Dear User,

Ges.A.P. S.p.A., with registered office at Palermo Airport – 90045 – Cinisi (PA), informs you that the processing of data supplied by you will be based on principles of correctness, lawfulness, transparency and protection of your privacy and your rights. This information is provided in your capacity as Controller of the personal data of users who surf the web and who are registered on the Site, as well as, having regard to video surveillance systems of those who transit in the Airport, in accordance with current legislation (Article 13 of EU Regulation 2016/679 of 27 April 2016), unified in the contents relating to data processing and management, of which the Company is the owner.

The data supply is optional, however the refusal to provide them will determine the impossibility for the Controller to process them and, consequently, the impossibility to improve the services and / or performances of your interest . Please do not to enter sensitive data (such as, for example, non-exhaustive: belonging to protected categories,) unless they are considered strictly necessary for the provision of the services requested. If you enter such data, we invite you to express your consent to the processing.

PURPOSE OF THE PROCESSING OF PERSONAL DATA

1. VIP Room – Personal data are processed in order to respond to requests for information on Vip services and related services, including the purchase of the same.

2. Contacts – The personal data given are used to respond to requests submitted in the contact form. If you provide your explicit authorization, the data may be optionally processed for sending commercial or advertising communications from Ges.A.P. S.p.A. ..

3. Online e-commerce services – Personal data are processed in order to purchase online services made available by GESAP on its corporate website and provide information on availability and / or reservations. They will also be processed to implement the pre-contractual and contractual obligations assumed towards customers and deriving from purchase transactions, including administrative and accounting management and payments, for the protection of the contractual rights of Ges.A.P. S.p.A. as well as to ensure compliance with explicit obligations of national and international law.

4. Curricula – Data voluntarily provided will be processed by Ges.A.P. S.p.A. exclusively for the research and selection of personnel, for current and future open positions, with the support of paper, computerized or telematic means, however suitable to guarantee the security and confidentiality of the relative treatment.

5. Site browsing – In relation to the possibility of gathering the necessary User data at a technical level, such as for example the IP address while browsing the site, the information collected is as follows:

1. type of browser and device parameters used to connect to the Site;
2. addresses in Uniform Resource Identifier (URI) notation of the requested resources or the method used in submitting the request to the server;
3. name of the Internet service provider (ISP);
4. visit date and time;
5. web page of origin (referral) and exit of the User;
6. possible number of clicks;
7. the size of the file obtained in response;
8. the numerical code indicating the status of the response given by the server (good order, error, etc.);
9. other parameters related to the operating system and the IT environment of your device

6. Administrative and accounting purposes – The data provided are processed to carry out activities of an organizational, administrative, financial, accounting, tax nature and, in general, all the internal activities necessary for the fulfillment of contractual and pre-contractual obligations;

7. Obligations of the law – The data supplied are processed in order to fulfill the obligations established by law, by the Authority, by a regulation or by European and international regulations, as well as to fulfill the obligations deriving from the concession of airport management of Palermo airport and the related qualification of Airport manager;

8. Registration on the “supplier register” portal – The data provided are processed for the assignment of works, supplies and services below the community threshold;

9. Airport registration and Safety, Security and ADC (Airside Driving Certificate) Courses – The data provided are processed for the completion of training courses, the issue of airport ID cards and ADC airport licenses, which constitute, based on areas and tasks , qualifications necessary to operate within airport areas;

10. Access to the document area – The data are acquired for the purposes of registration and access to the documentation area of the IT platform for the consultation of the documents contained therein (such as, for example, but not limited to the Airport Manual, Airport Rules and attached procedures, Airport emergency plans, MOGC 231, Legality Protocol, Ethical Pact etc.);

11. Reports and complaints – the data provided are processed in order to reply to reports and complaints received from passengers and from the users of the Customer Care Servic;

12. Request PPR (Parking Permission Request) – The data provided are processed in order to respond to requests for reservations of PPR according to Airport Regulations and related obligations;

13. Newsletter and promotional activities – Personal data are processed in order to provide the service for sending information relating to the activities of Ges.A.P. S.p.A. and sending newsletters. If your explicit authorization will be provided, the data may be optionally processed for sending commercial or advertising messages from Ges.A.P.

With reference to the purposes set out in points (1,2,3,6,8,9,11,12) of the previous paragraph, the legal basis of the processing is in fact the execution of the services provided through the web and requested by you ( pursuant to article 6, paragraph 1, letter b of the 2016/679 Privacy Regulation). With reference to the purposes set out in paragraphs (4.5.13) of the previous paragraph, the legal basis of the processing is your consent freely expressed (pursuant to Article 6, paragraph 1, letter a of the 2016 Privacy Regulation / 679). With reference to the 3 purposes set out in paragraphs (7.8) of the previous paragraph, the legal basis of the processing is to fulfill a legal obligation to which the data controller is subject (pursuant to Article 6, paragraph 1, letter c) of the 2016/679 Privacy Regulation).

DATA CONTROLLERS AND PROCESSING METHODS

Ges.A.P. S.p.A. as data controller, collects and processes your personal data, provided with this registration for the provision of specific services that you may require, by paper, automated and telematic and by logics strictly related to the purposes mentioned above. The data you provide will be kept for the time strictly necessary for the fulfillment of the requests forwarded, without prejudice to the user’s request for cancellation or modification of the data as required by current legislation. Your data may still be kept to comply with specific legal obligations. The data referred to in point 4) will be processed for a period of 24 months and then canceled. The data processed for the purposes of sending the newsletter and marketing referred to in point 13) will be managed according to the principle of OPT-IN (voluntary entry), then up to the request by the party concerned not to receive promotional and marketing communications.

FAILURE TO PROVIDE DATA AND NO CONSENT TO TREATMENT

The provision of your personal data is always optional. Therefore, in the absence of data in the form and any subsequent collection forms, the Service or any part thereof it can not be supplied.

RIGHTS OF THE INTERESTED PARTY

We inform you that, pursuant to articles 15-22 of the GDPR, you are permitted to exercise the rights governed by current legislation, including the right to freely access data, to obtain rectification, deletion and limitation of his data.

The above rights may be exercised to the Responsible for Data Protection – RPO socalled DPO (Data Protection Officer) of the Company by making a request, informally, to the following address: [email protected].

PEOPLE WHO CAN GAIN ACCESS TO YOUR DATA

Your personal data collected with this registration may be processed by Processors responsible for the management of the services requested and by the Data Processors.

This disclosure may be supplemented by further information following the request for specific services.

SUBJECTS TO WHICH YOUR PERSONAL DATA MAY BE COMMUNICATED IN ITALY

Your personal data may be disclosed to third parties in compliance with specific legal provisions or in compliance with orders from public authorities, for the exercise of a right in court. They are also communicated to external companies for the pursuit of the same purposes for which they were collected. Data is not subject to disclosure.

VIDEO SURVEILLANCE IN PALERMO AIRPORT

This is a disclosure – pursuant to current legislation and the provisions of the Privacy Guarantor regarding Video Surveillance – on the use of images and recordings managed through video surveillance systems operating at the “Falcone Borsellino” Airport of Palermo. The data controller is Ges.A.P. S.p.A., with registered office at Palermo Airport – 90045 – Cinisi (PA) tax code and VAT number 03244190827, hereinafter referred to as GESAP.

The CCTV systems installed by the company GESAP are used for the purposes of protection of security and public order, at the express request of the Law Enforcement Units , such as the Border Police (Polaria) and “Guardia di Finanza”. With regard to these plants, the aforementioned State Bodies are “Data Controllers”, pursuant to the Privacy Code and can access the recording of images through an Operative Room and dedicated stations, with access credentials of the operators, specific and separated by those of the Gesap staff.

Other plants are installed by GESAP for airport safety and security purposes, operational purposes and to protect corporate assets. The recorded images are stored by GESAP, according to specific operational needs and purposes, for a maximum period of 7 days (as provided for cases of particular risk by the Provision of the Privacy Guarantor of 2010), after which the registrations are automatically deleted .

The interested party can request the rights provided by the current legislation regarding access and deletion of personal data concerning him by contacting GESAP as explained in this information page. The areas subject to CCTV are indicated by appropriate information.

The contact details of the Guarantor for the protection of personal data: Piazza di Monte Citorio n. 121 – 00186 Rome www.garanteprivacy.it

DATA PROTECTION OFFICER (“DPO”)

Ges.A.P. S.p.A., owner of personal data processing, has appointed, pursuant to art. 37 of EU Regulation 2016/679 “GDPR” a R.P.D. Responsible for Data Protection (so-called “D.P.O.” Data Protection Officer).

Contact details: Company headquarters: Ges.A.P. S.p.A., Palermo “Falcone Borsellino” Airport – 90045 – Cinisi (PA) (tel .: 091/7020111)

Mail: [email protected]

The user can request from the Data Protection Officer the possibility to exercise specific rights by completing and sending the downloadable form below. The rights referred to in articles 15 and ss. of the 2016/679 EU Regulation refer to access, rectification, cancellation, limitation of processing and / or opposition to processing. In the event that the right to object is exercised, the Controller reserves the right not to proceed with the request and, therefore, to continue the processing, this when there are legitimate reasons arising from regulations cogent to the Privacy to proceed to the treatment that prevail on the interests, rights and liberties of the interested party.

GESAP is not responsible for the processing of personal data acquired by third parties operating at the airport for the performance of operational and / or commercial activities and services to users, such as for example. merchant / subconcessional commercial services (food & beverage, retail, car rental, car valet), airlines and ground handling service providers.