Privacy Policy - Airport Services

1 PRIVACY POLICY - MEMBERSHIP

Pursuant to Articles 13 and 14 of the European Regulation 2016/679 "GDPR", the following information is provided.                                                                                   

1.1 DATA CONTROLLER

Aeroporti di Roma S.p.A. with registered office in Via Pier Paolo Racchetti, 1 - 00054 Fiumicino (Rome), hereinafter also referred to as ‘ADR’ or the ‘Controller’.   

1.2 DATA PROTECTION OFFICER

ADR has appointed a Data Protection Officer (DPO) who can be contacted at the following e-mail address dpo@adr.it.

1.3 TYPES OF DATA PROCESSED

The data processed by ADR include personal identity document information such as first name, last name, etc., and additional data required to process your request for an airport pass, such as data on declaration of professional activity, education and training, as well as data on any training courses and/or qualifications required, and any verification of contribution regularity. All requested data are to be considered mandatory. The issuance of the pass is conditional on the positive outcome of the check by the Police Authorities; the latter acquire your data in their capacity of Autonomous Data Controller and do not provide ADR with the reasons for any negative outcome of the check.

Otherwise, for passes with  'escorted access', ADR only collects the escorted persons’ identity document data via the escort.

In the event of a positive outcome of the application and issue of the pass, ADR will process additional data concerning information relating to entry and exit to certain airport areas with limited access to which you will be authorised (i.e. passage through dedicated gates equipped with badge readers that retain access data for 180 days).

1.4 PROCESSING METHOD
The data are processed in compliance with the regulations in effect by means of computerised and electronic tools, with logic strictly associated with the purposes specified, in order to guarantee the security and confidentiality of the data.

1.5 PURPOSE AND LEGAL BASIS OF PROCESSING
ADR S.p.A. will process your personal data, pursuant to Art. 6 par. 1 lett. c) GDPR to comply with a legal obligation on the holder laid down in the relevant legislation (Airport Regulations, EU Reg. 300/2008, EU Reg. 1998/2015) in order to manage issuance of the pass. The provision of the data is necessary for the pursuit of the above-mentioned purpose; in the event of your refusal to provide the data, it will not be possible to provide the requested services.

If the request is made on behalf of the data subject by a third party commissioned to initiate the membership practice/request, ADR collects the data from such parties pursuant to Article 14 GDPR. By taking note of this Information Notice, the person applying for the card on behalf of third parties (employees, suppliers, colleagues, etc.) declares: (i) to undertake to duly inform the person concerned about the communication of data to ADR for the request in question and to inform them of the content of this information notice (ii) to expressly indemnify ADR from any liability arising from the unlawful communication of said data.

1.6 DATA RETENTION PERIODS
Your Personal Data will only be kept for as long as necessary for the purposes for which it is collected in compliance with the principle of minimisation pursuant to Art. 5.1.c) GDPR.                                      In particular, the data required for the issuance of the pass are retained for 10 years from the return of the pass, unless a further prescriptive period applies following disputes and/or litigation. Data stored following the use of the pass is kept for 180 days.

1.7 DATA TRANSFER OUTSIDE THE EU
Personal data are not subject to disclosure and/or communication to third parties located outside of the European Economic Area.

1.8 DATA RECIPIENTS
Only those within ADR S.p.A. who are entrusted with processing by the Data Controller and authorised to carry out processing operations in order to meet the purposes of the aforementioned activities may come into contact with the personal data provided. In addition, your data may be processed by the authorised officers of the ADR Group companies solely for the purposes related to your request or other companies appointed to maintain the controller's information systems. The data may be communicated to the competent Public Authorities such as ENAC and Polizia di Stato-Polaria, in the exercise of their respective powers under the law, as autonomous data controllers. Your personal data will not be further communicated or disseminated.

1.9 RIGHTS OF DATA SUBJECTS
Finally, we would like to inform you that Articles 15-22 GDPR give data subjects the possibility of exercising specific rights, where the conditions are met; the data subject may obtain the following from the data controller: access, rectification, cancellation, restriction of processing. In the event that the aforementioned rights are exercised, the Data Controller reserves the right not to process the request if there are compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject. The above rights may be exercised by contacting ADR's Data Protection Officer (DPO) at dpo@adr.it. The contact details of the Data Protection Officer, and the forms for exercising the rights of data subjects are available at www.adr.it. This is without prejudice to the fact that the data subject has the right to lodge a complaint with the Data Protection Authority pursuant to Article 77 GDPR.
 

2. PRIVACY POLICY - AIRPORT DRIVING QUALIFICATION 'LICENCES’
Pursuant to Articles 13 and 14 of the European Regulation 2016/679 "GDPR", the following information is provided.

2.1 DATA CONTROLLER
Aeroporti di Roma S.p.A. with registered office in Via Pier Paolo Racchetti, 1 - 00054 Fiumicino (Rome), hereinafter also referred to as ‘ADR’ or the ‘Controller’.

2.2 DATA PROTECTION OFFICER
ADR has appointed a Data Protection Officer (DPO) who can be contacted at the following e-mail address: dpo@adr.it

2.3 TYPES OF DATA PROCESSED
The data processed by ADR include common data such as personal information in the application form and personal driving licence, as well as airport pass data. All requested data are to be considered mandatory. In addition, personal data relating to the airport licence may be processed as part of checks, controls, sanctions on airside traffic in accordance with applicable airport regulations.

2.4 PROCESSING METHOD
The data are processed in compliance with the regulations in force by means of IT and electronic tools, with logic strictly associated with the purposes specified, in order to guarantee the security and confidentiality of the data.

2.5 PURPOSE AND LEGAL BASIS OF PROCESSING
ADR S.p.A. will process your personal data, pursuant to Art. 6 par. 1 lett. c) GDPR to comply with a legal obligation on the holder laid down in the relevant legislation (Airport Regulations, EU Reg. 300/2008, EU Reg. 1998/2015) in order to manage issuance of airport driving qualification 'licences’. The provision of the data is necessary for the pursuit of the above-mentioned purpose; in the event of your refusal to provide the data, it will not be possible to provide the requested services. If the request is made on behalf of the data subject by a third party commissioned to initiate the membership practice/request, ADR collects the data from such parties pursuant to Article 14 GDPR. By taking note of this Information Notice, the person applying for the card on behalf of third parties (employees, suppliers, colleagues, etc.) declares: (i) to undertake to duly inform the person concerned about the communication of data to ADR for the request in question and to inform them of the content of this information notice (ii) to expressly indemnify ADR from any liability arising from the unlawful communication of said data.

2.6 DATA RETENTION PERIODS
Your Personal Data will only be kept for as long as necessary for the purposes for which it is collected in compliance with the principle of minimisation pursuant to Art. 5.1.c) GDPR. In particular, the data required for the issuance of the pass are retained for 10 years from the return of the pass, unless a further prescriptive period applies following disputes and/or litigation.

2.7 DATA TRANSFER OUTSIDE THE EU
Personal data are not subject to disclosure and/or communication to third parties located outside of the European Economic Area.

2.8 DATA RECIPIENTS
Only those within ADR S.p.A. who are entrusted with processing by the Data Controller and authorised to carry out processing operations in order to meet the purposes of the aforementioned activities may come into contact with the personal data provided. In addition, your data may be processed by the authorised officers of the ADR Group companies solely for the purposes related to your request or other companies appointed to maintain the controller's information systems. The data may be communicated to the competent Public Authorities such as ENAC and Polizia di Stato-Polaria, in the exercise of their respective powers under the law, as autonomous data controllers. Your personal data will not be further communicated or disseminated.

2.9 RIGHTS OF DATA SUBJECTS
Finally, we would like to inform you that Articles 15-22 GDPR give data subjects the possibility of exercising specific rights, where the conditions are met; the data subject may obtain the following from the data controller: access, rectification, cancellation, restriction of processing. In the event that the aforementioned rights are exercised, the Data Controller reserves the right not to process the request if there are compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject. The above rights may be exercised by contacting ADR's Data Protection Officer (DPO) at dpo@adr.it. The contact details of the Data Protection Officer, and the forms for exercising the rights of data subjects are available at www.adr.it. This is without prejudice to the fact that the data subject has the right to lodge a complaint with the Data Protection Authority pursuant to Article 77 GDPR.

3. PRIVACY POLICY - KNOWN SUPPLIERS FOR AIRPORT SUPPLIES
Pursuant to current legislation regarding privacy (European Regulation 2016/679 "GDPR" and Legislative Decree no. 196/03 and subsequent amendments and additions) the following information is provided:

3.1 DATA CONTROLLER
Aeroporti di Roma S.p.A. with registered office in Via Pier Paolo Racchetti, 1 - 00054 Fiumicino (Rome), hereinafter also referred to as ‘ADR’ or the ‘Controller’.

3.2 DATA PROTECTION OFFICER
ADR has appointed a Data Protection Officer (DPO) who can be contacted at the following e-mail address dpo@adr.it.

3.3 TYPE OF DATA PROCESSED
The data processed by ADR include personal information of employees or collaborators of the requesting company who will be authorised to access the restricted areas for airport supplies.     In particular, the requesting company will be asked for the first name, surname, identity document, tax code of its personnel, and further data necessary to process the request for the issuing of the deed for a known supplier of airport supplies. All requested data are to be considered mandatory. The granting of authorisation is subject to a positive outcome of the check by the Police Authorities, which will also process the data relating to the background check. These authorities acquire the data as autonomous data controllers and do not provide ADR with the reasons for any negative outcome of the check.

If your application is successful, further data will be processed by ADR concerning information relating to entry and exit to certain restricted airport areas to which you and the personnel in charge will be authorised.

3.4 PROCESSING METHOD
The data are processed in compliance with the regulations in force by means of IT and electronic tools, with logic strictly associated with the purposes specified, in order to guarantee the security and confidentiality of the data.

3.5 PURPOSE AND LEGAL BASIS OF PROCESSING
ADR S.p.A. will process your personal data, pursuant to Art. 6 par. 1 lett. c) GDPR to comply with a legal obligation on the holder laid down in the relevant legislation (Airport Regulations, EU Reg. 300/2008, EU Reg. 1998/2015) in order to authorised to access the restricted areas for airport supplies. The provision of the data is necessary for the pursuit of the above-mentioned purpose; in the event of your refusal to provide the data, it will not be possible to provide the requested services.

By acknowledging this Information Notice, the person making this request declares: (i) to undertake to duly inform the person concerned (employees, suppliers, colleagues, etc.) about the communication of data to ADR for the request in question and to inform them of the content of this information notice (ii) to expressly indemnify ADR from any liability arising from the unlawful communication of said data.

3.6 DATA RETENTION PERIODS
Personal Data will only be kept for as long as necessary for the purposes for which they are collected in compliance with the principle of minimisation ex art. 5.1.c) GDPR. In particular, the data required to process the designation/renewal validation file are retained for 10 years, unless a further prescriptive period applies following disputes and/or litigation.

3.7 DATA TRANSFER OUTSIDE THE EU
Personal data are not subject to disclosure and/or communication to third parties located outside of the European Economic Area.

3.8 DATA RECIPIENTS
Only those within ADR S.p.A. who are entrusted with processing by the Data Controller and authorised to carry out processing operations in order to meet the purposes of the aforementioned activities may come into contact with the personal data provided. In addition, the data may be processed by the authorised officers of the ADR Group companies solely for the purposes related to your request or other companies appointed to maintain the controller's information systems. The data may be communicated to the competent Public Authorities such as ENAC and Polizia di Stato-Polaria, in the exercise of their respective powers under the law, as autonomous data controllers. Your personal data will not be further communicated or disseminated.

3.9 RIGHTS OF DATA SUBJECTS
Finally, we would like to inform you that Articles 15-22 GDPR give data subjects the possibility of exercising specific rights, where the conditions are met; the data subject may obtain the following from the data controller: access, rectification, cancellation, restriction of processing. In the event that the aforementioned rights are exercised, the Data Controller reserves the right not to process the request if there are compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject. The above rights may be exercised by contacting ADR's Data Protection Officer (DPO) at dpo@adr.it. The contact details of the Data Protection Officer, and the forms for exercising the rights of data subjects are available at www.adr.it. This is without prejudice to the fact that the data subject has the right to lodge a complaint with the Data Protection Authority pursuant to Article 77 GDPR.

4. PRIVACY POLICY - STRENGTHENED BACKGROUND CHECK
Pursuant to EU Reg.  1583/2019 which amended EU Reg.  2015/1998 containing detailed provisions for the implementation of the common basic standards for aviation security, Aeroporti di Roma S.p.A. (hereinafter also referred to as ADR) transmits to the competent authorities the data of all persons1 who have System Administrator rights and/or unrestricted access to data and core technology and communication systems (hereinafter also referred to as data subjects) in order to enable the performance of the checks required by the applicable legislation.

a) Even if they work in companies that have a contractual relationship with ADR/ADR TEL for supply/service/maintenance activities related to ICT systems.

b) Personal data understood under the GDPR as: "any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity" (the "Data"). The GDPR defines special categories of personal data as those capable of revealing 'racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, [...] genetic data, biometric data intended to uniquely identify a natural person, data concerning a person's health or sex life or sexual orientation'.

These checks are carried out pursuant to EU Regulation 1583/2019, which lays down detailed provisions for the implementation of the common basic standards on aviation security, with regard to cyber security measures. With this information notice, ADR intends to provide you with information pursuant to Art. 13 EU Reg. 2016/679 (hereinafter referred to as the 'GDPR') concerning the processing of personal data in connection with the cyber-security check also referred to as an enhanced background check.

4.1 DATA CONTROLLER
Aeroporti di Roma S.p.A. with registered office in Via Pier Paolo Racchetti, 1 - 00054 Fiumicino (Rome), is the Data Controller ("the Controller").

4.2 THE DATA PROTECTION OFFICER
ADR has appointed a Data Protection Officer ('DPO' or 'Data Protection Officer') who can be contacted at the following e-mail address: dpo@adr.it.                   

4.3 TYPES AND METHODS OF PROCESSING 
In compliance with the principles sanctioned by the regulations in effect, the personal data2 subject to processing are those collected by ADR in order for the competent authorities to carry out the  "reinforced back-ground check" on the persons concerned (i.e. personal and contact data collected by means of the appropriate forms, data present on the identity document, types of duties carried out with reference to Aeroporti di Roma ICT systems, professional activities or studies carried out in the last 5 years Pursuant to Article 14 of the GDPR, the Data Controller also informs that some data may also be obtained from the data subject's employer.

The check is carried out by the competent police authorities who simply provide ADR with a positive and/or negative result. ADR does not receive any information from the supervisory authorities regarding any circumstances that have arisen in the course of the activities and/or the reasons for any negative outcome of the inspection.

The data are processed in compliance with the regulations in effect by means of computerised, telematic and manual tools with logic strictly related to the purposes indicated, so as to guarantee the security and confidentiality of the data.

4.4 PURPOSE AND LEGAL BASIS OF PROCESSING
The processing of personal data is carried out by Aeroporti di Roma S.p.A. exclusively for the purpose of enabling the above-mentioned cyber security checks (enhanced background check) to be carried out by the competent authorities in line with the provisions of the regulations applicable to ADR as airport operator.

The provision of data is necessary for the pursuit of the above-mentioned purpose; in the event of refusal to provide data, it is not possible to perform the task of System Administrator and/or access ADR's ICT systems.
The processing is necessary in accordance with Art. 6 par. 1 lett. c) GDPR for the performance of a legal obligation to which ADR is subject as an airport operator (i.e. aviation security regulations such as EU REG. 1583/2019 which amended EU Reg. 2015/1998 containing detailed provisions for the implementation of the common basic standards for aviation security).

4.5 DATA RECIPIENTS
Within ADR S.p.A., only the persons assigned to the processing by the Data Controller and authorised to carry out the processing operations within the scope of the aforementioned activities can become aware of the personal data supplied. The data will be communicated to the competent authorities - acting as autonomous data controllers - in fulfilment of legal obligations. Your personal data will not be further communicated or disseminated. The data may be processed by the competent Police Forces in fulfilment of legal obligations.

Your data may also be processed by the entities the Data Controller uses to maintain and manage the IT platforms used or the physical archives.

Under no circumstances will your personal data be disseminated.

4.6 DATA TRANSFER OUTSIDE THE EU
Data are not subject to disclosure and/or communication to third parties located outside of the European Economic Area.

4.7 DATA RETENTION PERIODS
Personal data will only be kept for the time necessary for the purposes for which they are collected and processed in compliance with the principle of minimisation pursuant to art. 5.1.c) GDPR, and in particular for a period of ten years from the termination of the supply/service/maintenance contractual relationship inherent to the ICT systems between ADR and the Company where the data subject works, except for any need for further retention of information in order to protect a right in court.

4.8 RIGHTS OF DATA SUBJECTS
Data subjects (i.e. the persons to whom the data refer) may, at any time, exercise the following rights vis-à-vis ADR, as data controller, as provided for in Art. 15 ff. GDPR: the right to access the data and, where applicable, the rights of rectification and restriction.

The above rights may be exercised by contacting the Data Protection Officer at the following e-mail address dpo@adr.it or by writing to the attention of the DPO at the following address: Via Pier Paolo Racchetti , 1 00054 Fiumicino (RM).

The data subject has the right to lodge a complaint directly with the Data Protection Authority pursuant to Article 77 GDPR.

4.9 CHANGES TO THE POLICY
The Controller reserves the right to amend and update this policy over time.

 

Date of document update: 21/12/2021