Privacy Policy, dated May 2018

Pila
Address:
VAT Number:
Email: customer@customerservice.com
Phone: Missing text.customer_service_phone

Dear customer,

We collect your personal data because of the following reasons:
The ski pass is personal and we have to be able to check if it is the correct person using the ski pass. Seasonal ski passes and daily passes are different for different age groups.

In case of refunds or issue of new RFID cards, we will have to be able to identify the correct ski pass holder. And we want you as a customer to have full control with your personal data.

As an online customer you may go to MY ACCOUNT and manage your personal data:

• You may update your personal information, both your customer account and members of your team.
• You may download a copy of your information
• You may delete your customer profile and members of your team.
• You may change your opinion about getting offers.

We as a ski resort will manage your personal data in a safe and responsible way. And we will not sell or transfer your personal data to a third party without your consent.

We will use your personal data in relation to the purposes for which they were collected or otherwise processed. This will help us to fulfil our commitment towards you as a customer. We will also use the data to improve our services to you as a consumer and also for analyses and statistical purposes.

We may also use your information to send you advantageous notifications by email to renew your Ski pass or Season pass. At any given time you may decline this by entering MY ACCOUNT and change your settings.

Payment data will be processed for purposes pursuant to directive 2015/2366 (EU) and subsequent changes to payment services in the European internal market (so-called PSD2).

The privacy statement below is provided in accordance with Article 13 of EU Regulation 697/2016 regarding the Protection of Personal Data.

The information in this privacy statement applies to all the types of Tickets/Passes, as specified below.
Resort tickets refer to all the travel tickets/passes that are valid solely in the ski areas managed by the companies.
Resort tickets with VDA extension refer to all the travel tickets/passes that are also valid in the other ski areas of Valle d’Aosta, on the cableways of Mont Blanc and in the ski resorts of La Rosière, Alagna and Alpe di Mera, for a limited and predefined number of days.
Regional tickets refer to all the travel tickets/passes valid in the ski areas of Valle d’Aosta, on the cableways of Mont Blanc and in the ski resorts of La Rosière, Alagna and Alpe di Mera.
By “Resort” is meant the ski area(s) managed by the company Pila S.p.A. – fraz. Pila, 16 – 11020 Gressan (Aosta).

Source of personal data
The data in our possession, acquired for contracts entered into, are collected directly from the person concerned and others. All the data collected is processed in compliance with current legislation and, in all cases, with due confidentiality.

Purpose of data processing
The sole reason for collecting and processing personal data is to correctly complete the business obligations required from the company Pila S.p.A., especially referring to: requirements preliminary to entering into a transport contract; fulfilling contractual obligations to the person concerned (the data subject) by performing an operation, a number of operations or a combination of operations necessary to fulfil said obligations; discharge the obligations towards every public or private body connected with or instrumental to the transport contract; comply with legal obligations. The processing of data regarding the photograph of the data subject, where required by the transport contract, is to check that access to the lifts is made by the person entitled to do so.
The system for detecting people passing through turnstiles is based on RFID proximity technology which allows customers to pass through the gate “hands-free” without having to insert authorisation cards at the gates.
The system for tracking people passing through the gates installed in the ski resorts named in the introduction makes it possible to track the ski routes taken by customers, in order to check on unauthorised use of tickets and to search for missing persons. For a profiling service of customer attendance and preferences to be activated will require consent from the data subject.
Personal data collected for the following purposes – market analysis, statistics and quality control, marketing, informing about future commercial ventures, new products and services for promotional initiatives in general – will only be processed after receiving the data subject’s consent (Article 7 GDPR).
If customers are asked to provide more sensitive information on their identity and state of health (such as a medical certificate) in order to be eligible for a discount or other concessions, such information will be used solely for this purpose and will not be further processed for other reasons or disclosed.

Methods of processing and nature of data
For the purposes referred to above, personal information is processed by manual, digital and data transmission instruments using logic strictly connected to these data collection purposes and, in any case, in a way that assures the security and confidentiality of the data in accordance with the provisions in the aforementioned law. The information collected on the individual regards personal data, identifying data (age, name, address, etc.) and geographical position (passages through turnstiles) and, in the event of accidents or to benefit from discounts or other concessions, it regards sensitive data connected to the customer’s state of health (for instance, a medical certificate).

Duration of processing
The data collected (Sensitive, Personal, Identifying and geographic location) are stored for the time consistent with achieving the purposes of the processing and to comply with tax obligations, and in any case for a maximum period of three years. At the end of this period, all personally identifiable information is removed and the data relating to attendance at the ski areas are processed solely for statistical purposes.
Sensitive data relating to a customer’s state of health will be stored for a maximum period of 10 years, except for longer periods in order to meet the purposes of processing and requirements imposed by current regulations.

Nature of data collecting
It is obligatory to collect personal data when entering into a transport contract in order to comply with legal and tax requirements: refusing to provide such data will make it impossible to enter into a contract with the company. Using data for promotional and marketing purposes as specified above requires the consent of the data subject, and therefore providing such data is optional and will not prevent the contract’s execution.

Communication and disclosure
Personal data and the related processing shall be shared with companies for performing economic activities (such as selling, managerial, IT system management, insurance, bank or non-bank brokerage, factoring, shipping management, mailing) or for complying with legal obligations (accounting firms, lawyers, Regional Administration). Such data is not disclosed further. Staff members employed by our company or by companies that have a sales mandate can be aware of these data, as are the entities and subjects that provide the rescue service on ski slopes (such as the Red Cross, Local Health Authority, the rescue associations for ski slopes, etc.)

Data Controller
The Data Controller is Pila S.p.A. – Fraz. Pila 16 – 11020 Gressan (AO) whose legal representative is domiciled for the purpose at the address of the Data Controller. Joint Data Controllers (including the company itself which, for the purposes of this privacy statement, is specifically the Data Controller), pursuant to Article 26 of EU Regulation 679/2016, are: Pila S.p.A.; Cervino S.p.A.; Courmayeur Mont Blanc Funivie S.p.A.; Funivie Monte Bianco S.p.A.; Funivie Piccolo San Bernardo S.p.A.; Monterosa S.p.A. (the complete and updated list of joint Data Controllers with their respective contact details can be seen at the company’s website: www.pila.it).

Data Protection Officer (DPO)
The Data Protection Officer (DPO) can be contacted by email at: privacy@dffsrl.com.

Rights of the Data Subject
Data Subjects may contact the Privacy Service at the Data Controller to verify their data and have them updated, rectified or added to, and/or to exercise other rights provided for in Articles 15 to 21 of the GDPR.

Right of access to personal data and other rights (Article 15 et seq.)
The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, have access to the personal data and the following information:

1. the purposes of the processing;
2. the categories of personal data concerned;
3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine the period;
5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. the right to lodge a complaint with the supervisory authority;
   where the personal data are not collected from the data subject, any available information as to their source;
7. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
8. Where applicable, the data subject also has the rights provided in Article 16-21 GDPR (right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority

How to exercise rights
The data subjects concerned may at any time exercise their rights by sending one of the following:
a registered letter with receipt advice to the data controller company;
an email via certified email to the following address pilaspa@pcert.it
an email to the DPO at the address: privacy@dffsrl.com