On 6 April 2016, the European Union approved an important reform to the regulatory framework on personal data protection by adopting the “General Data Protection Regulation” (“GDPR” or “Regulation”), directly applicable in Member States. The Regulation replaces Directive 95/46/EC (“Data Protection Directive”) and its application was mandatory from 25 May 2018, two years after it came into force.

The new Regulation consolidates the safeguarding of the right to protection of personal data (Data Protection), in line with the recognition of the protection of personal data as a fundamental right in the EU. The Regulation is also a necessary and urgent response to the challenges posed by technological developments that allow the collection and processing of large amounts of personal data in real time, enabling the development of automated decisions beyond human intervention. The Regulation meets the need for privacy protection that is increasingly felt by European citizens.

Rete Ferroviaria Italiana considers the protection of the personal data of its customers, employees and suppliers to be an obligation that goes beyond mere regulatory compliance. For this reason, it has adopted its own Data Protection Framework, intended as a set of roles and responsibilities, internal rules and methodologies, aimed at ensuring the management and mitigation of risks to the rights and freedoms of individuals related to the processing of personal data.

THE DATA PROTECTION OFFICER

The changes introduced by the GDPR include the role of the 'Data Protection Officer' (DPO), responsible for monitoring compliance with the Regulation. For Rete Ferroviaria Italiana, the following individual was appointed as Data Protection Officer by the Board of Directors at its meeting on 20/01/2020:

Carla Cioffi
Piazza della Croce Rossa, 1 - 00161 Roma

protezionedati@rfi.it

RIGHTS OF DATA SUBJECTS

EU Regulation 2016/679 (Articles 15 to 23) confers specific rights on data subjects. In particular, in relation to the processing of your personal data, you are entitled to request the following from Rete Ferroviaria Italiana S.p.A.: access to your data; amendment, deletion and portability of your data; limitation of processing; objection to processing. More specifically:

  • Right of access: You may ask Rete Ferroviaria Italiana S.p.A. to confirm whether or not your personal data are being processed and, if so, to have access to the personal data;
  • Right of amendment: You may have Rete Ferroviaria Italiana S.p.A. amend your incorrect personal data;
  • Right to deletion/right to be forgotten: You may, in certain circumstances, have Rete Ferroviaria Italiana S.p.A. delete your personal data;
  • Right to portability: You may, in certain circumstances, obtain from Rete Ferroviaria Italiana S.p.A. your personal data in a structured, commonly used and machine-readable format. You are also entitled to send them to another data controller without impediment from Rete Ferroviaria Italiana S.p.A.;
  • Right to limit processing: You may, in certain circumstances, have Rete Ferroviaria Italiana S.p.A. limit the processing of your personal data;
  • Right to object to the processing: You may object at any time, for reasons related to your particular situation, to your personal data being processed; Rete Ferroviaria Italiana S.p.A. will refrain from processing your personal data further, unless it can prove that there are compelling legitimate reasons for going ahead with the processing that prevail over your interests, rights and freedoms or in the event of a right being assessed, exercised or defended in court.

In addition, you may lodge a complaint with the Supervisory Authority, which in Italy is the Italian Data Protection Authority. At any time, you may contact Rete Ferroviaria Italiana S.p.A. to exercise your rights at titolaretrattamento@rfi.it or by emailing the Data Protection Officer at protezionedati@rfi.it.

PERSONAL DATA PROTECTION POLICY - Processing of Personal Data of users who access the website www.rfi.it

This policy (together with other documents referred to in this document) describes the personal data that we collect from users and how we process them. The policy strictly relates to the processing, for the purposes specifically identified below, of personal data of users who consult the website rfi.it and does not concern any of the information collected through other methods, sources or any other websites accessible by the user through links on the same, unless this is expressly specified. 

Please refer to the specific policies provided when the data is collected for details on each processing. Rete Ferroviaria Italiana considers the protection of the personal data of its customers, employees and suppliers to be an obligation that goes beyond mere regulatory compliance. For this reason, we are updating the Personal Data Protection policies and we have adopted a Data Protection Framework, intended as a set of roles and responsibilities, internal rules and methodologies, aimed at ensuring the management and mitigation of risks to the rights and freedoms of individuals related to the processing of personal data.

The contacts for Rete Ferroviaria Italiana S.p.A can be found below:

  • Rete Ferroviaria Italiana S.p.A., Data Controller, is represented by the pro-tempore Chief Executive Officer with registered office in Piazza della Croce Rossa, 1 - 00161 (Rome), who can be contacted at the following e-mail address titolaretrattamento@rfi.it;
  • The Data Protection Officer can be contacted at protezionedati@rfi.it.

The personal data processed through the website within the limits of the purposes defined in this policy are indicated below:

  • personal data supplied voluntarily (e.g. first name, surname, email address, etc.) will be processed for the purposes described in the specific “Personal Data Protection Policies” provided by the Controller for the various online services. These policies, which can be consulted at the time the data is provided, will provide additional information, such as the legal bases of the processing, the possible recipients of the personal data, the storage period of the personal data (or the criterion for determining this period), the existence of automated decision-making processes, including profiling, as well as all the useful information, which can also be found at the end of this section, for the exercise of privacy rights;
  • by voluntarily sending an email to the address indicated on this website, the email address and any other personal data entered in the email, as well as the details of the sender, needed to answer the requests, will be subsequently acquired. These data are used solely to provide the information requested;
  • the data will not be used for other purposes without the explicit consent of the data subject;
  • when visitors browse the website, technical information on the hardware and software they use is collected. This information does not provide any personal data about the User, but only technical/informational data that is used in an aggregate and anonymous manner for the sole purpose of improving the quality of the service and providing statistics on the use of the Website. For further information, see the section on cookies.

The personal data will be processed using automated tools for the time needed to achieve the purposes for which they were provided, and the relevant IT media will be protected by adopting adequate technical and organisational measures pursuant to art. 32 of the GDPR.

The person sending the personal data to Rete Ferroviaria Italiana S.p.A. is responsible for ensuring they are accurate and truthful.