Privacy Policy

Cotral pays great attention to personal data protection and information security.

In the exercise of its institutional duties, it is constantly committed to putting in place specific measures for the protection of data that relate to service users, our employees and collaborators, including possible candidates for employment, and in general to all individuals who relate to Cotral, such as the staff of Service Provider Organizations, or Customer Organizations that may purchase advertising space or services from Cotral. Obviously, the need for confidentiality is balanced by the requirements to protect the safety of public transport and assets, as well as by transparency and anti-corruption regulations. In this section we therefore present information for interested parties. Pursuant to the European Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter also “Regulation”, or “GDPR”) intends to explain to data subjects the necessary information on the use of collected data. The Data Controller is Cotral with headquarters at Via Bernardino Alimena, 105, 00173 Rome. The Data Protection Officer (DPO, or DPO) can be contacted at dpo@pec.cotralspa.it. We ask you to fill in the master information strictly necessary for user identification, and contact details to handle requests, service communications and ancillary activities with the consent of the data subject; photographs and identity documents are also required for the issuance of Travel Tickets. Under certain circumstances, (e.g. for concessions or gratuities or for services reserved for the disabled or minors) “special categories of personal data” may be processed. The provision of data is optional; obviously, any refusal or incorrect or insufficient communication of data suitable for completing the request may result in the total or partial impossibility of carrying out the operations.

Information for those who contact us

Users’ personal data are processed mainly to operate the public transportation service under legal bases such as:

  • The execution of the contract or pre-contractual measures at the request of the data subject;
  • legal obligations;
  • The performance of a task of public interest or necessity connected with the exercise of public authority vested in the data controller.

You can see in the full policy statement all the specific purposes of the treatments.

In addition, with the consent of the interested parties, Cotral may contact users, directly or through third parties, to detect customer satisfaction with the quality of services rendered and the activity carried out, to profile service usage data for customized infomobility solutions and/or on-demand services, or to send promotional communications.

In addition to sharing personal data with Law Enforcement and Public Authorities when necessary or mandatory, it is good to know that some personal data, as part of the operation of regional public transportation, i.e., in the Metrebus Integrated Electronic Ticketing System, are recorded in the central Regional Information Systems to which the Lazio Region and other transportation companies such as ATAC S.p.A., Trenitalia S.p.A., Gruppo Ferrovie dello Stato, or service companies of the Lazio Region that operate in the management of regional information systems may have access.

Personal data are not subject to dissemination or automated decision-making, and specific security measures are observed to prevent data loss, unlawful or incorrect use, and unauthorized access.

Cotral retains your data for a period of time identified according to the criteria of civil prescription and in compliance with specific sector laws, as well as according to the terms necessary for the proper pursuit of the identified control purposes.

Cotral is available to receive any requests for the exercise of Data Subjects’ rights, which should be sent to the e-mail address privacy@cotralspa.it or to the Data Protection Officer.

Web site navigation policy

This policy describes the methods of management of the Cotral portal (hereinafter also only the “Portal “or “website”) with reference to the processing of personal data of users, identified or identifiable, who consult it and interact with it and with the regional web services accessible by telematic means.

The information is provided in accordance with Art.art.13 of the Regulation General Data Protection Regulation (EU Regulation 679/2016) and relate exclusively to the navigation within this portal (and the use of the App owned by Cotral) identified by the domain www.cotralspa.it and not for other external websites, which may be consulted by the user through links on the pages of the site itself.

Purposes of processing The processing of personal data carried out within this portal is aimed at the provision of specific services pertaining to public transport in the Lazio regional territory (including rental services, school transport service, disabled service, etc.). In particular, the Portal aims to provide users with all necessary information, including through newsletters, regarding the aforementioned suburban public transport.

The legitimacy bases of these processing activities may include contractual necessity or pre-contractual measures, but also processing, publications, controls and verifications necessary for the fulfillment of provisions arising from legal obligations.

Other activities, such as monitoring the use of web services, managing electronic processing systems and the website, and using advertising space, may be based on the assumption of the legitimate interest of the Data Controller.

The activation of the (optional) geolocation sharing function, which can be exercised only on the user’s specific choice for the “SEARCH ON MAP” function, is intended to show the location of vehicles in real time and to provide the user with an infomobility service that allows him/her to calculate travel times and choose which vehicles can be used.

Data Controller and Data Protection Officer The Data Controller is Cotral with headquarters in Rome, via Bernardino Alimena, 105 – 00173.

Cotral has identified a Data Protection Officer, in implementation of EU Regulation 679/2016, cha the task of monitoring and assisting the Data Controller and Data Processors in ensuring compliance with the rules and respect for the rights of data subjects.

The data protection officer (DPO, or DPO) can be contacted at. dpo@pec.cotralspa.it .

Place of data processing Processing related to the web services of this site takes place at the aforementioned headquarters of the transport company by the technical personnel in charge of processing, or by any persons in charge of occasional maintenance operations. No data from the web service is disseminated except in cases expressly provided for by law. Personal data provided by users are used only to perform the service or provision requested and expressed in the purposes of processing and are not disclosed to third parties outside Cotral.

Types of data processed

Navigation data: The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the Portal, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Portal and to check its correct functioning and are kept for the time strictly necessary. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site.

Data provided voluntarily by the user: The optional, explicit and voluntary sending of electronic mail to the addresses possibly indicated on this site involves the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message. Specific summary information will be progressively reported or displayed on the Portal pages prepared for particular services on request.

Optional provision of data: apart from what has been specified for navigation data, the user is free to provide the personal data reported in any request forms to the Company. Failure to provide them may result in the impossibility of obtaining what has been requested.

Method of processing: personal data are processed by automated tools for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

Policy on “Cookies”

With this notice, in accordance with the provisions of the General Provision of the Privacy Guarantor “Identification of the simplified procedures for information and acquisition of consent for the use of cookies” of May 8, 2014 (web doc 3118884), Cotral , Data Controller, provides users of the site www.cotralspa.it with some information regarding the cookies used.

What are ‘cookies’

A “cookie” is a small text file created on the user’s computer at the time the user accesses a particular site, for the purpose of storing and transporting information. Cookies are sent from a web server (which is the computer on which the visited website is running) to the user’s browser (e.g., Internet Explorer, Mozilla Firefox, Google Chrome, etc.) and stored on the user’s device; they are then re-sent to the website on subsequent visits. In the course of browsing, the user may also receive on his or her device cookies from different websites ( so-called “third-party” cookies ) set directly by the operators of those websites and used for the purposes and in the manner defined by them.

Types of cookies used

The site does not use navigation or session cookies.

Rights of data subjects

The subjects to whom the personal data refer have the right at any time to obtain confirmation of the existence or non-existence of such data and to know their content and origin, verify their accuracy or request their integration or updating, or the rectification, cancellation, transformation into anonymous form or blocking of data processed in violation of the law, as well as to oppose in any case, for legitimate reasons, to their processing, unless Cotral proves the existence of compelling legitimate reasons to proceed with the processing that override the interests, rights and freedoms of the subjects to whom the data refer, or in case of ascertainment, exercise or defense of a right in court. To exercise the rights listed above, data subjects may contact the Data Controller at the following address:

via e-mail, at: dpo@pec.cotralspa.it; dpoteam@cotralspa.it

via mail to COTRAL S.p.A. – based in Rome, Via Bernardino Alimena, 105 – 00173 to the attention of the DPO Team.

Web site navigation policy

This policy describes the methods of management of the Cotral portal (hereinafter also only the “Portal “or “website”) with reference to the processing of personal data of users, identified or identifiable, who consult it and interact with it and with the regional web services accessible by telematic means.

The information is provided in accordance with Art.art.13 of the Regulation General Data Protection Regulation (EU Regulation 679/2016) and relate exclusively to the navigation within this portal (and the use of the App owned by Cotral) identified by the domain www.cotralspa.it and not for other external websites, which may be consulted by the user through links on the pages of the site itself.

Purposes of processing The processing of personal data carried out within this portal is aimed at the provision of specific services pertaining to public transport in the Lazio regional territory (including rental services, school transport service, disabled service, etc.). In particular, the Portal aims to provide users with all necessary information, including through newsletters, regarding the aforementioned suburban public transport.

The legitimacy bases of these processing activities may include contractual necessity or pre-contractual measures, but also processing, publications, controls and verifications necessary for the fulfillment of provisions arising from legal obligations.

Other activities, such as monitoring the use of web services, managing electronic processing systems and the website, and using advertising space, may be based on the assumption of the legitimate interest of the Data Controller.

The activation of the (optional) geolocation sharing function, which can be exercised only on the user’s specific choice for the “SEARCH ON MAP” function, is intended to show the location of vehicles in real time and to provide the user with an infomobility service that allows him/her to calculate travel times and choose which vehicles can be used.

Data Controller and Data Protection Officer The Data Controller is Cotral with headquarters in Rome, via Bernardino Alimena, 105 – 00173.

Cotral has identified a Data Protection Officer, in implementation of EU Regulation 679/2016, cha the task of monitoring and assisting the Data Controller and Data Processors in ensuring compliance with the rules and respect for the rights of data subjects.

The data protection officer (DPO, or DPO) can be contacted at. dpo@pec.cotralspa.it .

Place of data processing Processing related to the web services of this site takes place at the aforementioned headquarters of the transport company by the technical personnel in charge of processing, or by any persons in charge of occasional maintenance operations. No data from the web service is disseminated except in cases expressly provided for by law. Personal data provided by users are used only to perform the service or provision requested and expressed in the purposes of processing and are not disclosed to third parties outside Cotral.

Types of data processed

Navigation data: The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the Portal, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Portal and to check its correct functioning and are kept for the time strictly necessary. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site.

Data provided voluntarily by the user: The optional, explicit and voluntary sending of electronic mail to the addresses possibly indicated on this site involves the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data included in the message. Specific summary information will be progressively reported or displayed on the Portal pages prepared for particular services on request.

Optional provision of data: apart from what has been specified for navigation data, the user is free to provide the personal data reported in any request forms to the Company. Failure to provide them may result in the impossibility of obtaining what has been requested.

Method of processing: personal data are processed by automated tools for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

Policy on “Cookies”

With this notice, in accordance with the provisions of the General Provision of the Privacy Guarantor “Identification of the simplified procedures for information and acquisition of consent for the use of cookies” of May 8, 2014 (web doc 3118884), Cotral , Data Controller, provides users of the site www.cotralspa.it with some information regarding the cookies used.

What are ‘cookies’

A “cookie” is a small text file created on the user’s computer at the time the user accesses a particular site, for the purpose of storing and transporting information. Cookies are sent from a web server (which is the computer on which the visited website is running) to the user’s browser (e.g., Internet Explorer, Mozilla Firefox, Google Chrome, etc.) and stored on the user’s device; they are then re-sent to the website on subsequent visits. In the course of browsing, the user may also receive on his or her device cookies from different websites ( so-called “third-party” cookies ) set directly by the operators of those websites and used for the purposes and in the manner defined by them.

Types of cookies used

The site does not use navigation or session cookies.

Rights of data subjects

The subjects to whom the personal data refer have the right at any time to obtain confirmation of the existence or non-existence of such data and to know their content and origin, verify their accuracy or request their integration or updating, or the rectification, cancellation, transformation into anonymous form or blocking of data processed in violation of the law, as well as to oppose in any case, for legitimate reasons, to their processing, unless Cotral proves the existence of compelling legitimate reasons to proceed with the processing that override the interests, rights and freedoms of the subjects to whom the data refer, or in case of ascertainment, exercise or defense of a right in court. To exercise the rights listed above, data subjects may contact the Data Controller at the following address:

via e-mail, at: dpo@pec.cotralspa.it; dpoteam@cotralspa.it

via mail to COTRAL S.p.A. – based in Rome, Via Bernardino Alimena, 105 – 00173 to the attention of the DPO Team.

Information for those traveling by our means

The use of Cotral S.p.A.’s public transport services is allowed to the holders of tickets; while some tickets do not provide for the identification of the holder, others may refer to identified or identifiable persons registered in Cotral’s databases, for example when the tickets relate to season tickets or are granted against concessions or other rights to free or reduced fares. A further case of identification of service users is that required by law in the case of checks of travel tickets; in this case, the verifiers or drivers, holders of administrative police badges, proceed to identify the persons concerned, and in cases of fines being levied, acquire personal data in accordance with current legal regulations, using electronic instruments or paper forms. In any case, the processing of personal data carried out by Cotral personnel is based on the principles of lawfulness and proportionality and is carried out in accordance with the service contract and in relation to legal obligations; the legal prerequisite that allows for the possible processing of special categories of personal data (such as the possible state of health or disability) is the relevant public interest, pursuant to Art. 9 Par 2 g) and Art. 2 sexies of the Personal Data Protection Code Legislative Decree 196/2003 as amended by Legislative Decree 101/2018. It is also important to know that Cotral S.p.A., in order to facilitate the mobility services provided for public transport and in the legitimate interest of the company, has installed inside the cars:

  • Geolocation systems that enable real-time knowledge of the vehicle’s location, for the protection of the safety of people, property, and assets, as well as for checking the validity of travel tickets in relation to the permitted travel ranges;
  • Surveillance cameras that meet the needs of internal security, asset protection, and the prevention of unlawful acts of any nature.

The purposes meet the principles of correctness and lawfulness and compliance with the legal provisions on the protection of confidentiality of passenger and staff data; in particular, the geolocation system transmits to the Cotral control centers only the data of the vehicle, while the automatic video surveillance systems allow the recording of images in an encryption-protected medium, and the data are stored for 7 days with an automatic overwriting system. Data in geolocation and video surveillance systems are processed only by authorized Cotral personnel. The location of the vehicle may be communicated to infomobility systems and applications such as Citymapper and Moovit, while access to image recordings, protected in encrypted media, takes place exclusively on the occasion of requests received from judicial authorities in the event of the need for investigations following unlawful acts, in compliance with specific legal obligations. The interested parties may exercise towards Cotral S.p.A., Data Controller, according to the type of data, the rights exercisable under the Regulation (EU) 2016/679 of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data; in particular:

  • Right of access: You may ask Cotral to confirm whether or not personal data concerning you is being processed and if so, to obtain access to the personal data;
  • Right of rectification: You may obtain from Cotral the rectification of inaccurate personal biographical data, recorded in Cotral systems, concerning you;
  • Right to cancellation/oblivion: You may, under certain circumstances, obtain from Cotral the cancellation of personal data concerning you (e.g. unsubscription informative newsletter, deletion of personal data no longer necessary because it relates to contractual relationships that have ceased and for which there is no legal obligation to retain);
  • Right to portability: You may, under certain circumstances, obtain from Cotral your personal data in a structured, commonly used and machine-readable format. You also have the right to transmit them to another data controller without hindrance from Cotral;
  • Right to limitation of processing: You may, under certain circumstances, obtain limitation of processing from Cotral;
  • Right to object to processing: You may object at any time, on grounds related to your particular situation, to the processing of personal data concerning you; Cotral will refrain from further processing your personal data, unless you demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms or in the case of establishing, exercising or defending a right in a court of law.

Interested parties may also submit any complaints to the Data Protection Authority by the means explained on the Authority’s website.

To exercise your rights, or for any information or request for clarification, you can contact the Data Protection Officer of Cotral S.p.A. by writing to dpoteam@cotralspa.it or by certified mail to dpo@pec.cotralspa.it

Information for candidates

Purpose and legal basis for processing

The personal data provided, both of contact and related to studies, acquired skills and previous professional experience, are processed for purposes related to selection and possible recruitment of personnel for Cotral, scheduling of activities, internal control services, through processing, including electronic processing of professional profiles, and inherent consultation and comparison.

Curricula vitae sent spontaneously will, if deemed not of interest, be destroyed and not stored; otherwise, however, the candidate will be promptly inquired about the request for the preservation of the curriculum vitae on electronic/paper media and will be provided, in addition, with this notice.

The basis of legitimacy for these processing activities may include the need for pre-contractual measures, but also necessary processing, monitoring and verification based on the assumption of the legitimate interest of the Data Controller.

The Processing of the Data Subject’s data may involve “special categories of personal data,” i.e., those personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to a person’s health or sex life or sexual orientation.

For example, the candidate might spontaneously include membership in protected categories in the CV;

The prerequisite for processing, if any, such data of a “particular” nature, if indicated in the curriculum vitae, is that the data are rendered directly by the data subject and that their processing may be necessary to fulfill the obligations and exercise the specific rights of the data controller or the data subject in the field of labor and social security law and social protection.

Methods of data collection, processing and storage

The processing of personal data of data subjects will be based on the principles of fairness, lawfulness and transparency, and the rights to privacy protection, and will be carried out by manual, paper and automated means for the time strictly necessary to achieve the purposes for which they were collected.

Curricula retained for further future selection processes are kept in digital format in special protected folders with no expiration date limit, unless interested parties wish to request removal, or send us an updated cv. Specific security measures are observed to prevent data loss, illicit or incorrect use, and unauthorized access.

The selection processes, if any, may include paper notes, for the evaluation of resources, which are, however, immediately destroyed after the selection process.

In any selection processes, personal data will be retained for the duration of the same processes, and as long as obligations or fulfillments related to the execution thereof persist, or for compliance with legal and regulatory obligations, as well as for its own or third party defense purposes (e.g., requests for access to records).

Personal data may be subject to processing in compliance with applicable regulations and in accordance with the confidentiality obligations imposed on authorized personnel and any external parties that perform processing as Processors on behalf of Cotral, such as email system operators.

His rights

EU Regulation 2016/679 (Articles 15 to 23) grants data subjects the exercise of specific rights. In particular, in relation to the processing of your personal data, you have the right to request from Cotral, by contacting the office preferably by email at privacy@cotralspa.it: access to your data; rectification, deletion and portability of your data; restriction of processing; opposition to processing.

Specifically:

It can, in addition, file a complaint against the Supervisory Authority, which in Italy is the Garante per la Protezione dei Dati Personali.

Right of access: You may ask Cotral to confirm whether or not personal data concerning you is being processed and if so, to obtain access to the personal data;

Right of rectification: You may obtain from Cotral the rectification of inaccurate personal data concerning you;

Right to erasure/oblivion: You may, under certain circumstances, obtain from Cotral the erasure of personal data concerning you;

Right to portability: You may, under certain circumstances, obtain from Cotral your personal data in a structured, commonly used and machine-readable format. You also have the right to transmit them to another data controller without hindrance from Cotral;

Right to limitation of processing: You may, under certain circumstances, obtain limitation of processing from Cotral;

Right to object to processing: You may object at any time, on grounds related to your particular situation, to the processing of personal data concerning you; Cotral will refrain from further processing your personal data, unless you demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms or in the case of establishing, exercising or defending a right in a court of law.

Information for customers and suppliers

Who we are and why we process your data

The following information is intended to describe the processing of personal data that takes place in the relationships with Customers, Partners and Suppliers of Cotral in relation to the services rendered, in compliance with the General Data Protection Regulation 2016/679 (hereinafter, “GDPR” or “Regulation”) applicable since May 25, 2018 in every Member State of the European Union, and the national legislation (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018).

Specifically, those affected by the processing activities are the following natural persons who, in employment or other type of relationship with legal entities, Partners or suppliers, operationally are involved in commercial, pre-contractual and contractual communications. Although often the relationships are between legal persons, the contact persons of these are natural persons who communicate with each other and process data; thus, the personal data processed are contact details (telephone numbers, email addresses and other references). In other cases, the supplier may be a professional or sole proprietor, so other data are also processed for administrative-accounting activities or product/service controls.

Cotral, based in Via B. Alimena, 105 – 00173 Rome(hereinafter, also referred to as “COTRAL”) is the Data Controller of your personal data (hereinafter, also the “Data Controller” or “we”).

For any questions concerning the processing of personal data, you can contact the e-mail address privacy@cotralspa.it.

A Data Protection Officer (DPO, or DPO) has also been designated to monitor and assist the Data Controller and Processors in ensuring compliance and respect for the rights of data subjects. The DPO can be contacted at dpoteam@cotralspa.it

Purpose and legal basis of processing

Personal contact data are processed for purposes related and instrumental to the collection of contractual and pre-contractual information, and for the execution of the contractual and/or collaborative relationship, as well as for purposes related to the management of related obligations (e.g. accounting and/or tax) and for tasks of a technical-organizational nature.

The bases of legitimacy of these processing activities may include contractual necessity or pre-contractual measures, but also processing, monitoring and verification necessary for the fulfillment of provisions arising from legal obligations.

Other activities, such as service/product control, management of electronic processing systems, or communications pertaining to the relationship contracted or being finalized, could be based on the assumption of the legitimate interest of the Data Controller.

Methods of data collection, processing and storage

The personal data processed are contact data, as well as additional identifying and economic-financial information in the case of contractual relationships entered into with individuals.

The processing of information of legal persons entities and Suppliers and personal data of interested parties, i.e. natural persons employees/collaborators of them, will be based on the principles of fairness, lawfulness and transparency, and the protection of privacy rights, and will be carried out by manual, paper and automated means for the time strictly necessary to achieve the purposes for which they were collected.

Specific security measures are observed to prevent data loss, illegal or incorrect use, and unauthorized access.

Personal data will be kept for the duration of the contract and as long as obligations or fulfillments related to its execution persist.

Even after the termination of the contractual relationship, Cotral and any other authorized parties may retain your personal data of an administrative-accounting nature – including for compliance with legal and regulatory obligations, as well as for their own or third parties’ defensive purposes – or for the fulfillment of specific legal obligations, until the expiration of the regulatory retention period applicable on a case-by-case basis.

Personal data will be processed in compliance with applicable regulations and in accordance with the confidentiality obligations imposed on authorized personnel and external parties who perform processing as Processors on behalf of Cotral.

His rights

EU Regulation 2016/679 (Articles 15 to 23) grants data subjects the exercise of specific rights. In particular, in relation to the processing of your personal data, you have the right to request from Cotral: access to your data; rectification, erasure and portability of your data; restriction of processing; and opposition to processing.

Specifically:

It can, in addition, file a complaint against the Supervisory Authority, which in Italy is the Italian Data Protection Authority.

Right of access: You may ask Cotral to confirm whether or not personal data concerning you is being processed and if so, to obtain access to the personal data;

Right of rectification: You may obtain from Cotral the rectification of inaccurate personal data concerning you;

Right to erasure/oblivion: You may, under certain circumstances, obtain from Cotral the erasure of personal data concerning you;

Right to portability: You may, under certain circumstances, obtain from Cotral your personal data in a structured, commonly used and machine-readable format. You also have the right to transmit them to another data controller without hindrance from COTRAL;

Right to limitation of processing: You may, under certain circumstances, obtain limitation of processing from Cotral;

Right to object to processing: You may object at any time, on grounds related to your particular situation, to the processing of personal data concerning you; Cotral will refrain from further processing your personal data, unless you demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms or in the case of establishing, exercising or defending a right in a court of law.

Information on personal data app, site and call center

Cotral in accordance with the European Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter also “Regulation”, or “GDPR”) intends to explain to interested parties the necessary information on the use of the data of its users, collected through the use of the application for smartphones “BusCotral”, by calling the Contact Center or by filling out the information request forms on the Company’s website. We recommend that you read this information carefully to understand how we process personal data and what your rights are.

Type of personal data

By“personal data“, we mean any information capable of identifying, directly or indirectly, a natural person (so-called “Data Subject”). The personal data you provide, will be used in accordance with the principles of lawfulness, relevance and necessity of processing provided by the data protection regulations.

You will be asked for the biographical information strictly necessary for user identification and for eventual registration with the “BusCotral” application, and contact information to handle requests; photographs will also be required for the issuance of Travel Tickets.

In the case of acquisition of these data from third parties such as in the case of Social log-in through Facebook, Apple, Google for registration and access to the application “BusCotral” will be processed only the data that, according to privacy preferences, the user has set on these Social Networks.

Under certain circumstances, (e.g., for facilities or gratuities) the information to be provided, then, in processing the request, for services reserved for the disabled or beneficiaries of special facilities under the law, “special categories of personal data,” such as health status information, may be processed.

In relation to calls to the Contact Center, whose operators are located throughout the country, please be advised that the same may:

  • Be recorded for purposes of monitoring the quality of the service provided;
  • transcribed in real time through the use of special software, for the purpose of improving the service provided.

The provision of data is optional; of course, any refusal or incorrect or insufficient communication of data suitable to meet the request may result in the total or partial impossibility to implement the operations. The “BusCotral” application can also be used without the user’s registration, but only for the purpose of consulting the ride schedules. If the user wishes to make full use of the functionality of the application (e.g. purchase of the ticket), he/she must register by providing the minimum necessary data (First Name, Last Name, email, phone number) for the normal execution of the requested services. The data are processed by the Owner and the Co-Owners or Managers and under no circumstances are they transferred or sold to third parties. However, specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access.

Purpose and legal basis of processing

The data that are the subject of processing are processed and used for the following purposes:

  • Fulfilling requests for information sent by the data subjects themselves; in this case the legal basis for such processing is the execution of pre-contractual measures; establishing or updating the Register of Users, and managing the contractual relationship: the processing of the Data Subject’s personal data is carried out in order to give effect to the issuance of the Securities and to manage public transport services; the legal basis for such processing is the execution of the contract; purposes related to the obligations provided for by laws, regulations and EU legislation as well as provisions issued by authorities legitimized to do so and by supervisory and control bodies, as well as obligations in tax and accounting matters; these purposes also include those of verification of the validity of the Travel Tickets and the management of fines and penalties in case of violations; for communication activities related to public transport; in this case the legal basis is the task of public interest;
  • Purposes functional to the activity of the Company for the management of public transport, exercised in the legitimate interest of the Owner after the establishment of the relationship. The following activities fall into this category:
    • Survey of customer satisfaction with the quality of services rendered and activities performed, carried out directly or through third parties;
    • control, including through geolocation and video surveillance systems on board transportation vehicles, in the interest of people’s safety and for the protection of Cotral’s assets;
    • Statistical (anonymous) processing of travel data for studies related to wheeled transportation needs.

In addition, for further processing such as promotional and marketing activities or profiling of your travel preferences, you will be asked to give or withhold optional consent to the processing. Any consent given with respect to these purposes is freely revocable at any time, without prejudice to the lawfulness of the processing carried out before revocation.

Requested information belonging to special categories of personal data (e.g., visual and/or motor disabilities) and information on minors is processed exclusively for purposes of significant public interest (particularly for granting and revoking benefits, and for social welfare activities to protect minors and needy, dependent and incapacitated individuals).

How personal data are processed and stored

The processing will be carried out both in paper form and with the aid of electronic and/or automated tools; the data recorded in Cotral’s computer systems can only be accessed by Cotral’s authorized internal persons or employees of external companies, specially appointed Data Processors.

The recording of the footage taken by the video surveillance systems may be made available to the Company’s internal control functions and possibly handed over to judicial police bodies in charge of public security audits, or to insurance companies in the event of a claim. In any case, all personal data acquired are not subject to dissemination or automated decision-making, and specific security measures are observed to prevent data loss, illegal or incorrect use and unauthorized access.

Cotral retains your data for a period of time identified according to the criteria of civil prescription and in compliance with specific sector laws, as well as according to the terms necessary for the proper pursuit of the control purposes identified above. Specifically, data recorded in video surveillance systems are automatically overwritten (and stored encrypted for up to 7 days). Recordings and transcripts of calls to the Contact Center will be retained for a maximum of 7 days and will be automatically erased from the systems.

Some personal data, as part of the operation of regional public transport, i.e., in the Metrebus Integrated Electronic Ticketing System, are recorded in the central Regional Information Systems to which the Lazio Region and other transport companies such as ATAC S.p.A., Trenitalia S.p.A., Gruppo Ferrovie dello Stato, or service companies of the Lazio Region operating the systems may have access.

Cotral may also disclose the personal data of service users to law enforcement agencies or other public administrations pursuant to legal obligations or the exercise of rights of defense in court. No personal data provided by users is transferred outside the European Union.

What are the rights for data subjects

Cotral is available to receive any requests to exercise the rights of interested parties, which should be addressed to the e-mail address: privacy@cotralspa.it or dpoteam@cotralspa.it;

At any time you may exercise against the Data Controller the rights to protect the data subjects, in particular:

Propose, in addition, complaints to the Supervisory Authority, in the cases and for the effects expressed by the current legislation, in the manner described on the website of the Authority for the Protection of Personal Data – https://www.garanteprivacy.it; mandate a non-profit body, organization or association, which are duly constituted according to the law of the Italian State, to propose on your behalf and to exercise on your behalf the complaints to the Authority for the Protection of Personal Data.

obtain confirmation of the existence or otherwise of personal data concerning him/her and their communication in intelligible form; obtain indications regarding: a) the purposes and methods of processing; b) the logic applied in case of processing carried out with the aid of electronic instruments;

to know the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as managers or authorized persons; to obtain, also: a) access to the personal data processed by Cotral; b) the updating, rectification or, when there should be an interest, and if possible, the cancellation of the data; c) the portability, for certain services rendered, of the data provided; to oppose, in whole or in part, the processing of your personal data in cases where this is expressly permitted by laws or regulations;

Using the user’s location on our mobile app (Android and iOS)

Our app uses users’ precise location data to ensure the proper operation of certain services, such as real-time schedules, suggestion of stops near the user, and departure locations near the user. Location access is used solely to improve the user experience and will not be shared with third parties without the user’s consent.

Users have the option to disable geolocation at any time through their device settings. However, disabling this feature may limit some features of the app.

Information Notice on the Processing of Personal Data Requested from Customers for Issuing Onboard Travel Tickets and Cash Payments

This notice concerns the processing of personal data of customers purchasing travel tickets onboard public transportation vehicles with cash payment.

DATA CONTROLLER

COTRAL S.p.A., headquartered at Via B. Alimena, 105 – 00173 Rome, represented by its Legal Representative (hereinafter referred to as ‘Cotral’), acts as the Data Controller of your personal data (hereinafter also referred to as the ‘Controller’).

For matters related to personal data processing, you may contact the email address privacy@cotralspa.it.

A Data Protection Officer (DPO) has been appointed to monitor and assist the Controller and the Data Processors in ensuring compliance with regulations and protecting the rights of data subjects.
The DPO can be reached at dpoteam@cotralspa.it.

PURPOSES OF PROCESSING AND LEGAL BASIS

The purpose of the data processing is to enable the sale of travel tickets onboard public transportation vehicles with cash payment. Once the authorized personnel receive the cash payment for the travel ticket, they collect the customer’s mobile phone number to send a confirmation SMS for the ticket purchase.

The processing is lawful as it is based on the Controller’s legitimate interest in ensuring organizational needs, enhancing the ticket sales system, and reducing fare evasion.

CATEGORIES OF DATA PROCESSED AND RECIPIENTS

Personal data refers to any information that can identify, directly or indirectly, a natural person.

In this case, certain basic customer data is collected and processed, such as the customer’s mobile phone number (stored in encrypted form with partial number masking), geolocation data, and the location, date, and time of the transaction. The data is handled by personnel authorized for processing.

Where necessary, the personal data of customers (referred to as ‘Data Subjects’) may be disclosed to entities granted access rights under national or European Union laws, Cotral employees and collaborators within their respective duties, and any appointed data processors.

PROCESSING METHODS AND POSSIBLE DATA TRANSFER

The data is processed solely for the aforementioned purpose and in compliance with the principles of lawfulness, fairness, transparency, accuracy, integrity, and confidentiality established by current regulations.

Data processing may involve automated and computerized processes.

Privacy Notice on the Processing of Personal Data Required for Access to Cotral SpA Premises

COTRAL S.p.A. is committed to ensuring the protection of personal data for visitors who access its company premises for various reasons.

This notice applies to the processing of personal data of individuals (e.g., suppliers, visitors, contractors, and employees from other locations) who, for different purposes, access company premises using a temporary badge.

For Cotral employees, it is clarified that the data processing complies with Article 4 of Law No. 300 of 1970, and this notice is provided in adherence to the provisions of the aforementioned legislation.

DATA CONTROLLER

COTRAL S.p.A., headquartered at Via B. Alimena, 105 – 00173 Rome, represented by its Legal Representative (hereinafter referred to as ‘Cotral’), acts as the Data Controller of your personal data (hereinafter also referred to as the ‘Controller’).

For matters related to personal data processing, you may contact the email address privacy@cotralspa.it.

A Data Protection Officer (DPO) has been appointed to monitor and assist the Controller and the Data Processors in ensuring compliance with regulations and protecting the rights of data subjects.
The DPO can be reached at dpoteam@cotralspa.it.

PURPOSES OF PROCESSING AND LEGAL BASIS

The purpose of data processing is to allow access to the company premises exclusively to authorized personnel by verifying the visitor’s identity, completing the company form, and cross-checking with the hosting personnel.

The processing is lawful and based on the Controller’s legitimate interest in ensuring organizational needs, security, and asset protection. For Cotral employees, the legal basis is the performance of a contractual obligation (employment contract to which the data subject is a party).

CATEGORIES OF DATA PROCESSED AND RECIPIENTS

Personal data refers to any information that can identify, directly or indirectly, a natural person.

For the purpose described, certain basic visitor data is collected and processed, including:

  • Name and surname,
  • Name of the company the visitor may represent,
  • Identification document details (issue and date),
  • Entry and exit times.

The data is processed by personnel authorized to handle such information.

Suppliers, visitors, contractors, and employees from other locations (referred to as ‘Data Subjects’) are permitted access to Cotral premises during working hours if authorized, following the procedures outlined in the applicable company policies.

Privacy Notice on the Processing of Personal Data Related to the Use of the Health Card for Access to Railway Stations on the Rome–Ostia Lido and Rome–Viterbo Lines

This notice concerns the processing of personal data related to the use of the health card for accessing station gates on the Rome–Ostia Lido and Rome–Viterbo railway lines. This applies to personnel of Cotral and Astral companies, as well as their authorized suppliers/consultants who require access for work-related purposes.

For Cotral employees, it is clarified that the data processing complies with Article 4 of Law No. 300 of 1970, and this notice is provided in adherence to the provisions of the aforementioned legislation.

DATA CONTROLLER

COTRAL S.p.A., headquartered at Via B. Alimena, 105 – 00173 Rome, represented by its Legal Representative (hereinafter referred to as ‘Cotral’), acts as the Data Controller of personal data (hereinafter also referred to as the ‘Controller’).

For matters related to personal data processing, you may contact the email address privacy@cotralspa.it.

A Data Protection Officer (DPO) has been appointed to monitor and assist the Controller and Data Processors in ensuring compliance with regulations and protecting the rights of data subjects. The DPO can be reached at dpoteam@cotralspa.it.

PURPOSES OF PROCESSING AND LEGAL BASIS

The purpose of the processing is to enable access to the station gates on the Rome–Ostia Lido and Rome–Viterbo railway lines for work-related purposes. Access is granted to personnel listed in the designated register from Cotral and Astral companies and their authorized suppliers/consultants.

The processing is lawful and based:

  • For Cotral personnel, on the performance of a contractual obligation (employment contract to which the data subject is a party);
  • For other data subjects (Astral personnel and Cotral/Astral suppliers/consultants), on the legitimate interest of the Controller (for organizational and security purposes).

CATEGORIES OF DATA PROCESSED AND RECIPIENTS

Personal data refers to any information that can identify, directly or indirectly, a natural person.

For the purpose of this processing, the following basic personal data is collected and processed:

  • Name and surname,
  • Tax code,
  • Date and place of birth,
  • Employee number,
  • Date and time of access.

Where necessary, the personal data of data subjects may be shared with entities granted access rights under national and European Union laws, with Astral, and with Cotral employees and collaborators as part of their duties, including any designated data processors.

Privacy Notice for Members of the Board of Directors and Statutory Auditors of Cotral Regarding the Processing of Personal Data

In compliance with Article 13 of Regulation (EU) No. 679/2016 – the General Data Protection Regulation (hereinafter referred to as the “Regulation”) – and concerning the personal data (hereinafter referred to as “Individual Data”) related to you (as the “Data Subject”) and/or, if applicable, to your family members or relatives (hereinafter referred to as “Family Data,” and together with Individual Data as “Personal Data”), which may be requested or acquired and processed by Cotral S.p.A. (hereinafter referred to as the “Company” or the “Controller”) in connection with your role as a member of the Board of Directors or Statutory Auditor, we provide you with the following information:

1. Data Controller

Cotral S.p.A., headquartered at Via B. Alimena, 105 – 00173 Rome, represented by the Chairperson and Legal Representative, is the Data Controller responsible for processing your Personal Data.

2. Data Protection Officer (DPO)

The Data Controller has appointed a Data Protection Officer (DPO) to monitor and assist the Controller and any Data Processors in ensuring compliance with regulations and safeguarding the rights of data subjects. The DPO can be contacted at dpoteam@cotralspa.it.

3. Purpose and Legal Basis for Processing

The processing is carried out exclusively to enable the Company to perform activities related to your role as:
(i) A member of the Board of Directors, or
(ii) A Statutory Auditor of the Company.

In particular, the processing concerns the administrative management of personal data (both common and special categories) for:

  • Fulfilling obligations imposed by laws, regulations, or other national or EU regulatory requirements.
  • Meeting publication requirements on the Company’s institutional website as prescribed by applicable laws.
  • Verifying declarations made annually by Board members, in line with national regulations and the Company’s approved Three-Year Anti-Corruption and Transparency Plan.

The types of data processed include:
a) Common Data: Such as identification and contact details, including full name, date and place of birth, tax identification number, physical and/or electronic addresses, and phone numbers (landline and/or mobile).
b) Other Personal Data: Including special category data under Article 9 of the GDPR (“sensitive data”) or legal data under Article 10 of the GDPR, as necessary for the stated purposes.
c) Banking Data: For payment-related purposes.

The legal basis for the processing is the fulfillment of legal obligations.

4. Methods of Data Processing

The processing of data, as defined by Article 4(1)(2) of the Regulation, involves any operation or set of operations conducted using manual, electronic, or telematic tools. The methods used are strictly aligned with the purposes outlined in Section 3, ensuring the security and confidentiality of Personal Data.
Within the Company, Personal Data is processed by authorized personnel in accordance with instructions received, whether for internal purposes or compliance with legal obligations related to the processing’s purposes.

5. Provision of Data

While the provision of Personal Data, including Individual Data or, where applicable, Family Data, is subject to your discretion, it may be:
a) Strictly necessary for the assumption of your role as a member of the Board of Directors or the Statutory Auditors’ Committee.
b) Mandatory under national or EU laws, regulations, or other provisions.

Refusal to provide the required Personal Data, in cases specified above, may result in the Company being unable to fulfill regulatory requirements related to your role.

6. Disclosure of Data

Personal Data may be disclosed to third parties to comply with obligations under national or EU laws, regulations, or other provisions, or upon directives issued by authorized entities.

Individual Data may also be shared with banks and credit institutions solely for processing payments, such as compensation or fees.

Information notice regarding the processing of personal data with bodycam use

this privacy notice pertains to the processing of personal data related to the use of bodycams (wearable audio, video, or photographic recording devices) provided to personnel responsible for ticket verification. the use of these devices aims to ensure the protection, safety, and safeguarding of people or property, as well as to reduce assaults on onboard staff by collecting multimedia data useful for reconstructing potential illegal incidents.


Data controller

cotral s.p.a., headquartered at via b. alimena, 105 – 00173 rome, represented by its legal representative (hereinafter referred to as “cotral”), is the data controller of your personal data (hereinafter also referred to as the “controller”).

for matters related to personal data processing, you can contact the email address privacy@cotralspa.it.

a data protection officer (dpo) has been appointed to monitor and assist the controller and processors in ensuring compliance with regulations and respect for the rights of data subjects. the dpo can be contacted at dpoteam@cotralspa.it and dpo@pec.cotralspa.it.


Purpose and legal basis for processing

the purpose of the data processing is the protection, safety, and safeguarding of people or property, as well as deterrence to reduce assaults on onboard staff.

the legal basis for the processing is established under article 6(1)(e) of eu regulation 2016/679, referring to the public interest, including control, inspection, sanctioning, and protective activities in administrative and/or judicial contexts.

processing is also necessary for the pursuit of the legitimate interest of the controller in ensuring the protection, safety, and safeguarding of people or property and reducing fare evasion under article 6(1)(f) of eu regulation 2016/679.


Category of data processed and recipients

personal data refers to any information that can directly or indirectly identify a natural person.

for the processing in question, multimedia data (images, video, and audio) recorded by bodycam devices are collected and processed, along with the gps positioning data of the device and the date and time of recording.

such personal data, where necessary, may be processed by cotral employees and collaborators who are properly trained and authorized, within the scope of their respective roles, including any data processors specifically appointed for this purpose.

this data may also be communicated to public security authorities, the judiciary, and other entities granted access rights under national or eu law.


Processing methods and potential data transfer

data is processed exclusively for the purposes outlined above and in accordance with the principles of lawfulness, fairness, transparency, accuracy, integrity, and confidentiality as required by current regulations.

data processing involves activating the bodycam device by onboard personnel only when necessary, such as during verbal and/or physical assaults, vandalism, property damage, safety risks for passengers or staff, or intimidation.

a flashing red light on the upper part of the device indicates that video recording is active. the bodycam records video and audio, gps positioning data, and the date and time of recording from activation until deactivation.

images may also be viewed in real time by cotral’s operations center staff to notify public security authorities when necessary.

data processing is carried out with every precaution to ensure security and confidentiality. personal data is processed under the principle of data minimization in accordance with articles 5(1)(c) and 25(2) of eu regulation 2016/679. the data collected is relevant and not excessive in relation to the purposes of processing.

no transfer of the collected data outside the european economic area (eea) is anticipated.


Provision of data

the provision of data for the purposes indicated is mandatory.


Data retention period

multimedia data collected through wearable bodycam devices will be stored for a maximum period of 7 days from the date of recording, after which it will be automatically deleted.

however, the data may be retained beyond the specified period if requested by public security authorities or the judiciary, or in cases where the recordings may constitute evidence of criminal, civil, or administrative significance. such recordings, which may serve as evidence, will be retained until the related proceedings are concluded.


Rights of the data subject

data subjects, i.e., individuals whose personal data is being processed, are entitled to the rights provided by eu regulation 2016/679, articles 15–23 and 77, where applicable to the processing in question.

to exercise these rights, request clarifications, or communicate with the data controller, data subjects can contact the dpo at dpoteam@cotralspa.it and dpo@pec.cotralspa.it.

data subjects who believe their data has been processed in violation of eu regulation 2016/679 have the right to file a complaint with the supervisory authority, which in italy is the “garante per la protezione dei dati personali” (italian data protection authority).