Privacy security checkpoints

Personal data are processed for the following purposes:

• to verify the validity of the travel ticket in compliance with the applicable regulations and to allow passengers to enter the boarding areas;

• to manage passenger security at the airport and optimise boarding operations in compliance with industry regulations;

• to comply with the legal regulations applicable to ADR in its capacity as airport operator;

• for related administrative purposes.

The legal basis for the Controller to process personal data is – pursuant to Art. 6(c) GDPR – the compliance with legal obligations, in particular:

• the compliance with obligations imposed by airport security regulations (including Ministerial Decree 85/99, Regulation 300/2008/EC and Regulation (EU) 2015/1998, and the National Security Plan);

• the compliance with legal obligations regarding invoicing and bookkeeping.

Refusal by passengers to provide their data by presenting their travel ticket shall prevent them from entering the boarding areas.

4. PROCESSING METHODS AND TYPES OF DATA PROCESSED

Aeroporti di Roma processes the following categories of common personal data of passengers:

• data on the boarding card scanned at the security checkpoint using special scanners (so called PAXTRACK);

• data relating to the purchase and use of the 'fast track' service which gives priority access to boarding areas;

• security checkpoint data (i.e. date and time of access);

• data relating to the passenger's hand baggage and checked baggage that are subject to the checks required by the relevant regulations and in accordance with industry best practices;

• data collected during further security checks, including through the use of metal detectors, body scanners (where used) and X-ray machines for baggage screening.

Data are processed using computerised, telematic and manual tools, with logics strictly related with the aforementioned purposes and, in any case, in such a way as to guarantee the protection, confidentiality and security of the data and with tools designed to guarantee access only to persons authorised to carry out the processing operations at the aforementioned activities.
In particular:        

1. travel tickets are checked at the gates using special palmtops or automated gates that collect – by reading the code – the personal data of passengers about to board (for example, name, surname, carrier, flight date and time, ticket class) shown on the boarding card as well as the date and time of passage. This data is recorded in a special database of the Controller;

2. in addition to that outlined in section a) above, in the event of the passenger using the 'fast track’ service, passage data are recorded for administrative and billing purposes, including for the purpose of billing the cost of passage to the airline used by the passenger, where applicable/required;

3. passenger access to boarding areas (sterile or airside areas) is subject to security checks at the appropriate checkpoints – manned by employees of the ADR Security company and/or companies acting on its behalf – and equipped with metal detectors and other security equipment;

4. within the scope of security checks – carried out by ADR Security in its capacity as Data Processor and/or companies acting on its behalf – further personal information referring to passengers may be processed following the manual inspection required in order to guarantee security for access to so called sterile areas including via the metal detector, the Body Scanner system (where used) and the X-ray machines for screening hand baggage and checked baggage. Baggage is subjected to X-ray screening in accordance with industry regulations. ADR proceeds - as part of the security checks carried out in accordance with the applicable regulations and the provisions of the National Civil Aviation Authority, ENAC - to detain objects not allowed in the cabin (so-called O.N.A.C.) and their subsequent disposal. For the purposes of this procedure, the following data are recorded on the "Detection of objects not allowed in the cabin" form for control traceability and statistics purposes: Object description, Quantity, Person/Entity that carried out the baggage check, Flight, Destination, Passenger name. In the event of anomalies – and in accordance with the law – the competent authorities/police forces are alerted for the relevant procedures in the presence of the passenger. For baggage image control, APIDS (Automatic Prohibited Items Detection System) solutions can be used on the machines in use to provide support to security agents, via artificial intelligence algorithms, in identifying prohibited items;

5. pursuant to the Fiumicino and Ciampino Airport Regulations, ADR, in its capacity as airport operator, receives from the carriers operating at the airports special messaging on checked baggage during departure, transit and redelivery, also in accordance with the provisions of IATA Resolution 753, which provides for the implementation of tracking mechanisms for all baggage. The systems at Fiumicino airport allow ADR – within the processes of baggage loading, sorting, reconciliation and redelivery to passengers – to access the information referred to on the baggage label generated by the reference airline/handler during boarding at the airport of departure, such as: name, surname, flight, date of flight, destination, receipt number. Baggage is registered in the international WorldTracer system. This allows - in the event of potential baggage search requests by the passenger - unlabelled baggage to be traced back to the passenger.

For Fiumicino Airport, ADR makes available on the airport systems – limited to the timeframe of the flight boarding – the consultation of the data on passage through security (i.e. time) of passengers on a given flight to the Handler of that flight, in order to guarantee the optimal management of airside flows and optimise boarding operations. The Handlers act as data processors and are appointed by ADR pursuant to Art. 28, GDPR. For their own flights, self-handling carriers have access to the same information, in their capacity as autonomous data controllers. 

5. DATA RETENTION PERIODS

Personal data are only stored for as long as necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to Art. 5.1(c) GDPR. See the following table for details.

In the event of accidents, interventions to restore security, audits, inspections and/or requests by public authorities/police forces and/or the initiation of legal proceedings, data may be stored, within the limits of the law, for a longer period of time than indicated.

6. DATA RECIPIENTS

Within ADR S.p.A., the personal data you have provided shall be disclosed only to those persons entrusted with the processing by the Data Controller and authorised to carry out processing operations as part of the aforementioned activities.
For the pursuit of the above-mentioned purposes, personal data may be processed by the following categories of recipients:

• Companies that ADR uses to carry out security checks, including ADR Security, specifically appointed as data processor pursuant to Article 28, GDPR and any external companies that ADR Security uses that act as sub-processors pursuant to Article 28, GDPR;

• IT service providers, suppliers providing management and maintenance services for servers and databases, manufacturers and suppliers of maintenance services for machines, technologies and systems used in the context of security checks, who may act in various capacities as data processors/sub-processors pursuant to Article 28, GDPR or as autonomous data controllers;

• Third parties, such as operators managing passenger boarding operations (airlines as autonomous data controllers and handlers as data processors) – already in possession of the data contained in the travel ticket/boarding card – to whom the information on passage through security is made available as described above;

• Public Authorities/Police Forces, as autonomous data controllers acting under the applicable legislation. 

In any event, your personal data shall not be disseminated.

7. TRANSFER OF PERSONAL DATA

Personal data are managed and stored on servers of the Data Controller and/or third-party companies appointed as Data Processors. The servers on which personal data are stored are located in Italy and within the European Union. Personal data shall not be disseminated and/or disclosed to third parties located outside the European Economic Area.
It is in any case understood that the Data Controller – should it become necessary – shall have the right to move the location of the archives and servers in Italy and/or the European Union and/or to countries outside the EU. In this case, the Data Controller hereby ensures that the transfer of data outside the EU shall take place in accordance with Chapter V of the GDPR and the relevant measures adopted by the competent authorities.

8. RIGHTS OF DATA SUBJECTS AND THEIR EXERCISE

Finally, we hereby inform you that Articles 15-22 GDPR grant data subjects specific rights that can be exercised under certain conditions; data subjects may obtain from the Data Controller: access, rectification, erasure, restriction of processing and portability of data concerning them.
Data subjects also have the right to object to the processing. In the event that the right to object is exercised, the Data Controller reserves the right not to comply with the request, and thus to continue processing, if there are compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject.

The above rights may be exercised by making an informal request to the company's Data Protection Officer at the following address: dpo@adr.it. The contact details of the Data Protection Officer can be found at https://www.adr.it/web/aeroporti-di-roma-en/
This is without prejudice to the data subject's right to to file a complaint with the Italian Data Protection Authority pursuant to Article 77, GDPR.

9. CHANGES AND UPDATES

The Data Controller reserves the right to change and update this privacy policy over time.

last updated January 2024