PRIVACY NOTICE PURSUANT TO ARTICLES 13 AND 14 OF EU REGULATION NO. 679/2016 (GDPR)
DATA CONTROLLER AND CONTACT INFORMATION
The Data Controller is Azienda Trasporti Milanesi S.p.A. (ATM), with registered office at Foro Buonaparte 61, 20121, Milan (MI), Italy. The Data Protection Officer (DPO), whom you may contact to exercise your rights concerning the protection of personal data and/or for further information regarding data protection, can be reached at the following email address: rpd@atm.it.
PURPOSES OF DATA PROCESSING AND LEGAL BASIS
The purposes for processing data in the event of registration with the ATM App are:
- a) Registration on the ATM App to access services relating to local public transport, including receipt of confirmation and summary emails regarding the purchase of transport passes or subscriptions;
- b) Sending newsletters about events, initiatives, services, activities, and partnerships of the ATM Group;
- c) Sending emails concerning traffic changes for specific lines, if selected by the user;
- d) Sending reminder emails regarding subscription or card expiration dates, if the card has been saved in the user’s personal area on atm.it;
- e) Requesting the initial issuance of a personalized digital electronic card; linking/replacing an existing personalized electronic card.
If the user does not register, the purposes of data processing are:
- f) Provision of geolocation services, third-party map services, and app activity tracking.
Geolocation services, if the user consents, are only active during use of the “ATM Milano” app.
Geolocation data is not stored by the ATM Group and is managed by third-party map providers:
The tracking service also allows users to choose whether the ATM App is permitted to track their activities, with the purpose of improving app functionality.
- g) Purchasing standard tickets using only the purchaser’s email address, solely for ticket delivery;
- h) Managing user navigation within the App.
Additionally, the Controller may process your data for the following purposes:
- i) Safeguarding the rights of the Controller, including, if necessary, in legal proceedings;
- j) Complying with legal obligations imposed on the Controller.
Legal basis for processing:
- For purposes a), e), g), and h), the legal basis is the performance of a contract to which the data subject is a party or actions taken at the data subject’s request prior to entering into a contract (Art. 6(1)(b) GDPR).
- For purposes b), c), d), and f), the legal basis is the data subject's freely given consent (Art. 6(1)(a) GDPR).
- For purpose i), the legal basis is the Controller’s legitimate interest in protecting its rights, including through legal proceedings if necessary (Art. 6(1)(f) GDPR).
- For purpose j), the legal basis is the necessity to comply with a legal obligation to which the Controller is subject (Art. 6(1)(c) GDPR).
PROVISION OF DATA
Failure to provide the necessary data for executing contractual or pre-contractual measures will make it impossible for the Controller to provide the requested service.
Failure to provide data for purposes requiring the user’s consent will not affect the use of the App; however, the user will not be able to receive the services that are based on consent, as listed above.
CATEGORIES OF DATA PROCESSED AND RECIPIENTS
The following categories of common personal data may be processed: identification data, contact information, browsing data, image, ID, data relating to actions performed by the user on the App (such as ticket or pass purchases), and geolocation data.
Personal data is processed by personnel authorized by the Controller and may be shared with third parties, duly appointed as processors where necessary, who are essential for the provision of the described services.
METHOD OF PROCESSING AND POSSIBLE DATA TRANSFER
Data is processed solely for the purposes mentioned above and in accordance with the principles of lawfulness, fairness, transparency, accuracy, integrity, and confidentiality as established by applicable law. The processing of personal data is carried out through automated and computerized procedures.
No transfer of personal data outside the European Economic Area is foreseen.
DATA RETENTION PERIOD
Collected data will be deleted within 10 years for tax and regulatory compliance, both in relation to users who made purchases via the app and users whose profiles have been inactive for 10 years.
- In the case of “guest” purchases (without registration) of standard tickets, the email address will be deleted 2 years after purchase.
- If the user wishes to unsubscribe from the newsletter but not from the website and/or App, they may do so independently via the unsubscribe link available at the end of the newsletter (or at the end of traffic-related emails for specific lines).
DATA SUBJECT RIGHTS
The Controller informs you that, within the limits set by the Regulation, you have the right to:
- obtain information and confirmation as to whether or not personal data concerning you are being processed, particularly regarding the type of data processed, the purposes of processing, the duration of processing, and the recipients of such data (“right of access”);
- obtain the rectification or completion of inaccurate personal data (“right to rectification”);
- obtain the erasure of personal data (“right to erasure” or “right to be forgotten”);
- request that the personal data may only be stored, without further use (“right to restriction of processing”);
- object at any time to the processing of your personal data, particularly for marketing and profiling purposes, where applicable (“right to object”);
- receive your personal data in a structured, commonly used, machine-readable, and interoperable format where the processing is carried out by automated means based on contract or consent, and/or transmit those data to another controller where feasible (“right to data portability”);
- withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
These rights may be exercised by sending a request to the dedicated email address rpd@atm.it or by written communication to the Controller’s address listed above.
RIGHT TO LODGE A COMPLAINT
If you believe that the processing of your personal data violates the Regulation, you have the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it), as provided by Article 77 of the Regulation, or to seek judicial remedy as provided by Article 79 of the Regulation.