Privacy Policy
Pursuant to Article 13 of the General Data Protection Regulation 2016/679 (GDPR), we inform you that the data collected by CIAV Consorzio Italiano Autotrasporto Viaggiatori through its websites, email addresses and local units will be processed in accordance with the policies defined by the GDPR and in particular:
The user is required to read and fully accept the terms and contents of this notice before accessing and using the website that CIAV Consorzio Italiano Autotrasporto Viaggiatori makes available, and to periodically acknowledge any changes that may be released.
Identity of the Data Controller
The Data Controller is Consorzio Italiano Autotrasporto Viaggiatori (hereinafter also referred to as CIAV), with registered office in Via Sichelmanno, 22 - Salerno, represented by its Sole Director pro tempore.
Identity of the Data Protection Officer
The Data Protection Officer is domiciled for the office at the company headquarters in Via Sichelmanno, 22 - Salerno. For information or clarifications, write to consorziociav@pec.it.
Source of data and types of data collected
This website uses the following cookies, pixel tags and JavaScript tags for the purposes listed below: CIAV cookies (first-party cookies).
a) CIAV collects personal data voluntarily provided by the user at the time of registration on the website or when the user performs a transaction through the website, as well as other personal data associated with order processing. Since CIAV operates in the B2C segment and offers local public transport services, non-scheduled public transport services and private NCC transfer services, its commercial policy provides opportunities, discounts and tangible benefits for those who register on the site, which are communicated to the registered user by email. Personal data include: title, first and last name, date of birth, gender, email address, username and password, shipping and billing address (including postal code, city and country), phone number, type and quantity of services purchased, order date, date and time of service delivery, order value, currency, payment information (type of card used), and the following information provided voluntarily by the user.
b) CIAV also collects data on the user’s use of the website, such as IP address, products viewed and those saved in the shopping cart; if the user reaches the website via a referring page or a link in a promotional email or advertising on another website that redirects to CIAV’s website; the company may also collect information about the referring page and the promotional email or targeted advertising together with the user’s IP address to analyze the effectiveness of marketing operations (collectively “usage data”).
Purposes of processing
Personal data are processed by the Data Controller for:
a) Transaction data will be used to process orders, manage payments, communicate with the user regarding the order, and manage customer support requests. They will also be used to acquire pre-contractual data and information; exchange information aimed at the execution of the contractual relationship, including pre- and post-contractual activities; formulate requests or process requests received; manage accounting and tax obligations.
b) Transaction data will also be used to send the data subject personalized messages or invitations to review products; usage data, in the case of registered customers, will be used together with transaction data (excluding payment information) to show personalized products on the website based on the user’s expressed interests.
In order to make marketing communications and newsletters truly useful to the user, transaction data and website usage data will be analyzed by CIAV to send personalized commercial communications based on the preferences indicated.
Finally, data will be used to manage and control risks, prevent possible fraud, insolvency or non-compliance; prevent and manage possible disputes; and take legal action if necessary.
Legal basis for processing
The legal basis for processing is as follows:
Processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject’s request, as regards the processing listed in point 1);
The data subject has given consent to the processing of his/her personal data for one or more specific purposes, as regards the processing listed in point 2);
Performance of pre-contractual measures taken at the data subject’s request and legitimate interest of the controller (maximization of the effectiveness of communications), as regards the processing listed in point 3);
Processing is necessary for the pursuit of the legitimate interest of the data controller (protection and prevention of fraud and insolvency), as regards the processing listed in point 4).
Recipients of data
Personal data processed by the Controller are not disseminated, i.e. they are not made known to unspecified subjects, in any possible form, including making them available or merely consulting them. They may instead be communicated to workers employed by the Controller, or to subjects authorized to process data as they operate under the authority of the Controller. In this regard, CIAV has appointed third-party service providers in relation to the operation of the website, such as hosting providers, marketing and website service providers, IT maintenance service providers, as well as providers that allow the integration on the website of other functions that the user can use at their discretion, such as the WhatsApp chat tool and product review function. These service providers, designated as Data Processors, are provided only with the personal data they need to provide the corresponding services and are not allowed to use or disclose the personal data of data subjects for other purposes without the data subject’s prior authorization.
If the data subject requests the sending of CIAV marketing communications and newsletters, his/her name, email address and other transaction and usage data may be shared with third parties to enable the analysis of the user’s interests and the sending of personalized commercial communications based on the preferences indicated.
They may also be communicated, within the strictly necessary limits, to subjects who, for the purposes of order fulfillment or other requests or service performance relating to the transaction or contractual relationship with the Controller, must provide goods and/or perform services on behalf of the Controller.
Finally, they may be communicated to subjects entitled to access them by virtue of laws, regulations, and EU rules. In particular, based on the roles and job duties performed, certain workers have been authorized to process personal data within the limits of their competence and in accordance with the instructions given by the Controller.
Data transfer
Under no circumstances does the Data Controller transfer personal data to third countries or international organizations. However, it reserves the possibility of using cloud services; in such case, service providers will be selected from those providing adequate guarantees, as required by Article 46 GDPR 679/16.
Data retention
The Data Controller stores and processes personal data for the time necessary to fulfill the indicated purposes. Subsequently, personal data will be stored, and no longer processed, for the time established by the applicable civil and tax regulations.
Rights of the data subject
With reference to Articles 15 (right of access), 16 (right to rectification), 17 (right to erasure), 18 (right to restriction of processing), 20 (right to portability), 21 (right to object), 22 (right to object to automated decision-making) of GDPR 679/16, the data subject exercises his/her rights by writing to the Data Controller at the address indicated above, or by email, specifying the subject of the request, the right he/she intends to exercise and attaching a copy of an identity document that attests to the legitimacy of the request. The Data Controller reminds in particular that any data subject may exercise the right to object in the forms and manner provided by Article 21 GDPR. Further information on the rights of the data subject can be found at the end of this section or can be requested at consorziociav@pec.it.
Withdrawal of consent
With reference to Article 7 of GDPR 679/16, the data subject may withdraw consent at any time. However, certain processing activities covered by this notice (points 1 and 4) are lawful and permitted, even in the absence of consent, as they are necessary for the performance of a contract to which the data subject is a party, or for the fulfillment of his/her requests, or to pursue the legitimate interests of the Controller. Withdrawal of consent, where applicable, may limit or compromise the modalities of interaction and communication of the customer or user with CIAV.
Right to lodge a complaint
The data subject has the right to lodge a complaint with the supervisory authority of the state of residence.
Refusal to provide data
Data subjects cannot refuse to provide the Controller with the personal data necessary to comply with the legal rules governing commercial transactions and taxation.
The provision of additional personal data may be necessary to improve the quality and efficiency of the transaction. Therefore, refusal to provide the data required by law will prevent order fulfillment. The additional data indicated in point a) of the paragraph “Source of data and types of data collected” are provided voluntarily; however, if the data subject decides not to provide the requested data, CIAV may not be able to provide the services, allow completion of the transaction through the website or process the order.
The data indicated in point b) are provided voluntarily by the data subject and, if he/she decides not to provide the requested data, the supply of products and services will not be compromised.
Automated decision-making processes
The Controller does not carry out processing consisting of automated decision-making processes on personal data, except those indicated in the paragraph “Recipients of data” with regard to those who request the sending of marketing communications and newsletters.
