ATAC S.p.A. - Azienda per la Mobilità, acting as Data Controller, hereby informs users of the Roma Capitale Local Public Transport service who use the digital services provided by ATAC (the “Data Subject”) via (i) the “MyAtac” e-commerce portal, accessible from ATAC’s institutional website (the “MyAtac Portal”), and (ii) the “ATAC App” mobile application (the “App”, and together with the MyAtac Portal, the “MyAtac Channels”), that their personal data will be processed for the purposes and in the manner described below.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER (“DPO”)
The Data Controller is ATAC S.p.A. - Azienda per la Mobilità, with registered office at Via Prenestina 45 - 00176 Rome, Italy, Tax Code and VAT No. 06341981006 (hereinafter “ATAC”, the “Company” or the “Controller”). The Controller may be contacted by registered post to the above address or via certified e-mail (PEC) at: protocollo@cert2.atac.roma.it.
ATAC has appointed a Data Protection Officer (“DPO”), who may be contacted at the following e-mail address: responsabileprotezionedati@atac.roma.it.
2. SOURCE OF THE DATA
The personal data indicated below are primarily collected directly from the Data Subject through the MyAtac Channels, by completing dedicated forms, entering information necessary from time to time for the provision of services, and/or uploading documentation supporting specific requests. Technical and usage data necessary for the functioning of the MyAtac Portal and the App are also processed (e.g., IP address, session identifiers, access and system logs, device data, App/operating system version, browser/connection technical information). For further details regarding cookies and tracking tools (where applicable), please refer to the respective Cookie Policies of the ATAC website and App.
In certain cases, to process requests and enable MyAtac functionalities, ATAC may obtain or derive data:
a) from relevant ATAC systems (e.g., ticketing systems and dedicated application components) through system integrations and targeted queries activated when specific functionalities are used;
b) from third parties involved in the provision of specific services (e.g., payment providers, Tap&Go services), limited to strictly necessary data (typically transaction outcomes and technical identifiers);
c) from the Data Subject’s device, within the limits of permissions granted (e.g., geolocation, notifications), where enabled.
Where certain functionalities concern third parties (e.g., travel passes/benefits issued in the name of minors or third parties), the Data Subject may enter personal data relating to those individuals. In such cases, the Data Subject is responsible for providing them with this Privacy Notice.
- Minors
The MyAtac Portal and App are not intended for autonomous registration by minors; account creation is permitted only to users aged 18 or over. Any requests concerning minors (e.g., personalised or discounted travel passes) must be submitted by a parent or legal guardian, acting in the minor’s interest and providing only the data strictly necessary. ATAC adopts technical measures designed, as far as possible, to prevent direct registration by minors.
3. CATEGORIES OF DATA PROCESSED
Depending on the purposes described below, ATAC may process the following categories of data:
- Ordinary Personal Data
a) Identification and personal details: (e.g. first name, surname, e-mail address; and, for personalised services, tax code or equivalent data for foreign citizens such as date of birth and nationality), login credentials and authentication data (password and e-mail verification OTP);
b) Contact details: (e-mail address – required for account creation/activation – and optional telephone number);
c) Address details and additional administrative data: (home address, postcode and other information required for specific procedures);
d) Data relating to tickets/transactions and service usage: (e.g. issue/renewal/top-up requests, ticket validation data, investigation outcomes, vouchers and e-wallet, Tap&Go derived data (such as amount, outcome, time and technical token), transaction history and related metadata);
e) Documents and images uploaded in support of applications: (ID documents, passport photo, ISEE certificates, theft/loss reports, supporting documentation);
f) Location data: (geolocation), where enabled by the Data Subject, for App functionalities (e.g. nearby stops search) and/or refund management;
g) Technical data and logs: (e.g. IP address, system logs, device/App/browser information). Such information is typically inherent in the use of digital services and applications and may only be reduced by limiting the use of the App or uninstalling it.
- Special Categories of Personal Data (Article 9 GDPR)
Special category data within the meaning of Article 9 GDPR are processed exclusively in the context of discounted fare applications and limited to documentation necessary to demonstrate eligibility (e.g. information revealing health status or disability).
(Ordinary personal data and special categories of personal data are collectively referred to as the “Data”.)
4. PURPOSES OF PROCESSING AND LEGAL BASIS
Depending on the service requested, ATAC processes the Data of the Data Subject for one or more of the following purposes, in accordance with the corresponding legal bases indicated below:
a) Registration, account management and access to ATAC digital services
ATAC collects and processes the Data Subject’s first name, surname and e-mail address in order to enable the creation and management of the account and login credentials for access to the restricted area of the MyAtac Channels, as well as the continuous use of functionalities that require identification of the Data Subject in order to ensure the provision of ongoing services (e.g. management of account settings, consultation of transaction history, management and monitoring of requests/applications and their outcomes, as well as access to restricted functionalities connected to MyAtac digital services). ATAC also processes such data for the purpose of sending operational and recurring communications strictly related to the account and its security/operation (e.g. OTPs, technical confirmations, security alerts, service communications and messages necessary to complete access or ensure the proper use of restricted functionalities). It remains understood that the information and journey planning services available through the App may also be used without creating an account, in “guest” mode (see purpose e).
Legal basis: performance of a contract to which the Data Subject is party or the implementation of pre-contractual measures taken at the Data Subject’s request pursuant to Article 6(1)(b) GDPR. Provision of such data is necessary in order to create a MyAtac account; failing this, the Data Subject will not be able to register on the MyAtac Channels and, consequently, will not be able to use digital services requiring identification, without prejudice to the possibility of using exclusively the functionalities available in “guest” mode via the App (see purpose e) below).
b) Management of travel passes (season tickets and tickets) and strictly related purposes
ATAC processes identification and personal data (including, where required, tax code or equivalent data for foreign citizens) and Data relating to tickets/transactions and service usage in order to allow the Data Subject to purchase, issue, renew/top up and manage travel passes and digital ticketing services available through the MyAtac Channels. In particular, such processing is necessary in order to:
a) top up and manage personalised Metrebus season tickets, ensuring the unique association of the pass with the Data Subject and the correct recording of transactions carried out;
b) request the personalised physical medium (Metrebus Card) for reloading travel passes (tickets and season tickets) and manage administrative and operational activities strictly connected with the production, delivery and activation of the card;
c) renew ordinary personalised season tickets;
d) use additional e-commerce functionalities connected to travel passes (with differences between the Portal and the App depending on the types of passes made available by ATAC, e.g. purchase of a single BIT ticket exclusively via the App).
Depending on the specific transaction requested and the method of service provision, ATAC may also process, within the limits of necessity: (i) contact details, for operational communications strictly related to the application (e.g. confirmations, updates, outcomes); (ii) residence/domicile data and additional administrative data, where required (e.g. administrative checks or management of physical media/delivery details); (iii) uploaded documents and images, where necessary for identification, verification of entitlement to the pass or verification of requirements under the applicable regulations.
Legal basis: for the issue, renewal/top-up and management of travel passes and personalised season tickets requested by the Data Subject, as well as activities strictly necessary for the provision of the digital service and administrative management of the relevant procedures, the legal basis is the performance of a contract or pre-contractual measures requested by the Data Subject pursuant to Article 6(1)(b) GDPR. For compliance with tax/accounting and reporting obligations, where applicable, including communication to the Italian Revenue Agency of expenses relating to the purchase of local, regional and interregional public transport season tickets pursuant to Article 1 of the Ministerial Decree of the Ministry of Economy and Finance of 29 March 2023 and its implementing measures, the legal basis is compliance with a legal obligation to which the Controller is subject pursuant to Article 6(1)(c) GDPR.
c) Discounted personalised season tickets
ATAC processes identification and personal data (including, where required, tax code or equivalent data for foreign citizens), Data relating to tickets/transactions and service usage and, where applicable, contact details, residence/domicile data and additional administrative data, as well as uploaded documents and images, in order to assess applications and manage the issue/renewal of discounted personalised season tickets, verifying the existence of the requirements laid down by applicable regulations (including regulatory/fare provisions issued by the competent authority, such as Roma Capitale and/or Regione Lazio, as applicable) and recording the outcome of the assessment. Renewal of discounted personalised season tickets is available exclusively through the MyAtac Portal.
Within the context of such procedures, the Data Subject may be required to provide supporting documentation which, depending on the circumstances, may include special categories of personal data pursuant to Article 9 GDPR (e.g. information and documentation capable of revealing health status/disability), processed exclusively for the purpose of verifying eligibility requirements and within the limits strictly necessary for carrying out the assessment.
Legal basis: for management of the discounted fare application (submission, assessment, outcome and strictly related administrative activities), the legal basis for ordinary personal data is Article 6(1)(b) GDPR. For compliance with tax/accounting and reporting obligations, where applicable, including communication to the Italian Revenue Agency pursuant to the above-mentioned Ministerial Decree, the legal basis is Article 6(1)(c) GDPR. With regard to special categories of personal data processed in the context of discounted fares, the condition for lawful processing is the Data Subject’s explicit consent pursuant to Article 9(2)(a) GDPR. Provision of such special category data (and the related consent) is necessary for the assessment of the discounted fare application; failing this, ATAC will not be able to verify eligibility requirements and therefore to grant the discounted season ticket, without prejudice to the possibility of applying for an ordinary season ticket. Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
d) Issue and management of personalised free circulation cards
ATAC processes identification and personal data, contact details, residence/domicile data and additional data (e.g. indication of the command/unit of affiliation and place of work), in order to assess and manage applications for personalised free circulation cards (e.g. first issue or duplicates due to deterioration, theft/loss or change/reissue) submitted by entitled Data Subjects (e.g. law enforcement, armed forces, ANAS personnel) through the MyAtac Portal, as well as to carry out the related administrative and operational activities. ATAC may also process uploaded documents and images supporting the application, within the limits strictly necessary to verify identity and/or entitlement and compliance with applicable requirements.
Legal basis: processing is necessary in order to handle the Data Subject’s request and manage administrative and operational activities strictly connected with the issue/management of the card (Article 6(1)(b) GDPR). Where, for the specific type of card, assessment, verification and/or issue derive from legislative provisions and/or regulatory, fare or administrative acts applicable (including, by way of example, provisions of the competent authority and/or applicable organisational rules), processing is also carried out for compliance with a legal obligation (Article 6(1)(c) GDPR) and/or for the performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR). In such cases, the legal basis is identified, pursuant to Article 2-ter of Legislative Decree 196/2003 as amended (“Privacy Code”), in the applicable legislation and/or regulatory/administrative acts relating to the specific card. Provision of such data is necessary to manage and process the application; failing this, ATAC will not be able to proceed.
e) Information services and journey planning (App) and “guest” mode
ATAC processes exclusively the Technical and log Data necessary for the operation of the App and for the use of information and journey planning services, which do not require the creation of any account and may be used by the Data Subject in “guest” mode (e.g. consultation of timetables, arrival forecasts and service status, as well as route planning). Where the Data Subject enables geolocation on their device, ATAC may process Location Data exclusively within the limits strictly necessary to provide the requested function (e.g. search for nearby stops, display of nearby services, location-based itineraries) and for the time strictly necessary to provide the specific function; in the absence of authorisation, location-based functionalities may not be available or may be limited, while non-location-based information and planning functionalities remain available.
Legal basis: performance of a contract to which the Data Subject is party or implementation of pre-contractual measures taken at the Data Subject’s request pursuant to Article 6(1)(b) GDPR. Technical and log Data are necessary for use of the App and provision of “guest” services; geolocation is optional, but failure to provide it may prevent or limit functionalities requiring the use of Location Data.
f) Tap&Go (reporting and display of access/account statements)
ATAC processes identification and personal data and Data relating to tickets/transactions and service usage necessary to make Tap&Go reports and account statements available on the MyAtac Portal, through integration with the payment partner’s web services and the use of tokenisation mechanisms. Processing of payment data takes place within the provider’s systems (e.g. Nexi), which acts as an independent controller; ATAC receives exclusively derived and non-financial data (e.g. outcome, amount, timestamps) and a substitute identifier (so-called technical token) necessary to link the statements to the Data Subject.
Legal basis: performance of a contract to which the Data Subject is party or implementation of pre-contractual measures taken at the Data Subject’s request pursuant to Article 6(1)(b) GDPR. Provision of such data is necessary in order to use the Tap&Go functionality; failing this, the functionality cannot be made available.
g) Refunds for delays and compensation measures via App (vouchers and e-wallet)
ATAC processes identification and personal data, contact details and Data relating to tickets/transactions and service usage in order to assess and manage, at the Data Subject’s request, refund procedures for delays (surface and metro services) and/or compensation measures via the App, with issuance and management of digital vouchers in the Data Subject’s electronic wallet. Depending on the scenario provided for by the procedure: (i) where the request is made following boarding and validation, the system acquires the necessary data through the validation systems and the Data Subject associates/indicates the season ticket number at least upon the first request; (ii) where the request is made without boarding, geolocation must be enabled and ATAC processes Location Data within the limits strictly necessary to verify presence at the stop and to assess the request; failing this, the request cannot be processed.
Legal basis: performance of a contract to which the Data Subject is party or implementation of pre-contractual measures taken at the Data Subject’s request pursuant to Article 6(1)(b) GDPR. Provision of such data is necessary in order to process the Data Subject’s request and for the issuance/management of the voucher; failing this, the Controller will not be able to process the Data Subject’s request.
h) “+Ricicli +Viaggi” Cashback (App)
ATAC processes identification and personal data and Data relating to tickets/transactions and service usage in order to allow the Data Subject to participate in the cashback programme available via the App and to manage activities strictly connected thereto (e.g. calculation/allocation of benefits, management of any accrued balance/credit and use thereof).
Legal basis: performance of a contract to which the Data Subject is party or implementation of pre-contractual measures taken at the Data Subject’s request pursuant to Article 6(1)(b) GDPR. Provision of such data is necessary in order to process the Data Subject’s request; failing this, the Controller will not be able to proceed with the Data Subject’s request.
i) ATAC Newsletter
The Controller processes contact details (in particular, the e-mail address associated with the account) for the purpose of sending periodic informational and/or promotional communications regarding ATAC services and initiatives. Subscription occurs exclusively at the initiative of the Data Subject through the dedicated functionality; withdrawal is available at any time through the available methods, without affecting the lawfulness of processing carried out prior to withdrawal.
Legal basis: consent of the Data Subject pursuant to Article 6(1)(a) GDPR. Provision of contact details (as well as consent) for this purpose is optional. Failure to provide such data does not preclude nor entail consequences for registration with MyAtac or use of the services offered therein, but will prevent the Data Subject from receiving commercial and marketing communications and from being informed about ATAC initiatives and additional services. Withdrawal of consent, which may be exercised at any time, does not affect the lawfulness of processing carried out prior to withdrawal.
l) Defence of rights in judicial, administrative or out-of-court proceedings, security, prevention of misuse/fraud
Where necessary, ATAC will process the Data Subject’s Data in order to ensure system security, prevent and counter improper/abusive use or attempts at fraud, ensure continuity and integrity of services, as well as to establish, exercise or defend a right of ATAC or third parties in judicial, administrative or out-of-court proceedings, or to comply with requests from the competent Authority.
Legal basis: pursuit of the legitimate interests of ATAC or third parties pursuant to Article 6(1)(f) GDPR, aimed at protecting its rights and defence in legal proceedings. No specific provision of data is required, as ATAC may process, within the limits of necessity, data already collected for the above purposes also for these further purposes, as they are related to and compatible with the original purposes. Where processing is necessary to comply with specific requests/orders of the competent Authority or with legal obligations, the legal basis is Article 6(1)(c) GDPR (legal obligation). With reference to special categories of personal data that may be processed in this context, the condition for lawful processing is Article 9(2)(f) GDPR.
5. METHODS OF PROCESSING AND TRANSFER OF DATA ABROAD
ATAC processes the Data primarily by means of IT and telematic tools, according to logic strictly related to the purposes indicated in paragraph 4 above and in compliance with the principles of lawfulness, fairness, transparency and data minimisation provided for by the GDPR. Appropriate technical and organisational measures are adopted to ensure the security, integrity and confidentiality of the Data, including in order to prevent unauthorised access, loss or unlawful use. With reference to functionalities available in “guest” mode, the App allows the use of information and journey planning services without the creation of an account and without associating such use with identification and personal data or contact details, unless the Data Subject chooses to register in order to access additional functionalities.
Following the operations that require it (e.g. purchase, renewal or top-up), the MyAtac systems interface with the relevant ATAC systems (e.g. electronic ticketing systems and/or dedicated application components) for the generation, activation and/or provision of the ticket or outcome, in accordance with the applicable operational procedures. With reference to Tap&Go, ATAC makes available to the Data Subject reporting based on derived/technical data and a token, without receiving or processing payment card data; processing of payment data remains within the scope of the payment provider (e.g. Nexi) acting as an independent controller, in accordance with its own privacy notice. As a rule, ATAC receives only the outcomes and technical identifiers strictly necessary to make the functionality available.
With reference to refunds/compensation measures, the assessment of requests and management of vouchers also take place through an integrated application platform (Mendix), by means of application exchanges between MyAtac/App and the platform services and, where necessary, via API connections with the relevant ATAC systems for functional checks and operations. The providers that make available and manage such components act, where applicable, as processors/sub-processors pursuant to Article 28 GDPR, on the basis of documented instructions and appropriate contractual arrangements.
Processing activities are configured so as to be necessary and proportionate to the requested digital services and connected to local public transport (TPL): data collected at the registration stage are limited to those that are essential; additional data and documents are requested only in relation to specific procedures; payment data are not processed by ATAC; where provided, geolocation is activated at the initiative of the Data Subject and used within the limits and for the time strictly necessary for the specific functionality.
ATAC does not carry out solely automated decision-making processes that produce legal effects concerning the Data Subject or similarly significantly affect him/her pursuant to Article 22 GDPR.
Access to the Data is permitted exclusively to ATAC personnel expressly authorised and instructed pursuant to Article 29 GDPR. For the performance of certain activities, ATAC may disclose the Data to external parties (e.g. consultants, providers supporting the delivery and management of MyAtac services, as well as entities, bodies or authorities to whom disclosure is required by law or upon request/order of the competent Authority). Such parties process the Data, as the case may be, as independent controllers or as processors appointed by ATAC pursuant to Article 28 GDPR.
The Data are processed mainly within the European Economic Area (EEA). However, the use of certain tools and/or providers may, on a residual basis, entail transfers of Data to countries outside the EU/EEA. In such cases, the transfer takes place in compliance with Chapter V of the GDPR, on the basis of an adequacy decision or by means of appropriate safeguards and, where necessary, supplementary measures.
The updated list of processors may be requested at any time from the Controller using the contact details indicated in this privacy notice.
The Data will not be disclosed to the public.
6. DATA RETENTION PERIODS
The Data of the registered Data Subject, the documentation uploaded to the account and the history of transactions and operations carried out through MyAtac are retained for a period of 10 years from the last access or from the date of deactivation of the account by the Data Subject; upon expiry of this period, automatic deletion of the Data is provided for.
Technical and usage Data are processed for the time strictly necessary for the operation of the MyAtac channels and for the provision of the individual functionalities; system logs and the Data Subject’s access logs are retained for 6 months, unless further retention is necessary in the event of security incidents, disputes, litigation or requests/orders from the competent Authority.
Data processed for the management of refunds for delays and compensation measures are retained for the time necessary for the assessment procedure (with a maximum period of 30 days from submission of the request for communication of the outcome), for the issuance and use of vouchers and for the management of any disputes; in any case, they are retained for a period of 5 years from communication to the Data Subject of the negative outcome of voucher issuance or from the expiry/use of the voucher, unless disputes or litigation arise. Data necessary solely for accounting and tax purposes are retained for the periods provided for by the applicable legislation pursuant to Article 2220 of the Italian Civil Code.
Personal data processed for the sending of the newsletter are retained until withdrawal of consent or unsubscription, which may be carried out at any time through the available methods; thereafter, ATAC may retain minimal evidence of the withdrawal/objection (e.g. e-mail address and date of the request) solely for the purpose of ensuring compliance with the Data Subject’s choices and preventing unwanted communications.
In any event, where it is necessary to establish, exercise or defend a right in judicial, administrative or out-of-court proceedings, or to comply with requests from the Authority, the Data may be retained for the period strictly necessary for such purposes, within the limits permitted by law or, in any case, until the expiry of the limitation periods for bringing and/or appealing actions, or for the purpose of protecting its rights.
7. RIGHTS OF THE DATA SUBJECT
The Data Subject may, at any time, exercise the rights provided for in Articles 15 to 22 of the GDPR by contacting the Controller in order to request:
a) access to the Data, as provided for in Article 15 GDPR;
b) rectification and completion of Data considered inaccurate, as provided for in Article 16 GDPR;
c) erasure of Data for which ATAC no longer has any legal basis for processing, as provided for in Article 17 GDPR;
d) restriction of the manner in which ATAC processes the Data Subject’s Data where one of the circumstances set out in Article 18 GDPR applies;
e) a copy of the Data that the Data Subject has provided to ATAC, in a structured, commonly used and machine-readable format, for processing based on the contractual relationship (so-called portability), as provided for in Article 20 GDPR;
f) withdrawal of consent at any time, where processing is based on consent. It is specified that any withdrawal of consent shall have effect only with regard to subsequent processing and shall not affect the lawfulness of processing carried out prior to such withdrawal.
Right to object: in addition to the rights listed above, the Data Subject has the right to object at any time, on grounds relating to his/her particular situation, to the processing of personal data carried out for the purposes of pursuing the legitimate interests of the Controller.
The Data Subject may exercise the above rights by completing and submitting the form available at the following link, or by writing to the certified e-mail address (PEC) protocollo@cert2.atac.roma.it or, alternatively, by registered letter with return receipt to the registered office of ATAC (see the contact details referred to in paragraph 1 above).
Where the Data Subject considers that the processing of personal data is carried out in breach of the GDPR, he/she has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), using the contact details available on the website www.garanteprivacy.it, or to bring proceedings before the competent judicial authorities.