The following personal data or information (including data belonging to the particular categories ex Article 9 of the Regulation) may be processed: surname and first name; nationality and citizenship; email; age group; gender; date and place of birth (municipality and province if in Italy, state if abroad); duration of travel and date of arrival; reason for travel; movement and geographical positions; type of identity document, number and place of issue (municipality and province if in Italy, state if abroad) as well as copy of the same.

The personal data collected is processed for the following purposes:

2.1 the management of commercial and contractual relationships established, i.e. to ensure the use of the services provided by MMS (including online check-in at the chosen hotel/accommodation facility), through the use of the Manet platform, complaints management, fraud prevention, etc. The provision of personal data for this purpose is not mandatory, however it is functional to the services requested and any refusal to provide the data would make it impossible to perform the services. The legal basis of the processing is the execution.

2.2 the management of administrative/accounting relationships, i.e. to implement administrative/accounting activities strictly related to the provision of the requested services. The provision of personal data for this purpose is not mandatory, however it is functional to the services requested and any refusal to provide such data would make it impossible to perform the services. The legal basis of the processing is the execution of the contractual relationship to which the data subject is party (Article 6-b of the Regulation).

2.3 legal obligations, or to fulfil specific obligations provided for by law (for example, of a fiscal nature, such as electronic invoicing, or of a legal nature related to Public Security laws, as in the case of online check-in), by regulation or by EU legislation. Once the data subject has voluntarily provided their data in order to receive the requested services, the subsequent provision of personal data for this purpose is mandatory. In fact, the legal basis of the processing is the fulfilment of legal obligations by the Data Controller (Article 6-c) of the Regulation).

2.4 profiling activities aimed at direct marketing and on behalf of third companies, i.e. for the promotion of products and services, statistical surveys, market research, carried out through automated communication tools (e.g. email, push notifications, apps), also through the use of GPS; third-party companies, for whose account marketing activities will be carried out, are companies related to MMS, the hotel/reception structure or also companies belonging to the publishing, finance, economy, industry, luxury, services, telecommunications, commerce, insurance and non-profit sectors. The provision of data for this purpose is optional and the legal basis is the informed, free and express consent of the customer (Article 6-a) of the Regulation).

2.5 profiling activities aimed at communicating data to third parties for their marketing purposes, the third companies to which the data may be disclosed are companies linked to MMS or even companies belonging to the publishing, finance, economy, industry, luxury, services, telecommunications, commerce, insurance and non-profit sectors. The provision of data for this purpose is optional and the legal basis is the informed, free and express consent of the customer (Article 6-a) of the Regulation).

In relation to the purposes of this information, personal data is processed by automated and non-automated means, by subjects specifically designated to the processing, in accordance with Article 2-quaterdecies of Italian Legislative Decree No. 196 of 2003, as amended by Italian Legislative Decree No. 101 of 2018 (hereinafter, the “Privacy Code”) and Article 29 of the Regulation, for the time strictly necessary to achieve the purposes for which it was collected and in full compliance with all precautionary measures, guaranteeing the security and confidentiality of the data, as well as full compliance with legal obligations.

The personal data used for the purposes indicated in this policy will be stored:

• for the purpose referred to in point 2.1 for a period of time necessary and not exceeding the duration of use of the service
• for the purpose referred to in point 2.2 for a period of time necessary and not exceeding 10 years
• for the purpose referred to in point 2.3 for the period of time required by the applicable law, regulation or Community legislation
• for the purpose referred to in point 2.4 the data will be kept for 24 months
• for the purpose referred to in point 2.5 the data will be kept for 24 months
• for the check-in purposes referred to in points 2.1 and 2.3 the data will be kept for 36 months.

Following the termination of processing, the data will be kept for a maximum period of one month. The termination of processing is done by contacting the Data Controller at the addresses indicated in point 6.
Once the above-mentioned storage period has expired, data relating to nationality, email, age group, gender, travel time, reason for travel, movement and geographical positions will be rendered totally anonymous and used solely for statistical research purposes, in accordance with Article 89 of the EU Regulation.

As already pointed out, at the end of the use of the service, the data will be stored and kept for a further ten years solely for purposes of defence in court for contractual liability and for administrative-accounting purposes, as required by law.

The use of the Manet platform and of the services offered by the Data Controller is reserved to entities legally able, based on the relevant national legislation, to conclude contractual obligations. The Data Controller, where necessary for specific services, in order to prevent illegitimate access to the same, implements preventive measures to protect its legitimate interest, such as Tax ID checks and/or other permitted and appropriate checks.

Personal data may be processed by designated processing managers (Article 29 of the Regulation) responsible for the management of the services requested and/or by data processors (Article 28 of the Regulation) appointed by MMS. Data Processors fall into the following categories: lawyers, consultants of the Controller, hotel/accommodation facilities, rent-a-car companies, tour operators. Any communication will take place in compliance with the purposes of the processing described above. It is possible to request the list of designated managers and data processors from the Data Controller at the addresses indicated in point 6.

Personal data may be disclosed to third parties to comply with legal obligations (e.g. Public Security laws in the case of online check-in), MMS may transfer your personal data to government authorities, courts, external consultants and similar third parties that are public bodies to the extent required or permitted by applicable law, for instance if the processing is necessary to pursue MMS’s legitimate interests. This can happen for example if an administrative offence is committed while using the Manet platform.

If necessary in relation to particular services (e.g. online check-in) or products requested, personal data may be disclosed to third parties who, as independent data controllers, perform functions strictly connected and instrumental to the provision of such services or products (e.g. hotel/accommodation facilities, etc).

MMS uses Amazon Web Services EMEA SARL (AWS) with server location in the EU as an external cloud service provider.

MMS uses the SendGrid platform (www.sendgrid.com) with servers located in the United States of America as a service provider for sending emails. This data transfer is carried out by means of subscription by SendGrid to the Privacy Shield.

Where the person providing the data is under 16 years of age, such processing shall be lawful only if and to the extent that such consent is given or authorised by the holder of parental responsibility for whom the identification data and copies of identification documents are acquired.

Pursuant to the Regulation and applicable national regulations, Data Subjects may, in accordance with the procedures and within the limits envisaged, exercise the following rights:

• request confirmation of the existence of personal data concerning them (right of access)
• know about the origins of data
• receive intelligible communication
• have information about the logic, methods and purposes of the processing
• request the updating, rectification, integration, cancellation, transformation into anonymous form, blocking of data processed in violation of the law, including data no longer necessary for the purposes for which it was collected
• in cases of processing based on consent, to receive their data provided to the Data Controller in a structured and readable form by a Data Processor and in a format commonly used by an electronic device
• in cases of processing based on consent, to withdraw it at any time, without prejudice to the lawfulness of the processing based on consent given before the withdrawal
• the right to lodge a complaint with the Supervisory Authority.

For any questions and to exercise your rights, please contact Manet Mobile Solutions S.r.l. at the following telephone number: 0640409801 and/or e-mail address: info@manetmobile.com.

The Data Controller of the above-mentioned data is Manet Mobile Solutions S.r.l., with registered office in Rome (00193), Via Tibullo 10, Tax ID and VAT No. 13464271009, in the person of its legal representative Antonio Calia.

The complete list of data processors and processing managers is available at the MMS registered office and to obtain it, simply contact the following telephone number 0640409801 and/or email address info@manetmobile.com.

The Data Controller makes use of a Data Protection Officer (hereinafter, “DPO”) to supervise the protection of personal data, appointed pursuant to Article 37 of the Regulation.

We remind you that you can contact the DPO at any time and send any question or request regarding your personal data by writing to dpo@manetmobile.com.

This Privacy Policy may need to be updated from time to time (for example, due to the implementation of new technologies or the introduction of new services). We reserve the right to modify or supplement this Privacy Policy at any time. We will post the changes on www.manetmobile.com and/or inform you accordingly (e.g. by email).