QPass privacy policy
 

Pursuant to current privacy legislation (European Regulation 2016/679 "GDPR" and Legislative Decree no. 196/03 and subsequent amendments and additions) the following policy is provided in relation to the use of the Q-Pass service through which the passenger can book online the time slot to access the security checkpoints at Fiumicino Airport.

1. DATA CONTROLLER
Aeroporti di Roma S.p.A. (ADR) with registered office at Via Pier Paolo Racchetti, 1 - 00054 Fiumicino (Rome).
 
2. DATA PROTECTION OFFICER
ADR has appointed a Data Protection Officer. The contact details of the Data Protection Officer are available at www.adr.it.

3. PURPOSE AND LEGAL BASIS OF THE PROCESSING
ADR will process personal data in order to allow the user to book a time slot for the subsequent access, by scanning their boarding pass, to the dedicated security checkpoints at Fiumicino airport (Q-Pass service).
The data entered will be processed for the purpose of providing the user with the requested service (Art. 6(1)(b) GDPR) and requesting feedback regarding the enjoyment of the service used.
The provision of data is necessary for the pursuit of the above-mentioned purpose; in the event of refusal to process the data, it will not be possible to provide the user with the requested service.
In addition, Aeroporti di Roma, may process personal data for marketing purposes, with prior express, free and specific consent of the user, pursuant to art. 6, paragraph 1, lett. a GDPR, to send newsletters, commercial information and surveys by e-mail from Aeroporti di Roma relating to discounts, promotions, airport news and institutional initiatives.
Failure to consent to processing will not allow marketing activities, but will in no way affect the data subject's ability to make use of the Q-Pass service.
 
4. TYPES OF DATA PROCESSED
The data processed by ADR includes common personal data such as the first and last names of passengers/accompanying persons entered in the online booking form, the e-mail address of the form filler and additional information such as flight number, flight date, airline company.
If the user enters personal data on behalf of someone else, he/she must ensure, in advance, that they have read this Privacy Policy.
By reading this policy, the person making the booking on behalf of other passengers declares:

• to undertake to duly inform the person concerned about the communication of their data to ADR for the request in question and to inform them of the contents of this policy;

• to expressly hold ADR harmless from any liability deriving from the unlawful communication of said data.

5. PROCESSING METHODS
The data are processed in compliance with the regulations in force by means of manual, IT and electronic tools, with logic strictly related to the above-mentioned purpose, so as to guarantee the security and confidentiality of the data.
It is understood that passengers using the Q-Pass service will have to scan their boarding pass according to the ordinary access procedures, for which please refer to the privacy policy on the processing of personal data in the context of security checkpoints https://www.adr.it/web/aeroporti-di-roma-en/privacy-security-control.
Appointment reservation via the Q-Pass service and the provision of personal data will allow passengers to automatically gain access with their boarding pass via the service's dedicated fast lane / Q-Pass entrance. Once the reservation has been made, in fact, the scanning of the QR code on the passenger's boarding pass will automatically be recognised as enabled for the Q-Pass service by the appropriate scanners.
The user will receive by e-mail a message confirming that the reservation has been made, containing, in addition, a unique and specific QR Code which, in the event of a malfunction in the reading of the boarding pass, will allow all passengers included in the reservation made to access security controls via the dedicated fast lane / Q-Pass entrance.
It will be possible, at any time, to modify, cancel or view the reservation using the appropriate link associated with the reservation ID, accessible from the confirmation e-mail received.
After using the service or in the event of non-use of the service, the user will receive a service e-mail allowing them to evaluate the Q-Pass service.
In the event of problems with the operation of the gate, passengers will still be able to access by the ordinary means.

6. DATA RETENTION PERIOD
Personal data relating to the booking and use of the service will only be kept for the time necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to Art. 5.1, letter c GDPR. In particular, the data entered for the Q-Pass service are retained from the time of booking and up to 72 h after the use of the service, after which they are deleted.
It is understood that personal data acquired for the access to boarding areas are stored in the ordinary manner in relation to which please refer to the privacy policy on the processing of personal data in the context of security checkpoints https://www.adr.it/web/aeroporti-di-roma-en/privacy-security-control.
With reference to promotional and marketing purposes, if the user voluntarily activates the receipt of content, personal data will be processed until consent is withdrawn and/or the right to object to processing (opt-out) is exercised in the manner set out in paragraph 9 below.
In any case, we will potentially refresh the consent given for that purpose in order to respect the user's choice.

7. DATA RECIPIENTS
Within ADR S.p.A., only the subjects appointed to process the data by the Data Controller and authorised to carry out the processing operations to meet the purposes set out in point 3 may become aware of the data provided.
Moreover, the data may only be processed by third party companies to which ADR entrusts specific activities and services connected to the management of the booking service.
In particular, the data may be processed by the subjects the Data Controller uses to maintain and manage the systems in their role as External Data Processors and the Sub-Processors they use. For a complete list of Data Processors and Sub-Processors, please contact the Data Controller at any time.
In addition, ADR makes use of cloud services in order to optimise the performance of the www.adr.it website. ADR has signed a special Enterprise Agreement with Amazon Web Service EMEA SARL (https://aws.amazon.com/), selecting sites available within the European Economic Area for storing its content. In any case, the supplier in question does not access users' personal data acquired on the website, limiting itself to using the information essential to provide and maintain the cloud services.
The data may be communicated to the competent public authorities in order to comply with legal obligations. In any case, your personal data will not be disseminated.
 
8. NON-EU DATA TRANSFER
Data will not be disclosed and/or communicated to third parties located outside of the European Economic Area.
 
9. RIGHTS OF THE DATA SUBJECTS
Lastly, please be informed that Articles 15-22 of the GDPR give data subjects the possibility to exercise specific rights under certain conditions; data subjects can obtain, from the Data Controller: access, rectification, deletion, limitation of processing, withdrawal of consent as well as the portability of data concerning them.
Data subjects also have the right to object to the processing. In the event that the right to object is exercised, the Data Controller reserves the right not to proceed with the request and, therefore, to continue the processing, in the event that there are compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedom of the data subject.
The aforementioned rights may be exercised by accessing your reservation which can be found in the e-mail received, or by withdrawing your consent to receive commercial and promotional information via the link available at the bottom of the e-mails received (opt-out), or by making a request addressed without formalities to the Data Protection Officer (DPO) at dpo@adr.it.
The data subjects right to file a complaint with the Italian Data Protection Authority pursuant to Article 77, GDPR remains unaffected.
 
The Data Controller reserves the right to update this policy.
 
Date of last update, October 2024