privacy

Disclosure on processing of the personal data of visitors to the Enav.it website pursuant to Articles 13 and 14 of Regulation (EU) no. 2016/679

Controller

The controller of your personal data is ENAV SpA, with registered office in Italy, Via Salaria 716 in Rome, which you can contact to exercise the rights referred to in Articles 15 et seq. of Regulation (EU) no. 2016/679 through the following channels:

Data Protection Officer

ENAV has appointed a Data Protection Officer (DPO), who can be contacted at: dpo@enav.it

Categories of personal data processed

Only the ordinary personal data referred to in Article 4, paragraph 2, of Regulation (EU) no. 2016/679 are processed, such as:

  • Name and surname;

  • Profession

  • Organisation

  • E-mail address

  • Any other personal data contained in any text voluntarily submitted through the contact forms on the website or via e-mail.

The optional, explicit and voluntary submission of messages and documents through the contact forms results in the acquisition of personal data needed to reply, as well as all personal data included in the communication.

Purpose of the processing

Personal data is processed to provide support and enable access to the services offered through the ENAV website to ordinary visitors to the site for the following purposes:

  • to access, subject to registration, restricted areas (e.g. online services for pilots/journalists/professionals, access to pre-flight information);

  • to access and use of flight plan services, pre-analysis and assessment of air traffic obstacles and self-briefing navigation services;

  • to analyse aggregate data concerning the behaviour of data subjects in connection with visits to the website;

  • to manage personal data submitted by data subjects in connection with voluntary applications or as part of selection processes carried out through the "Work with Us" section of the website by ENAV SpA and/or the subsidiary Techno Sky Srl, subject to registration where appropriate, by accessing the dedicated recruiting system;

  • to manage personal data related to registration on and use of the e-procurement platform of ENAV SpA and Techno Sky Srl;

  • to prevent and collect information on fraudulent activities or harmful abuses;

  • to perform necessary and automatic collection of data of data subjects relating to their interaction with the website (technical cookies).

Legal basis

The data processing referred to above is lawful because:

  • it is necessary for the exercise of the official authority vested in the controller;

  • it is necessary for the performance of a contract to which the data subject is a party;

  • it is necessary for the pursuit of the legitimate interest of the controller or third parties;

The legal basis is grounded in in the following sources:

  • Article 6, paragraph 1, point e) of Regulation (EU) no. 2016/679 "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;

  • Article 6, paragraph 1, point b) of Regulation (EU) no. 2016/679 "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract";

  • Article 6, paragraph 1, point f) of Regulation (EU) no. 2016/679 "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party".

Data retention

Personal data will be processed for the time strictly necessary to fulfil contractual obligations and will be deleted 10 years after the expiration or termination of the contact (Article 2220 of the Civil Code);

For support requests, personal data will be retained no longer than the period of time necessary to process the request and in all cases deleted or anonymized within 12 months of collection, except in cases where processing is not necessary to fulfil a legal obligation, pursuant to Article 6, paragraph 1, point e) of Regulation (EU) no. 2016/679.

In any case, if the following types of data are present in the messages, they will be deleted:

  • special categories of personal data (Article 9 of Regulation (EU) no. 2016/679), specifically any data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of political parties, trade unions, associations or organisations of a religious, philosophical, political or trade union nature, data on the state of health or sex life of a natural person;

  • data of minors (Article 9 of Regulation (EU) no. 2016/679);

  • personal data relating to criminal convictions and offences or related security measures (Article 10 of Regulation (EU) no. 2016/679).

Communication of data to recipients

Data may be accessed or communicated, in compliance with current legislation and the purposes described above, to external entities engaged by the controller to provide services of various kinds, such as the operation and maintenance of the platform, the measurement of service quality, the provision of site services, etc. Accordingly, the controller has designated these persons as processors pursuant to Article 28 of Regulation (EU) no. 2016/679 from among those that offer sufficient guarantees to implement adequate technical and organisational measures so that the processing is compliant with the requirements of the Regulation and ensure that the rights of data subjects are protected.

Personal data is managed and stored on servers located within the European Union and the European Economic Area. Currently, the servers used are located in Italy.

Personal data are not disclosed to unidentified persons, in any form, including by making them available or allowing them to be consulted.

The personal data involved in processing will not be transferred abroad to non-EU countries that do not ensure adequate levels of protection.

In any case, your data may be communicated to all subjects who have a statutory right to access such data.

Rights of the data subject

The data subject has a right to obtain confirmation from the controller as to whether the data subject’s personal data is being processed and, in this case, to obtain access to the personal data and the following information: the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed (including recipients in third countries or international organizations), the period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period, the source of personal data if they have not be obtained from the data subject, the existence of automated decision-making including profiling and information on the logic involved.

Furthermore, the data subject has the right, in the cases provided for by Regulation (EU) no. 2016/679, to:

  • withdraw consent at any time without prejudice to the lawfulness of the processing based on consent given before its withdrawal;

  • obtain rectification of inaccurate personal data;

  • obtain completion of incomplete personal data;

  • obtain erasure of personal data (right to be forgotten);

  • obtain restriction of processing of personal data (in this case, the data are processed only with the consent of the data subject, except for the necessary storage of the data and in other cases permitted by law);

  • data portability, including by way of the transmission of the data subject's personal data directly from one controller to another, where technically feasible;

  • object to processing.

The related requests must be forwarded to the controller, using the contact details provided in this statement.

Right to lodge a complaint

If the data subject believes that the processing performed by the controller may have violated applicable regulations regarding the protection of personal data, the data subject has a right to lodge a complaint with the supervisory authority for the protection of personal data pursuant to Article 77 of Regulation (EU) no. 2016/679 through the following channels:

  • Address: Piazza di Monte Citorio n. 121, 00186 ROMA

  • Telephone: (+39) 06.696771

  • Certified e-mail: protocollo@pec.gpdp.it

  • E-mail: garante@gpdp.it

  • Fax: (+39) 06.69677.3785

Communication of personal data and consequences of failure to provide data

The communication of personal data is optional. Any refusal will make it impossible to provide you with the services requested and/or provide you with support or a response to your messages.