Information in relation to the processing of personal data
We would like to inform you that, according to the Regulation (UE) 2016/679 that lays down rules relating to the protection of natural persons with regard to the processing of personal data, CTM S.p.A. shall provide the following information relating to the processing of your personal data. According to article 5 of Regulation (EU) 2016/679, personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject, collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, accurate and, where necessary, kept up to date, kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller is CTM S.p.A, with legal headquarters in Cagliari, viale Trieste 159/3. At every moment, data subjects may contact the controller by the following means: certified email (PEC): email@example.com, phone 07020911, fax 0702091222.
DATA PROTECTION OFFICER
CTM S.p.A. has appointed the Data Protection Officer (DPO) who may be contacted via email at the following email address: firstname.lastname@example.org
PURPOSES AND LEGAL BASIS FOR PROCESSING
All personal data provided by you is collected and processed for the following purposes:
Accounting and administrative purposes closely linked and instrumental in the management of relations with customers, in particular to provide for the fulfilment of all contractual obligations;
Invoicing purposes. In case of integrated transport services;
Fine management purposes, in order to check tickets or validations;
Handling of complaints.
The processing of your personal data for the purposes above listed it is mandatory to fulfil contractual obligations.
To access to the service, you will be asked some personal data for the following purposes:
Mobile phone number: needed to buy via mobile device. It will be forwarded to the bank providing the e-ticketing service. CTM will store your data in order to deal with enquiries or complaints;
Email address: required i) to inform the user about the purchase; ii) to provide the user with the necessary code to reinstall the app if it does not work properly;
Tax code: essential to purchase a personal pass via the app busfinder and to issue the invoice.
Name and surname: necessary for the CTM SpA to check the tickets on board and to manage fines and/or disputes. If an integrated ticket is purchased, CTM SpA will communicate the data to the companies providing integrated transport services, so that they can carry out – as independent controller – the same activities, including checking tickets. For information about the data processing carried out by these companies, please contact:
ARST SpA - Via Posada 8-10 09100 Cagliari
Trenitalia - Direzione Regionale Sardegna, Viale La Playa 17 09123 Cagliari
AUTOLINEE BAIRE S.R.L. - Via Cagliari n. 88 09012 Capoterra (CA)
Data provision is required and if incomplete or incorrect, CTM SpA will not be able to provide the service.
In case of on board ticket checking, passengers will be required to show their ID or the CTM Card with the Reminder paper released, or the Personal Card "UNO" issued by ARST, as shown at the following link: http://www.ctmcagliari.it/custom.php?nome=integrazione#
Some optional features of the application (Calculate route and Find BusStops) can run only by allowing the application to access the geolocation of your mobile device. The application will ask such optional authorization at the first opening and, in case of consent, the geolocation will be activated every time the application is used. The geolocation data remain on the user's mobile device and neither CTM or third parts may access them. At any time you may turn off the geolocation on your mobile device.
THE RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
Personal data will be processed solely by third parties duly appointed as data processors. The identity of third parties providing the services here listed may be requested to the controller at any time.
DATA PROCESSING METHODS AND STORAGE TIMES
Processing personal data is performed electronically or manually by authorized CTM staff, duly internally appointed. The authorized staff are given access to your personal data as far as it is necessary and within the limits of pursuing the processing activities of your data.
Data relating to purchases will be stored by CTM SpA for 10 years for accounting and administrative purposes
Ticket validation data (type, identification number, date and time, vehicle identification and type of validation) will be stored by CTM SpA up to 72 hours. to verify the legitimate possession/the correct validation of the ticket, to detect any fraudulent conduct and to manage malfunctions or complaints. After 72 hours, the validation data are processed anonymously and stored by CTM SpA for the service management analysis. First and last validation data will be shown on the user’s mobile device.
RIGHTS OF THE DATA SUBJECT
Data subjects may exercise, at any time, the right of access (art. 15 GDPR), right to rectification (art. 16 GDPR), right to erasure (art. 17 GDPR), right to restriction of processing (art. 18 GDPR), right to data portability (art. 20 GDPR), right to object (art. 20 GDPR) in accordance with the methods set out in the articles to which express reference is made.
RIGHT TO LODGE A COMPLAINT
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the Regulation (UE) 2016/679.