Privacy Notice
Regulation 679/2016/EU
Information for Data Subjects – Tourist Virtual Assistant (TVA) for accessing relevant data
Pursuant to and for the purposes of Article 13 of Regulation 679/2016/EU "General Data Protection Regulation", we inform you that Roma Capitale processes the personal data you have voluntarily provided for the use of the digital platform Tourist Virtual Assistant (TVA), which allows users to request information and receive services by interacting with a virtual assistant supported by semantic artificial intelligence (chatbot). Roma Capitale ensures that your personal data are processed in compliance with fundamental rights and freedoms, as well as your dignity, with particular reference to privacy, personal identity, and data protection rights.
-
Data Controller (Art. 13.1.a Regulation 679/2016/EU)
The Data Controller is Roma Capitale (hereinafter also referred to as "Controller"). At the date of this notice, all information regarding the Controller, together with the updated list of Data Processors and designated System Administrators, is available at Palazzo Senatorio, via del Campidoglio 1, 00186 Rome; PEC: protocollo.gabinettosindaco@pec.comune.roma.it.
-
Data Protection Officer (DPO) / Responsible for Data Protection (RDP) (Art. 13.1.b Regulation 679/2016/EU)
The Data Protection Officer (DPO) of Roma Capitale can be reached at the following email address: dpo@comune.roma.it
-
Purposes of processing personal data and legal bases (Art. 13.1.c Regulation 679/2016/EU)
- For the proper functioning of the TVA, the Controller may process personal data contained in the requests made to the chatbot, including the collection of the history of interactions maintained by the user through all available contact channels, with the aim of offering citizens and tourists useful services and information already provided through other more traditional public channels. For this purpose, the Controller may also process personal data belonging to the categories of Articles 9 and 10 of the GDPR - Regulation 679/2016/EU, if they are freely and autonomously provided by the data subject within the requests made to the chatbot and strictly to the extent necessary to provide the requested information and/or services.
The legal basis of the described processing is therefore the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller (Article 6.1.e, Article 9.2.g Regulation 679/2016/EU).
- To have more targeted support and/or submit a report to an operator of 060606/060608, the Controller may also record, enter, and manage some user identification data through the CRM of Roma Capitale (mandatory: email address, mobile number, first name, last name, nationality; optional: personal identification code, period of stay, place of stay). For this purpose, the chatbot interface does not allow the entry or collection of such data but provides the user with a registration link that will redirect them to the CRM of Roma Capitale.
This additional service will be provided only with the free, specific, informed, and unequivocal consent of the data subject (Article 6.1.a and Article 9.2.a Reg. EU 679/2016).
-
Methods of processing personal data
The processing of your personal data takes place at the premises and offices of the Controller or, if necessary, at the subjects indicated in paragraph 6, using both paper and electronic media, by telephone and electronic means, also through automated tools aimed at storing, managing and transmitting data, with the observance of every precautionary measure that guarantees their security and confidentiality.
The processing takes place through an AI-powered chatbot, but the data of the data subject is never used for training or for purposes other than those described above.
The processing will be developed to minimize the risk of destruction or loss, unauthorized access, and processing not compliant with the purposes of data collection. Your personal data are processed in compliance with all the general principles of Article 5 of Regulation 679/2016/EU, and in particular:
- in compliance with the principle of minimization, pursuant to Articles 5.1.c and 25.2 of Regulation 679/2016/EU;
- in a lawful and fair manner.
Your data are collected:
- for specific, explicit, and legitimate purposes;
- accurate and, if necessary, updated;
- relevant, complete, and not excessive concerning the purposes of the processing.
-
Nature of the collection and consequences of any failure to provide personal data (Art. 13.2.e Regulation 679/2016/EU)
Providing your personal data is entirely voluntary. However, the failure to provide such data may result in the inability of the Controller to provide the requested service in whole or in part, correctly and/or in compliance with the legal obligations imposed on the Controller. Your data are stored at the offices and services of Roma Capitale and external data holders. If necessary, your data may also be stored by other subjects indicated in paragraph 6.
-
Communication and dissemination of personal data (Art. 13.1.e Regulation 679/2016/EU)
If necessary, your personal data may be communicated (i.e. shared with one or more specific subjects) to:
- entities authorized to access the data under laws, secondary legislation, and EU regulations;
- collaborators, employees, and consultants of Roma Capitale, within the scope of their duties and/or any contractual obligations;
- suppliers, including Data Processors designated pursuant to Article 28 of Regulation 679/2016/EU, who act on behalf of Roma Capitale;
- physical and/or legal persons, public and/or private, when communication is necessary or functional to the activities of Roma Capitale in the ways and for the aforementioned purposes.
Your personal data will never be disclosed, i.e. shared in any way with other subjects, except for legal obligations.
-
Criteria Used to Determine the Retention Period (Art. 13.2.a Regulation 679/2016/EU)
The personal data of the data subject processed in the normal use of the chatbot will be kept for a maximum of 24 hours after collection and, in any case, only for the time necessary to recover the conversation with the user. If, on the other hand, the user decides to proceed with the registration as specified in point b) of paragraph 3, the data will be kept until the data subject withdraws their consent and, in any case, only for the time necessary to comply with the terms of the current regulations (90 days).
-
Rights of the Data Subject (Art. 13.2.b Regulation 679/2016/EU)
The data subjects may exercise the following rights at any time:
- The right to access their personal data held by the Data Controller, pursuant to Art. 15 Reg. 679/2016/EU;
- The right to request the rectification of their personal data from the Data Controller, pursuant to Art. 16 Reg. 679/2016/EU, unless it contradicts current data retention legislation;
- The right to request the deletion of their personal data from the Data Controller, pursuant to Art. 17 Reg. 679/2016/EU, unless it contradicts current data retention legislation;
- The right to request the restriction of processing of their personal data from the Data Controller, pursuant to Art. 18 Reg. 679/2016/EU;
- The right to object to the processing, pursuant to Art. 21 Reg. 679/2016/EU.
The above rights can be exercised by contacting the following address: supporto.julia@comune.roma.it
-
Right to Lodge a Complaint (Art. 13.2.d Regulation 679/2016/EU)
Data subjects are hereby informed that they have the right to lodge a complaint with a supervisory authority (specifically the Data Protection Authority, available at www.garanteprivacy.it).