Pursuant to current privacy legislation (European Regulation 2016/679 "GDPR" and Legislative Decree No. 196/03 and subsequent amendments and additions) the following information is provided on the methods of use of personal data acquired in the context of security controls carried out at the "Leonardo da Vinci" airports of Fiumicino and "Giovan Battista Pastine" of Ciampino.

1. DATA CONTROLLER
 

Aeroporti di Roma S.p.A. with headquarters in via Pier Paolo Racchetti, 1- 00054 Fiumicino (Rome).
 

2. FINALITY AND LEGAL BASIS OF THE PROCESSING

Personal data are processed for the following purposes:
 

to verify the validity of the travel document in compliance with the regulations dictated in the matter and to allow passengers access to the boarding areas;
to manage the safety of passengers inside the airport and optimize boarding operations;
for compliance with the laws applicable to the airport manager;
for administrative related purposes.

 

The legal basis that allows the Data Controller to process personal data are:
 

the fulfillment of the obligations imposed by airport security regulations (DM 85/99, EC Regulation 300/2008 and EU Regulation 2015/1998, and the National Security Plan);
the fulfillment of legal obligations regarding invoicing and book-keeping.

 

The refusal to provide data by presenting the travel documents prevents the passenger from accessing to the boarding area.
 

3. PROCESSING METHODS AND TYPES OF DATA PROCESSED

3.1 Types of data processed

Aeroporti di Roma processes the following data of passengers:

Data on the boarding card detected at the security gate (Pax Track);
Data relating to the use of the “Fast Track” service;
Data about the passengers transit from security gates (i.e. transit time);
Data detected by the metal detector and body scanner (when used).

 3.2  Methods for the data processing

Data processing is carried out using IT, telematics and manual tools. The aforementioned processing is performed with logics strictly related to the above purposes in order to guarantee the protection, confidentiality and security of data and with tools designed to guarantee access only to authorized persons.

More in particular:
a) travel document control is carried out at the appropriate gates through the use of PDAs or automated gates that collect the personal data of embarking passengers (such as name, surname, carrier, date and time flight, ticket class, transit time) present in the boarding pass. These data are recorded in a dedicated database of the Data Controller and / or third party companies appointed as Data Processors for operational purposes.
b) In addition to what was said in the previous point a), in case of use of the "Fast track" service, the passing data are recorded for administrative purposes and also with the purpose of invoicing the cost of the passage to the passenger's reference airline.
c) Access to the boarding areas (sterile areas or Air Side) by passengers is subject to security controls at the appropriate gates manned by ADR Security personnel and equipped with metal detectors and other safety equipment.
d) As part of the security controls - carried out by ADR Security as Data Processor - additional personal information regarding the passenger, can be treated following a hand search necessary to ensure a compliant access (in terms of security) to sterile areas and also through the metal detector or the system called "Body Scanner" (when used). Any personal data acquired during these controls are not recorded in computerized or paper databases.

 

4. DATA RETENTION

Data Type	Retention Time
Boarding Pass data took at the security gate	48 hours
“Fast Track” service data	4 months
Security Check data	48 hours
Metal detector or body scanner data	Not Stored
Hand search data	Not Stored

 

In the event of accidents, interventions to restore safety, investigations or inspections by Public Authorities or legal proceedings, data may be stored for a longer period of time than indicated.

 

5. DATA RECIPIENTS
 
To pursue the aforementioned purposes it may be necessary for the Data Controller to communicate the personal data of passengers to the following categories of recipients:
a) Society of the group headed by Aeroporti di Roma S.p.A. ("ADR Group");
b) Any IT service provider to the ADR Group companies whose business involves the processing of passengers' personal data;
c) Third parties, such as operators that manage passenger boarding operations (airlines and handlers) - already in possession of the data contained in the ticket / boarding pass - to which passengers information are made available when passing through security gates;
d) Authority following a formal request and in compliance with legal obligations (for example, judicial, administrative, public safety and air transport, etc ...).
 
The companies of the ADR Group and the third parties to whom personal data may be communicated act as follows: 1) Data Controllers, that are the subjects that determine the purposes and means of the processing of personal data; 2) Data Processors, that are the subjects who process personal data on behalf of the Controller; 3) Sub-Processors, that are the subjects that perform services for the Processor.
 
In any case, your personal data will not be disclosed.
 

6. TRANSFERS OF PERSONAL DATA

The management and retention of data takes place on the server of the data controller and / or third party companies appointed as data processors. The servers on which the data are stored are located in Italy and within the European Union. Personal Data are not transferred outside the European Union.
In any case, it is understood that the Data Controller, if necessary, will have the right to move the location of the archives and servers in Italy and / or in the European Union and / or in non-EU countries. In this case, the Data Controller ensures that the extra-EU data transfer will take place in compliance with the applicable legal provisions, stipulating, if necessary, agreements that guarantee an adequate level of protection and / or adopting the standard contractual clauses provided for by the European Commission.

 

7. RIGHTS OF THE DATA SUBJECTS AND THEIR EXERCISE

We inform you that the articles 15-22 GDPR give data subjects the opportunity to exercise specific rights; the data subjects can obtain from the Data Controller: access, rectification, cancellation, limitation of the processing.

The abovementioned rights may be exercised with an informal request to the Company's Data Protection Officer at the following address dpo@adr.it. The contact details of the Data Protection Officer are available on www.adr.it.

The deadline for responding to the data subjects is thirty days, extendable for a further two months in particularly complex cases; in these cases, the Data Controller provides at least a communication to the data subject within the term of thirty days.

8. CHANGES TO THIS INFORMATION

The Data Controller reserves the right to modify and update this information over time.