Go2RAIL's Privacy Policy
Last Update: 14th of July 2023

1. General Provisions

1.1. Controller. Go2RAIL A.P.S. (hereinafter referred to as “Go2RAIL”), whose contact details are provided in the “footer” of its website reachable at the URL: http://www.go2rail.eu / (“Site”), in its capacity as controller (“Controller”), is committed to protecting personal data in accordance with (i) Regulation (EU) 679/2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) as well as (ii) applicable Italian legislation on personal data protection (“National Data Protection Laws”).
1.2. Amendments. The Controller reserves the right to amend and update the Privacy Policy, also taking into account any further additions and/or amendments of any national and/or EU legislation regarding the protection of personal data. For this reason, the Privacy Policy is published and marked with progressive identification numbers and month of publication. Any new release of the Privacy Policy shall be published on the Website as a replacement of the previous version and shall be valid and enforceable from the publication date, unless otherwise specified.
1.3. Applicable rules. The Controller processes personal data in accordance with (i) the GDPR; (ii) the provisions of the National Data Protection Laws; (iii) guidelines issued by the Italian Data Protection Authority.
1.4. Cookies. Cookies are small text files that, in the course of navigation within the Site, are sent to the data subjects’ terminal equipment, where Cookies are stored to be then re-transmitted to the Site during data subjects’ subsequent visits to the Site. For information on personal data and on the information processed through cookies, all persons concerned are invited to read the Cookie Policy (“Cookie Policy”), reachable by the Site footer.
1.5. Cross-reference. This Privacy Policy supplements the provisions contained in the Conditions and in the Cookie Policy and in any other information/messages published on the Site.
1.6. Extended applicability to social networks. This Privacy Policy – as far as compatible and attributable to Go2RAIL – has also an extended applicability to accounts, directly or indirectly, managed by the Controller on the main social network channels (“Social Channels”, such as, for example, Telegram ™), in any way connected to the Controller, provided however that – as indicated in the Conditions – each Participant will autonomously create its own account and provide the information requested by the Social Channel concerned for the relevant access.
1.7. Definitions. In this document, the terms generally indicated with a capital letter (whether they are singular or plural), save as otherwise specified herein, shall have the meaning set out in the Conditions.

2. Data Subjects. Activities Carried Out Through yhe Site.

2.1. Data Subjects. The category of data subjects consists of: (i) Participants, as identified in the Conditions; (ii) internationalization officers of Universities accessing the webpage www.go2rail.eu/go2unis of the Site and submitting the required information and personal data (“Officers”); (iii) simple internet users, who use the Site, also when surfing, as simple reader or navigator (“Users”) (Participants, Officers and Users are hereinafter jointly defined as “Data Subjects”).
2.2. Activities carried out through the Site. Through the Site, the following activities are carried out by Go2RAIL:
a. As regards Participants: Collection of their Common Personal Data, as respectively identified hereinbelow, in order to pursue the purposes of the Project and, in particular - when possible - in order to provide promo codes applicable to train tickets and additional discounts, as specified in the Conditions;
b. As regards Officers: Collection of their Common Personal Data, in order to draft and execute the agreement to become part of the network of universities supporting the Project.;
c. As regards Data Subjects: Provision of contents of various nature on the Project and various activities of Go2RAIL, including, forwarding of newsletters and informational materials.

3. Source and Personal Data Processed

3.1. Source. The Controller processes personal data:
a. Voluntarily provided by Participants or Officers by filling in the specific forms of the Site/Platform or sent to the Controller in the context of the Project or the services offered by the Controller;
b. Voluntarily provided by Data Subjects, when signing up to the newsletter, and requiring the Controller to provide information;
c. Collected according to the Cookie Policy, by surfing the Website.
3.2. Exclusion of Special Data. In addition to personal data covered by the Cookie Policy, the Controller processes common personal data (“Common Personal Data”) which are not comprised in the definition of sensitive data and/or judicial data and in the definition of special categories of personal data of the GDPR (hereinafter jointly defined as “Special Data”).
3.3. Common Personal Data processed. Common Personal Data may consist of the following data, including:
a. As regards Participants: for those accessing the webpage www.go2rail.eu/city-go2rail of the Site: name/surname, institutional e-mail address, home institution, host institution, currently enrolled education level, disciplinary area, departure date, preferences on additional promo codes; for those accessing the web page https://www.go2rail.eu/eaie-form-no-city of the Site: name, surname, email address, organization of affiliation, title of the covered position, departure city, day and part of the day for the departure to the event’s venue and return destination  when different from the one of departure;
b. As regards Officers: name and surname of natural persons, including name and surname of representatives of legal persons, organizations and associations, by virtue of their powers to act as representatives or authorized contact persons, name and business name, tax code number, VAT number, residence for tax purposes, full references, physical and telephone numbers, facsimile and e-mail addresses, Postal Code Numbers, information needed to execute contracts, bank account details and data referred to payments;
c. As regards Data Subjects: for the newsletter subscription, name and surname and e-mail addresses for communications sent to Controller, name and surname and e-mail addresses.
3.4. Browsing data. The Controller processes hidden Common Personal Data, collected in the course of browsing by Users, according to the Cookie Policy.

4. Purposes and Legal Basis of the Processing. Consequences In Case of Failure To Provide

4.1. Purposes and legal basis. The Controller shall process Common Personal Data for the following purposes and legal basis, as specified in the lines below:
A - Purpose: process Common Personal Data of Participants – as respectively identified above – collected through the Platform/Site according to instructions specified in the Conditions and/or communicated by Go2RAIL in order to pursue the purposes of the Project (in particular, facilitating networking among Participants involved in the same route and – where applicable – providing them with promo codes applicable to train tickets and additional discounts)
A - Legal basis: The data processing is necessary for the performance of a contract or to take steps prior to entering into a contract
B - Purpose: Process Common Personal Data of Officers in order to draft the agreement to become part of the network of universities supporting the Project.
B - Legal basis: The data processing is necessary for the performance of a contract or to take steps prior to entering into a contract
C - Purpose: Provide, through the Site/Platform, services as agreed with Data Subjects;
C - Legal basis: The data processing is necessary for the performance of a contract or to take steps prior to entering into a contract
D - Purpose: send to Data Subjects newsletters and informational material in relation to the Project or the activities carried out by Go2RAIL
D - Legal basis: Consent.

4.2. Optional/mandatory nature of provision of personal data. The provision of Common Personal Data by Data Subjects is necessary to allow Go2RAIL to fulfil its contractual obligations or to respond to pre-contractual requests. Any refusal to provide the personal data concerned, in whole or in part, will not allow Go2RAIL to respond to the requests, to perform the contract and/or carry out further activities according to the Conditions or this Privacy Policy.
4.3. Giving and withdrawal of consent. In relation to the purpose set out in the Table under letter D, the consent is deemed given by Data Subjects when they have checked the appropriate box in the registration or compilation form. Data Subjects may withdraw their own consent at any time according to the instructions given in every newsletter or in the Site. Once a withdrawal of consent has been expressed, the data in question will be cancelled from the Controller’s databases and lists.

5. Persons In Charge of the Processing and Processors

5.1. Persons in charge of the processing. Personal data are processed by persons in charge of the processing, who have been appropriately instructed. 5.2. Processors/recipients of data. Personal data may be disclosed to data processors, who process data based on previous agreements with Go2RAIL. Data processors may belong to the following categories: (i) suppliers of implementation, management, assistance and maintenance services applied to the Platform/Site and the IT infrastructure; (ii) suppliers of software, applications and hardware and related technical support/maintenance services; (iii) suppliers of connectivity services, email services and related management, assistance/maintenance services; (iv) accounting and tax consultants.
In addition, personal data may be disclosed to third parties, acting as independent data controllers, such as for example: (i) legal consultants; (ii) public authorities; (iii) certification entities and bodies; (iv) subjects to whom disclosure is mandatory by law.
Go2RAIL provides specific information on data processors and recipients, at the request of the Data Subject.

6. Methods of Processing and Security Measures

6.1. Methods of processing. The Common Personal Data of Data Subjects are processed almost exclusively by automated procedures, by using computerized systems or in a limited number of cases through manual means, but in any case, by adopting methods which are strictly related to the purposes for which data have been collected and anyway to guarantee their security.
6.2. Place of processing. Processing of Data Subjects’ Common Personal Data is made in the head offices of the Controller and/or – if appointed – of the processors. Common Personal Data of Data Subjects are collected in one or more electronic databases, hosted on servers/data centers located in the European Union.
6.3. Data retention period. Common Personal Data of Participants are processed as long as any Participant decides to avail itself of the services provided or the activities carried out by Go2RAIL through the Site/Platform. The Controller will cancel, at the Participants’ request, their Common Personal Data, which are not necessary to comply with legal obligations and/or to exercise the right of defense and to manage/resolve a dispute. Common Personal Data of Officers are retained for the entire duration of the contractual relationship and are then cancelled ten years and six months after the termination of the same for defensive purposes, unless there is and objection/dispute, in which case the data will be kept for the time necessary to exercise the right of defense and to manage/resolve the dispute. Common Personal Data used for the purpose of sending newsletters/informative communications regarding the Project or the activities of Go2RAIL are retained until the withdrawal of consent by the Data Subject concerned and then are cancelled from Go2RAIL ‘s databases and lists.
6.4. Personal Data transfer abroad. Currently, the Controller has no intention to transfer personal data to third countries extra EU. In any case, the transfer – if any – will take place only after verification of compliance with the provisions contained in articles 44 and following of the GDPR and, in particular, upon previous communications concerning the extra EU country in question and the appropriate safeguards according to the GDPR provisions.

7. Data Subjects’ Rights

7.1. Rights. Data Subjects as natural persons may directly address to the Controller in order to enforce their rights according to the GDPR (articles 15 et seq.) and, in particular, to access their own personal data, request the rectification, updating, cancellation or limitation of said data, as well as to request the portability of said data; Go2RAIL may be contacted using the contact details as set out above or, with specific regard to the newsletter, by clicking the “unsubscribe” button.
7.2. Complaint. Any Data Subject who believes that the processing of data concerning him or her is in violation of the GDPR, in accordance with the provision of article 77 of the GDPR, may lodge a complaint with a supervisory authority where the data subject usually lives or works or with a supervisory authority where the alleged infringement has occurred.