Privacy notice for the processing of personal data pursuant to articles 13 and 14 of the General Data Protection Regulation 2016/679 - GDPR

ATAC S.p.A. (hereinafter "Controller"), acting as data controller, informs you that the personal data (hereinafter, "data") provided by you, will be processed by Atac S.p.A. in the manner and for the purposes specified below, pursuant to articles 13 and 14 of the (EU) Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter “GDPR”).

1. Legal basis and purpose of data processing

The processing is aimed at fulfilling:

  • mobility information services;
  • telephone support services;
  • issue of Metrebus card travel passes;
  • mobile payment services for ATAC parking areas and local public transport;
  • management of ATAC S.p.A. parking lots with differentiated charges 
  • management of administrative sanctions;
  • management of reports pertaining to the offered services;
  • compliance with tax and/or financial obligations;
  • supplier management;
  • protection of company assets;
  • safety of workers and customers;
  • provisions made by Public Authorities in the interest of public safety.

We’d like to specify that for the following services:

  • management of metered on-street parking (blue stripes) and park & ride areas
  • mobile payment services for on-street parking and park & ride areas

ATAC S.p.A. fulfils the public service contract (hereinafter “service contract”) approved with Resolution n. 70/2020 of the City Council - regulating the assignment of services that are complementary to local public transport relating to the management of park & ride areas and metered on-street parking under the responsibility of Roma Capitale - signed on 30.04.2020 with Roma Capitale and in which the latter assumes the role of data processor. For the data processing by ATAC S.p.A. in execution of the aforementioned service contract, please consult the relevant information on the site in the section Privacy/Parking.

In addition, only with your specific and free consent (article 7 of the GDPR), your data will be processed for the following marketing purposes:

  • to send commercial communications, advertising and informative material (e.g. a newsletter) via email, mail and/or sms and/or phone contacts, on products or services offered by the Controller or to detect the customer satisfaction related to service quality;
  • to send commercial and/or promotional communications of third parties (e.g. institutional sponsors, business partners etc.) via email, mail and/or sms and/or phone contacts.

The Controller of personal data (name, surname, identity document and copy of the same, phone number, email address, etc.) and/or special categories of personal data (former sensitive data) shall process the data exclusively for the purposes for which they are collected.

2. Data provision and refusal

The provision of personal, common and sensitive data is necessary to carry out the activities referred to in paragraph 1. and the failure to provide personal data makes it impossible to fulfil them.

3. Data communication

Only data processors may get to know personal data and communicate them to internal and/or external partners and to all legal entities - public and private - to whom communication is necessary for the correct fulfilment of the customer’s request and for the execution of specific legal obligations.

Personal data cannot be disclosed, but to implement the correct execution of contractual obligations and, if it is instrumental to the pursuit of the aforementioned purposes, these data may be disclosed to third parties (professional, consultancy and auditing firms , law enforcement agencies, public bodies, only if provided by law, and to organizations that perform outsourcing activities for ATAC S.p.A.).

To execute these obligations, specific contractual clauses are foreseen (nomination as external data processor), with the obligation to adopt suitable security measures in terms of personal data protection, in accordance with the provisions of the Privacy legislation.

4. Transfer of personal data to third countries

Personal data are stored on servers located within the European Union at our data centres in Via Sondrio n. 18 and/or Via Prenestina n. 45 - 00176 Rome; the data will not be transferred outside the European Union.

Data sent by email or certified email are entirely managed by third party operators, the location of their data centres and infrastructures is at the discretion of the operators and sited in different parts of the world.

5. Processing methods

The processing of your personal data is based on the principles of fairness, legality and transparency. Your personal data are subjected to both paper and electronic processing. 

The processing is carried out by the Controller and by persons specifically authorized by the Controller for the time necessary to fulfil the above mentioned purposes.

The processing will be strictly related to the indicated purposes and use methods that guarantee security and confidentiality of the data and, in any case, is in compliance with the security measures prescribed by law. 

Personal data provided by interested parties who submit requests for information, reports or complaints, will be used by ATAC S.p.A. to answer to the received requests.

Upon prior consent, it might be possible to send useful information/communications to citizens about the use of public transport and urban mobility in general to the addresses communicated by the user.

The management of the IT platform as well as the related security measures are entrusted to the pro tempore manager of the ICT systems of ATAC S.p.A.

6. Provision of data through self-certification

Self-certification of data includes verification and authenticity control of the declared data reported on the self-certification forms for discounted travel passes.

The data declared by the user might be subject to administrative and institutional controls on behalf of the responsible bodies, in order to ascertain the veracity of the statements.

7. Optional nature of data provision

The optional, explicit and voluntary transmission of communications by mail, fax, telephone or email, involves the acquisition of the sender´s address and of any other included personal data. They will be processed in compliance with the law and in accordance to the purposes for which they were transmitted. Users/customers will be free to provide further personal information requested by ATAC S.p.A. for possible subsequent communications and inquiries regarding the services offered and provided by ATAC S.p.A. Notices sent to users by ATAC S.p.A. contain a “disclaimer” at the bottom of the page that allows the automatic removal of the email address from the mailing list of the company. For such notices, the provision of data is optional and is done through a specific processing authorization at the moment of the request; missing data will not prevent the supply of the requested service.

If necessary, synthetic information sheets about particular activities and services will be displayed on the website or at the various premises of ATAC S.p.A, with the request of a specific consent to the processing of personal data.

In case of personnel recruitment, ATAC S.p.A. will consider documentation and/or curricula sent in response to a notice of recruitment. It also informs that, in order to be accepted, curricula must include the consent to the processing of personal data in compliance with current legislation. They may be sent to the company´s headquarters in Via Prenestina n. 45 - 00176 Rome.

Please note that the selection of external personnel is governed by a specific company procedure, published on the company's website, in the section "Società trasparente” (Transparency) / “selezione del personale esterno” (selection of external personnel) and that also the section "lavora con noi" (work with us) is active.

The processing of data belonging to persons interested in the selection procedures is illustrated in specific notices published on the website.

8. Metrebus Card - data anonymization

Once the absence of anomalies in the use of the electronic card has been ascertained, the validation data referred to individual subscribers are made anonymous - within 72 hours from transmission to the database, in the company’s data centre and after maximum 10 validation operations, in the smart cards of the subscribers.

The anonymization activity is carried out to allow the subsequent processing of the data for statistical analysis and data processing related to mobility information services.

9. Supplier management

The platform is owned by third parties, therefore the information (art.13 of the GDPR) and the collection of consent (art. 7 of the GDPR) are entirely managed by the third party operator.

Personal data of users who have given consent to the processing that are stored in the third party’s portal are used by ATAC exclusively for e-procurement activities.

10. Video surveillance and geolocation systems

Atac S.p.A. has surveyed, identified and analyzed all systems installed in its business areas capable of collecting data, including audio-visual and geolocation systems, has ascertained their purpose and the reasons for their use; specific risks and the use of data deriving from them are assessed, correlated, declared and processed in compliance with current legislation, implementing minimum security measures to guarantee the data subject (regulations/procedures/work instructions/ technological protection measures).

The use of the systems registered by Atac and the followed purposes are summarized below:

  • check of the regularity and quality of the transport service, support to the management of maintenance, planning and assessment activities of the service;
  • safety of public transport, users and operational staff;
  • protection of corporate assets;
  • anonymous statistical analysis of the driving mode;
  • legal protection in controversies for personnel and company;
  • urban security;
  • public safety in the case of a specific formal request from the Judicial Authority for the prevention, detection or repression of crimes.

Recordings are processed by specifically appointed personnel and kept in compliance with the law (provision of the Guarantor Authority in the field of video surveillance of 8th April 2010 - extension of 24 hours to a maximum of 7 days for the conservation of images in case of particular riskiness of the activity carried out by the Controller). To read the full text of the Privacy Policy in the field of video surveillance click here.

11. Rights of the data subject

At any time, pursuant to articles 15-22 of EU Regulation no. 2016/679, you have the right to:

a) ask for confirmation of the existence or not of your personal data;

b) obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, when possible, their retention period;

c) obtain the correction and deletion of data;

d) obtain the limitation of the processing;

e) obtain data portability, i.e. receive them from a data Controller, in a structured and commonly used format and readable by an automatic device, and transmit them to another data Controller without hindrance;

f) oppose the processing at any time, also in the case of processing  for direct marketing purposes;

g) oppose an automated decision-making process relating to natural persons, profiling included;

h) ask the data Controller access to your personal data and correct or cancel them, limit their processing or oppose their processing, in addition to the right to data portability;

i) withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;

j) submit a complaint to the supervisory authority.

You can exercise your rights, in whole or in part, for reasons legitimate to the processing of your personal data, even if pertinent to the purpose of the collection. In particular, the data subject has the right to object to the processing of personal data concerning him for the purpose of sending commercial advertising material or commercial communications.

You will have to send a written request via email to the contacts of the Data Controller or of the Data Protection Officer, that you find in paragraphs 18 and 19 of this notice, by filling in the appropriate form that can be downloaded by clicking here.

12. Minors

The website and its institutional content are intended also for use by minors under 18 years of age.

13. Apps for the purchase of paperless tickets

The Application software is owned by third parties, therefore the information (art.13 of the GDPR) and the collection of consent (art. 7 of the GDPR) are managed entirely by third party operators and can be viewed within the company website in the section tickets and passes, B+.

14. Apps for the purchase of paperless parking  tickets

The Application software is owned by third parties, therefore the information (art. 13 of the GDPR) and the collection of consent (art. 7 of the GDPR) are managed entirely by third party operators and can be viewed within the company website in the section Atac parking.

Personal data transmitted (electronically) to ATAC, as external data processor, by third parties and regulated pursuant to art. 28 of the GDPR are the following:

personal data and tax code of users who purchase a monthly subscription (that necessarily has to be personalized) are collected from the information that the customer has communicated to the supplier registering on the App managed by the third party operator and transmitted to Atac S.p.A. electronically by the same operator.

15. Atac Vantaggi portal

The platform is owned by third parties, therefore the information (art. 13 of the GDPR) and the collection of consent (art. 7 of the GDPR) are managed entirely by the third party operator.

Personal data transmitted (electronically) by the third party to ATAC for the sole purpose of sending newsletters are the following:

name, surname, email address, only for users registered on the site who have given their consent to receive newsletters.

16. Identity and contact details of the data Controller

The Controller of the processing of your personal data is ATAC S.p.A. in the person of its pro tempore legal representative, with registered office in Rome Via Prenestina n. 45 - 00176. To exercise the rights provided for by the law and better specified above, you can contact the Controller at the following certified email address: protocollo@cert2.atac.roma.it

17. Contact details of the Data Protection Officer

Hereinafter the contact details of the Data Protection Officer (DPO): Via Prenestina n. 45 - 00176 Rome, email: responsabileprotezionedati@atac.roma.it

18. Updates

Data will be kept for a period strictly necessary to pursue the purposes referred to in paragraph 1.

This Privacy notice might change over time - for example due to the introduction of new regulations for the sector, the updating or provision of new services as well as technological innovations - therefore we invite users/visitors to check this page periodically.