ChatBot Privacy Policy 

Pursuant to Articles 13 and 14 of European Regulation 2016/679 (“GDPR”) the following policy is provided in relation to the automatic messaging service (CHATBOT) on the site https://www.adr.it/web/aeroporti-di-roma-en/ (hereinafter also defined as the “Service”). The Service is provided through AIRPORT A.I. Please refer to the limitations contained in the legal notices https://www.adr.it/web/aeroporti-di-roma-en/azn-copyright.

1. DATA CONTROLLER

Aeroporti di Roma S.p.A. (hereinafter also defined as “ADR” or “the Controller”) with registered office in via Pier Paolo Racchetti 1 - 00054 Fiumicino (Rome).

2. DATA PROTECTION OFFICER

ADR has appointed a Data Protection Officer. The contact details of the Data Protection Officer can be found at https://www.adr.it/web/aeroporti-di-roma-en/

3. TYPES OF DATA PROCESSED, PURPOSES AND LEGAL BASIS OF THE PROCESSING

This policy concerns the personal data[1] processing activities carried out for the purposes of allowing the user to make use of the Service in order to respond to requests made by the user in accordance with Article 6, letter b, GDPR (i.e. request for information on flights, services at the airport, parking, etc.). The request for information can be made by the user using the appropriate buttons on the main menu, by sending a message and/or recording a voice note with his/her voice through his/her device and then sending it. It should be noted that the operating logic of the Service does not require the user to identify him/herself and/or to enter personal data by means of chat or by recording and sending a voice note. The personal information voluntarily entered by the user is not processed by the CHATBOT in order to formulate automatic replies, but is only recorded on the system in use. There are no cookies and/or other tracking tools that allow tracing the user and the information about him/her (including, date and time of the flight for which the user requests information or activates notifications, language used, rating assigned by the user to the quality of the Chatbot Service, etc.). Chat/conversation contents are visualised by ADR on the system in use.
If push notifications are activated to receive flight updates via Meta's Facebook Messenger, the data are processed autonomously by the latter (please refer to the policies of the operator of such instant messaging platform). In this case, through the system in use ADR does not visualise the data relating to the Meta account used by the user (e.g. name and surname) but only the contents of the chats/conversations.
The Service does not ask the user to transmit information relating to special categories of data, such as data relating to one's state of health, sexual orientation, political opinions, etc. The user is kindly requested not to enter this information in the chat. Any entries of such data made freely and unconditionally (based on free consent art. 6.1, letter a), GDPR and pursuant to art. 9.1, letter a) GDPR) and for purposes in line with the user's expectations will not be processed by ADR but will follow the aforementioned processing logic.

4. PROCESSING METHODS

Data are processed in compliance with the regulations in force by means of IT and electronic tools, with logic strictly associated with the purpose above mentioned, in order to guarantee the security and confidentiality of the data.

5. DATA RETENTION PERIODS

Notwithstanding the fact that - as represented in point 3 of this policy - the activation of the Service may not result in the processing of personal data, any personal data processed will be kept only for the time necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to Article 5.1, letter c) GDPR.
The content of the chats is kept for 5 years after the messages are received. After this period, ADR retains only anonymous and aggregated information for the purpose of carrying out statistical analysis on the use of the Service.

6. DATA RECIPIENTS

Within ADR S.p.A., only the persons appointed for processing by the Data Controller and authorised to carry out the processing operations on the aforementioned activities may become aware of the personal data provided by the user.
In addition, the data may be processed by the supplier Airport AI, which ADR uses to provide the Service as a data processor pursuant to Article 28, GDPR.
If push notifications are activated to receive flight updates via Meta's Facebook Messenger, the data are processed autonomously by Meta (please refer to the policies of the operator of that instant messaging platform).
Furthermore, ADR makes use of cloud services in order to optimise the performance of the www.adr.it site. ADR has signed a special Enterprise Agreement with Amazon Web Service EMEA SARL (https://aws.amazon.com/), selecting sites available within the European Economic Area for storing its content. In any case, the supplier in question does not access the personal data of users acquired on the ADR site/app, limiting itself to using the essential information to deliver and keep active the cloud services.
Data may be communicated to the competent Public Authorities in fulfilment of legal obligations.

7. DATA TRANSFER OUTSIDE THE EU

Data will not be disclosed and/or communicated to third parties located outside the European Economic Area (EEA).

8. RIGHTS OF THE DATA SUBJECTS

Lastly, please be informed that articles 15-22 of the GDPR give data subjects the possibility to exercise specific rights under certain conditions; data subjects can obtain, from the Data Controller: access, rectification, erasure, restriction of processing, as well as the portability of data concerning them.
Data subjects also have the right to object to the processing. In the event that the right to object is exercised, the Data Controller reserves the right not to proceed with the request and, therefore, to continue the processing, in the event that there are compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedom of the data subject.
The aforementioned rights may be exercised by making a request addressed without formalities to the Data Protection Officer (DPO) at dpo@adr.it.
The data subjects right to file a complaint with the Italian Data Protection Authority pursuant to Article 77, GDPR remains unaffected.
The Data Controller reserves the right to update this policy.

Date of last update
April 2024
 
 

Privacy Policy Chatbot WhatsApp ADR


Pursuant to Articles 13 and 14 of the European Regulation 2016/679 (“GDPR”) the following policy is provided in relation to the CHATBOT (hereinafter also referred to as the “Service”)
which can be used via the WhatsApp instant messaging channel accessible from the website https://www.adr.it/web/aeroporti-di-roma-en/ or by scanning the QR Codes at FCO and CIA airports.
By using the service, the user may receive information/notifications in connection with the services requested, flight status information, commercial information, etc.
The Service is provided through AIRPORT A.I. Please refer to the limitations contained in the legal notices https://www.adr.it/web/aeroporti-di-roma-en/azn-copyright.
 
  1. DATA CONTROLLER
Aeroporti di Roma S.p.A. (hereinafter also referred to as “ADR” or “the Controller”) with registered office in via Pier Paolo Racchetti 1 - 00054 Fiumicino (Rome).
 
  1. DATA PROTECTION OFFICER
ADR has appointed a Data Protection Officer. Contact details of the Data Protection Officer are available on https://www.adr.it/web/aeroporti-di-roma-en/
 
  1. TYPES OF DATA PROCESSED, PURPOSE AND LEGAL BASIS OF THE PROCESSING
This policy concerns the personal data [1] processing activities carried out in order to allow the user to make use of the automatic messaging Service with a view to responding to requests made by the user pursuant to Article 6, letter b, GDPR (i.e. request for information on flights, services at the airport, parking, etc.).  
The user can acces the automatic messaging service CHATBOT WhatsApp through the specific section available on https://www.adr.it/web/aeroporti-di-roma-en/ website or by scanning the QR Codes at FCO and CIA airports. Replies to messages are generated automatically.
The request for information can be made by the user through the appropriate functions available on the WhatsApp chat (e.g. text message, recording with one's own voice and sending a voice note).
It should be noted that the operating logic of the Service does not require the user to identify themselves and/or to enter personal data via chat or by recording and sending a voice note. The personal information voluntarily entered by the user is not processed by the CHATBOT to formulate automatic replies but is only recorded on the system in use.
The contents of the chats/conversations are displayed by ADR on the system in use.
The data may also be processed for the possible and voluntary activation of push notifications for the reception flight status updates. Following the passenger's activation of the notifications, the Chatbot will automatically send updates on WhatsApp on the status of the flight until its Take Off/Landing. The receipt of such updates can be stopped by the user at any time by means of the appropriate button “Stop updates” in the conversation.
The logics of subscription to and use of this instant messaging channel are governed by the Policy, to which we refer, defined by the network operator (i.e. META) acting as data controller pursuant to Articles 4 and 24, GDPR.
Within the Service, personal data relating to the Whatsapp account used by the user (e.g. first and/or last name, nickname and telephone number) and the contents of chats/conversations are processed.
The Service does not ask the user to transmit information relating to special categories of data, such as data relating to one's state of health, sexual orientation, political opinions, etc. The user is requested not to enter this information in the chat. Any entries of such data made freely and unconditionally (based on free consent pursuant to article 6.1, letter a), GDPR and pursuant to article 9.1, letter a) GDPR) and for purposes in line with the user's expectations will not be processed by ADR but will follow the aforementioned processing logic.

Finally, Aeroporti di Roma may use, with the prior express free and specific consent of the user, the WhatsApp account to send updates and information on airport news, discounts, promotions and institutional initiatives. The reception of such messages may be interrupted at any time by the user by means of the appropriate button "Stop updates" available in the conversation and in any case by means of the "unsubscribe" button available in each subsequent message.

These communications may take place by means of automated contact methods (WhatsApp messaging) In this regard, the user may object to receiving the aforementioned information in the manner described above.

The legal basis for the processing is the express consent pursuant to Art. 6, letter a, GDPR. The provision of data is optional for this purpose, in the event of failure to consent to the processing, the user may use the Service without prejudice, but will not receive commercial and promotional communications. The user may withdraw their consent (opt-out) at any time by means of the appropriate buttons accessible from the WhatsApp communications received, as well as by means of the procedures set out in point 8 below.
 
  1. PROCESSING METHODS
Data are processed in accordance with the regulations in force by means of IT and telematic tools, with logic strictly related to the stated purpose, so as to ensure the security and confidentiality of the data.
 
  1. DATA RETENTION PERIOD
The personal data processed will only be kept for as long as necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to article 5.1, letter c), GDPR.
The content of the chats is retained for 5 years after the messages are received. After this period, ADR retains only anonymous and aggregate information for carrying out statistical analysis on the use of the Service.
ADR does not directly display the telephone numbers of users who use the Service, which are only received by the system in use and retained for a period of three months. After this period, the telephone numbers are anonymised and subsequently deleted.

With reference to promotional and marketing purposes, if the user voluntarily activates the receipt of content, personal data will be processed until consent is withdrawn and/or the right to object to processing (opt-out) is exercised in the manner described above and/or indicated in paragraph 8 below.

In any case, we will eventually refresh the consent given for this purpose in order to respect the user's choice.
 
  1. DATA RECIPIENTS
Within ADR S.p.A., only those individuals entrusted with the processing by the Controller and authorized to carry out the processing operations on the above mentioned activities may become aware of the personal data provided by the user.
Moreover, the data may be processed by the supplier of the chatbot service Airport AI and by the supplier of the system of the WhatsApp channel Infobip, which ADR uses to provide the Service, as data processors pursuant to article 28, GDPR.

The data may be disclosed to the relevant public authorities in compliance with legal obligations.
 
  1. DATA TRANSFER OUTSIDE THE EU
Data will not be disclosed and/or communicated to third parties located outside of the European Economic Area.
 
  1. RIGHTS OF THE DATA SUBJECT
Finally, we hereby inform you that Articles 15-22 GDPR grant data subjects specific rights that can be exercised under certain conditions; data subjects may obtain from the Data Controller: access, rectification, erasure, restriction of processing and portability of data concerning them.
Data subjects also have the right to object to the processing. In the event that the right to object is exercised, the Controller reserves the right not to comply with the request, and thus to continue processing, if there are compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject.
The above rights may be exercised by making an informal request to the Data Protection Officer at the following address: dpo@adr.it.
This is without prejudice to the data subject's right to file a complaint with the Supervisory Authority pursuant to Article 77, GDPR.

The Controller reserves the right to update this privacy policy.
Last updated, October 2024
 

[1] Personal data are understood under the GDPR as: "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (the "Data").

 

[2] Personal data shall be understood under the GDPR as: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person””(the “Data”).