Privacy statement for customers

Pursuant to articles 13 and 14 of EU Reg. no. 2016/679

1. CONTACT DATA

Data Controller
TraWell Co S.p.A., Via Olona n.183G, 21013, Gallarate and its subsidiaries, namely:

Data Processor:
TraWell Co S.p.A., Via Olona n.183G, 21013, Gallarate, mail privacy@trawellco.com, phone 0331 777154

2. OBJECT OF DATA PROCESSING

In the course of the activities offered by the Data Controller, customer data may be acquired, including for instance the customer’s name, surname, telephone number, e-mail address, travel route, baggage destination, bank details and photos.

3. PURPOSE OF DATA PROCESSING

Personal data are processed only upon your specific and distinct consent (art. 6. a. and art. 7 EU Reg. no. 2016/679) in order to:

  • Manage information requests and complaints about the services purchased;
  • Receive e-mails / sms with offers and commercial initiatives.
  • Publish photographs on social media to promote the company’s image online;

4. PROCESSING METHODS, CRITERIA AND DATA RETENTION TIME

Your personal data is processed by means of the operations indicated in art. 4 of EU Reg. no. 2016/679, more precisely: collection, registration, organization, storage, consultation, change, processing, modification, selection, extraction, comparison, use, interconnection, blocking, limitation, communication, cancellation and destruction of data. Your personal data are subjected to both paper and electronic processing. The Data Controller will process personal data for the time necessary to fulfil the aforementioned purposes. More specifically:

  • documents relating to the handling of complaints will be kept in our files for at least 10 years after the claim is closed.
  • personal data relating to purchase details will be kept for marketing purposes for a period of no more than 24 months from their registration, unless the data is made anonymous in such a way that the data subjects cannot be indirectly identified.

5. DATA ACCESS

Your data may be made accessible for the purposes referred to in art. 3:

  • to employees and collaborators of the Data Controller, in their capacity as persons in charge of data processing and/or internal data processors and/or system administrators;
  • to third-party companies such as companies entrusted with customer care service and social network management, and companies in charge of IT system maintenance, in their capacity as external data processors.

6. DATA COMMUNICATION

The controller can communicate your data without the need for express consent (art. 6 of EU Reg. no. 2016/679) for the purposes referred to in art. 2.A) to:

  • Banking institutions for claims settlement;
  • Airport Lost&Found Offices at luggage destination.
  • Companies controlled by Safe Bag SpA, operating at the branch where services were purchased.

These subjects will process the data in their capacity as independent data controllers. Your data will not be disseminated.

7. SOURCES

In order to trace missing luggage, airport databases may be consulted upon request.

8. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Our customer care services are entrusted to a third-party company that acts as a data processor. This company manages contact and call centre activities from Moldova, guaranteeing appropriate privacy protections. If requested, calls can be managed directly from Italy to avoid the transfer of data abroad.

9. NATURE OF DATA PROVISION AND CONSEQUENCES OF REFUSAL TO PROVIDE DATA

The provision of data is optional. You can therefore decide not to provide any data, or to deny the processing of data previously provided. In such a case, we will not be able to guarantee the provision of services or your ability to receive our offers.
Your consent will be regularly collected for specific purposes through data collection forms or audio recording.

10. RIGHTS OF THE DATA SUBJECT

According to EU Reg. 2016/679: Chap.III:

  • 1. The data subject has the right to obtain confirmation of whether or not personal data concerning him/her exist, even if not yet registered, and to receive communications in intelligible form.
  • 2. The data subject has the right to obtain information about the origin of the personal data; the purposes and methods of data processing; the logic applied in case of processing with electronic tools; identifying details for the data controller, the data processor and their representative; the subjects or categories of subjects to whom the personal data may be communicated or who can learn about it in their capacity as appointed representatives of the State, data processors or persons in charge of data processing.
  • 3. The data subject has the right to obtain:
    • a. updates, corrections or, if interested, the integration of data;
    • b. the erasure, transformation into anonymous form or blocking of unlawfully processed data, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
    • c. confirmation that the operations referred to in a) and b) above and their content have been brought to the attention of those to whom the data had been communicated or disseminated, except in cases where fulfilling this condition proves impossible or requires the use of means manifestly disproportionate to the protected right;
    • d. a copy of the information we hold in a common and interoperable format;
    • e. limitation of processing of personal data about him/her, or to oppose the processing of personal data about him/her, in whole or in part, for legitimate reasons, even if the data are relevant to the purpose for which they are being collected;

    Furthermore, the data subject has the right to:

    • f. revoke consent at any time, without prejudice to the lawfulness of data processing that was based on consent before revocation;
    • g. bring a complaint to a Supervisory Authority;

A formal declaration may be requested from the data controller certifying that the data subject’s requests have been effectively resolved and brought to the attention of those to whom data had previously been disseminated and disclosed.
As a data subject, you may also designate a third person with a copy of a power of attorney, or of a proxy signed in the presence of an official, or a proxy signed and presented with an unauthenticated photocopy of the data subject’s identification document. The data controller is obliged to reply to the request within 15 days from the date of submission or 30 days if the answer is problematic. In any case, within 15 days you will be notified in writing of any reason for delay. You may exercise your rights at any time by sending a registered letter (A/R) or an e-mail to the Data Controller.