PRIVACY NOTICE PURSUANT TO ARTICLE 13 OF REGULATION (EU) 2016/679
Last update: October 17, 2023
This Privacy Notice ("Privacy Notice") governs the processing of personal data and information collected by Vox Milano Pass S.r.l., a single-member company subject to the management and coordination activities carried out by Vox S.p.A., with registered office at Via Pievaiola 21, Perugia, VAT Number 03896580549 ("Vox" or "Data Controller"), in its capacity as data controller, for the purposes and in the manner specified below, in compliance with the provisions of Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, concerning the protection of individuals with regard to the processing of personal data ("GDPR") and the relevant implementing legislation.
1. Personal data collected
The personal data that concerns you is provided directly by you when you register on the website citypass.yesmilano.it ("Website") and/or the application "YesMilano Pass", developed and made available by Vox ("App"; together with the Website, collectively referred to as the "Platform"), and subsequently, during their use.
The App and the Website aim to provide you with a personal digital card ("YesMilano City Pass") created and managed by Vox on behalf of the Associazione Milano & Partners in public-private partnership. The Vox App also offers you electronic access tickets ("Tickets") to (i) museums, villas, churches, gardens, and attractions, etc. ("Attractions"), (ii) any additional products possibly offered by the Institutions as defined below ("Products"); (iii) additional services, including local public transportation ("Ancillary Services"), available as part of the YesMilano City Pass; and (iv) any other product and/or service provided by Vox via the App.
The updated list of entities that manage the Attractions, offer the Products, and/or provide the Ancillary Services (Institutions) is available at citypass.yesmilano.it. You can find more information about how the Website and App work, and the services offered, by clicking citypass.yesmilano.it.
The personal data collected and processed by Vox includes:
- the identification data you provide when registering on the Platform and subsequently during its use. Such data may include: name, address, telephone number, email address, and IP address;
- any personal data provided when you contact customer service;
- the data automatically received such as the mobile device and the unique identifier of the device, as well as the software and hardware characteristics;
- the data relating to your use of the Platform, such as the content you view, the frequency with which you use the Platform, the purchase of Tickets, Products, and/or Ancillary Services, etc.
2. Purpose of processing and legal basis
The personal data referred to in point 1 above is processed by Vox for the following purposes:
- management of registration on the Platform, offering and enjoying the YesMilano City Pass, Tickets, Products, and/or Ancillary Services, and managing support requests submitted to Vox's customer service;
- compliance with payments management of the YesMilano City Pass and related invoicing;
- statistical purposes on anonymized data;
- sending updates on Vox's activities and commercial and promotional communications about discounts, offers, services, or events by Vox. Commercial and promotional communications may be sent via email, SMS, and/or WhatsApp.
The legal basis for the processing of personal data is:
- the execution of a contract for the purposes referred to in letters a) and b). This processing is therefore legitimate pursuant to Article 6.1(b) of the GDPR; and
- your prior consent for the purposes referred to in letters c), e), and f). You may revoke your consent at any time to no longer receive any communication, however, this will not affect the lawfulness of the processing based on the consent you gave before the revocation.
Please note that any consent you may have given for the purposes referred to in point e) above extends to commercial and promotional communications sent via email, SMS, and WhatsApp. You may choose to revoke the consent previously given to no longer receive any commercial communication on any of the aforementioned channels (email, SMS, and WhatsApp), or partially revoke it for specific sending methods. To revoke your consent, you may send a communication to email@example.com.
Your consent is not required for the processing of data in an anonymous form for the purpose referred to in letter d).
Providing your data is optional. However, refusal to provide the necessary data for registration on the Platform, for billing, for customer service support, and for managing related payments as per point 2) letters a) and b), will result in the impossibility to register on the Platform and to use all or part of the services and products offered by Vox. Similarly, any subsequent objection or withdrawal of consent to the processing of the aforementioned personal data, for the purposes mentioned above, will result in the immediate suspension of the enjoyment of the related services.
Refusal to consent to the processing for additional purposes of profiling, sending periodic updates, and sending commercial and promotional communications as per point 2), letters c) and e), as well as refusal to consent to the processing for commercial and promotional communications from third-party companies partnered with Vox, as per point 2), letter f), will have no consequences, except the inability to be informed about said marketing and promotional communications, as well as to receive commercial communications and/or content of your interest.
If you consent to the profiling activity indicated in letter c) above, it will imply an automated activity aimed at placing you in a category of subjects with homogeneous characteristics based on the services you have used, your usage habits of the Platform, and the Tickets, Products, and/or Accessory Services you have purchased.
3. Methods of processing personal data
The processing of your data for the purposes referred to in paragraph 2 above will take place using paper, automated, and electronic methods, based on logical criteria functional to the purposes for which the data was collected, and in any case, in compliance with all necessary precautions to ensure the security and confidentiality of information pursuant to the GDPR.
4. Communication of personal data
Within the organization of the Data Controller, your data may be processed by employees who need to know and/or use it, limited to the performance of their duties and for the provision of services. These individuals are appointed in writing by Vox as data processing agents and trained on the obligations set forth by the GDPR.
Vox may also communicate your data to judicial authorities to respond to subpoenas, comply with orders issued by courts or other legitimate requests from competent authorities; to assert or exercise our rights or defend ourselves in court; for investigative purposes, prevention or fight against crime, and in any other case provided by law.
We may also communicate only the anonymous data collected through the Platform to our customers, business partners, and companies with which we have collaborative relationships, including Institutions.
Except as above, your data will not be communicated to other third parties or otherwise disclosed.
5. Retention of personal data
Your personal data will be stored on servers available to Vox and located in the European Union. The Data Controller will not transfer your personal data to countries located outside the European Union.
The personal data collected for the processing purposes indicated in point 2) letters a) and b) will be retained for the duration of your registration on the Platform. Subsequently, personal data will be stored for a period not exceeding the limitation period provided by law to possibly assert or defend a right in court against you or third parties. The data collected for the processing purposes indicated in point 2), letters c), e), and f) will be retained until you withdraw your consent to profiling activities and the receipt of commercial and promotional communications (by Vox and/or third-party partner companies), or to the data transfer, or you request data deletion, except for the exceptional need to retain data to defend the rights of the Data Controller in relation to disputes in progress at the time of the request, or as indicated by public authorities.
6. Your rights
Pursuant to Articles 15-21 of the GDPR, we remind you that you have the right:
a) to obtain information regarding the purposes for which your personal data is processed, the period of processing, and the subjects to whom the data is communicated (so-called right of access);
b) to obtain the rectification or integration of inaccurate personal data concerning you (so-called right to rectification);
c) to obtain the deletion of personal data concerning you in the following cases: (i) the data is no longer necessary for the purposes for which it was collected or processed; (ii) you have withdrawn your consent to the data processing, if they are processed based on your consent; (iii) you have opposed the processing of personal data concerning you if they are processed for a legitimate interest of Vox; or (iv) the processing of your personal data is not compliant with the law. However, please note that the retention of personal data by Vox is lawful if necessary to comply with a legal obligation or to assert, exercise, or defend a right in court (so-called right to deletion);
d) to obtain that personal data concerning you be only stored without any further use in the following cases: (i) you have contested the accuracy of personal data, for the period necessary to allow Vox to verify the accuracy of such personal data; (ii) the processing is unlawful but you still oppose the deletion of personal data by Vox; (iii) personal data is necessary for the establishment, exercise, or defense of a right in court; (iv) you have opposed the processing, and it is pending verification regarding the possible prevalence of Vox's legitimate reasons for processing over your own (so-called right to restriction);
e) to obtain the cessation of processing in cases where your personal data is processed for the legitimate interest of Vox, and you contest the existence of this interest (so-called right of opposition);
f) to receive in a commonly used, machine-readable, and interoperable format the personal data concerning you processed with automated means, if they are processed by virtue of a contract or based on your consent (so-called right to portability).
We remind you that you also have the right to contact the Data Protection Authority (whose contact details are available at the following link https://www.garanteprivacy.it/home/footer/contatti) to assert your rights in relation to the processing of your personal data.
For the purposes referred to in this point 6, you may send a request to the Data Controller by email at firstname.lastname@example.org or by registered letter at the legal address of Vox indicated in point 7 that follows.
7. The data controller
The data controller is Vox Milano Pass S.r.l., a single-member company subject to the management and coordination activities carried out by Vox S.p.A., with legal office in Via Pievaiola 21, Perugia, VAT number 03896580549. The Data Controller can be contacted for requests or reports at the following email address: email@example.com