As part of the activities carried out to manage the Purchasing Portal/Qualification System and the contractual procedures, Rete Ferroviaria Italiana S.p.A. processes the personal data of the Economic Operators and Contractors of which RFI has become aware of for the purposes connected with the above activity, the management of tender procedures, the negotiation, finalisation and execution of Contracts, as well as the management of any additional and amending acts, termination and transactions, as detailed below.

This section provides details concerning the subjects responsible for the procedure

• Rete Ferroviaria Italiana S.p.A., Data Controller, represented by the pro-tempore Chief Executive Officer, can be contacted at the e-mail address titolaretrattamento@rfi.it, with registered office in Piazza della Croce Rossa n. 1, Roma.
• The Data Protection Officer can be contacted at the e-mail address protezionedati@rfi.it 

This section indicates the types of data requested from you

The personal data (of the Economic Operators and Contractors represented by natural persons or of the natural persons, including those indicated in the statements made for the purpose of carrying out the preliminary verifications, belonging to their organisations) to be processed fall into the following categories: 

• Common Data acquired directly from the contractor or the contractor's employees: personal data, tax identification code (driver's licence/Identity Card/Passport number), contact data (certified e-mail, e-mail, telephone contacts). Other data such as bank details, economic/financial data, income data, vehicle registration number plate, credentials, personal identification code (CID), credit card number, credit card transactions, data contained in CVs (educational qualifications, affiliation to professional associations/categories) are also processed as necessary for individual contractual procedures..
• Data on the Economic Operator and the Contractor acquired from Public Administrations and Judicial Authorities as part of the management of the fulfilments relating to the performance of the contractual procedures: judicial data for the verification of grounds for exclusion in accordance with the provisions of current legislation on public contracts (Legislative Decree 50/2016 as amended and Legislative Decree 36/2023 as amended), including anti-mafia investigations in accordance with current legislation (Legislative Decree 159/2011 as amended); data regarding the fulfilment of contribution and tax obligations.
  Judicial data is only processed as part of the contractual procedures carried out in accordance with current legislation on public contracts or in the event of the conclusion of legal protocols.  
• Personal data on marital, civil partnership or common-law partnership relationships (special data pursuant to Article 9 EU Regulation 2016/679): which may have been provided in the forms used for the preliminary checks.

The data mentioned above will be processed using electronic and hard copy media to ensure that suitable security and privacy measures are adopted.

This section tells you why we are asking for your data

The data that we ask you to provide is collected and processed for the management of the Purchasing Portal/Qualification System, for the execution of tender procedures, for the negotiation, completion and execution of Contracts, for managing any additional and amending acts and terminations of Contracts, as well as for managing transactions.

Personal data is processed on the following legal bases:

1. processing required for the conclusion and execution of the contract, including in the pre-contractual phase of the Economic Operator/Contractor's registration or qualification on the Procurement Portal/Qualification System and during the tendering and negotiation phase (Article 6, paragraph 1, letter b of EU Regulation 2016/679);

2. processing required to fulfil legal obligations to which the data controller is subject (Article 6, paragraph 1, letter c of EU Regulation 2016/679);1.       processing required to fulfil legal obligations to which the data controller is subject (Article 6, paragraph 1, letter c of EU Regulation 2016/679);; 

3. legitimate interest in checking the absence of causes of conflict of interest/correlation/revolving doors.

Judicial data is processed to verify the absence of causes of exclusion under current legislation on public contracts, pursuant to the provisions of letter i) paragraph 3 of Article 2 - octies of Legislative Decree 196/03, as amended, as well as for the purposes related to the conclusion of legality protocols, pursuant to the provisions of letter h) paragraph 3 of Article 2 - octies of Legislative Decree 196/03, as amended, or in fulfilment of the obligations provided for by law on anti-mafia communications and information or on the prevention of mafia-type crime and other serious forms of social security violations.

We assure you that the data provided by filling in the forms used to carry out the preliminary verifications will be processed exclusively for the above-mentioned purposes. The provision of the data required to pursue the above-mentioned purposes is mandatory and any refusal to do so may make it impossible for RFI to manage the activities related to contractual procedures in accordance with the law.

This section indicates the subjects who will receive and process your personal details

Personal data provided for the pursuit of the above-mentioned purposes will be processed by the following entities:

Scope related to RFI S.p.A.

• Persons authorised to process data: personal data will only be made accessible to people working for RFI, who require the data to carry out their tasks or because of the hierarchical position held. These people will have been suitably trained in order to prevent any loss, unauthorised access or unauthorised processing of the data.
• FS Italiane Group companies, which in turn may disclose the data, or grant access to it, to their employees and any consultants, to the extent that this is functional to the pursuit of the purposes provided for in sub III
• IT service providers of RFI

These companies act as Data Processors on behalf of RFI and have signed a special Data Protection Agreement governing in detail the processing operations entrusted to them and their obligations regarding data protection and security measures.

Scope not related to RFI S.p.A.

Personal data may be forwarded, in accordance with laws or regulations, to Public Administrations and Judicial Authorities acting as Independent Data Controllers.

This section presents our warranty that your data will not be disseminated

Personal data will not be disseminated. Information on contractual procedures required to comply with legal obligations concerning the publicity of contracts, transparency and anti-corruption are subject to institutional publication.

This section provides an indication of the period of time during which we will store your data

The personal data provided and collected will be retained:

• For purposes under 1 and 2: The personal data you have provided us with will be kept for 12 months from the three-year expiry date of your registration in the Qualification System and for a period of time not exceeding 10 years from the expiry date of the Contract entered into or from the date of assignment for the further purposes stated above, without prejudice to other requirements in case of requests from the Judicial Authorities and/or Authorities equivalent to the latter, or in case of litigation before the competent courts.
• For the purpose under 3, limited to the period of time necessary for the pursuit of that purpose and, in any case, for a period of time not exceeding 3 years after removal from the Qualification System.

This section provides details on your guaranteed rights

In accordance with the provisions of Articles 15 to 23 of EU Regulation 2016/679 the Data Subjects involved are entitled to exercise specific rights. Specifically, in relation to the processing of personal data, the Data Subject has the right to ask RFI for:

• Access - you may request confirmation as to whether or not data concerning you is being processed, along with further clarification of the information referred to in this Policy;
• Rectification - you may ask to rectify or integrate the data you have provided if the details are inaccurate or incomplete;
• Erasure - you may request that your data be deleted if it is no longer necessary for our purposes, if your consent is withdrawn or you object to processing, if processing is unlawful or if there is a legal obligation to erase;
• Restriction of processing - you may request that your data only be processed for the purpose of retention, with the exclusion of other processing operations, for the period necessary to rectify your data, in the event of unlawful processing for which you object to the erasure, whereby you must exercise your rights in court and the data stored by us may of use to you and, finally, if you object to processing and a check is being carried out as to whether our legitimate reasons prevail over your own;
• Objection - at any time, you may object to the processing of your data, except whereby legitimate grounds for processing persist and which override your own, for example for the exercise or defence of our rights in court;
• Portability - you may request to receive or to have your data transmitted to another data controller indicated by you, in a structured, commonly-used and machine-readable format.

Moreover, should the Data Subject consider that his or her rights have been violated, the Data Subject has the right to lodge a complaint with the Supervisory Authority, which in Italy is the Garante per la Protezione dei Dati Personali.

The Data Subject may exercise his or her rights against RFI by contacting the same at titolaretrattamento@rfi.it or contacting the Data Protection Officer who can be contacted at the e-mail address protezionedati@rfi.it.