);
• 3 years after receiving a customer satisfaction survey;
• 6 months after termination of the service, including online reservations, for subsidised stops and any violations of the applicable regulations (failure to appear/late cancellation).
YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO LODGE COMPLAINTS WITH THE SUPERVISORY AUTHORITY
You are entitled to obtain, if the conditions provided for by law are met, confirmation as to whether or not personal data concerning you exist, to have them communicated to you in an understandable form and to lodge a complaint with the supervisory authority.
More specifically, you are entitled to be provided with:
a. access to your personal data and all related information (Article 15 of the GDPR);
b. the correction of inaccurate personal data and the integration of incomplete personal data (Article 16 of the GDPR);
c. the erasure of personal data if any of the cases specified in Article 17 of the GDPR exist;
d. the restriction of the processing of your personal data if any of the conditions specified in Article 18 of the GDPR exist;
e. the portability of personal data (Article 20 of the GDPR).
You are entitled to object, in whole or in part, to the processing of personal data relating to you:
a. for legitimate reasons associated with your particular situation, even if they are relevant to the purpose of the data collection.
CONTACT DETAILS
Please be informed that the Data Controller is Azienda Veneziana della Mobilità S.p.A (Isola Nova del Tronchetto 33, 30135 Venice (VE), VAT Number 03096680271, contact details: e-mail avm@avmspa.it, telephone + 39 041 27 22 111) in the person of its legal representative in office for the time being.
We also inform you of the fact that we have appointed an external Data Protection Officer (DPO), whom you are entitled to contact as a general contact on issues relating to the protection of your personal data and associated rights.
If you have any complaints or concerns about how we process your personal data, we will make every effort to respond to your concerns. In any case, and if you prefer, you may forward your complaints or remarks to the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), using the contact details listed at the following website www.garanteprivacy.it
• DPO - (available at the following e-mail address: dpogruppoavm@avmspa.it).
The updated version of this policy is also available at all times on the following website
https://www.privacylab.it/informativa.php?21285465271 .