Star adventure privacy

Pursuant to the current privacy legislation (European Regulation 2016/679 “GDPR” and Legislative Decree No. 196/03 and subsequent amendments and additions), the following information is provided regarding the treasure hunt initiative dedicated to children departing from Fiumicino Airport, who will have the opportunity to receive the “Traveler’s Certificate.”

1. DATA CONTROLLER
Aeroporti di Roma S.p.A. (ADR) with registered office at Via Pier Paolo Racchetti 1 - 00054 Fiumicino (Rome).

2. DATA PROTECTION OFFICER
ADR has appointed a Data Protection Officer pursuant to Article 37 of the GDPR, who can be contacted at the following email address:dpo@adr.it.

3. TYPES OF DATA PROCESSED
In compliance with the principles established by current legislation, the personal data processed refer to the data entered in the participation request form for the “treasure hunt” initiative, including in particular the first and last name of the participating child and the parent’s email address, as well as additional information related to the child’s age and nationality.
The data are processed in compliance with applicable laws using IT, telematic, and manual tools with logics strictly connected to the purposes indicated, in a way that guarantees the security and confidentiality of the data.

4. PURPOSES AND LEGAL BASIS OF THE PROCESSING
ADR processes the data in order to provide the requested service (Article 6(1)(b) GDPR). The request will be made by the person holding parental responsibility or acting on behalf of a minor. The provision of data is necessary to achieve the above-mentioned purpose; refusal to provide data will make it impossible to provide the requested service.
Furthermore, ADR may process the email address for marketing purposes, subject to the user’s explicit, free, and specific consent for sending newsletters, commercial information, and surveys by Aeroporti di Roma regarding discounts, promotions, airport news, and institutional initiatives. The legal basis for this processing is the expressed consent (pursuant to Article 6(1)(a) GDPR).
Marketing communications may be carried out through automated contact methods (email).
Providing data for this purpose is optional; if consent is not given, no commercial or promotional communications will be received, but this will not affect the possibility of participating in the “treasure hunt” initiative. The data subject may withdraw consent (opt-out) at any time via the appropriate link accessible from the received emails, as well as by the methods described in section 9 below.

5. METHODS OF PROCESSING
Data are processed in compliance with applicable laws using IT and telematic tools, with logics strictly connected to the indicated purposes, ensuring the security and confidentiality of the data.

6. DATA RETENTION PERIOD
In compliance with the minimization principle under Article 5(1)(c) GDPR, data will be retained only for as long as necessary to achieve the purposes for which they were collected.
For commercial and promotional communications, where the user has voluntarily activated the reception of content, personal data will be processed as long as the user uses the services, unless consent is revoked or objection to processing (opt-out) occurs, as indicated in paragraph 9 below.
With specific regard to requests from authorities or to comply with legal obligations, or in case of safeguarding our rights in court, data will be retained for the time necessary to comply with such obligations or to protect our rights.

7. DATA RECIPIENTS
Within ADR, personal data may be accessed exclusively by persons authorized by the Data Controller to carry out processing operations for the activities described. Additionally, data may be processed by appointed third-party data processors who provide support for service delivery and/or IT system functioning.
Data may be disclosed to competent Public Authorities to comply with legal obligations.
In any case, data will not be subject to dissemination.

8. TRANSFER OF DATA OUTSIDE THE EEA
Data will not be disseminated and/or communicated to third parties located outside the European Economic Area (EEA).

9. RIGHTS OF DATA SUBJECTS
Data subjects may at any time exercise their rights towards ADR, as Data Controller, pursuant to Articles 15 et seq. GDPR, including the right of access to their data, rectification or integration if inaccurate, portability, deletion, and restriction of processing, where applicable.
Data subjects also have the right to object to processing. In case of objection, the Controller reserves the right not to comply with the request and continue processing where there are compelling legitimate grounds overriding the interests, rights, and freedoms of the data subject.
Regarding processing for marketing purposes, consent may be revoked without prejudice to the lawfulness of processing performed before the revocation.
At any time, the data subject may withdraw consent to receive commercial and promotional information via the link provided at the bottom of received emails (opt-out).
The above rights may be exercised by submitting a request to the Data Protection Officer (DPO) at the following email address: dpo@adr.it or by writing to the attention of the DPO at Via Pier Paolo Racchetti, 1 00054 Fiumicino (RM).
The data subject also has the right to lodge a complaint with the Data Protection Authority pursuant to Article 77 GDPR if deemed necessary to protect their rights.
The Data Controller reserves the right to update this notice.

Last update
June 2025