Video surveillance

Video surveillance at the airport. Privacy aspects for the protection of passengers

Pursuant to current privacy regulations (European Regulation 2016/679 "GDPR" and Legislative Decree No.  196/03 and subsequent amendments and additions) the following information is provided regarding the processing of personal data collected through video surveillance systems present at the "Leonardo da Vinci" Fiumicino and "Giovan Battista Pastine" Ciampino Airports.

1.    DATA CONTROLLER 
Aeroporti di Roma S.p.A. with headquarters at Via Pier Paolo Racchetti, 1 - 00054 Fiumicino (Rome) (hereinafter also ADR) is the Autonomous Data Controller with regard to data processed through the video surveillance systems installed at Fiumicino and Ciampino airports. 
The video surveillance systems have been installed by ADR in accordance with current airport security regulations (such as, for example, EU Regulation 1998/2015 as amended, EU Regulation 300/2008 as amended, National Civil Aviation Security Program). 
Some of these systems are installed at the request of state agencies/police forces, for the purpose of protecting public safety and maintaining order, as well as for the purpose of preventing terrorism and acts of unlawful interference with air transportation. With regard to these facilities, State Entities act as autonomous controllers of personal data under the applicable regulations. 
ADR also uses video surveillance systems for its own security, operational and corporate asset protection purposes as an airport operator. The data collected through the latter facilities is processed by ADR as an autonomous Data Controller, however the manner of processing is limited to instant viewing only. 
The video surveillance systems are spanned across multiple facilities located at different airport areas and consist of more than 4,000 cameras, designed to ensure the most complete security and the highest standard of monitoring. 
                                   
2.     DATA PROTECTION OFFICER 
ADR has appointed a Data Protection Officer ("DPO" or "Data Protection Officer") who can be contacted at the following email address: dpo@adr.it   

3.    TYPE OF DATA PROCESSED
The personal data  processed by ADR S.p.A. consists of images taken through video surveillance systems that are viewed by operators in instant/live display. 
Images may also refer to specific data categories  under Art. 9 GDPR. 
 
4.    PURPOSE AND LEGAL BASIS OF PROCESSING
The data collected are processed through video surveillance systems within the airport areas and parking facilities at Fiumicino and Ciampino airports by the ADR Data Controller for purposes of protection and integrity of corporate assets, airport safety and security, and logistical and operational purposes related to applicable regulatory provisions. 
The legal bases for processing are: 
• Art. 6, p.1 letter e., GDPR - legitimate interest
The processing operations in question are necessary for the pursuit of a legitimate interest of ADR, justified by reason of the obligations to which this entity is bound as airport operator.

• Art. 6, p.1 letter c., GDPR legal obligation 
In relation to the security purpose, the applicable regulations stipulate that ADR - as airport operator - must ensure that public areas and terminal areas reserved for passengers are equipped with electronic monitoring systems as an aid to security activities. 
In order to fulfil a legal obligation, referred to in Art. 6, p.1 letter c., GDPR related to the applicable legislation on facilities for public use, there are also: 
• Camera systems inside public lifts that are activated on call in the event of an emergency, putting the user in contact with the technical facilities. These cameras only allow for the live connection of images and audio and are not subject to recording; 
• Camera systems in the vicinity of escalators and escalator conveyors are also subject to video surveillance, in order to allow the system to be restarted (tele-restart in the event of a system blockage) that further allow ADR to retrieve images in the event of an accident/adverse event. 
The images are connected to the police forces operating as autonomous controllers. 

5.    PROCESSING METHOD
The data are processed in compliance with the regulations in effect by means of computerised and telematic tools, with procedures strictly related to the indicated purposes, so as to guarantee the security and confidentiality of the data.
 
6.    DATA RECIPIENTS
The data collected through the video surveillance systems are only processed by ADR's authorised operators for the exclusive pursuit of the purposes and obligations of ADR as airport operator.
In line with applicable legislation, the data may be made available to State/Police Forces and Public Authorities and in order to fulfil legal obligations. 
They also access a live image display: 

• ADR Security S.r.l., an ADR Group company that provides airport security monitoring services for ADR at Fiumicino and Ciampino airports, specifically appointed as External Data Processor pursuant to Article 28, GDPR; 
• ADR Mobility S.r.l., an ADR Group company that manages the areas designated for parking vehicles and motorbikes, whose operators access live images collected by the cameras in the parking areas of Fiumicino and Ciampino airports, for the purposes of asset protection and facility management.  ADR Mobility has been specially appointed as external data processor pursuant to Article 28, GDPR. 

The table below shows the data recipients for each type of camera system/installation. 
Within the scope of the processing activities carried out by ADR, only designated persons authorised to process the data will have access to the images. Under no circumstances will personal data be disclosed.
Finally, specialised providers of technical, IT and maintenance services appointed as Data Processors, pursuant to Article 28 of the GDPR, may have access to the data. 
 
7.    PRESERVATION TIMES
The camera images are displayed by ADR in live mode only, with the possibility of displaying the images of the previous 24 hours authorised by the competent bodies for operational purposes. 
The systems store images for access solely by State Entities/Police Forces for a 7-day history. Therefore, in the 7 days following collection, the images remain fort the exclusive availability of State Bodies/Police Forces.
The table below shows the retention times for each type of facility/system, as well as the subjects accessing the images.

8.    DATA TRANSFER OUTSIDE THE EU
Personal data will not be disclosed and/or communicated to third parties located outside the European Economic Area.
 
9.    RIGHTS OF THE DATA SUBJECTS
Finally, we would like to inform you that those affected by the personal data processing activities referred to in this notice may exercise their rights under  EU Reg. 2016/679 (GDPR): 

• The right of access under Art. 15 exclusively where the prerequisites are met and insofar as the exercise of this right does not infringe the rights and freedoms of other subjects (as indicated by the European Data Protection Board Guidelines of 29 January 2020 on the processing of personal data by video devices). This is without prejudice to the fact that in cases where the images are subject to exclusive availability by the State/Police Forces (see table below), ADR, as it is not in possession of the images, is not in a position to comply with any requests made by the person concerned.
• The right to object under Art. 21. In the event that the right to object is exercised, the Data Controller reserves the right not to proceed with the request and, therefore, to continue the processing, in the event that there are compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedom of the data subject.

The above rights may be exercised with a request sent without formalities to the Data Protection Officer (DPO) at dpo@adr.it. Further information on how to contact the Data Protection Officer is available at link. 
In the event that the Controller refuses to comply with your request, the reasons for the refusal will be provided. 
The right to lodge a complaint directly with the Supervisory Authority as provided for in Article 77 GDPR remains unaffected.
 
10.    AMENDMENTS AND UPDATES
The Data Controller reserves the right to amend/update this information. 

Last Update May 2022