Esercizi Aeroportuali S.E.A., a joint stock company with registered office in Segrate (Milan) – 20090 – at Milan Linate Airport, (the "Company"), as part of the services offered and the purchases made by users on the website www.viamilanoshop.it ("Service(s)") processes the personal data freely provided by the persons concerned in accordance with articles 4, no. 7) and 24 of the EU Regulations 2016/679 of 27 April 2016 concerning the protection of physical persons with regard to the processing of the personal data ("Regulation"), as well as the current Italian regulations.
Processing personal data refers to any operation or series of operations, carried out with or without the aid of automated processes and applied to personal data or series of personal data, even if not registered on a databank, such as the collection, registration, organisation, structuring, retention, processing, selection, blockage, adaptation or modification, extraction, consultation, use, communication via transmission, dissemination or any other form of making them available, comparison or interconnection, limitation, deletion or destruction.
The Company shall, therefore, proceed, in accordance with articles 13 or 14 of the Regulation and the current Italian regulations, with the respective processing for the purposes listed below, manually and/or with the aid of computers or data transmission.
1. Purpose and legal basis of the processing
The data are acquired and processed in compliance with the rules set by the Regulation and by the current Italian regulations for the following purposes with the consent of the persons concerned:
- fulfillment of the obligations arising from the Services sales contracts on the website and/or the fulfillment, before the conclusion of the aforementioned contracts, of specific requests by the persons concerned ("Primary Purposes")
- marketing (see subsequent point 3.2)
- profiling (see subsequent point 3.3)
- transfer of data to third parties (see subsequent points 3.2 and 3.3)
2. Communication and dissemination of personal data for the pursuit of the Primary Purposes of the processing
The data may be communicated to third parties when that communication is obligatory by force of law, including in the sphere of prevention/suppression of any unlawful activities. With reference to article 13, paragraph 1, letter (e) of the Regulation and the current Italian regulations, the data may be communicated, solely for the pursuit of the Primary Purposes, to employees/collaborators/consultants, as well as to third-party companies, the collaboration of which the Company makes use of in the pursuit of the Primary Purposes. The updated list of the external data managers is available at the Company's registered office.
The data shall not be disseminated, that is, personal data shall not be disclosed to the public or, in any event, to an indeterminate number of subjects.
3. Obligatory or voluntary basis of the granting of data for the pursuit of the purposes of the processing
3.1 Primary Purposes
The granting of the data to the Company is obligatory only for data for which there are legal, administrative, tax and accounting obligations connected to purchases made on the website.
Any refusal to grant these obligatory data could force the Company to acquire them from third-party sources (where legally possible) or lead to the failure to implement the Service.
To complete an online purchase, it will be necessary to provide the data marked with an asterisk on the appropriate registration form. Any refusal, partial or incorrect granting of these data will make it impossible for the Company to perform the services requested or the purchase to be completed. Any refusal, partial or incorrect granting of the data not marked with an asterisk shall not prevent the implementation of the services or purchase.
3.2 Marketing purposes
To proceed with the processing for marketing purposes, it is obligatory to acquire specific, separate, express, documented, prior and entirely optional consent.
By granting consent to the processing for marketing purposes, the person concerned specifically acknowledges the promotional, commercial and marketing purposes overall of the processing (including the consequent managerial and administrative activities) and expressly authorises the aforementioned processing in accordance with article 6, paragraph 1, letter (a) of the Regulation and in compliance with the current Italian regulations.
Should the person concerned not intend to give consent to the processing for marketing purposes, the consequence will be the impossibility for the Company to proceed with the respective processing. Failure to grant consent to the processing for marketing purposes shall not lead to any interference and/or consequence on any other negotiation or contractual relations, or of any other type, existing with the user.
The persons concerned is free to give consent to the additional communication to third parties who, in turn, wish to proceed with the processing for marketing purposes. Should the person concerned not give consent to the communication of their data to third parties, the consequence shall be that there shall not be any communication by the Company and the data shall be processed only and exclusively by the Company, should the person concerned have given the latter consent to processing for marketing purposes.
It is possible that, for marketing purposes and the improvement of the Services, the Company may proceed with the processing of so-called "profiling" data. For such processing, and for the purposes of complete information, reference is made to the definition referred to in article 4, paragraph 1, no. (4) of the Regulation: "any form of automated processing of personal data involving the use of such personal data in order to assess certain personal aspects regarding a physical person, in particular for analysing or predicting aspects concerning professional performance, economic situation, health, personal preferences, interests, reliability, conduct, location and movements of the aforementioned physical person".
In order to proceed with profiling processing, it is obligatory to acquire specific and separate consent.
Should the person concerned not intend to give consent to the processing for profiling purposes, the consequence will be the impossibility for the Company to proceed with the respective processing. The person concerned is free to give consent to the processing for marketing purposes and not to give it for the further consent to the processing for profiling purposes and/or communication to third parties that, in turn, wish to proceed with the processing for profiling purposes. Should the person concerned not give consent to the processing for profiling purposes and/or communication to third parties that, in turn, wish to proceed with the processing for profiling purposes, the consequence shall be that there shall not be any profiling and other communication to third parties by the Company and the data collected shall be processed only and exclusively by the Company, should the person concerned have given the latter consent to processing for marketing purposes. Data subject to profiling processing and the respective authorised profiles shall not be subject to any dissemination.
In any case, even where the person concerned has given consent to authorise the Company to pursue all the purposes mentioned in the points reported above, they shall in any event be free to revoke it at any time.
Notice is specifically and separately given, as required by article 21 of the Regulation, where applicable, that the person concerned has the right to object at any time to the processing of personal data that concern them for these purposes and that, should the person concerned object to the processing, the personal data shall no longer be subject to processing for these purposes.
4. Transfer of personal data to Countries that do not belong to the European Union
The data collected and processed are not transferred to companies or other entities outside the community territory.
5. Data retention
With reference to personal data processed for the pursuit of the Primary Purposes, they shall be retained in compliance with the principle of proportionality and as long as the purposes of the processing are being pursued, for a period of no longer than 10 years. With reference to the marketing and profiling purposes, for a period of 24 months and 12 months respectively.
6. Data controller
The identity details of the Company that is the Data Controller are the following:
Esercizi Aeroportuali S.E.A., a joint stock company with registered office in Segrate (Milan) - 20090 - at Milan-Linate Airport.
7. Data Protection Officer (DPO)
It is possible to contact the Data Protection Officer, including for the exercise of the rights of the person concerned under articles 15-22 of the Regulation, by sending an email to the address email@example.com.
1. by sending an e-mail to firstname.lastname@example.org;
2. by sending a letter by normal post to the Data Processor for exercising the right of access to personal data expressly indicated in paragraph 6 above, at the registered office of SEA;
3. with regard to promotional communications, send an e-mail, also by using as a data subject the "Reserved Area – User Data" function.
8. Rights of the person concerned
With regard to the data processing, the person concerned may exercise the rights referred to in articles 15 to 22 of the European Regulation 2016/679, reproduced in limited form in Attachment A to this information briefing.
The exercise of rights is not subject to any form of constraint and is free.
European Regulation on matters of the protection of personal data
Articles 15 to 22
In accordance with articles 15 to 22 of the European Regulation 2016/679, the person concerned has the right to obtain from the Data Controller the correction, supplementation or deletion (the so-called right to be forgotten) of their personal data; the right to obtain the limitation of the processing and the right to the portability of the data, the right of objection to the processing of personal data, including profiling, and finally, the right to complain to the Supervisory Authority.
COOKIE INFORMATION BRIEFING
Cookies are small strings of text that websites visited by the user send to the terminal (usually the browser), where they are saved before being re-sent to the same websites at the next visit by the same user. When browsing a website, the user may also receive cookies on his terminal sent by different web servers or websites (referred to as "third party") on which certain elements may be held (such as, for example, images, maps, sounds, specific links to pages of other domains) present on the website that he is visiting. Three categories of cookies are identified: "technical" cookies, "non-anonymous analytical" cookies and "profiling" cookies, own and third party.
The technical cookies are those used merely to "transmit a communication on an electronic communication network or to the extent strictly necessary to the supplier of an information society service, specifically asked by the contractor or user to supply said service" (Art. 122, paragraph 1 of the Personal Data Protection Code). They are not used for any further purpose and are normally installed directly by the Controller or website manager. They can be divided up into browsing or session cookies, which guarantee the normal browsing and use of the website (allowing, for example, a purchase to be made or user to identify himself in order to access reserved areas); analytics cookies, similar to technical cookies, where used directly by the website manager to collect information in aggregated form on the number of users and on how they visit the website; function cookies that enable the user to browse according to a series of selected criteria (e.g. language, products chosen for purchase) in order to improve the service offered. For the installation of technical cookies, no prior user consent is required, whilst the obligation remains to provide a disclosure in accordance with Art. 13 of the Personal Data Protection Code, which the website manager, if only using these devices, may supply in the way it considers most appropriate.
The technical cookies used are:
_ga: created by Google Analytics; used to collect information and generate statistics on the use of websites, without supplying personal data on individual visitors to Google. It is valid for 2 years;
_gat: created by Google Analytics; used to collect information and generate statistics on the use of websites, without supplying personal data on individual visitors to Google. It is valid for 10 minutes;
_gid: created by Google Analytics; used to collect information and generate statistics on the use of websites, without supplying personal data on individual visitors to Google. It is valid for 24 hours;
s_fid: tracking cookie, created by Adobe Omniture. It is valid for 5 years;
s_cc: tracking cookie, created by Adobe Omniture. They expire when the browser is closed or the website exited;
Commerce: browsing cookies, created by the application. They expire when the session expires;
JSESSIONID: session cookies, created by the WebLogic server to maintain the session. They expire when the session expires;
__utma: created by Google Analytics, cookie distinguishing the Visitor. This lasts for 2 years and, amongst other things, has a unique code that can distinguish the Visitor. Google Analytics, to measure the number of people (one-time visitors) who visited a website, counts the utma number;
_utmb and _utmc. These are the two cookies that identify the session (Visit). Google Analytics uses them to calculate the metrics based on time, and duration of Visit or time on the Page. They expire when the browser is closed or the website exited;
__utmt: tracking cookie, created by Google Analytics. It is valid for 10 minutes;
s_fid: tracking cookie, created by Adobe Omniture. It is valid for 5 years;
s_cc: tracking cookie, created by Adobe Omniture. They expire when the browser is closed or the website exited;
Third party profiling cookies (marketing/retargeting)
Third party profiling cookies are used by third party companies and enable the user to view advertising banners on other affiliated websites, showing the last products displayed on the websites www.viamilanoeshop.eu, www.viamilanoparking.eu, www.milanomalpensa-airport.com and www.milanolinate-airport.com.
These cookies allow for the creation, distribution and monitoring of digital marketing campaigns and show the user products that could be of interest to him. More specifically, as regards third party profiling cookies: Adform is used for on-line marketing campaigns, including based on user behaviour. For more information and to disable this cookie: http://site.adform.com/privacy-policy/en/.
Acceptance and rejection of cookies
Continuing with the navigation on one of the websites indicated above by clicking on the button "Accept" or clicking on any part of the page means acceptance of SEA's Cookies Policy and cookies will be set and collected for the website being navigated. In the case of failure to accept the cookies by abandoning the navigation, no "I do not accept" button of any kind is provided, any cookies already registered locally on the browser will remain registered there but will no longer be read or used by SEA until any subsequent acceptance of the Policy. The option always remains of removing these cookies at any time using the methods described in the subsequent paragraphs.
1. Purpose of the processing for which the data are intended
The purposes for which cookies are used on our websites as indicated above are the following:
1. Execution of digital authentication
2. Monitoring of the sessions
3. Definition of the user profile on the basis of the preferences displayed during the navigation.
2. Nature of granting the data and consequences of any refusal to respond
With reference to points 1 and 2 referred to in the previous paragraph 1, the installation of these cookies is not subject to the prior consent of the users since they are strictly necessary to implement the transmission of communication on an electronic communication network. With reference to point 3, referred to in paragraph 1 above, the user's consent is necessary for the installation of these cookies and any refusal shall not in any way preclude navigation on the website.
The processing shall be carried out with automated systems suitable for storing and managing the data with regard to the aforementioned purposes and in such a way as to guarantee security and confidentiality.
3. Scope of communication and dissemination of the data
For the aforementioned purposes, the data may be communication by the joint stock company Esercizi Aeroportuali S.E.A.:
- to all subjects with a right of access to these data that is acknowledge by virtue of regulatory provisions and/or of the Authorities;
- to our collaborators, employees, consultants and suppliers, within the sphere of their respective duties;
- to other companies of the SEA group.
4. Identification details of the Data Controller and Data Manager
The Data Controller, in accordance with the Code, is the joint stock company Esercizi Aeroportuali S.E.A., with registered office in Segrate (Milan) at Milan Linate Airport. The Data Manager, in accordance with the Code, is SEA's Information and Communication Technology Director. Within the company, Data Processors have been identified.
The data shall be processed by the Data Controller's employees and collaborators in the role of Data Processors and Managers. A complete, updated list of the Data Managers appointed by the Data Controller can be obtained by sending an email to email@example.com. The data collected using cookies shall not be disseminated.
5. Rights referred to in articles 15-22 of the Regulation
Regarding the processing of the data collected, the persons concerned shall have the right, in accordance with articles 15 to 22 of the European Regulation 2016/679 and where applicable, to obtain from the Data Controller the correction, supplementation or deletion (the so-called right to be forgotten) of their personal data, including profiling, and finally to complain to the Supervisory Authority by sending a request to the Data Protection Manager at the address firstname.lastname@example.org or via ordinary post, addressed to the Data Protection Manager – 20090 Segrate (Milan) at Milan Linate Airport. For a longer and more complete version of the information briefing, it is possible to consult the Privacy Information Briefing of the Websites.
HOW ARE COOKIES DISABLED?
1. How are third-party cookies disabled?
Advertising companies enable the receipt of targeted announcements to be rejected, if this is desired. This does not prevent the setting of cookies but stops the use and collection of certain data by these companies.
Links are given below to the web pages containing the information briefings adopted by third parties:
AD FORM: http://site.adform.com/privacy-policy/en/ (English version)
For more information and to renounce, should you so wish, also visit http://www.youronlinechoices.com/uk/
2. How to disable cookies in the main browsers ?
Most browsers (Internet Explorer, Firefox, Chrome, etc.) are configured to accept cookies. Cookies stored on the hard disk of your device can, in any event, be deleted and it is also possible to disable cookies by following the instructions provided by the main browsers; the instructions of the main browsers are at the following links:
Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-10