ATAC S.p.A. (hereinafter "Controller"), acting as data controller, informs you that the personal data (hereinafter, "data") provided by you, will be processed by Atac S.p.A. in the manner and for the purposes specified below, pursuant to articles 13 and 14 of the (EU) Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter “GDPR”).
1. Legal basis and purpose of data processing
The processing is aimed at fulfilling:
We’d like to specify that for the following services:
ATAC S.p.A. fulfils the Service Contract with Roma Capitale, that regulates the assignment of services complementary to local public transport such as the management of park & ride areas and metered street parking under the responsibility of Roma Capitale as well as article 17, par. 1), letter a) of the Service Contract that regulates the assignment of local public transport services and for which the latter assumes the role of data processor. For the data processing by ATAC S.p.A. in execution of the aforementioned service contracts, please consult the relevant information on the company’s website (Privacy notice/Parking/ Surveillance of protected lanes, stop and terminus areas).
In addition, only with your specific and free consent (article 7 of the GDPR), your data will be processed for the following marketing purposes:
The Controller of personal data (name, surname, identity document and copy of the same, phone number, email address, etc.) and/or special categories of personal data (former sensitive data) shall process the data exclusively for the purposes for which they are collected.
2. Data provision and refusal
The provision of personal, common and sensitive data is necessary to carry out the activities referred to in paragraph 1. and the failure to provide personal data makes it impossible to fulfil them.
3. Data communication
Only data processors may get to know personal data and communicate them to internal and/or external partners and to all legal entities - public and private - to whom communication is necessary for the correct fulfilment of the customer’s request and for the execution of specific legal obligations.
Personal data cannot be disclosed, but to implement the correct execution of contractual obligations and, if it is instrumental to the pursuit of the aforementioned purposes, these data may be disclosed to third parties (professional, consultancy and auditing firms , law enforcement agencies, public bodies, only if provided by law, and to organizations that perform outsourcing activities for ATAC S.p.A.).
To execute these obligations, specific contractual clauses are foreseen (nomination as external data processor), with the obligation to adopt suitable security measures in terms of personal data protection, in accordance with the provisions of the Privacy legislation.
4. Transfer of personal data to third countries
Personal data are stored on servers located within the European Union at our data centres in Via Sondrio n. 18 and/or Via Prenestina n. 45 - 00176 Rome; the data will not be transferred outside the European Union.
Data sent by email or certified email are entirely managed by third party operators, the location of their data centres and infrastructures is at the discretion of the operators and sited in different parts of the world.
5. Processing methods
The processing of your personal data is based on the principles of fairness, legality and transparency. Your personal data are subjected to both paper and electronic processing.
The processing is carried out by the Controller and by persons specifically authorized by the Controller for the time necessary to fulfil the above mentioned purposes.
The processing will be strictly related to the indicated purposes and use methods that guarantee security and confidentiality of the data and, in any case, is in compliance with the security measures prescribed by law.
Personal data provided by interested parties who submit requests for information, reports or complaints, will be used by ATAC S.p.A. to answer to the received requests.
Upon prior consent, it might be possible to send useful information/communications to citizens about the use of public transport and urban mobility in general to the addresses communicated by the user.
The management of the IT platform as well as the related security measures are entrusted to the pro tempore manager of the ICT systems of ATAC S.p.A.
6. Provision of data through self-certification
Self-certification of data includes verification and authenticity control of the declared data reported on the self-certification forms for discounted travel passes.
The data declared by the user might be subject to administrative and institutional controls on behalf of the responsible bodies, in order to ascertain the veracity of the statements.
7. Optional nature of data provision
The optional, explicit and voluntary transmission of communications by mail, fax, telephone or email, involves the acquisition of the sender´s address and of any other included personal data. They will be processed in compliance with the law and in accordance to the purposes for which they were transmitted. Users/customers will be free to provide further personal information requested by ATAC S.p.A. for possible subsequent communications and inquiries regarding the services offered and provided by ATAC S.p.A. Notices sent to users by ATAC S.p.A. contain a “disclaimer” at the bottom of the page that allows the automatic removal of the email address from the mailing list of the company. For such notices, the provision of data is optional and is done through a specific processing authorization at the moment of the request; missing data will not prevent the supply of the requested service.
If necessary, synthetic information sheets about particular activities and services will be displayed on the website or at the various premises of ATAC S.p.A, with the request of a specific consent to the processing of personal data.
In case of personnel recruitment, ATAC S.p.A. will consider documentation and/or curricula sent in response to a notice of recruitment. It also informs that, in order to be accepted, curricula must include the consent to the processing of personal data in compliance with current legislation. They may be sent to the company´s headquarters in Via Prenestina n. 45 - 00176 Rome.
Please note that the selection of external personnel is governed by a specific company procedure, published on the company's website, in the section "Società trasparente” (Transparency) / “selezione del personale esterno” (selection of external personnel) and that also the section "lavora con noi" (work with us) is active.
The processing of data belonging to persons interested in the selection procedures is illustrated in specific notices published on the website.
8. Metrebus Card - data anonymization
Once the absence of anomalies in the use of the electronic card has been ascertained, the validation data referred to individual subscribers are made anonymous within 72 hours from transmission to the database, in the company’s data centre and after maximum 10 validation operations, in the smart cards of the subscribers.
The anonymization activity is carried out to allow the subsequent processing of the data for statistical analysis and data processing related to mobility information services.
9. Supplier management
The platform is owned by third parties, therefore the information (art.13 of the GDPR) and the collection of consent (art. 7 of the GDPR) are entirely managed by the third party operator.
Personal data of users who have given consent to the processing that are stored in the third party’s portal are used by ATAC exclusively for e-procurement activities.
10. Video surveillance and geolocation systems
Atac S.p.A. has surveyed, identified and analyzed all systems installed in its business areas capable of collecting data, including audio-visual and geolocation systems, has ascertained their purpose and the reasons for their use; specific risks and the use of data deriving from them are assessed, correlated, declared and processed in compliance with current legislation, implementing minimum security measures to guarantee the data subject (regulations/procedures/work instructions/ technological protection measures).
The use of the systems registered by Atac and the followed purposes are summarized below:
11. Rights of the data subject
At any time, pursuant to articles 15-22 of EU Regulation no. 2016/679, you have the right to:
a) ask for confirmation of the existence or not of your personal data;
b) obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, when possible, their retention period;
c) obtain the correction and deletion of data;
d) obtain the limitation of the processing;
e) obtain data portability, i.e. receive them from a data Controller, in a structured and commonly used format and readable by an automatic device, and transmit them to another data Controller without hindrance;
f) oppose the processing at any time, also in the case of processing for direct marketing purposes;
g) oppose an automated decision-making process relating to natural persons, profiling included;
h) ask the data Controller access to your personal data and correct or cancel them, limit their processing or oppose their processing, in addition to the right to data portability;
i) withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
j) submit a complaint to the supervisory authority.
You can exercise your rights, in whole or in part, for reasons legitimate to the processing of your personal data, even if pertinent to the purpose of the collection. In particular, the data subject has the right to object to the processing of personal data concerning him for the purpose of sending commercial advertising material or commercial communications.
You will have to send a written request via email to the contacts of the Data Controller or of the Data Protection Officer, that you find in paragraphs 16 and 17 of this notice, by filling in the appropriate form at the bottom of the page.
The website and its institutional content are intended also for use by minors under 18 years of age.
13. Apps for the purchase of paperless tickets
The Application software is owned by third parties, therefore the information (art.13 of the GDPR) and the collection of consent (art. 7 of the GDPR) are managed entirely by third party operators and can be viewed within the company website in the section tickets and passes, B+.
14. Apps for the purchase of paperless parking tickets
The Application software is owned by third parties, therefore the information (art. 13 of the GDPR) and the collection of consent (art. 7 of the GDPR) are managed entirely by third party operators and can be viewed within the company website in the section Atac parking, “How to pay for parking in the city”.
Personal data transmitted (electronically) to ATAC, as external data processor, by third parties and regulated pursuant to art. 28 of the GDPR are the following:
personal data and tax code of users who purchase a monthly subscription (that necessarily has to be personalized) are collected from the information that the customer has communicated to the supplier registering on the App managed by the third party operator and transmitted to Atac S.p.A. electronically by the same operator.
15. Atac Vantaggi portal
The platform is owned by third parties, therefore the information (art. 13 of the GDPR) and the collection of consent (art. 7 of the GDPR) are managed entirely by the third party operator.
Personal data transmitted (electronically) by the third party to ATAC for the sole purpose of sending newsletters are the following:
name, surname, email address, only for users registered on the site who have given their consent to receive newsletters.
16. Identity and contact details of the data Controller
The Controller of the processing of your personal data is ATAC S.p.A. in the person of its pro tempore legal representative, with registered office in Rome Via Prenestina n. 45 - 00176. To exercise the rights provided for by the law and better specified above, you can contact the Controller at the following certified email address: firstname.lastname@example.org
17. Contact details of the Data Protection Officer
Hereinafter the contact details of the Data Protection Officer (DPO): Via Prenestina n. 45 - 00176 Rome, email: email@example.com
18. Data retention and Updates
Data will be kept for a period strictly necessary to pursue the purposes referred to in paragraph 1, and in any case for a period not exceeding 10 years.
This Privacy notice might change over time - for example due to the introduction of new regulations for the sector, the updating or provision of new services as well as technological innovations - therefore we invite users/visitors to check this page periodically.