Quick Links

Personal Data Protection Policy 

INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 OF EU REGULATION NO. 679/2016

Azienda Trasporti Milanesi S.p.A. (ATM), in compliance with EU Regulation No. 679/2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, hereby intends to provide information on the methods of processing personal data and related rights regarding users of the website www.atm.it. This information does not concern other websites linked to ATM's website.

DATA CONTROLLER AND CONTACTS
The Data Controller is Azienda Trasporti Milanesi S.p.A. (ATM), with registered office in Foro Buonaparte 61, 20121, Milan (Italy). The Data Protection Officer, whom you can contact to exercise your rights under art. 13 and/or for any clarifications regarding personal data protection, can be contacted at the following email address: rpd@atm.it.

PURPOSES OF THE PROCESSING (for detailed information about the processing click on the relevant link below)
The purposes of data processing by the ATM Group are to provide local public transport services, mobility services for urban and suburban areas and related services, specified as follows:

Tramway restaurant "Atmosfera”
Historic tram rental
Parking and car parks - Online subscriptions
Parking stop with number plate recognition
Parking stops - Exemptions
Regulated street parking
Vehicle removal and storage
Notification of sanctions management and collection
Site/app and newsletter subscription
Relations with customers and third parties
Large Customer Desk Reservations
Video surveillance
Staff selection
Card issue for TPL passes via site/app
Card issue for TPL passes at the phisical location
Reimbursement/replacement of tickets and reimbursement of TPL season passes
Z301 line seat reservation platform

LEGAL BASIS OF THE PROCESSING
ATM processes personal data if one of the following conditions is met (art. 6 of EU Regulation No. 679/2016):
• the data subject has given consent for one or more specific purposes;
• the processing is necessary for the performance of a contract or pre-contractual measures;
• the processing is necessary to fulfil a legal obligation to which the Controller is subject;
• the processing is necessary for the performance of a task in the public interest or for the exercise of public authority vested in the Controller;
• the processing is necessary to safeguard the vital interests of the data subject or of another natural person;
• the processing is necessary for the pursuit of legitimate interest by the Data Controller or third parties, unless the data subject’s interests or fundamental rights and freedoms prevail, which require personal data protection, in particular when the data subject is a minor.

CATEGORIES OF DATA PROCESSED AND RECIPIENTS
Data processed are ordinary personal data. Personal data are processed by personnel authorized by the data controller and may be communicated to companies supplying goods and/or services related to the processing. The data pertaining to each specific processing instance are shown in the related information sheet.

PROCESSING METHODS AND POSSIBLE DATA TRANSFER
The data are processed only for the purposes mentioned above and according to the principles of lawfulness, correctness, transparency, accuracy, integrity and confidentiality, established by the regulations in force. The  personal data management may also take place through automated and computerized processes. The personal data collected will not be transferred outside the European Economic Area. However, it is not possible to exclude a priori that, for some of the purposes, personal data may be transferred outside the European Economic Area, including through databases shared and managed by third companies. As part of the management of such databases, the data processing will be limited to the purposes for which the data was collected and will be carried out in compliance with the standards of confidentiality and security established by the personal data protection laws in force.

DATA RETENTION PERIOD
The data is stored for the time strictly necessary to achieve the purposes for which it was collected. The storage period specifically for each processing is indicated in the relevant information sheet.

DATA SUBJECT RIGHTS
All the rights of the data subject are guaranteed in accordance with the provisions of Articles 15, 16, 17, 18, 20, 21, 22 and 77 of the GDPR:
• right of access to your personal data and all information on the processing carried out;
• right to rectification of inaccurate personal data and integration of incomplete data;
• right to erasure (‘right to be forgotten’);
• right to limit the processing of your personal data;
• right to data portability;
• right to object to the processing of your personal data;
• right not to be subject to a decision based solely on automated processing;
• right to lodge a complaint with the Italian Data Protection Authority in case a violation is thought to have been carried out.

In the case of minors under 16 years of age, or in any case under the age established by current legislation, the rights specified above may be exercised by individuals having parental authority.

COMMUNICATION RELATING TO COMPUTER SYSTEMS
This notice is also addressed to all natural persons interacting electronically with web services provided in these websistes and web applications:
• www.atm.it
• www.atm-mi.it
• www.atm-alert.it
• www.lavorareinatm.it
• www.nordesttrasporti.it
• www.atmosfera.atm.it
• ATM Milano Official App mobile application owned by Azienda Trasporti Milanesi S.p.A.
• ATM Group newsletter.

Personal data will be processed using IT/electronic tools for newsletter services and will be used for anonymous statistical and market research studies, always due to service offered.

The information is valid only for the above-mentioned websites and not for other sites that can be consulted by link to third-party websites.

This information is also based on Recommendation n. 2/2001 adopted by the European Authorities in order to identify the requirements for collecting personal data online with the methods, timing, and nature of the data provided by the controllers to end users when they connect to web pages, regardless of the purposes of the connection.

Another processing purpose, in this specific case, is the correct browsing on ATM Group's websites indicated above, as well as the use of services provided by ATM Group to those who register theirselves.

TYPES OF DATA PROCESSED
During normal functioning, computer systems in general, Internet transmission protocols and the based site software collect  some  personal data.
The information is not collected for identification purposes, although this may be possible through processing by the competent Authorities.

DATA COLLECTED
The data collected refers to: IP addresses; Uniform Resource Identifier (URI) addresses of the requested resources; time of the request; methodology used for the server request; size of the file obtained in response; numerical code indicating the status of the response given by the server (successful outcome, error, etc.) and other parameters relating to the operating system and the user's computer environment.
Appropriate security measures are applied for all data processing in order to prevent the loss of information, illegal or improper use and incorrect or unauthorized access.
This data will be used only for anonymous statistical purposes and for managing the sites and the mobile application ATM Milano official app.

PROCESSING METHODS AND COOKIES
Cookies are text files containing small amounts of information that are downloaded to the user's device, if enabled, when browsing the Azienda Trasporti Milanesi S.p.A. website and mobile app ATM Milano official app.
No personal data is acquired by the site unless knowingly provided by the user.
ATM Group doesn’t use cookies to pass on natural person information, although cookies are used in an aggregate way, not in order to identifythe website visitors, nor to monitor customers’ browsing habits. In this field, ATM Group web activities are focused only  to improve the service offered and to make browsing on the site more secure and efficient.
Azienda Trasporti Milanesi S.p.A. uses "cookies" in order to provide the website’s visitors with contextualised information and to obtain access statistics (using the Google Analytics service) https://support.google.com/analytics/answer/6004245?hl=en

The site uses cookies in accordance with the following purposes and classification:

SYSTEM COOKIES
These cookies allow the user to browse the site and use its functions, for example, to access the sites and ATM Milano official app secure areas. Without these cookies, it will not always be possible to provide the authentication and correct functioning of the website.
These cookies are not defined by Azienda Trasporti Milanesi S.p.A.; rather they are generated and used automatically by the software platforms used.
Nevertheless, they are intended for the purpose of general functioning and do not have any effect on the protection of the user's personal data.

COOKIES FOR PERFOMANCES AND BROWSING ANALYSIS STATISTICS
Azienda Trasporti Milanesi S.p.A. uses the Google Analytics statistics platform and incorporates its cookies and access methods.
https://support.google.com/analytics/answer/6004245?hl=en
This analytical tool collects the standard log information used on the Internet and anonymous information on the visitor's browsing behaviour.
Should you wish not to choose be analyzed by Google Analytics on all websites, visit https://tools.google.com/dlpage/gaoptout, and follow Google's instructions.

TECHNICAL COOKIES
The cookies used are considered technical, also called "session" or "temporary", which help the user browse the site and remember the choices made during the session. They are deactivated as soon as you leave the site via the log out procedure or after a period of inactivity. Profiling cookies are not used.

REGISTERING TO THE SITE AND CREATING AN ACCOUNT
When registering to the ATM Group website services, the user must create a personal account from the registration page. To do this, the user must enter some basic personal data, a user ID (e-mail) and a password.
The user is responsible for the correctness and truthfulness of the information, as well as the safe custody of access credentials and the website activities attributable to their identity.

HOW TO DELETE YOUR PROFILE
To delete your ATM profile it is necessary to enter your personal area and, in the "Profile section", click on the "Delete profile" button (at the bottom of the page).

LOCATION SERVICES AND THIRD PART MAP SERVICES
The location access is not mandatory and can be refused by the user letting him free to use all the ATM Milano app's functions. The location services, when allowed by the user, are active only when the app is active. The locations are not stored by ATM Group and are managed by the following maps services:
- Google for Android (read their policy https://policies.google.com/privacy?hl=en&gl=ZZ)
- Apple for iOs (read their policy https://www.apple.com/uk/privacy/)
- Windows for Windows (read their policy https://privacy.microsoft.com/)