ChatBot Privacy Policy
Aeroporti di Roma S.p.A., as the data controller, provides the following privacy policy regarding the protection of personal data, pursuant to Article 13 of the European Regulation 2016/679 (“GDPR”), in relation to the automated messaging service (hereinafter referred to as the “Chatbot” or the “Service”) accessible through:
- the dedicated instant messaging chat available on the website www.adr.it
- the WhatsApp instant messaging channel through the Meta Inc. application. Access to this channel can easily be made using the QR codes available at the airport.
1. GENERAL INFORMATION ON THE TECHNOLOGY USED FOR THE CHATBOT
The Chatbot is an automated system based on generative artificial intelligence (LLM, Large Language Model), trained with data from ADR websites and designed to respond to user requests related to airport services. Although the underlying technology is generative and provided by Amazon Web Services EMEA SARL, the system made available by ADR is aimed at a specific and determined purpose and is limited to airport-related topics and services. Therefore, it does not fall under the definition of a “general-purpose AI system” as per the AI Act. The Service does not require user identification and is intended for adults or minors aged fourteen and above. For more details on the AI system’s functionalities, limitations, and logic, please refer to the Terms & Conditions.
2. DATA CONTROLLER AND DATA PROTECTION OFFICER (DPO)
- Data Controller: Aeroporti di Roma S.p.A. (hereinafter also referred to as “ADR” or the “Controller”).
- Contact Details of the Data Controller: Registered office in Via Pier Paolo Racchetti 1 - 00054 Fiumicino (Rome)
- Contact details of the DPO: The Data Protection Officer (also referred to as “DPO”) of ADR can be contacted via email at: dpo@adr.it or by writing to the contact details of the Controller indicated above.
3. SOURCE AND CATEGORIES OF DATA
The Service is designed to function without identifying the user. The only personal data collected and processed by ADR are those provided directly by the user during the use and conversation with the virtual assistant/Chatbot, including: phone number (WhatsApp), expressed preferences (e.g., notification activation), inputs selected from available options, and technical data (e.g., language, conversation rating, any flight details/times entered). Users are strongly advised not to share personal data beyond those listed above, especially data belonging to special categories (e.g. health, religion, etc.). Any personal data entered during interaction with the Chatbot (texts and/or voice notes) will only be recorded in the chat but not processed to provide the requested response and will not be stored or used for other purposes. Preventive measures and IT mechanisms (so-called guardrails) are implemented to avoid processing any personal data voluntarily entered by the user. Personal information is not processed by the Chatbot, which does not provide responses based on such information. Personal data is not used for training generative artificial intelligence models. No cookies or other tracking tools are used to identify or profile the user.
4. PURPOSE OF PROCESSING, LEGAL BASIS, NATURE OF PROVISION, AND DATA RETENTION PERIOD

PURPOSE OF PROCESSING, LEGAL BASIS and NATURE OF PROVISION
ADR processes personal data through the Chatbot to manage information requests voluntarily submitted by users, related to airport services (e.g., flight information, access, parking, assistance, schedules, commercial services, etc.). The Chatbot also enables optional features activated directly by the user during interaction, such as push notifications related to the selected flight, which include service information (e.g., services available in the departure area). These notifications are not commercial communications but purely informative service messages. They can be deactivated at any time by clicking the “Stop updates” button. Additionally, the user may receive a service message to rate the responses (optional).
Legal basis: performance of a contract to which the user is a party or pre-contractual measures taken at the user’s request (Art. 6(1)(b) GDPR). If the user chooses not to provide their WhatsApp number, ADR will not be able to respond via WhatsApp Chatbot, requiring alternative contact channels. If the user voluntarily provides special category data (e.g., health data) during interaction, such data will be processed based on explicit consent (Art. 9(2)(a) GDPR) but will remain only in the chat and will not be processed by the AI system to generate responses. ADR recommends avoiding the communication of such data. Consent can be withdrawn at any time by writing to the DPO at dpo@adr.it and requesting deletion of any mistakenly provided data.
DATA RETENTION PERIOD
Chat contents are stored in ADR’s system for 6 months from receipt. They also remain on the user’s WhatsApp app and under their exclusive control.
Phone numbers (WhatsApp) are stored for 3 months and then anonymized.

PURPOSE OF PROCESSING, LEGAL BASIS and NATURE OF PROVISION
With prior consent, ADR will use the phone number associated with the user’s WhatsApp account to send updates and information about airport news, commercial promotions, discounts, and institutional initiatives. Messages will be sent via automated tools (push notifications, WhatsApp) at a maximum frequency of about one message per week, and in a non-repetitive or intrusive manner.
Legal basis: user consent (Art. 6(1)(a) GDPR). Consent is obtained within the WhatsApp conversation through an unequivocal user action. Providing data and consent for this purpose is optional: refusal does not affect Chatbot use but prevents receiving such communications. The user can object or withdraw consent at any time without affecting the lawfulness of prior processing, by clicking “Stop updates” in the WhatsApp chat or using the “Unsubscribe” option in each subsequent message, or by contacting the Controller.
DATA RETENTION PERIOD
The user’s phone number will be stored until consent is withdrawn (opt-out) or the user unsubscribes. After withdrawal, the number will still be processed for the lawful purpose under point A, but not for promotional/informational messages. ADR periodically runs consent renewal campaigns.
5. PROCESSING METHODS AND EXTRA-EEA DATA TRANSFERS
Personal data is processed using IT and telematic tools, in compliance with current data protection laws and in line with the purposes described above, adopting appropriate measures to ensure confidentiality, security, and data integrity. ADR has implemented technical and organizational measures to mitigate privacy and AI bias risks, including filters, guardrails, human oversight, post-monitoring, error tracking, alert mechanisms, audits, and continuous testing. The system is hosted on infrastructure located within the European Economic Area (EEA), with no data transfers to third countries. The cloud technology provider (AWS) does not access users’ personal data under current contractual agreements. The Chatbot does not require user identification. Users may voluntarily enter personal data in text or voice content. ADR advises users not to enter personal data (their own or others’), which in any case will not be used to generate responses. Conversation content (text messages, voice commands) is viewable by ADR and processed solely to provide the Service, with limited retention and a “stateless” logic (no profiling or chat history reconstruction). The Service does not involve automated decision-making processes under Art. 22 of the GDPR. Chatbot responses are automated but do not produce legal effects or significantly affect the user.
6. DATA RECIPIENTS
Additionally, the data may be processed by service providers engaged by ADR to deliver the Service, acting as data processors pursuant to Article 28 of the GDPR. For communications sent via WhatsApp, Meta Inc., the provider of the instant messaging platform, acts as an independent data controller regarding user account data (e.g., name and profile picture) and app usage policies (please refer to the policies of the messaging platform provider). Messages are received through Meta’s WhatsApp service, which protects them using encryption protocols. The user retains full control of the conversations and may interrupt and/or block the chat at any time. In this context, ADR does not access the user’s WhatsApp profile name data but only receives content relevant to the interaction (flight requests, responses, preferences, any text commands) and messages transmitted by the user to the systems used. The user’s personal data is processed by ADR through personnel specifically appointed/authorized for processing. Personal data will be known exclusively by ADR personnel expressly authorized for processing, based on specific authorization profiles. ADR also uses external providers, appointed as data processors under Article 28 of the GDPR, involved in processing related to system development and maintenance, WhatsApp Business channel management, and cloud computing services used in the Service. Finally, data may be disclosed to competent public authorities in compliance with legal obligations.
7. DATA SUBJECTS' RIGHTS
Under Articles 15–21 of the GDPR, the user has the right to request from ADR:
Right to object: in addition to the above rights, the user may always object at any time if personal data is processed for marketing purposes. The user may object to receiving such communications or withdraw consent by clicking the “Stop updates” button in the WhatsApp conversation or using the “Unsubscribe” option in each subsequent message, or by writing to the Controller’s contact details. If the right to object is exercised, the Controller reserves the right not to comply with the request and, therefore, to continue the processing if there are compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject. The above rights may be exercised by submitting a request without formalities to the Data Protection Officer (DPO) at dpo@adr.it.
If the user believes that the processing of personal data violates the GDPR, they have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) using the contact details available at www.garanteprivacy.it or to take legal action.
Last updated: June 2025