Privacy policy - pursuant to article 13 of the GDPR (General Data Protection Regulation) 2016/679

This document has been written pursuant to EU Regulation 2016/679 (hereinafter: "Regulation") to acquaint you with our privacy policy, to explain how your personal information is managed when you use our site (www.atac.roma.it, hereinafter "site") and, if you wish, to allow you to give informed consent to the processing of your personal data. The information and data provided, or otherwise acquired in the context of the use of navigation services and access to the reserved area of the site (marketing newsletter), will be processed in compliance with the provisions of the Regulation and the confidentiality obligations that inspire the activity of Atac S.p.A.

According to the rules of the Regulation and of the Privacy Code, the data processing carried out by Atac S.p.A. will be based on the principles of lawfulness, correctness, transparency, purpose and conservation time limitations, minimization of data, accuracy, integrity and confidentiality, as well as on the principle of accountability pursuant to art. 5 of the Regulation.

Personal data being processed

We inform you that the personal data being processed may consist of identifiable information such as your name and surname, email address, company or role covered within it, telephone number, VAT number, an identification number, location data or online identifiers, depending on the requested service.

Furthermore, personal data processed through our site are the following:

1. Navigation data

During their normal operation, the IT systems and software procedures used to operate the site automatically collect information relating to web browsing, the transmission of which is implicit in the use of Internet communication protocols. This kind of data is not collected to be associated with identified subjects but by its nature it could, through associations and processing with data held by third parties, allow the identification of users or surfers. This category includes information on IP addresses, domain names of computers used by persons who connect to the site, URI (Uniform Resource Identifier) addresses of the requested resources, time of request, method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the web server (successful, error, etc.) as well as other parameters relating to the operating system and the computer environment of the user. These data are used for the sole purpose of obtaining anonymous statistical information on the use of this website and to check its correct functioning, to identify anomalies and/or abuses, and are deleted immediately after processing. This data could be used to ascertain responsibility in case of hypothetical cybercrimes against the site or third parties.

You’ll find specific information in the sections of the website set up for particular services, accessible also after registration, where personal data are requested.

2. Cookies

What are cookies

Browsing this website involves the receipt of cookies, short text strings that the visited websites send to the user's browser (i.e. to the program used to surf such as, for example, Chrome, Explorer, Mozilla, etc.) where they are stored and then retransmitted to the same websites during subsequent visits. While browsing a site, the user can also receive cookies set by websites or web servers other than the one he is currently on (so-called third-party cookies).

Technical cookies, which allow the carrying out of activities strictly related to the functioning of the site and can be used freely, are distinguished from profiling cookies, which are used to send advertising messages in line with the preferences shown by the user during navigation on the web and for which it is necessary to collect the user's consent.

Through this site the user's browser can receive technical cookies as well as third-party profiling cookies.

Technical cookies

In particular, technical cookies are used to allow navigation, to store the user's browsing preferences and to improve the browsing experience on the site. Analytical cookies are also used (specifically Google Analytics provided by Google Inc. - hereinafter "Google"), which collect, in an anonymous and aggregate form, statistical information on how users navigate (for example, number of pages visited and accesses, time spent on the site), useful to understand how to improve the website experience.

For more information about the processing of data carried out by Google through Google Analytics service, you can:

The use of these cookies does not require the user's consent, although he can decide to disable their use on his browser. Moreover, Google Analytics cookies can be specifically rejected using the special tool provided by Google:

Third-party profiling cookies

Some pages of this website also allow third-party profiling cookies to be received in your browser, for example to enable the display of content hosted on external platforms and interaction with them (e.g. YouTube). For this reason, when accessing these pages, a banner is shown to inform the user and allow him to give his consent to the receipt of such cookies, by closing the banner or clicking on any other element of the page, outside the banner.

Atac S.p.A. has no access to information collected by third-party cookies, which are used in full autonomy by the managers of the aforementioned services. For further information on how the data collected through these cookies is processed, please consult the privacy information notes of the single service providers.

In particular, the third-party cookies used on this site are the following:

You can disable cookies placed by the third parties listed above by clicking on the indicated links.

In case there are no links:

How to manage cookies on your browser

The user can set his browser in such a way as to be warned of the presence of cookies and decide whether or not to accept a specific cookie or to automatically reject all cookies. Below are the references on how to manage the activation/deactivation of cookies for the main browsers:

If you decide to refuse cookies, some interactive features offered by the site may not be usable, in whole or in part.

3. Purposes of processing

Your personal data will be processed by the Data Controller for the following purposes:

3.1 to allow website navigation and the provision of the services made available by the owner;

3.2 to fulfil obligations under applicable laws, regulations or community legislation, or to satisfy requests from authorities;

3.3 for the compilation of statistics, without the possibility to trace your identity;

3.4 to send newsletters and promotional communications for direct marketing purposes through email, sms, MMS, fax, conventional mail or by telephone with operator, where the promoted products may also belong to other partner companies.

Specific security measures are adopted to prevent data loss, illicit or incorrect use and unauthorized access.

4. Legal basis and mandatory or optional nature of the processing

The legal basis for the processing of personal data for the purposes referred to in paragraph 3.1 is art. 6.1.b) of the Regulation, since the processing is necessary for the provision of services or in response to the requests of the interested party. The legal basis for the processing of personal data for the purposes referred to in paragraph 3.2 is art. 6.1.c) of the Regulation ("processing is necessary for compliance with a legal obligation to which the controller is subject"). The provision of personal data for these purposes is optional, but any failure to provide them would make it impossible to activate the requested services. It should be noted, however, that the processing referred to in paragraph 3.3 is not performed on the basis of personal data and, therefore, can be freely carried out by the Data Controller.

The legal basis for the processing of personal data for the purposes referred to in paragraph 3.4 is art. 6.1.a) of the Regulation since it is based on consent. The consent is optional and can be reviewed at any time without any consequence (except for the fact that you will no longer receive marketing communications and/or that no profiling activity will be made). Previously granted consent can be revoked following the indications described in paragraph 8 of this note.

The legal basis for the processing of your data for this purpose is art. 6, paragraph 1, lett. f) of the Regulation. The right to oppose processing at any time remains unaffected, from the beginning or with subsequent communications, by written notice to the contact details indicated in the paragraph "Identity and contact details" of this note, as well as the opportunity to obtain a notice that confirms the interruption of the processing (art. 15 of the Regulation).

5. Recipients of personal data

Your personal data may be shared, for the purposes referred to in paragraph 3 of this note, with:

5.1 subjects who typically act as data processors pursuant to art. 28 of the Regulation, that is, subjects who cooperate with the Data Controller for the pursuit of the aforementioned purposes, including subjects designated to carry out technical maintenance activities (collectively "Recipients"); the list of data processors who process data can be requested from the Data Controller or the DPO by writing to the contacts indicated in the "Identity and contact details" paragraph of this note;

5.2 persons, bodies or authorities to whom it is mandatory to communicate your personal data due to legal provisions or orders issued by authorities;

5.3 persons authorized by the Data Controller, pursuant to art. 29 of the Regulation, to the processing of personal data necessary to carry out activities strictly related to the provision of services, which are bound by the duty of confidentiality or, in any case, have a legal obligation of confidentiality.

The updated list of subjects who may process your personal data as data processors is available by sending a written request to the Data Controller at the contact details you find below.

6. Transfer of personal data

Personal data are stored on servers located within the European Union at our data centre in Via Sondrio n. 18 - 00176 Rome; the data will not be transferred outside the European Union.

7. Data retention

Personal data processed for the purposes referred to in paragraph 3.1 will be kept for the period strictly necessary to pursue the purposes for which they were collected. In any case, since the processing is carried out for the provision of services, the Data Controller will keep personal data for the period of time envisaged and permitted by Italian law to protect his interests (Article 2946 of the Italian Civil Code and subsequent amendments).

Personal data processed for the purposes referred to in paragraph 3.2 will be kept for the time required by the specific obligation or applicable law.

More information about the data retention period and the criteria used to determine this period can be requested by sending a written request to the Data Controller or the DPO at the contacts indicated in the "Identity and contact details" paragraph of this note.

In any case, the Data Controller has the opportunity to keep your personal data for the period of time provided for and permitted by Italian law to protect his interests (Article 2947 of the Italian Civil Code).

8. Rights of the data subject

At any time, pursuant to articles 15-22 of EU Regulation no. 2016/679, you have the right to:

a) ask for confirmation of the existence or not of your personal data;
b) obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, when possible, their retention period;
c) obtain the correction and deletion of data;
d) obtain the limitation of the processing;
e) obtain data portability, i.e. receive them from a Data Controller, in a structured and commonly used format and readable by an automatic device, and transmit them to another Data Controller without hindrance;
f) oppose the processing at any time, also in the case of processing for direct marketing purposes;
g) oppose an automated decision-making process relating to natural persons, profiling included;
h) ask the Data Controller for access to your personal data and correct or cancel them or limit their processing or oppose their processing, in addition to the right to data portability;
i) withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;
j) submit a complaint to the supervisory authority.

You can exercise your rights, in whole or in part, for legitimate reasons, to the processing of your personal data, even if pertinent to the purpose of the collection. In particular, the data subject has the right to object to the processing of personal data concerning him for the purpose of sending commercial advertising material or commercial communications.

You will have to send a written request to the contact of the Data Controller or of the Data Protection Officer, that you find in sections 18 and 19 of this note, by filling in the downloadable form at the bottom of the page.

9. Transfer of personal data to third countries

Personal data are stored on servers located within the European Union at our data centre in Via Sondrio n. 18 - 00176 Rome; the data will not be transferred outside the European Union.

10. Identity and contact details of the Data Controller

The Controller of the processing of your personal data is ATAC S.p.A. in the person of its pro tempore legal representative, with registered office in Rome, Via Prenestina n. 45 - 00176. To exercise the rights provided for by the law and better specified above, you can contact the Controller at the following certified email address: protocollo@cert2.atac.roma.it

11. Contact details of the Data Protection Officer

The contact details of the Data Protection Officer (DPO) are as follows: Via Prenestina n. 45 - 00176 Rome, email: responsabileprotezionedati@atac.roma.it

12. Changes and/or updates

The Controller reserves the right to change or simply update the content of this policy, in part or completely, also due to variations in the applicable legislation. We therefore invite you to check this page periodically in order to be always updated on data collection and on the use made of your personal data by Atac S.p.A.