Privacy Notice for the Processing of Personal Data in relation to the Itabus Plus Loyalty Program

REGULATION (EU) No. 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016


Pursuant to and for the purposes of Articles 13 and 14 of Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation, hereinafter also referred to as the “Regulation” or “GDPR”) and repealing Directive 95/46/EC, we inform you that the Personal Data voluntarily provided by you to Itabus S.p.A. (hereinafter also referred to as the “Company” or “Itabus”) will be processed in compliance with the applicable legislation on the protection of Personal Data and, in any case, in accordance with the principles of confidentiality that inspire the Company’s activities.


1. Categories of Personal Data processed

Itabus will process the following categories of Personal Data:

a) Common personal data provided by you at the time of registration to the Itabus Plus loyalty program (hereinafter also referred to as the “Program”) or subsequently acquired in the event of assistance requests, such as but not limited to: personal identification data (name and surname), personal email address, username, password, customer code, copy of identity document, mobile phone number, date of birth;

b) to allow you to use the services and benefits, as well as to carry out the activities reserved for you by virtue of your participation in the Program, including the possibility of sending you service communications strictly related to your participation in the Program (legal basis: GDPR art. 6, para. 1, letter b);

c) for administrative and accounting purposes and for the fulfilment of obligations provided for by applicable law (legal basis: GDPR art. 6, para. 1, letter c);

d) for marketing purposes, following your eventual and specific consent (legal basis: GDPR art. 6, para. 1, letter a), such as, for example: sending informational and commercial communications, including promotional communications (including our newsletter or invitations to complete customer satisfaction surveys), advertising material and/or offers of goods and services from Itabus and Itabus commercial partners, by any means, including, by way of example and not limited to, mail, Internet, telephone, email, MMS, SMS from Italy or from abroad (including from countries outside the European Union) by Itabus, by its parent companies, subsidiaries and/or affiliates, as well as by natural or legal entities contractually linked to Itabus that send communications in the name and on behalf of Itabus. The updated list is always available and can be consulted on the Itabus website in the dedicated section “Itabus Partners”;

e) for profiling purposes, following your eventual and specific consent (legal basis: GDPR art. 6, para. 1, letter a): your personal data referred to in paragraph 1, letters a) and b) above and, where applicable, the data related to the travel ticket and/or services purchased and/or used referred to in paragraph 1, letter c) above, may be processed to enable the preparation and carrying out of statistical and market studies and research, as well as the analysis of tastes, preferences, habits, needs and consumption choices, and to receive personalized offers based on purchase preferences, by Itabus, by its parent companies, subsidiaries and/or affiliates, as well as, in the name and on behalf of Itabus, by natural or legal entities contractually linked to Itabus and/or otherwise collaborating in the commercial activities of Itabus.

f) following your possible and specific consent (legal basis: GDPR art. 6, para. 1, letter a) for the transfer of data to Itabus commercial partners for the purpose of receiving their communications.

g) lastly, Itabus may use your Personal Data for system security activities (risk management) and fraud prevention. For this purpose, the legal basis is the legitimate interest of Itabus (GDPR art. 6, para. 1, letter f).


We remind you that, with reference to the purposes indicated in points a), b), c) and g), the provision of your Personal Data is mandatory. Any refusal on your part and/or the provision of inaccurate and/or incomplete information would prevent:

-      with reference to the purpose referred to in point a): your participation/registration in the Program;

-      with reference to the purpose referred to in point b): your use of the products and/or services, as well as the performance of the activities reserved for you by virtue of your participation in the Program;

-      with reference to the purpose referred to in point g): for Itabus, the performance of system security and fraud prevention activities.


In particular, we inform you that Itabus may request, in compliance with the applicable legislation, a copy of your identity document in order to verify the accuracy of the data relating to you, for example in the event of a request submitted by you to change the personal details provided at the time of registration to the Program.

With reference to the additional purposes indicated in points d), e) and f), the provision of your Personal Data and your consent to the processing of such data for the aforementioned purposes are optional. However, any refusal on your part to provide your Data and/or to give consent to the processing related to the aforementioned purposes and/or the provision of inaccurate and/or incomplete information may prevent the Company from:

-      with reference to the purpose referred to in point d): the sending of promotional communications by Itabus;

-      with reference to the purpose referred to in point e): the carrying out of profiling activities and the sending of personalized offers based on your purchase preferences by Itabus;

-      with reference to the purpose referred to in point f): the transfer of your Personal Data to Itabus commercial partners for the purpose of receiving their communications. In this regard, with reference to the purposes indicated in points d), e) and f), we remind you that any changes you make to your consent will become effective in our systems within 7 days from the time of the modification.


3. Methods of processing

The processing of your Personal Data will be carried out using appropriate paper, electronic and/or telematic tools, with methods strictly related to the purposes indicated above and, in any case, in such a way as to ensure the security and confidentiality of the Data. In the event that the user (i) logs in or registers for Itabus services using the access credentials of a social network (for example Facebook or Twitter, hereinafter “Social Network”)

or (ii) links their account to an account of the same user on a Social Network, Itabus may receive user-related Data from such Social Network, in accordance with the terms of use and the provisions set out in the privacy policy of the Social Network itself. Itabus may add such information to the user’s Data already collected through its services. If the user chooses to share information with such Social Networks, Itabus receives the Data from them in accordance with the consent options provided by the user.

The Personal Data that may be communicated by the Social Network will be subject to the terms and conditions of use of the Social Network.


4. Recipients or Categories of Recipients of Personal Data

Your Personal Data may come to the attention of the shareholders, members of the Board of Directors or other administrative body, the Data Protection Officer and, in any case, the Data Processors designated by Itabus and the Personal Data Processors appointed by the Company in the exercise of their functions. Your Personal Data may be disclosed to any parties that provide Itabus with services or activities instrumental to the purposes indicated in paragraph 2 above, such as, by way of example and not limited to, parent companies, subsidiaries, affiliates and/or associated companies. Your Personal Data may also be disclosed to suppliers, contractors, subcontractors, banking and/or insurance institutions or other entities and/or bodies that provide (on behalf of Itabus or as independent data controllers): management and/or maintenance of the websites and of the electronic and/or telematic tools used by Itabus; to risk management activities and/or fraud prevention activities; to the management of participation/registration in the Program; to the sending of informational and promotional communications, including commercial communications, advertising material and/or offers of goods and services, as well as invitations to complete customer satisfaction surveys; to the performance of profiling activities, including the analysis of habits, tastes, preferences and consumption choices, as well as the preparation and carrying out of market studies and research.

Your Personal Data may be transferred abroad, in accordance with the applicable legislation, including to countries outside the European Union where the Company may pursue its interests. The transfer to non-EU countries, in addition to cases where it is guaranteed by adequacy decisions of the European Commission, is carried out in such a way as to provide appropriate safeguards in accordance with Articles 46, 47 or 49 of the Regulation.

 

5. Duration of processing and criteria used for the retention of Personal Data

5.1 Duration

For the purposes referred to in letters a), b) and c) of paragraph 2 “Purposes of Processing” of this privacy notice, your Personal Data will be processed only for the time necessary, and not longer than that required for the fulfilment of applicable legal obligations or for the protection of the Controller’s rights in judicial proceedings. For the purposes of marketing, profiling and communication to Itabus commercial partners referred to in letters d), e) and f) of paragraph 2 “Purposes of Processing” of this privacy notice, your Personal Data will be processed until the data subject withdraws their consent.

5.2 Retention

The Data will be retained according to the following criteria:

-     the Data processed for participation/registration in the loyalty program referred to in letters a), b), c) and g) of paragraph 2 “Purposes of Processing” of this privacy notice will be retained in compliance with legal obligations for the entire period during which you participate in the program and for a period of 10 years following the termination of the relationship, unless further retention is required to allow Itabus to defend its rights;

-      the Data processed for marketing and profiling purposes referred to in letters d) and e) of paragraph 2 “Purposes of Processing” of this privacy notice will be retained for a maximum period of 24 months.


6. Rights of the Interested Party

We inform you that, at any time with regard to your Data, you may exercise the rights provided for within the limits and under the conditions set out in Articles 7 and 15–22 of the Regulation. For the exercise of these rights, described below, please contact the Data Controller through the Privacy office at the email addresses dpo@itabus.it and privacy@itabus.it; an appropriate response will be provided to such request within the time limits provided for by the GDPR.

In relation to the Data subject to processing under this privacy notice, you are entitled at any time to exercise the right to:

-      Withdrawal of consent (art. 7 of the GDPR)

-       Access (art. 15 of the GDPR), including the right to obtain a copy of the personal data concerning you, provided that the rights and freedoms of others are not adversely affected;

-      Rectification (art. 16 of the GDPR);

-      Cancellation (art. 17 of the GDPR);

-      Limitazione (art. 18 del GDPR);

-       Portability, meaning the right to obtain from the controller the data in a structured, commonly used and machine-readable format in order to transmit them to another controller without hindrance, where technically feasible (art. 20 of the GDPR);

-      Objection to processing (art. 21 of the GDPR).

It should be noted that, pursuant to art. 77 of the Regulation, you may lodge a complaint with the Supervisory Authority in the event of a violation of the applicable legislation on the protection of personal data, following the procedures and instructions published on the official website of the Authority at www.garanteprivacy.it.


7. Data Controller, Data Processors and Data Protection Officer

The Data Controller of your Data is Itabus S.p.A., with registered office in Rome (RM), Via Casilina, 1, CAP 00182, in the person of the pro tempore Legal Representative. Any request relating to the personal data processed by Itabus may be sent to the Company’s registered office or by writing to the following email addresses dpo@itabus.it and privacy@itabus.it. The updated list of subjects appointed as Data Processors pursuant to Article 28 of the GDPR is available at the Company and may be obtained upon specific request made in accordance with the procedures indicated above.

The contact details of the Data Protection Officer of Itabus are dpo@itabus.it.

This privacy notice may be subject to updates. Itabus therefore invites Users who wish to be informed about the methods of processing of the Personal Data collected by Itabus to periodically visit this page.


Last revision: March 2026


Data controller: ITABUS S.p.A.


This is an English courtesy translation of the original documentation prepared in Italian language. Please consider that only the original version in italian language has legal value.