Privacy Chatbot

1. GENERAL INFORMATION ON THE TECHNOLOGY USED FOR THE CHATBOT

The Chatbot is an automated system based on generative artificial intelligence, trained with data from ADR websites and designed to respond to user requests related to airport services.
Although the underlying technology is generative and provided by Amazon Web Services Enea Sarl, the system made available by ADR is aimed at a specific and determined purpose and is limited to airport-related topics and services. Therefore, it does not fall under the definition of a “general-purpose AI system” as per the AI Act.
The Service does not require user identification and is intended for adults or minors aged fourteen and above. For more details on the AI system’s functionalities, limitations, and logic, please refer to the Terms & Conditions.

2. DATA CONTROLLER AND DATA PROTECTION OFFICER (DPO)

Data Controller

Contact Details of the Data Controller

Contact details of the DPO

Aeroporti di Roma S.p.A., (hereinafter also referred to as “ADR” or the “Controller”).

Registered office in Via Pier Paolo Racchetti 1 - 00054 Fiumicino (Rome)

The Data Protection Officer (also referred to as “DPO”) of ADR can be contacted via email at: dpo@adr.it or by writing to the contact details of the Controller indicated above.

3. SOURCE AND CATEGORIES OF DATA

The Service is designed to function without identifying the user. The only personal data collected and processed by ADR are those provided directly by the user during the use and conversation with the virtual assistant/Chatbot, including: phone number (WhatsApp), expressed preferences (e.g., notification activation), inputs selected from available options, and technical data (e.g., language, conversation rating, any flight details/times entered).
An optional voice interaction feature is available, which involves the recording of the user’s voice for the sole purpose of ensuring service quality and the performance of the speech-to-text function. The user receives a brief notification at the start of the conversation, following which they may decide whether or not to continue the call, whilst still being able to interact via the traditional text-based method.
At the end of the call, the User will be provided with a brief summary of the information requested.
Interaction via a recorded call is a purely optional feature and not mandatory for the User, who is free to choose whether to interact with the Chatbot via the traditional text-based method or via a voice call.
Users are strongly advised not to share personal data beyond those listed above, especially data belonging to special categories (e.g. health, religion, etc.). Any personal data entered during interaction with the Chatbot (texts and/or voice notes/phone conversations) will only be recorded in the chat but not processed to provide the requested response and will not be stored or used for other purposes.
Preventive measures and IT mechanisms (so-called guardrails) are implemented to avoid processing any personal data voluntarily entered by the user. Personal information is not processed by the Chatbot, which does not provide responses based on such information.
No cookies or other tracking tools are used to identify or profile the user.

4. PURPOSE OF PROCESSING, LEGAL BASIS, NATURE OF PROVISION, AND DATA RETENTION PERIOD

PURPOSE OF PROCESSING, LEGAL BASIS and NATURE OF PROVISION

DATA RETENTION PERIOD

1. Handling user information requests via Chatbot

ADR processes personal data through the Chatbot to manage information requests voluntarily submitted by users, related to airport services (e.g., flight information, access, parking, assistance, schedules, commercial services, etc.).

The Chatbot also enables optional features activated directly by the user during interaction, such as push notifications related to the selected flight, which includes sending service information relating, for example, to the services available at the selected flight departure point.

These notifications are not commercial communications but purely informative service messages. They can be deactivated at any time by clicking the “Stop updates” button.

Legal basis: performance of a contract to which the user is a party or pre-contractual measures taken at the user’s request (Art. 6(1)(b) GDPR). Data may be provided when using the service.
If the user chooses not to provide their WhatsApp number, ADR will not be able to respond via WhatsApp Chatbot, requiring alternative contact channels.
If the user voluntarily provides special category data pursuant to art.9 GDPR (e.g., health data) during interaction with the Chatbot, such data will be processed based on explicit consent of the User (Art. 9(2)(a) GDPR) but will remain only in the chat/interaction and will not be processed by the AI system to generate responses. The provision of such special data is not necessary and ADR recommends avoiding the communication of such data during the use of the Service.

Consent can be withdrawn at any time by writing to the DPO at dpo@adr.it and requesting deletion of any mistakenly provided data. 

In addition, the user may receive a service message inviting them to express their level of satisfaction on the Chatbot (optional), as well as service communications regarding petitions or voting initiatives related to airport activities (optional).

Legal basis: the legitimate interests pursued by the Controller (Article 6(1)(f) of the GDPR), namely the interest in monitoring customer satisfaction levels and ensuring high quality standards, as well as providing users with relevant and useful information for the assessment of airport services.

The contents of the chats, including the summaries of information provided at the end of calls, are stored on the system used by ADR for six months from the date of receipt. The contents of the chats also remain on the user’s WhatsApp application and are accessible only to the user. 
Phone numbers (WhatsApp) are stored for 3 months and then anonymized.

2. Sending promotional and informational messages via WhatsApp

With prior consent, ADR will use the phone number associated with the user’s WhatsApp account to send updates and information about airport news, commercial promotions, discounts, and institutional initiatives.
Messages will be sent via automated tools (push notifications, WhatsApp) at a maximum frequency of about one message per week, and in a non-repetitive or intrusive manner. 

Legal basis: user consent (Art. 6(1)(a) GDPR). Consent is obtained within the WhatsApp conversation through an unequivocal user action.
Providing data and consent for this purpose is optional: refusal does not affect Chatbot use but prevents receiving such communications.
The user can object or withdraw consent at any time without affecting the lawfulness of prior processing, by clicking “Stop updates” in the WhatsApp chat or using the “Unsubscribe” option in each subsequent message, or by contacting the Controller. 

The user’s phone number will be stored until consent is withdrawn (opt-out) or the user unsubscribes from the receiving of information.
After withdrawal, the number will still be processed for the lawful purpose under point A, but not for sending  promotional/informational messages.
ADR periodically runs consent renewal campaigns.

3. Conversation analysis and call recording

Provided that the conversations do not contain any personal references, the Data Controller processes the content of conversations with the virtual assistant and the recordings/transcripts of calls for the purposes of service quality, the controlled improvement of conversational flows and the performance of the support service, as well as the monitoring of the AI system’s performance levels. The data contained in recorded conversations, chats and transcripts are not used to train, retrain or optimise artificial intelligence algorithms or models.

Legal basis: the Data Controller’s legitimate interest (Article 6(1)(f) of the GDPR), linked to the need to monitor service performance, with particular reference to the speech-to-text functionality (accuracy of conversation transcriptions).

Recorded conversations/calls, chats and their transcripts are retained for a period not exceeding six months from the date of collection, as this timeframe is considered appropriate and proportionate to the purposes of verifying service quality, the controlled improvement of conversational flows and the performance of the support service, as well as monitoring the performance levels of the AI system. This period enables the Data Controller to analyse a temporally significant sample of interactions, identify any recurring anomalies, assess the consistency and effectiveness of the responses provided by the system, and implement the necessary corrective or organisational optimisation measures, in accordance with the principles of data minimisation and storage limitation. Upon expiry of this period, the data is deleted or anonymised. This is without prejudice to the Data Controller’s right to provide for further retention where necessary for the establishment, exercise or defence of a legal claim and/or the fulfilment of a legal obligation.
This is without prejudice to the anonymisation of telephone numbers after the three-month period.

5. PROCESSING METHODS AND EXTRA-EEA DATA TRANSFERS

Personal data is processed using IT and telematic tools, in compliance with current data protection laws and in line with the purposes described above, adopting appropriate measures to ensure confidentiality, security, and data integrity.
ADR has implemented technical and organizational measures to mitigate privacy and AI bias risks, including filters, guardrails, human oversight, post-monitoring, error tracking, alert mechanisms, audits, and continuous testing.
The system is hosted on infrastructure located within the European Economic Area (EEA), with no data transfers to third countries. The cloud technology provider (AWS) does not access users’ personal data under current contractual agreements.
The Chatbot does not require user identification. Users may voluntarily enter personal data in text or voice content. ADR advises users not to enter personal data (their own or others’), which in any case will not be used to generate responses.
Conversation content (text messages, voice commands or calls) is viewable by ADR and processed solely to provide the Service, with limited retention and a “stateless” logic (no profiling or chat history reconstruction).
Responses to messages, voice notes and requests made during the user’s call are generated automatically by the chatbot using artificial intelligence, without any interaction with human operators.
The Service does not involve automated decision-making processes under Art. 22 of the GDPR. Chatbot responses are automated but do not produce legal effects or significantly affect the user. 

6. DATA RECIPIENTS

Within ADR S.p.A., only individuals specifically appointed/authorized by the Controller and permitted to carry out processing operations related to the above activities may access the personal data provided by the user.
Additionally, the data may be processed by service providers engaged by ADR to deliver the Service, acting as data processors pursuant to Article 28 of the GDPR.
For communications sent via WhatsApp, Meta Inc., the provider of the instant messaging platform, acts as an independent data controller regarding user account data (e.g., name and profile picture) and app usage policies (please, refer to the policies of the messaging platform provider). Messages are received through Meta’s WhatsApp service, which protects them using encryption protocols. The user retains full control of the conversations and may interrupt and/or block the chat at any time.
In this context, ADR does not access the user’s WhatsApp profile name data but only receives content relevant to the interaction (flight requests, responses, preferences, any text commands) and messages transmitted by the user to the systems used. The user’s personal data is processed by ADR through personnel specifically appointed/authorized for processing.
Personal data will be known exclusively by ADR personnel expressly authorized for processing, based on specific authorization profiles.
ADR also uses external providers, appointed as data processors under Article 28 of the GDPR, involved in processing related to system development and maintenance, WhatsApp Business channel management, and cloud computing services used in the Service.
Finally, data may be disclosed to competent public authorities in compliance with legal obligations.

7. DATA SUBJECTS RIGHTS

Under Articles 15–21 of the GDPR, the user has the right to request from ADR:

1. confirmation as to whether or not personal data concerning them is being processed and, if so, access to and a copy of their personal data (Right of access – Art. 15 GDPR);
2. the updating, rectification, or, where interested, integration of the data without undue delay (Right to rectification – Art. 16 GDPR);
3. the erasure of data for which there is no longer any legal basis for processing (Right to erasure – Art. 17 GDPR);
4. the restriction of the way personal data is processed where one of the conditions set out in Art. 18 GDPR applies;
5. a copy of the personal data in a structured, commonly used, and machine-readable format for processing based on a contractual relationship (so-called portability), as provided by Art. 20 GDPR;
6. the withdrawal of consent at any time, where processing is based on consent, as provided by Art. 7 GDPR. Withdrawal of consent will only affect future processing and does not affect the lawfulness of processing based on consent before its withdrawal.

Right to object: in addition to the above rights, the user may always object at any time if personal data is processed for marketing purposes. The user may object to receiving such communications or withdraw consent by clicking the “Stop updates” button in the WhatsApp conversation or using the “Unsubscribe” option in each subsequent message, or by writing to the Controller’s contact details.
If the right to object is exercised, the Controller reserves the right not to comply with the request and, therefore, to continue the processing if there are compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject.
The above rights may be exercised by submitting a request without formalities to the Data Protection Officer (DPO) at dpo@adr.it. 

If the user believes that the processing of personal data violates the GDPR, they have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) using the contact details available at www.garanteprivacy.it or to take legal action.