Privacy notice on the processing of personal data provided for the management of structured parking facilities and parking lots “with differentiated charges", under the responsibility of ATAC S.p.A

Pursuant  to articles 13 and 14 of EU Regulation 2016/679 on personal data protection (hereinafter “GDPR”), we offer the necessary information about the processing of personal data (hereinafter also “Data”).

The Data Controller is ATAC S.p.A (hereinafter “Controller”), whose identification and contact details are listed in paragraph 9. 

The data collected and processed for the management of structured parking facilities and parking lots “with differentiated charges" are: a) common data: e.g. personal data, contact details, vehicle registration number, etc; b) particular data: number of the vehicle parking permit issued to people with disabilities provided by the user of the services and collected and processed by ATAC S.p.A.

Data is collected through optical license plate readers positioned at the entrance and exit of the parking facilities, where installed. Data is processed by automated systems of ATAC S.p.A. on local servers placed inside the parking facilities, that link license plate number, date, start time and end time of parking, in order to allow the use of automated payment.

1. Legal basis and purpose of data processing

Data processing is aimed at fulfilling the following contractual and legal obligations:

a.     management of the sale and issue of hourly, daily or periodic parking tickets;

b.     management of the issue and renewal of subscriptions;

c.     account management and fulfilment of administrative and tax obligations.

2. Data provision and refusal

The provision of data in parking areas with differentiated charges is optional, but refusal to provide that data makes it impossible to access the parking facility.

3.  Data Communication

The provided personal Data will be processed only by authorized and appropriately trained and instructed persons and may be disclosed to public and private bodies, competent authorities as well as other bodies connected to ATAC S.p.A. Subjects belonging to the categories to which Data may be communicated, will process and use them, on a case by case basis, acting as Data Processors  expressly appointed by the Data Controller pursuant to art. 28 of the GDPR, or rather as independent Data Controllers. 
Furthermore, Data may be viewed by companies authorized by ATAC S.p.A. acting as independent Controllers/Processors as suppliers of goods/services for maintenance and/or inspection of procedures and IT equipment. Data transmitted by a third party operator to ATAC as independent Controller or data Processor is regulated pursuant to Articles 26 and 28 of the GDPR and by the Legislative Decree 196/2003 and subsequent amendments. The processing of data relating to free parking permits issued to people with disabilities has been authorized by Roma Capitale acting as Data Controller since necessary for the pursuit of the purposes referred to in paragraph 1. 

The Data are not subject to disclosure.

4. Data retention and security measures

The digitally processed data (vehicle license plate and subscriber data) are stored on local ATAC S.p.A. servers situated in parking lots with differentiated charges.
On paper processed data (subscriptions) are stored at the competent company offices. In any case, they are processed and stored in compliance with the security measures provided for by Article 32 of the GDPR and are not subject to any further processing.

5. Transfer of personal data to third countries

The data will not be transferred outside the European Union.

6. Processing methods

The processing is based on the principles of fairness, legality and  transparency. The Data are subjected to both paper and electronic processing carried out by the Data Controller, by persons expressly authorized for the time necessary to fulfil the above-mentioned purposes. The processing logics are strictly related to the purposes for which the data were collected and, in any case, in such a way as to guarantee their security, integrity and confidentiality.

7. Data retention period

Data are retained for a time strictly necessary for the pursuit of the purposes for which they were collected.
Digitally collected data pertaining to hourly or daily parking are kept for 24 hours following the end time of parking and then deleted. Subscriber data will be kept for a period not exceeding 5 years from the end of validity of the last subscription without renewal, without prejudice to any retention terms provided for by laws or regulations for fiscal and judicial purposes.

8. Rights of the data subject

At any time, pursuant to articles 15-22 of EU Regulation no. 2016/679, the data subject has the right to:

a. ask the Data Controller to access the data and correct or cancel them, ask for the integration of incomplete data, as well as to limit their processing in the cases provided for by art. 18 of the GDPR;

b. oppose the processing at any time, in whole or in part , also in the case of processing  of data necessary for the legitimate pursuit of the Controller's interest;

c. in case there are the conditions to exercise his right to data portability pursuant to art. 20 of the GDPR, receive the data provided to the Controller in a structured and commonly used format and readable by an automatic device, and transmit them to another data Controller without hindrance;

d. withdraw consent at any time;

e. submit a complaint to the supervisory authority.

The data subject can exercise his rights through a written request, by filling in the appropriate form that can be downloaded on the ATAC website, section “Privacy information” -  Form to contact the data controller or data processors - and sending it to the Data Controller or the Data Protection Officer to the postal address of the registered office or to the email/certified email address indicated in paragraphs 9 and 10 of this notice.


9. Identity and contact details of the data Controller
The Controller of the processing of your personal data is ATAC S.p.A. in the person of its pro tempore legal representative, with registered office in Rome Via Prenestina n. 45 - 00176. To exercise the rights provided for by the law and better specified above, you can contact the Controller at the following certified email address:


10. Contact details of the Data Protection Officer of ATAC S.p.A.
Hereinafter the contact details of the Data Protection Officer (DPO): Via Prenestina n. 45 - 00176 Rome, email: