Personal Data Protection Notice
Privacy Notice pursuant to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR).
The Data Controller is STAR S.p.A.
The contact details of the Data Controller and the Data Protection Officer (DPO) are provided at the end of this Privacy Notice.
Purpose of the Processing
Contractual and Service Provision Purposes
The personal data processing activities described below are carried out for the purpose of providing local public transport services, urban and suburban mobility services within the company’s area of operation, and related services, including, in particular:
- management of passenger and goods transport services, including the planning and operational organization required for the performance of public service contracts, including services dedicated to persons with disabilities and school transport services;
- management and settlement of claims arising on board vehicles and/or during road traffic;
- subscription management (both through authorized retailers and the Data Controller’s offices, as well as through the e-commerce service);
- ticket inspection and enforcement activities;
- management of paid parking facilities and parking areas;
- sending service-related communications (including subscription expiry and renewal reminders);
- management of personnel recruitment and selection procedures;
- carrying out customer satisfaction surveys to assess the quality of the services provided;
- sending marketing communications.
Personal data will not be processed, disclosed, used or retained for purposes other than those related to the relevant business processes and the services provided.
Legal Basis for Processing
With reference to the purposes listed in points 1 to 7 above, the processing of personal data carried out by the Data Controller is lawful pursuant to Article 6(1)(b) and (e) of the GDPR:
“Processing shall be lawful only if and to the extent that at least one of the following applies:
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
Accordingly, the Data Controller is not required to obtain the data subject’s consent for these purposes.
Conversely, processing for the purpose of sending marketing communications is subject to the data subject’s freely given, specific and separate consent. The data subject may exercise at any time the rights guaranteed under Articles 15–22 of Regulation (EU) 2016/679.
Categories of Personal Data Processed
Personal identification data are generally processed solely for the purposes described above.
For certain services and specific purposes, it may also be necessary to process special categories of personal data (for example, the issuance of free travel passes requires the processing of personal data relating to persons with disabilities).
Special Categories of Personal Data
The Data Controller may occasionally process special categories of customers’ personal data in connection with the management of claims arising on board vehicles or from road traffic accidents.
Such data are generally transmitted to the insurance companies with which the Data Controller has entered into appropriate data processing agreements pursuant to the GDPR and are subsequently deleted from the Data Controller’s systems and records.
Children’s Personal Data
The Data Controller may process personal data relating to minors for the purpose of providing school transport services or applying dedicated fare conditions (student subscriptions).
The processing of such data is carried out by implementing specific security measures designed to ensure enhanced protection of the personal data of minors collected for these services.
Rights of Data Subjects
Data subjects are guaranteed all the rights provided for under Articles 15–22 of Regulation (EU) 2016/679, including:
- Article 15 – Right of access;
- Article 16 – Right to rectification;
- Article 17 – Right to erasure (“right to be forgotten”);
- Article 18 – Right to restriction of processing;
- Article 19 – Notification obligation regarding rectification, erasure or restriction of processing;
- Article 20 – Right to data portability;
- Article 21 – Right to object to processing;
- Article 22 – Right not to be subject to a decision based solely on automated processing.
Personal data may also be processed by means of automated procedures based on computer algorithms.
Data Retention
Personal data are retained for the period necessary to achieve the purposes related to the relevant business processes and to comply with applicable legal obligations (including accounting, tax, anti-money laundering and other statutory obligations).
Transfers of Personal Data Outside the European Union
No transfer of the personal data collected to countries outside the European Union is envisaged.
Data Processors
Data Processors are natural or legal persons, public authorities, agencies or other bodies that process personal data on behalf of the Data Controller.
They process personal data only to the extent necessary to perform the professional services entrusted to them and/or to comply with applicable legal obligations.
An updated list of the Data Processors that regularly process personal data on behalf of the Data Controller may be requested using the contact details provided at the end of this Privacy Notice.
Persons Authorized to Process Personal Data
Personal data may be processed by persons authorized to process such data and may be disclosed to collaborators and/or other parties where such disclosure is necessary for the provision of the services.
Website Browsing
This Privacy Notice also applies to users who access and interact electronically with the web services provided through the following website:
gruppostarlodi.it
This Privacy Notice applies exclusively to the above-mentioned website and does not apply to third-party websites that may be accessed through hyperlinks.
This Privacy Notice is also based on Recommendation No. 2/2001 adopted by the European Data Protection Authorities concerning the minimum requirements for the online collection of personal data, including the methods, timing and nature of the information that data controllers must provide to users when they access web pages, regardless of the purpose of their visit.
In this context, an additional purpose of processing is to ensure the proper functioning of the STAR S.p.A. website and the provision of services to users who register.
Information on the use of cookies is available in the Cookie Policy.
Contact Details
Data Controller
STAR S.p.A.
Registered Office: Viale Italia, 100 – 26900 Lodi (LO), Italy
Email: direzione@starlodi.it
Data Protection Officer (DPO)
SeeFree S.a.s.
Email: dpo@seefree.it