PRIVACY POLICY UNDER ARTICLE 13 OF REGULATION (EU) 2016/679 FOR THE PROCESSING OF DATA FOR WHICH VOX MILANO PASS S.R.L. AND THE MILANO & PARTNERS ASSOCIATION ARE JOINT CONTROLLERS
Last updated: February 10, 2025.
This Privacy Policy (the "Privacy Policy") governs the processing of personal data and information collected by Vox Milano Pass S.r.l., a single-member company subject to the management and coordination activity exercised by Vox S.p.A., with its registered office at Via Pievaiola 21, Perugia, VAT number 03896580549 ("Vox" or "Data Controller"), as the data controller, for the purposes and in the manner specified below, in compliance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data ("GDPR") and the related implementing regulations.
1. Personal Data Collected
The personal data that concerns you is provided directly by you when you access or register on the website citypass.yesmilano.it ("Site") and/or the "YesMilano Pass" application developed and provided by Vox ("App"; together with the Site, collectively the "Platform"), and subsequently, during its use.
The App and the Site are designed to offer you a personal digital card ("YesMilano City Pass") created and managed by Vox on behalf of the Milano & Partners Association in a public-private partnership. The Vox App also offers you: electronic access tickets ("Tickets") to (i) museums, villas, churches, gardens, attractions, etc. ("Attractions"), (ii) any additional products offered by the Institutions as defined below ("Products"); (iii) additional services, including local public transport ("Accessory Services"), available under the YesMilano City Pass; and (iv) any other product and/or service provided by Vox through the App.
The updated list of entities managing the Attractions, offering the Products and/or providing the Accessory Services (Institutions) is available at citypass.yesmilano.it. More information on how the Site and the App work, and the services offered, can be found by clicking on citypass.yesmilano.it.
The personal data collected and processed by Vox includes:
The identification data you provide when accessing or registering on the Platform and subsequently during its use. This data may include: first and last name, address, phone number, email address, travel dates, and/or IP address;
2. Purpose of Data Processing and Legal Basis
The personal data mentioned in point 1 above is processed by Vox and the Association, as joint controllers ("Joint Controllers"), for the purpose of:
The legal basis for the processing of personal data is:
the performance of a contract for the purposes referred to in letters (a) and (b). This processing is therefore legitimate pursuant to Article 6.1(b) of the GDPR;
It should be noted that any consent given by you for the purposes referred to in letter (d) extends to commercial and promotional communications transmitted via email, SMS and WhatsApp. You may, at your option, revoke the consent previously given in order not to receive any further commercial communication on any of the aforementioned channels (email, SMS and WhatsApp), or revoke it only partially for specific methods of sending. To revoke consent, you may send a communication to privacy@milanocitypass.com.
Your consent is not required for the processing of data in anonymous form for the purpose referred to in letter (e).
The provision of data is optional. However, any refusal to provide the data necessary for registration on the Platform, for invoicing, for support through customer service and for the management of related payments referred to in letters (a) and (b), will make it impossible to register with the Platform and use all or part of the services and products offered therein by Vox. Also, any subsequent opposition or revocation to the processing of the aforementioned personal data, for the aforementioned purposes, will result in the immediate suspension of the use of the related services.
Any refusal to consent to the processing for the additional purposes of sending periodic updates and sending commercial and promotional communications referred to in letter (c), as well as any refusal to consent to the processing for commercial and promotional communications from third-party companies that are Vox partners, will not have any consequences, except for the impossibility of being informed about said marketing and promotional-advertising communications, as well as receiving commercial communications and/or content of interest to you.
If you consent to the profiling activity indicated in letter (d), it will presuppose an automated activity in order to place you in a category of subjects with homogeneous characteristics based on the services you have used, your habits of using the Platform, the Tickets, Products and/or Accessory Services you have purchased.
3. Methods of Processing Personal Data
The processing of your data for the purpose referred to in paragraph 2 above, will take place using paper, automated and telematic methods, based on logical criteria functional to the purposes for which the data was collected and, in any case, in compliance with all the precautions necessary to ensure the security and confidentiality of information pursuant to the GDPR.
4. Communication of Personal Data
Within the organizations of the Joint Controllers, your data may be processed only by employees who need to know and/or use them limited to the performance of their duties and for the purposes of providing services. These subjects are appointed in writing by Vox and the Association as persons in charge of processing and trained on the obligations provided for by the GDPR. In carrying out their activities, the Joint Controllers may communicate personal data concerning you to the following third parties: Vox group companies, partners and suppliers that provide services to the Joint Controllers, mailing companies and consultants. These subjects are appointed by the Joint Controllers as data processors for purposes for which you have expressed consent. A complete list of the data processors appointed by the Joint Controllers can be easily and freely obtained by sending a request to the address indicated in paragraph 7 of this Privacy Policy.
The Joint Controllers may, finally, communicate your data to the judicial authorities to respond to summons, comply with orders issued by courts or other legitimate requests from competent authorities; to assert or exercise our rights or defend ourselves in court; for investigative, crime prevention or suppression purposes and in any other case provided for by law. Except as provided above, your data will not be communicated to other third parties or otherwise disseminated.
5. Retention of Personal Data
Your personal data will be stored on the Joint Controllers' servers and located in the European Union. The Joint Controllers will not transfer your personal data to countries located outside the European Union. The personal data collected for the processing purposes indicated in the preceding point 2 will be kept until you have withdrawn your consent to receive commercial and promotional communications, or you request the deletion of the data, except for the exceptional need to keep the data to defend the rights of the Joint Controllers in relation to disputes in progress at the time of the request, or upon indication from the public authorities. It should be noted that regardless of your withdrawal of consent or any requests for deletion, your data will be kept for a maximum of one year from their collection, unless you intend to renew consent for such processing.
6. Your Rights
Finally, we inform you that you can exercise the rights conferred pursuant to and for the purposes of Articles 15-21 of the GDPR; that is, the right to obtain from the Joint Controllers access, rectification, cancellation, limitation of processing, revocation of consent as well as the portability of your data, in addition to the right to oppose the processing of the same.
We remind you that you also have the right to contact the Data Protection Authority (whose contact details are available at the following link https://www.garanteprivacy.it/home/footer/contatti) to assert your rights in relation to the processing of your personal data. For the purposes referred to in this point 6, you can send a request to the Joint Controllers by email to privacy@milanocitypass.com or by registered letter to Vox's registered office indicated in point 7 below.
7. The Joint Controllers of Processing
The joint controllers of processing are Vox Milano Pass S.r.l., a single-member company subject to the management and coordination activity exercised by Vox S.p.A., with its registered office at Via Pievaiola 21, Perugia, VAT number 03896580549 and the Milano & Partners Association, with its registered office at Piazza della Scala 2 - 20121 - Milan (MI), VAT number 11016320969. The joint controllers of processing can be contacted for requests or reports at the following email address: privacy@milanocitypass.com.
The essential contents of the joint controller agreement between Vox and the Association are available here.