Contractors privacy policy

 

Privacy policy on the processing of Personal Data pursuant to articles 13 and 14 of Reg. EU 2016/679

Article 4(1) of the European Regulation 2016/679 ‘GDPR’ defines personal data as any information relating to an identified or identifiable natural person.
Pursuant to current privacy legislation (European Regulation 2016/679 ‘GDPR’ and Legislative Decree No. 196/2003 and subsequent amendments and additions) the following privacy policy is provided regarding the processing of personal data related to the establishment and management of any contractual relationship with Aeroporti di Roma S.p.A.


1. DATA CONTROLLER

Aeroporti di Roma S.p.A. with registered office in via Pier Paolo Racchetti, 1 - 00054 Fiumicino (Rome) (hereinafter also “ADR”) is the Data Controller with regard to personal data processed for the establishment and management of the contractual relationship.

2. DATA PROTECTION OFFICER

ADR has appointed a Data Protection Officer (“DPO”) who can be contacted at the following e-mail address: dpo@adr.it.

3. TYPES OF DATA PROCESSED

ADR processes personal data (pursuant to article 4 GDPR) attributable to legal representatives/corporate representatives/collaborators/employees of the third party contractor within the establishment of the contractual relationship, the execution of pre-contractual measures and the subsequent phases of management and termination of the relationship.
Depending on the type of contractual relationship, processing may involve the following categories of personal data: 
  1. identifying, personal and contact data  of the corporate representatives/collaborators/employees and/or legal representatives of the counterparty and, where applicable, a copy of the identity document of the signatory of the contract, as well as any references relating to the method and details of payment;
  2. personal data contained in the documentation acquired in compliance with Article 26 of Legislative Decree no. 81/2008 and Ministerial Decree 10/03/98 (e.g. list of personnel and single workbook (LUL, "Libro Unico del Lavoro"), copy of the UNILAV, list of personnel designated for fire prevention, firefighting and emergency management and their valid training certificates, list of Workers trained and instructed in Work at Height who will carry out the work and Category III PPE);
  3. personal data and data relating to criminal convictions and offences (so-called judicial data pursuant to Article 10, GDPR) of the legal representatives and, where applicable, of their adult family members, contained in the documentation acquired pursuant to the Italian Public Contracts Code, including that for the verification of the grounds for exclusion pursuant to Articles 94 et seq. and the requirements set out in Legislative Decree no. 159/2011 “Code of anti-mafia laws and prevention measures”;
  4. personal data relating to legal representatives/directors necessary for the implementation of third-party anti-corruption due diligence carried out in accordance with the UNI ISO 37001 standard;
  5. contact and identifying personal data of the counterparty's contact persons/employees/collaborators necessary for the counterparty's corporate representatives to enable and access computer systems and programmes;
  6. identifying and contact details of the contact persons/employees/collaborators of the counterparty's suppliers and technical partners for maintenance, technical assistance, software house, and all other activities necessary for the management of the contract;
  7. where the counterparty employs ‘System Administrators’ within the contractual relationship, ADR processes the personal data of the latters in order to allow the performance of cyber security checks (so-called enhanced background check) by the competent authorities in line with the provisions of the regulations applicable to ADR as an aviation security operator such as EU REG. 1583/2019 which amended EU REG. 2015/1998, containing detailed provisions for the implementation of the common basic standards for aviation security). For more information, please refer to the policy available on the website www.adr.it at the airport services privacy policy page.

In the event of the need to obtain an airport card/airport licence/qualification of known supplier/by collaborators/employees of the contracting third party, ADR will process personal data relating to the management of the request for the issue of the same in relation to which please refer to the specific policy available on the website www.adr.it on the airport services privacy policy page.

4. PURPOSES AND LEGAL BASES OF PROCESSING
 
  1. The processing of the personal data referred to in point 3 numbers 1, 4, 5, 6 above carried out by ADR is aimed at following up pre-contractual measures and the establishment and management of the contractual relationship and, therefore, the legal basis is to be found in the fulfilment of pre-contractual and contractual obligations in line with the provisions of art. 6 letter b), GDPR.
     
  2. ADR's processing of the personal data referred to in point 3 numbers 2, 3 and 7 above is carried out for the purpose of complying with legal obligations provided for by specific regulations, as the case may be, applicable to the contractual relationship and, therefore, the legal basis is to be found in the fulfilment of legal obligations in line with the provisions of art. 6, letter c), GDPR.

In view of the fact that the processing of data for the purposes referred to in points 1. and 2. of this paragraph is necessary, respectively, for the performance of contractual and pre-contractual obligations and the fulfilment of legal obligations, the consent of the data subjects is not required.

This is without prejudice to ADR's right and/or obligation to be able to process the aforementioned personal data for specific purposes, even after the termination of the contractual relationship, in order to fulfil specific legal obligations or to exercise or defend its own rights in court.
The communication of the above-mentioned personal data is strictly necessary in order to carry out the activities described in points 1. and 2. of this paragraph. Any refusal by the interested parties to provide personal data will make it impossible for ADR to carry out the activities deriving from the contractual relationship and to fulfil the above-mentioned obligations.
If, in the context of the contractual relationship with ADR, the third party contractor provides personal data relating to its legal representatives/contact persons/collaborators/employees, ADR will collect such data from the third party contractor pursuant to Article 14 GDPR. By reading this notice the third party contractor declares:
  • to undertake to duly inform the person concerned about the disclosure of data to ADR and to inform him/her of the content of this notice;
  • to expressly hold ADR harmless from any liability arising from the unlawful disclosure of such data.

5. PROCESSING METHODS

The data are processed in compliance with the regulations in force, also by means of IT and telematic tools, with logic strictly related to the purposes indicated, so as to guarantee the security and confidentiality of the data.
 
6. DATA RECIPIENTS

The data are processed only by authorised ADR employees/collaborators/operators for the exclusive pursuit of the purposes set out in paragraph 4.
Finally, external parties managing services and/or information systems on behalf of the data controller, appointed as Data Processors pursuant to Article 28 GDPR, may have access to the data. The updated list of Data Processors is available at ADR.
In line with the applicable legislation, the data may be provided to State/Police Forces and Public Authorities when the legal requirements are met.
 
7. DATA RETENTION PERIOD

Personal data will only be kept for the time necessary for the purposes for which they are collected and for the subsequent applicable prescriptive period in compliance with the principle of minimisation pursuant to Art. 5.1 letter c) GDPR. In particular, personal data will be retained for the entire duration of the contractual relationship and for the subsequent period necessary to prove the regular performance of the contractual relationship. From the date of termination of the contract for any reason or cause whatsoever, personal data shall be retained for the prescriptive terms applicable by law. This is without prejudice to the Data Controller's right and/or obligation to be able to continue to store personal data, in whole or in part and for specific purposes, upon termination of the contractual relationship, in order to comply with specific legal obligations or to exercise or defend its own rights in court.


8. DATA TRANSFER OUTSIDE THE EU

Personal Data will not be disclosed and/or communicated to third parties located outside of the European Economic Area.
 
9. RIGHTS OF THE DATA SUBJECT

Finally, we hereby inform you that Articles 15-22 GDPR grant data subjects specific rights that can be exercised under certain conditions; data subjects may obtain from the Data Controller: access, rectification, erasure, restriction of processing and portability of data concerning them.
Data subjects also have the right to object to the processing. In the event that the right to object is exercised, the Controller reserves the right not to comply with the request, and thus to continue processing, if there are compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject.
The above rights may be exercised by making an informal request to the Data Protection Officer (DPO) at the following address: dpo@adr.it.
This is without prejudice to the data subject's right to file a complaint with the Supervisory Authority pursuant to Article 77, GDPR.
 
10. AMENDEMENTS AND UPDATES

The Data Controller reserves the right to amend/update this information.