ChatBot Privacy Policy 

Pursuant to Articles 13 and 14 of European Regulation 2016/679 (“GDPR”) the following policy is provided in relation to the automatic messaging service (CHATBOT) on the site https://www.adr.it/web/aeroporti-di-roma-en/ (hereinafter also defined as the “Service”). The Service is provided through AIRPORT A.I. Please refer to the limitations contained in the legal notices https://www.adr.it/web/aeroporti-di-roma-en/azn-copyright.

1. DATA CONTROLLER

Aeroporti di Roma S.p.A. (hereinafter also defined as “ADR” or “the Controller”) with registered office in via Pier Paolo Racchetti 1 - 00054 Fiumicino (Rome).

2. DATA PROTECTION OFFICER

ADR has appointed a Data Protection Officer. The contact details of the Data Protection Officer can be found at https://www.adr.it/web/aeroporti-di-roma-en/

3. TYPES OF DATA PROCESSED, PURPOSES AND LEGAL BASIS OF THE PROCESSING

This policy concerns the personal data[1] processing activities carried out for the purposes of allowing the user to make use of the Service in order to respond to requests made by the user in accordance with Article 6, letter b, GDPR (i.e. request for information on flights, services at the airport, parking, etc.). The request for information can be made by the user using the appropriate buttons on the main menu, by sending a message and/or recording a voice note with his/her voice through his/her device and then sending it. It should be noted that the operating logic of the Service does not require the user to identify him/herself and/or to enter personal data by means of chat or by recording and sending a voice note. The personal information voluntarily entered by the user is not processed by the CHATBOT in order to formulate automatic replies, but is only recorded on the system in use. There are no cookies and/or other tracking tools that allow tracing the user and the information about him/her (including, date and time of the flight for which the user requests information or activates notifications, language used, rating assigned by the user to the quality of the Chatbot Service, etc.). Chat/conversation contents are visualised by ADR on the system in use.
If push notifications are activated to receive flight updates via Meta's Facebook Messenger, the data are processed autonomously by the latter (please refer to the policies of the operator of such instant messaging platform). In this case, through the system in use ADR does not visualise the data relating to the Meta account used by the user (e.g. name and surname) but only the contents of the chats/conversations.
The Service does not ask the user to transmit information relating to special categories of data, such as data relating to one's state of health, sexual orientation, political opinions, etc. The user is kindly requested not to enter this information in the chat. Any entries of such data made freely and unconditionally (based on free consent art. 6.1, letter a), GDPR and pursuant to art. 9.1, letter a) GDPR) and for purposes in line with the user's expectations will not be processed by ADR but will follow the aforementioned processing logic.

4. PROCESSING METHODS

Data are processed in compliance with the regulations in force by means of IT and electronic tools, with logic strictly associated with the purpose above mentioned, in order to guarantee the security and confidentiality of the data.

5. DATA RETENTION PERIODS

Notwithstanding the fact that - as represented in point 3 of this policy - the activation of the Service may not result in the processing of personal data, any personal data processed will be kept only for the time necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to Article 5.1, letter c) GDPR.
The content of the chats is kept for 5 years after the messages are received. After this period, ADR retains only anonymous and aggregated information for the purpose of carrying out statistical analysis on the use of the Service.

6. DATA RECIPIENTS

Within ADR S.p.A., only the persons appointed for processing by the Data Controller and authorised to carry out the processing operations on the aforementioned activities may become aware of the personal data provided by the user.
In addition, the data may be processed by the supplier Airport AI, which ADR uses to provide the Service as a data processor pursuant to Article 28, GDPR.
If push notifications are activated to receive flight updates via Meta's Facebook Messenger, the data are processed autonomously by Meta (please refer to the policies of the operator of that instant messaging platform).
Furthermore, ADR makes use of cloud services in order to optimise the performance of the www.adr.it site. ADR has signed a special Enterprise Agreement with Amazon Web Service EMEA SARL (https://aws.amazon.com/), selecting sites available within the European Economic Area for storing its content. In any case, the supplier in question does not access the personal data of users acquired on the ADR site/app, limiting itself to using the essential information to deliver and keep active the cloud services.
Data may be communicated to the competent Public Authorities in fulfilment of legal obligations.

7. DATA TRANSFER OUTSIDE THE EU

Data will not be disclosed and/or communicated to third parties located outside the European Economic Area (EEA).

8. RIGHTS OF THE DATA SUBJECTS

Lastly, please be informed that articles 15-22 of the GDPR give data subjects the possibility to exercise specific rights under certain conditions; data subjects can obtain, from the Data Controller: access, rectification, erasure, restriction of processing, as well as the portability of data concerning them.
Data subjects also have the right to object to the processing. In the event that the right to object is exercised, the Data Controller reserves the right not to proceed with the request and, therefore, to continue the processing, in the event that there are compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedom of the data subject.
The aforementioned rights may be exercised by making a request addressed without formalities to the Data Protection Officer (DPO) at dpo@adr.it.
The data subjects right to file a complaint with the Italian Data Protection Authority pursuant to Article 77, GDPR remains unaffected.
The Data Controller reserves the right to update this policy.

Date of last update
April 2024