Video surveillance - pursuant to article 13 of the General Data Protection Regulation 2016/679 - GDPR

ATAC S.p.A. (hereinafter "Controller"), acting as data controller, pursuant to article 13 of the EU Regulation 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data (hereinafter, "data"), informs you that, for reasons of prevention, security and protection of corporate assets , the company premises and a certain number of buses - properly signalled by specific signage as requested by the Italian Data Protection Authority - are equipped with video surveillance systems.  Video surveillance falls into the category of personal data and will be processed by Atac S.p.A. in the manner and for the purposes specified below.

1. Legal basis and purpose of data processing

Images, as well as other personal information, are personal data subject to EU Regulation 2016/679 of the European Parliament and Council concerning the protection of natural persons. 
For this reason these particular personal data are collected and stored by Atac S.p.A. for the time strictly necessary to prevent illegal activities, ensure the safety of company sites and on board of company vehicles, guarantee workplace safety for employees and users of the local public transport services and allow protection of company assets - all in compliance with the provisions of EU Regulation 2016/679 and the requirements imposed by the Data Protection Authority. The adopted system does not link, relate or compare the images collected with other personal data or identification codes.

2. Data communication

The processed data will not be disclosed to third parties. However, the following subjects may become aware of your data, in relation to the processing purposes illustrated above:

  • subjects who have access to the data by virtue of legal provisions of the European Union or of the Member State of the data Controller;
  • our employees, provided they are acting under the authority of the controller pursuant to Article 29 of the European Regulation, or as system administrators;
  • subjects (external security and surveillance companies) who, within the borders of the European Union, act as Data Processors appointed by Atac S.p.A., for purposes that are auxiliary to the activities and services referred to in paragraph 1.

Access requests to recorded images and videos may come from:

  • the Judicial Authority or Judicial Police for legal purposes, investigative reasons and in all cases provided for by law.  The "Sala Sistema Roma of Roma Capitale” has the task of linking, coordinating and analysing  the requests made by the Authorities that, for judicial reasons and in all cases provided for by law, ask the City Council to acquire the recordings of images and/or videos from video surveillance systems pertaining to Roma Capitale pursuant to the Mayor's ordinance no. 63 of 28/02/2011;
  • company structures, for internal investigations (e.g. commissions of inquiry).

Images extracted in response to requests received from the Judicial Authority or the Judicial Police are delivered in single copy and Atac S.p.A. does not keep any further copy deleting the images from any support used for the extraction.

3. Transfer of personal data to third countries

Personal data are stored on servers located within the European Union at our data centres in Via Sondrio n. 18 and/or Via Prenestina n. 45 - 00176 Rome; the data will not be transferred outside the European Union.

4. Processing methods

The processing of your personal data is based on the principles of fairness, legality and transparency. Your personal data are subject to both paper and electronic processing. It is carried out by the Controller and by persons specifically authorized by the Controller for the time necessary to fulfil the above mentioned purposes.

The processing will be strictly related to the indicated purposes and use methods that guarantee security and confidentiality of the data.

5. Data retention period

The Controller or Data Processor retain the images deriving  from video surveillance activity for a period not exceeding the time necessary to achieve the purposes for which those data are processed; in fact, on company vehicles that are equipped with video surveillance, Atac S.p.A. uses a system that records and files images in a circular way storing them in encrypted format on a DVR (Digital Video Recorder) placed on board of the vehicle. The retention period is variable and depends on the specific characteristics of the system and on its configuration, set in compliance with the law. The system automatically deletes images recorded on board of buses by overwriting (after 48/140/160 hours of service, depending on the bus model); in any case, the images are deleted after 7 days from recording.

Even in company premises and stations the storage of images is done using a system that overwrites the encrypted images after a period of time not exceeding the time necessary to achieve the purposes for which they are processed and in any case no longer than 7 days.

The use of the images for other purposes is not envisaged and, in particular, remote employee activity monitoring is excluded according to the provisions of article 4 of the Workers' Statute, law n.300/70.

The company documentation produced, such as requests for access to images, requests to download images, image extraction certificate, traceability register, image delivery report (on paper and computerized), will be retained  for a period strictly necessary to achieve the purposes for which data were collected and in any case no longer than ten years.

6. Rights of the data subject

At any time, pursuant to articles 15-22 of EU Regulation no. 2016/679, you have the right to:

a) ask for confirmation of the existence or not of your personal data;

b) obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, when possible, their retention period;

c) obtain the correction and deletion of data;

d) obtain the limitation of the processing;

e) obtain data portability, i.e. receive them from a data Controller, in a structured and commonly used format and readable by an automatic device, and transmit them to another data Controller without hindrance;

f) oppose the processing at any time, also in the case of processing  for direct marketing purposes;

g) oppose an automated decision-making process relating to natural persons, profiling included;

h) ask the data Controller access to your personal data and correct or cancel them, limit their processing or oppose their processing, in addition to the right to data portability;

i) withdraw consent at any time without prejudice to the lawfulness of the processing based on the consent given before the withdrawal;

j) submit a complaint to the supervisory authority.

You can exercise your rights, in whole or in part, for reasons legitimate to the processing of your personal data, even if pertinent to the purpose of the collection. In particular, the data subject has the right to object to the processing of personal data concerning him for the purpose of sending commercial advertising material or commercial communications.

You will have to send a written request via email to the contacts of the Data Controller or of the Data Protection Officer, that you find in paragraphs 8 and 9 of this notice, by filling in the appropriate form that can be downloaded by clicking here.

8. Contact details of the data Controller

The Controller of the processing of your personal data is ATAC S.p.A. in the person of its pro tempore legal representative, with registered office in Rome Via Prenestina n. 45 - 00176. To exercise the rights provided for by the law and better specified above, you can contact the Controller at the following certified email address:

9. Contact details of the Data Protection Officer

Hereinafter the contact details of the Data Protection Officer (DPO): Via Prenestina n. 45 - 00176 Rome, email: