We apologize for the inconvenience. Currently this section is available only in Italian
Atac S.p.A., as Data Controller (details provided in paragraph 8 below), issues this privacy notice pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”), in relation to the automated messaging service (the “Chatbot” or the “Service”) accessible via the instant messaging chat available on the website www.atac.roma.it.
The Chatbot is an automated system powered by data taken from Atac S.p.A.’s websites and designed to respond to user requests relating to Local Public Transport services provided by the company.
The system made available by Atac S.p.A. serves a specific and clearly defined purpose and is limited to topics and transport services offered by Atac. As it is not based on generative Artificial Intelligence systems, it does not fall under the definition of “general-purpose AI system” within the meaning of the AI Act.
Use of the Service does not require user identification and is intended for adults or minors aged fourteen and above.
1. Categories of data processed
The Service is designed to operate without identifying the user. The only data collected and processed by Atac are those directly provided by the user while using and interacting with the virtual assistant/Chatbot, namely: geographical location and Metrebus card number (when using the service that checks the card’s validity).
Users are advised not to share any personal data, especially special categories of data (e.g., health data, religious beliefs, etc.). Any personal data entered during interaction with the Chatbot may temporarily appear in the chat but will not be processed to generate the requested response, nor will it be stored or used for any further purpose.
No cookies or other tracking tools are used to identify or profile the user.
2. Purpose and legal basis of the processing
Atac processes user data through the Chatbot for the purpose of managing information requests relating to Local Public Transport services (e.g. bus arrival times at stops, nearby park&ride facilities, Metrebus card validity, metro timetables, strikes, information on submitting complaints, etc.).
The legal basis for the processing is Article 6 par. 1 lett.b) GDPR - performance of a contract to which the user is party, or performance of pre-contractual measures taken at the user’s request.
If access to the device’s location is required to provide the requested information, the user will be asked to grant authorisation. If authorisation is denied, location-based information (e.g. waiting times at nearby stops or availability of nearby park& ride facilities) cannot be provided.
3. Data disclosure
Data provided may be disclosed in anonymous and aggregated form for statistical purposes.
Data may also be disclosed to competent public authorities where required by law.
4. Data transfers outside the EU
The system is hosted on infrastructure located on Atac S.p.A.’s servers within the European Economic Area (EEA), with no data transfers to third countries.
The technology provider does not access users’ personal data under the contractual agreements in place.
5. Methods of processing
Data processing is carried out in accordance with the principles of fairness, lawfulness, and transparency, and with the adoption of appropriate technical and organisational security measures pursuant to Article 32 GDPR.
Data are processed electronically and automatically, with measures in place to minimise processing with regard to data types, access permissions, and retention periods.
The Service does not involve automated decision-making as defined in Article 22 GDPR. Responses generated by the Chatbot are automated but produce no legal effects for users.
Data may be processed in anonymous form by the Data Controller for statistical purposes.
6. Data retention period
Personal data provided by the user, processed in compliance with the GDPR principle of data minimisation (Article 5.1 GDPR), are not stored by the Data Controller.
7. Rights of the data subject
At any time, users may exercise the rights provided for in Articles 15-22 of Regulation (EU) 2016/679 by writing to the Data Controller or to the Data Protection Officer (DPO) of Atac S.p.A. at the addresses listed below.
Users also have the right to lodge a complaint with the Italian Data Protection Authority if they believe that their rights have been violated, pursuant to Article 33 GDPR.
Requests must be submitted in writing using the appropriate form available on the website and sent to the Data Controller together with a copy of a valid identity document.
8. Identity and contact details of the Data Controller
ATAC S.p.A., represented by its legal representative pro tempore, with registered office in Via Prenestina 45, 00176 Rome, Italy.
To exercise the rights provided for under applicable law, users may write to the following certified email address (PEC): protocollo@cert2.atac.roma.it
9. Contact details of the Data Protection Officer (DPO)
Data Protection Officer, Via Prenestina 45, 00176 Rome, Italy