FlyNAP Privacy Policy:
Application Privacy Notice
This privacy notice aims to describe the management of personal data of users of the FlyNAP
application ("App" or "FlyNAP").
FlyNAP provides information regarding the activities performed by GESAC S.p.A. on behalf of Naples Airport and Salerno Airport, as well as certain additional airport services intended for users.
Using the App does not require creating an account. However, if the user decides to register on the App, GE.S.A.C. S.p.A. will acquire the personal data of registered users and will have access to certain statistical and technical information about the use of the App, after the User has reviewed this notice as well as the terms and conditions of service.
Pursuant to EU Regulation 679/2016, "processing" is defined as any operation, including mere collection and/or storage, of personal data belonging to any natural person (hereinafter, the "Data Subject" or the "User"), "controller" is defined as the natural or legal person who determines the purposes and means of the processing, and personal data is defined as any information relating to a natural person, identified or identifiable even indirectly by reference to any other information.
This privacy notice is provided before the Data Subject has transmitted any personal data to the Controller.
1. Data Controller The Data Controller is GE.S.A.C. S.p.A., GESAC Headquarters - Capodichino Airport, 80144 – Naples, VAT and Tax Code 03166090633, email privacy@gesac.it (hereinafter, "GESAC" or the "Data Controller").
The Data Controller has appointed a Data Protection Officer, who can be freely contacted by sending a registered letter to the company's legal office or by emailing
privacy@gesac.it.
2. Categories of Processed Personal Data It is possible to download and access the App without registering a personal profile, in order to use services that, by nature, do not require authentication. In such cases, the use of the App will not involve any processing of personal data, except for browsing data (see pt. a) and, if the User consents to its processing, geolocation data (see pt. c).
The App involves (or may involve) the processing of the following categories of personal data (hereinafter referred to as "Personal Data"), depending on the features used:
a) Browsing Data: Information collected automatically, such as IP addresses, browser type, operating system, website domain and addresses, and others during normal usage.
b) Data for Registration in the Loyalty Program "FlyYou": Personal and contact information needed to complete the registration form.
c) Geolocation Data and Push Notifications: Location data collected with consent and utilized to send area-specific alerts and notifications.
d) Data for Purchasing Products or Services: Refer to the specific sections of the App for complete privacy details.
3. Purposes of Processing Personal Data will be used for:
a) Utilizing and monitoring the App.
b) Creating an account on the App.
c) Purchasing products/services via the App.
d) Sending promotional communications via email or notifications.
4. Nature and Legal Basis of Data Processing Providing Personal Data is mandatory for certain purposes but optional for promotional profiling. The processing is either necessary for contractual obligations or based on the User's consent.
5. Categories of Recipients Personal Data may be shared with GESAC personnel assigned specific roles, third-party companies designated as "Data Processors" as per GDPR Article 28, or competent authorities for security purposes.
6. Processing Methods GESAC employs secure, manual, and automated systems for handling Personal Data. Measures include antivirus, firewalls, and restricted access physical locations.
7. Retention Period of Personal Data The processing of Personal Data for the purposes outlined in points 3.a), 3.b), and 3.c) will last for the time necessary to fulfill GESAC's obligations arising from the provision of the service, to which an additional period might be added as required by current civil, fiscal, and tax legislation.
User geolocation will occur until: i) The User is at the airport; or, if earlier, ii) The User decides to withdraw their consent, as they can suspend tracking at any time.
The Personal Data collected for marketing purposes (purpose 3.d)) and profiling purposes (purpose 3.e)) will be stored until the User revokes their consent or the purposes for which the data was collected cease, unless an extension is required for legal defense or compliance. Purchase details will be retained for no more than 24 months and 12 months, respectively, from their recording. Upon expiration, collected data will either be deleted or anonymized if technical means do not allow deletion, ensuring that the individual cannot be identified.
8. Rights of the Data Subject The Data Controller will facilitate the exercise of the rights guaranteed to the Data Subject under current regulations. These include the right to request access to, rectification, or deletion of Personal Data, the right to restrict or oppose its processing, and the right to data portability.
The Data Subject also has the right to file a complaint with a supervisory authority (Data Protection Authority).
If the Data Subject informs the Data Controller of their intent to exercise one or more rights under applicable laws, the Data Controller will provide the requested information without undue delay and within one month.
Specifically, the Data Subject has the following rights: i) Right to access their data. ii) Right to rectify data. iii) Right to data erasure. iv) Right to restrict processing. v) Right to receive notification in case of rectification, deletion, or restriction. vi) Right to data portability. vii) Right to object to processing. viii) Right not to be subjected to decisions based solely on automated
processing.
To exercise any of these rights, the Data Subject can contact the Data Controller through the above-mentioned contacts.
9. Policy Updates This Privacy Notice is subject to occasional revisions. If any changes to data processing occur, the Data Controller will notify the Data Subject. Where required by applicable laws, the Data Subject may consent to new processing activities. In case of refusal, the Data Subject’s data will not be processed under the modified policy.
10. Data Transfers Abroad The Personal Data of the Data Subject may be transferred to countries outside the EU, provided that these countries have regulations ensuring a level of protection substantially equivalent to that of the EU. Such transfers will be conducted in compliance with the guarantees prescribed by EU Regulation 679/2016. Specifically, this is based on adequate guarantees according to Articles 45 and 46 of EU Regulation 679/2016 and on the standard contractual clauses attached to the European Commission Decision 2021/914/EU of June 4, 2021.
