Quick Links

Personal Data Protection Policy 


Azienda Trasporti Milanesi S.p.A. (ATM), in compliance with EU Regulation No. 679/2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, hereby intends to provide information on the methods of processing personal data and related rights regarding users of the website www.atm.it. This information does not concern other websites linked to ATM's website.

The Data Controller is Azienda Trasporti Milanesi S.p.A. (ATM), with registered office in Foro Buonaparte 61, 20121, Milan (Italy). The Data Protection Officer, whom you can contact to exercise your rights under art. 13 and/or for any clarifications regarding personal data protection, can be contacted at the following email address: rpd@atm.it.

PURPOSES OF THE PROCESSING (for detailed information about the processing click on the relevant link below)
The purposes of data processing by the ATM Group are to provide local public transport services, mobility services for urban and suburban areas and related services, specified as follows:

Tramway restaurant "Atmosfera”
Historic tram rental
Parking and car parks - Online subscriptions
Parking stop with number plate recognition
Parking stops - Exemptions
Regulated street parking
Vehicle removal and storage
Notification of sanctions management and collection
Site/app and newsletter subscription
Relations with customers and third parties
Large Customer Desk Reservations
Video surveillance
Staff selection
Card issue for TPL passes via site/app
Card issue for TPL passes at the phisical location
Reimbursement/replacement of tickets and reimbursement of TPL season passes
Z301 line seat reservation platform

ATM processes personal data if one of the following conditions is met (art. 6 of EU Regulation No. 679/2016):
• the data subject has given consent for one or more specific purposes;
• the processing is necessary for the performance of a contract or pre-contractual measures;
• the processing is necessary to fulfil a legal obligation to which the Controller is subject;
• the processing is necessary for the performance of a task in the public interest or for the exercise of public authority vested in the Controller;
• the processing is necessary to safeguard the vital interests of the data subject or of another natural person;
• the processing is necessary for the pursuit of legitimate interest by the Data Controller or third parties, unless the data subject’s interests or fundamental rights and freedoms prevail, which require personal data protection, in particular when the data subject is a minor.

Data processed are ordinary personal data. Personal data are processed by personnel authorized by the data controller and may be communicated to companies supplying goods and/or services related to the processing. The data pertaining to each specific processing instance are shown in the related information sheet.

The data are processed only for the purposes mentioned above and according to the principles of lawfulness, correctness, transparency, accuracy, integrity and confidentiality, established by the regulations in force. The  personal data management may also take place through automated and computerized processes. The personal data collected will not be transferred outside the European Economic Area. However, it is not possible to exclude a priori that, for some of the purposes, personal data may be transferred outside the European Economic Area, including through databases shared and managed by third companies. As part of the management of such databases, the data processing will be limited to the purposes for which the data was collected and will be carried out in compliance with the standards of confidentiality and security established by the personal data protection laws in force.

The data is stored for the time strictly necessary to achieve the purposes for which it was collected. The storage period specifically for each processing is indicated in the relevant information sheet.

All the rights of the data subject are guaranteed in accordance with the provisions of Articles 15, 16, 17, 18, 20, 21, 22 and 77 of the GDPR:
• right of access to your personal data and all information on the processing carried out;
• right to rectification of inaccurate personal data and integration of incomplete data;
• right to erasure (‘right to be forgotten’);
• right to limit the processing of your personal data;
• right to data portability;
• right to object to the processing of your personal data;
• right not to be subject to a decision based solely on automated processing;
• right to lodge a complaint with the Italian Data Protection Authority in case a violation is thought to have been carried out.

In the case of minors under 16 years of age, or in any case under the age established by current legislation, the rights specified above may be exercised by individuals having parental authority.


Processing methods and Cookies
Cookies are text files containing small amounts of information that are downloaded to the user's device, if enabled, when browsing the Azienda Trasporti Milanesi S.p.A. website and mobile app ATM Milano official app.
No personal data is acquired by the site unless knowingly provided by the user.
ATM Group doesn’t use cookies to pass on natural person information, although cookies are used in an aggregate way, not in order to identifythe website visitors, nor to monitor customers’ browsing habits. In this field, ATM Group web activities are focused only  to improve the service offered and to make browsing on the site more secure and efficient.
Azienda Trasporti Milanesi S.p.A. uses "cookies" in order to provide the website’s visitors with contextualised information and to obtain access statistics (using the Google Analytics service) https://support.google.com/analytics/answer/6004245?hl=en

The site uses cookies in accordance with the following purposes and classification:

System cookies
These cookies allow the user to browse the site and use its functions, for example, to access the sites and ATM Milano official app secure areas. Without these cookies, it will not always be possible to provide the authentication and correct functioning of the website.
These cookies are not defined by Azienda Trasporti Milanesi S.p.A.; rather they are generated and used automatically by the software platforms used.
Nevertheless, they are intended for the purpose of general functioning and do not have any effect on the protection of the user's personal data.

Cookies for performance and browsing analysis statistics
Azienda Trasporti Milanesi S.p.A. uses the Google Analytics statistics platform and incorporates its cookies and access methods.
This analytical tool collects the standard log information used on the Internet and anonymous information on the visitor's browsing behaviour.
Should you wish not to choose be analyzed by Google Analytics on all websites, visit https://tools.google.com/dlpage/gaoptout, and follow Google's instructions.

Technical Cookies
The cookies used are considered technical, also called "session" or "temporary", which help the user browse the site and remember the choices made during the session. They are deactivated as soon as you leave the site via the log out procedure or after a period of inactivity. Profiling cookies are not used.

Registering to the site and creating an account
When registering to the ATM Group website services, the user must create a personal account from the registration page. To do this, the user must enter some basic personal data, a user ID (e-mail) and a password.
The user is responsible for the correctness and truthfulness of the information, as well as the safe custody of access credentials and the website activities attributable to their identity.

How to delete your profile
To delete your ATM profile it is necessary to enter your personal area and, in the "Profile section", click on the "Delete profile" button (at the bottom of the page).

Location services and third part map services
The location access is not mandatory and can be refused by the user letting him free to use all the ATM Milano app's functions. The location services, when allowed by the user, are active only when the app is active. The locations are not stored by ATM Group and are managed by the following maps services:
- Google for Android (read their policy https://policies.google.com/privacy?hl=en&gl=ZZ)
- Apple for iOs (read their policy https://www.apple.com/uk/privacy/)
- Windows for Windows (read their policy https://privacy.microsoft.com/)