Data Subject Access Request
Exercise your data protection rights under applicable privacy law
1. Your Data Protection Rights
Under applicable data protection legislation, you have the following rights regarding your personal data held by GIORIZZ S.r.l. These rights may vary depending on your jurisdiction.
| Right | Description | Legal Basis |
|---|---|---|
| Access | Obtain a copy of all personal data we hold about you, along with information about how it is processed | GDPR Art 15, CCPA §1798.100 |
| Rectification | Correct inaccurate or incomplete personal data | GDPR Art 16, CCPA §1798.106 |
| Erasure | Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations | GDPR Art 17, CCPA §1798.105 |
| Portability | Receive your data in a structured, machine-readable format (JSON or CSV) and transfer it to another controller | GDPR Art 20, CCPA §1798.130 |
| Restriction | Restrict processing of your data while a dispute or objection is being resolved | GDPR Art 18 |
| Objection | Object to processing based on legitimate interest, including profiling and direct marketing | GDPR Art 21 |
| Withdraw Consent | Withdraw previously given consent at any time, without affecting the lawfulness of processing prior to withdrawal | GDPR Art 7(3) |
| Opt-Out of Sale/Sharing | Direct us not to sell or share your personal information (California residents) | CCPA §1798.120 |
| Limit Sensitive PI | Limit the use of sensitive personal information, including precise geolocation (California residents) | CCPA §1798.121 |
| Automated Decisions | Request human review of decisions made solely by automated processing that produce legal or significant effects | GDPR Art 22, Quebec Law 25 |
2. How to Submit a Request
To exercise any of the rights listed above, please contact our Data Protection team:
| Email | info@giorizz.com |
| Subject Line | DSAR — [Your Full Name] — [Right Requested] |
| Postal Address | GIORIZZ S.r.l., Via Alcibiade 8, Siracusa (SR), Italy |
To help us process your request efficiently, please include:
- Full name as used on your GIORIZZ account
- Email address associated with your account
- Specific right(s) you wish to exercise
- Details of the data or processing activity your request relates to
- Preferred format for data portability requests (JSON or CSV)
- Proof of identity (see Section 3 below)
3. Identity Verification
To protect your personal data from unauthorised access, we are required to verify your identity before processing any DSAR. Verification is conducted in accordance with GDPR Article 12(6) and CCPA §1798.140.
We may request one or more of the following:
- Confirmation from the email address registered on your GIORIZZ account
- A government-issued identity document (passport, national ID card, or driving licence) — we will use this solely for verification and delete it once your request is processed
- Booking reference numbers or other account-specific information to corroborate your identity
Authorised agents: If you are submitting a request on behalf of another individual (e.g., as a legal representative or authorised agent under CCPA), please provide written authorisation from the data subject, along with proof of your own identity and authority to act.
4. Processing Timeline
| Stage | Timeframe | Notes |
|---|---|---|
| Acknowledgement | Within 3 business days | Confirmation of receipt and verification requirements |
| Identity verification | 1–5 business days | Depends on documents provided |
| Response / fulfilment | Within 30 days of verified request | GDPR Art 12(3); CCPA: 45 days |
| Extension (if complex) | Up to 60 additional days | You will be informed of the reason for the delay |
There is no fee for exercising your data protection rights. However, if requests are manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable administrative fee or refuse the request, in accordance with GDPR Article 12(5).
5. What We Provide in Response
For an access request, we will provide:
- All personal data we hold about you, organised by category
- The purposes of processing for each category
- The lawful basis for each processing activity
- Categories of recipients with whom data has been shared
- Retention periods applicable to each data category
- Information about any automated decision-making, including the logic involved
- The source of data, if not collected directly from you
- Details of any international transfers and the safeguards in place
Data will be provided in a commonly used, machine-readable format (JSON or CSV for portability requests, PDF for general access requests) via a secure, time-limited download link.
6. Limitations on Erasure
The right to erasure is not absolute. We may retain certain data where required or permitted by law, including:
- Tax records: Booking and invoice data must be retained for 7–10 years under Italian fiscal law (DPR 600/73, Art 2220 Civil Code)
- Legal claims: Data relevant to pending or anticipated legal proceedings may be retained
- Fraud prevention: Account data may be retained for up to 3 years post-deletion to prevent re-registration fraud
- Regulatory compliance: Anti-money laundering (AML) and know-your-customer (KYC) records for agency partners
- Consent records: Records of consent are retained for the duration of processing plus 5 years to demonstrate compliance
Where we cannot fully erase your data, we will anonymise it so that it can no longer be linked to you, and we will inform you of the specific legal basis for each retained category.
7. Jurisdiction-Specific Information
7.1 European Economic Area (GDPR)
If you are located in the EEA, your request will be handled in accordance with EU Regulation 2016/679. You have the right to lodge a complaint with your national supervisory authority. In Italy, this is the Garante per la protezione dei dati personali (garanteprivacy.it).
7.2 United Kingdom (UK GDPR)
UK residents may exercise rights under the UK GDPR (Data Protection Act 2018). Complaints may be directed to the Information Commissioner’s Office (ICO) at ico.org.uk.
7.3 California (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. These include the right to opt out of the sale or sharing of personal information and the right to limit the use of sensitive personal information (including precise geolocation data such as pickup and drop-off addresses).
GIORIZZ does not sell personal information. We do not discriminate against consumers who exercise their privacy rights.
7.4 Brazil (LGPD)
Brazilian data subjects may exercise rights under the Lei Geral de Proteção de Dados (Law 13.709/2018). The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD).
7.5 Switzerland (nFADP)
Swiss residents may exercise rights under the Federal Act on Data Protection (nFADP/DSG, in force since 1 September 2023). The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).
7.6 Other Jurisdictions
If you are located in another jurisdiction with applicable data protection laws (including UAE, Saudi Arabia, Singapore, Japan, South Korea, Australia, India, Canada, Turkey, or Quebec), we will process your request in accordance with the relevant local legislation. Please indicate your country of residence in your request so we can apply the correct legal framework.
8. Non-Discrimination
We will not discriminate against you for exercising any of your data protection rights. This means we will not:
- Deny you services
- Charge you different prices or rates
- Provide you with a different level or quality of service
- Suggest that you may receive a different level of service
This guarantee applies under GDPR Article 21(4), CCPA §1798.125, and equivalent provisions in all applicable jurisdictions.
9. Categories of Data We Process
For a complete overview of the personal data categories we collect, the purposes for which they are processed, and the retention periods applicable to each, please refer to our Privacy Policy.
In summary, we process the following categories:
| Category | Examples | Retention |
|---|---|---|
| Account data | Name, email, phone, hashed password | 3 years post-deletion |
| Booking data | Pickup/drop-off, dates, vehicle, flight details | 7 years |
| Payment data | Card via Stripe, invoice amounts | 10 years |
| Accessibility data | Wheelchair requirements (special category) | Duration of booking |
| Location data | Pickup/drop-off addresses, IP-derived location | 7 years (with booking) |
| Communication logs | Emails and SMS | 2 years |
| Analytics | Usage data, device info (anonymised) | Indefinite (anonymised) |
10. Contact and Further Information
For questions about this page, your rights, or our data protection practices:
| Data Protection Email | info@giorizz.com |
| General Support | info@giorizz.com |
| Postal Address | GIORIZZ S.r.l., Via Alcibiade 8, Siracusa (SR), Italy |
Related documents:
- Privacy Policy — full details on data collection and processing
- Cookie Policy — cookies and tracking technologies
- Sub-processor List — third-party services processing your data
- Terms of Service — general terms and conditions