Information Notice for the Processing of Personal Data
(Under Articles 12 and 13 of EU Regulation 2016/679 of the European Parliament and Council)
L’ASTROLABIO S.r.l., with its registered office at Via Appiani, 5 – 20121 Milan (MI), in its capacity as Data Controller, informs you that EU Regulation 2016/679 of the European Parliament and the Council (“General Data Protection Regulation” or GDPR) establishes rules concerning the protection of individuals with regard to the processing of personal data, as well as rules relating to the free movement of such data.
The regulation safeguards the fundamental rights and freedoms of individuals, particularly the right to the protection of personal data. The Data Controller (the natural or legal person determining the purposes and means of personal data processing) takes appropriate measures to provide data subjects with all relevant information regarding the processing of their data.
According to the regulations, the processing of your data will be carried out lawfully, fairly, and transparently, ensuring your privacy and rights. Under Articles 12 and 13 of the GDPR, if personal data is collected from the data subject, the Data Controller provides the following information at the time of data collection:
1. Processing of Personal Data
The Data Controller processes personal data identifying an individual (data subject), such as name, surname, identification number, company name, address, telephone number, email, banking details, and payment details. These details are provided when entering into contracts for services with the Data Controller. Personal health data may also be collected (at the time of booking) to safeguard the data subject’s vital interests during travel/stay and for the legitimate interest of the Data Controller.
2. Purposes of Processing
The provided data will be processed without explicit consent for the following purposes:
- (2A) Execution of a contract
- (3A) Execution of pre-contractual measures
- (4A) Compliance with legal obligations to which the Data Controller is subject
- (5A) Protection of the vital interests of the data subject or another natural person
- (7A) Pursuit of the legitimate interest of the Data Controller or third parties
The provided data will be processed with specific explicit consent for the following purposes (where applicable):
- (1B) Sending newsletters
- (2B) Publishing photographs and videos in the company catalogue and on the company website
- (3B) Sending the company catalogue
- (4B) Transfer of personal data and photographs to a third country or an international organisation without an adequacy decision by the Commission
- (5B) Communicating health-related data (such as general health status, health issues, dietary restrictions, mobility limitations, and specific assistance requests)
The processing of data is lawful because:
- (1C) The data subject has given explicit consent (for cases 1B, 2B, 3B, 4B)
- (2C) The processing is necessary for the execution of a contract or pre-contractual measures requested by the data subject
- (3C) The processing is necessary for compliance with a legal obligation
- (4C) The processing is necessary to protect the vital interests of the data subject or another person
- (6C) The processing is necessary for the legitimate interests of the Data Controller or third parties, provided these do not override the rights and freedoms of the data subject
The Data Controller, in compliance with Article 13(3), undertakes not to use personal data for purposes other than those for which they were collected without providing further information or obtaining additional consent.
3. Method of Processing
The processing of personal data includes the following operations, as per Article 4(2): collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication via transmission, dissemination, comparison or interconnection, restriction, erasure, or destruction.
Processing is carried out using tools and procedures suitable for ensuring security and confidentiality. Data processing will be performed using:
- Manual paper-based systems
- Manual computer-based systems (without automated decision-making processes)
4. Security
The Data Controller has adopted a variety of security measures to protect data against loss, misuse, or alteration. The processing is carried out using appropriate security measures to minimise unauthorised access, destruction, or deterioration of data, ensuring confidentiality under Article 32 of the GDPR.
5. Data Sharing
Without requiring explicit consent (under Article 6(b) and (c)), the Data Controller may share personal data for the above purposes with:
- Supervisory bodies
- Judicial authorities
- Insurance companies
- Other entities to whom disclosure is required by law
These entities will process the data as independent data controllers.
Data may also be shared with:
- External data processors involved in business operations to comply with legal and contractual obligations
- Public and private entities for welfare, assistance, and insurance purposes
- Supervisory bodies and regulatory authorities
6. Data Transfer to Third Countries or International Organisations
Personal data may be transferred to a third country or international organisation without an adequacy decision by the Commission.
- Third countries/international organisations involved: Russia and Africa
Personal data may also be transferred to a country with an adequacy decision by the Commission.
- Third countries/international organisations involved: United States and Australia
7. Nature of Data Provision and Consequences of Refusal
The Data Controller must inform the data subject whether the provision of personal data is a legal or contractual obligation or a requirement necessary for concluding a contract.
Data provision is:
- Mandatory for purposes in section 4A
- Optional for purposes in section 4B
If providing data is mandatory, refusal may result in:
- The inability to execute the contract
- Partial contract execution
- Termination of the relationship
- Inability to provide services
If providing data is optional, refusal may still lead to the same consequences.
Where the provision of data for the stated purposes is not mandatory, any refusal to provide such data:
- could result in the contract not being executed,
- could result in partial execution of the contract,
- could result in the relationship not continuing,
- could result in services not being provided.
8. Data Retention
Personal data will be processed for as long as necessary to fulfil the purposes mentioned above and will be retained for no more than 10 years after contract termination.
9. Rights of the Data Subject
The data subject has the right to:
- Access data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase data (Right to be Forgotten, Art. 17)
- Restrict data processing (Art. 18)
- Object to data processing (Art. 21)
- Request data portability (Art. 20)
- Withdraw consent (Art. 7)
- Lodge a complaint with a supervisory authority (Art. 77)
Further details on these rights are available in the attached document.
10. Exercising Your Rights
The data subject can exercise their rights by sending:
- A registered letter with acknowledgment of receipt to:
L’ASTROLABIO S.r.l., Via Appiani, 5 – 20121 Milan (MI), P.IVA 10213670150, Tel: +39 02 72003311, info@astrolabiostudytravel.com
- An email to: lastrolabio.pec@legalmail.it
11. Minors
Processing is only lawful if data provision and consent are given or authorised by the holder of parental responsibility.
This document ensures compliance with Articles 13-21 of the GDPR regarding data subjects’ rights.
THE RIGHTS OF THE DATA SUBJECT (Art. 13-21)
Right of Access to Personal Data (art. 15)
- The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed and, if so, to access the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular if they are recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the data controller rectification or erasure of personal data, or restriction of processing concerning the data subject, or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data is not collected from the data subject, any available information as to its source;
h) the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
- Where personal data is transferred to a third country or an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
- The data controller shall provide a copy of the personal data undergoing processing. If the data subject requests further copies, the controller may charge a reasonable fee based on administrative costs. If the request is made electronically, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.
- The right to obtain a copy as referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Rights to Rectify Personal Data (Art. 16)
The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
Right to Erasure of Personal Data (“Right to be Forgotten”) (Art. 17)
The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the controller has the obligation to erase such data without undue delay where one of the following grounds applies:
a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data has been unlawfully processed;
e) the personal data must be erased to comply with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data has been collected in relation to the offer of information society services as referred to in Article 8(1).
Right to Restriction of Processing Personal Data (Art. 18)
- The data subject has the right to obtain from the data controller restriction of processing where one of the following applies:
a) the data subject contests the accuracy of the personal data, for a period enabling the controller to verify its accuracy;
b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
c) the controller no longer needs the personal data for processing purposes, but it is required by the data subject for the establishment, exercise, or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1), pending verification of whether the controller’s legitimate grounds override those of the data subject.
- Where processing has been restricted under paragraph 1, such personal data shall, except for storage, only be processed with the data subject’s consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest in the Union or a Member State.
- A data subject who has obtained restriction of processing under paragraph 1 shall be informed by the controller before the restriction is lifted.
Right to Object to Processing of Personal Data (Art. 21)
- The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them under Article 6(1)(e) or (f), including profiling based on those provisions.
The controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
- Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing for such purposes, including profiling to the extent that it is related to such direct marketing.
- If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- The right referred to in paragraphs 1 and 2 shall be explicitly brought to the data subject’s attention and presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
- In the context of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.
- Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject has the right to object to processing concerning them, unless the processing is necessary for the performance of a task carried out in the public interest.
Right to Data Portability (Art. 20)
- The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the data was provided where:
a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and
b) the processing is carried out by automated means.
- In exercising their right to data portability under paragraph 1, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- Exercising the right referred to in paragraph 1 shall not affect Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.