Privacy Policy for Suppliers

Information provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 regarding the processing of personal data in B2B relationships

Data Controller and Data Protection Officer

This information on the processing of personal data is provided, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter the “Regulation” or “GDPR”), by Italia Trasporto Aereo S.p.A., with its registered office at Via XX Settembre, No. 97, 00187 Rome (RM), Tax Code and VAT number 15907661001, REA registration No. RM-1622937, as Data Controller (hereinafter, for the sake of brevity, also referred to as “ITA Airways”, the “Company”, or the “Data Controller”).

The Data Protection Officer of ITA Airways can be contacted at the Data Controller's headquarters at the address indicated above, or by email at: [email protected].

Types of Data Subject to Processing

The Data Controller will process your personal data, collected as part of the signed contract and/or for the purposes of its conclusion. This includes, but is not limited to, your first name, surname, mobile phone number, email address, and, in general, your contact details as the legal representative of the company or as the contact person for commercial relationships maintained in the name and on behalf of the same for the purpose of signing the contract with the Company.

Purpose, Legal Basis, and Optionality of Processing

Your personal data will be processed for the following purposes:

  1. Performance of the contract and/or pre-contractual measures (“Performance of the Contract”);
  2. Fulfillment of any obligations established by law, regulation, or Community legislation, as well as satisfying requests from Authorities (“Compliance Purposes”);
  3. Legal defense necessary for the Data Controller to establish, exercise, or defend a right in court (“Defensive Purposes”).

The legal bases for processing for purposes 1 and 2 are Articles 6(1)(b) and 6(1)(c) of the Regulation, respectively.

The legal basis for processing for purpose 3 is Art. 6(1)(f) of the Regulation—specifically, the legitimate interest that the Data Controller has identified based on a balancing of interests.

Providing your personal data for the purposes above is optional; however, failure to provide it will make it impossible to establish commercial relationships with the supplier and/or execute the contract.

Recipients and Transfer of Personal Data

Your personal data may be shared with:

  • Natural persons authorized by the Data Controller to process personal data pursuant to Art. 29 of the GDPR and Art. 2-quaterdecies of Legislative Decree 196/2003 (“Privacy Code”) in the performance of their work duties (e.g., employees, system administrators, etc.);
  • Service providers (such as consultants, credit institutions, etc.) who typically act as Data Processors pursuant to Article 28 of the GDPR;
  • Parties, entities, or authorities to whom it is mandatory to communicate your personal data by virtue of legal provisions or orders from the authorities.

The complete and updated list of data recipients may be requested from the Data Controller using the contact details indicated above.

Your personal data may be transferred outside the European Economic Area. The Data Controller hereby declares that such processing will be carried out in accordance with the methods permitted by Articles 44 et seq. of the GDPR.

Retention of Personal Data

Your personal data will be retained only for as long as necessary for the purposes for which it was collected, in compliance with the principles of data minimization and storage limitation pursuant to Art. 5, paragraph 1, letters (c) and (e) of the GDPR. The Data Controller may retain certain data even after the termination of the contractual relationship for the period necessary to fulfill contractual and legal obligations. Further information is available from the Data Controller and/or DPO using the contact details provided above.

Data Processing Methods

In relation to the indicated purposes, personal data is processed using manual, computerized, and electronic tools, with logic strictly related to those purposes and, in any case, in a manner that guarantees the security and confidentiality of the data, in addition to compliance with specific obligations established by law.

Your Privacy Rights

You have the right to access your data at any time, pursuant to Articles 15–22 of the GDPR. Specifically, you may request the rectification, erasure, or restriction of processing in the cases provided for by Article 18 of the GDPR, withdraw your consent, and obtain data portability in the cases provided for by Article 20 of the GDPR.

You may submit a request to object to the processing of your data pursuant to Art. 21 of the GDPR, detailing the reasons justifying your objection. The Data Controller reserves the right to evaluate your request, which will not be accepted if there are compelling legitimate grounds for processing that override your interests, rights, and freedoms.

Requests must be submitted in writing to the Data Controller or the DPO at the addresses indicated above.

If you believe that the processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante Privacy), pursuant to Article 77 of the GDPR, or to take appropriate legal action (Article 79 of the GDPR).