Privacy and cookie policy

For the purposes of the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as “GDPR”) on the protection of natural persons with regard to the processing of personal data, STA – Südtiroler Transportstrukturen AG/STA – Strutture Trasporto Alto Adige SpA in its position as data controller (hereinafter referred to as “Company” or “Controller”) is obliged to provide information on personal data that may have been collected on natural persons (“Data Subjects”).

The data held by the Controller is typically collected directly from the Data Subjects and occasionally also from third parties.

Pursuant to Article 14 g) of the GDPR, the Controller hereby informs all Data Subjects that, if and when personal data is not collected directly from a Data Subject, no automated decision-making processes are used; this includes profiling as referred to in Article 22, paragraphs (1) and (4) of the GDPR.

Purposes of data processing

Any data is processed as part of the Controller’s regular operations in connection with the issuing of and payment for tickets.

Tickets can be purchased online using the ticket shop function of the südtirolmobil app.

All ticket payment is processed by LogPay Financial Services GmbH, which acts as a separate Controller.

https://documents.logpay.de/en/datenschutzinformationen.pdf

Any personal data collected in connection with the above activities is processed for the following purposes:

• for purposes closely related to the contract and the performance of the obligations deriving from the contract itself;
• for purposes related to obligations arising from national and/or international laws or regulations, as well as from measures adopted by national or international bodies or authorities. Where applicable, this includes activities required in order to comply with obligations arising from anti-money laundering legislation.

No consent is required for the processing of this personal data. Processing this data is permitted under Art. 6 b), c), e) and f) of the General Data Protection Regulation (EU) 2016/679 (GDPR).

Data processing methods

Any data collected may be processed manually or electronically with the help of IT systems; all such methods are designed to safeguard and guarantee data security, confidentiality and availability.

Providing your data for the purposes set forth in 1) is optional; on a practical level, however, refusal to do so would make it impossible to perform the existing pre-contractual and/or contractual relations. Providing your data for the purposes set forth in 2) is mandatory, since it is necessary in order to fulfil any regulatory obligations.

Disclosure of personal data

Collected data may be passed on to any legal entity (office, body or public administration organ, company or institution) that are legally required or entitled to have knowledge of such data, as well as to any person with a right of access (diritto di accesso/Aktenzugriffsrecht) or a so-called right of generalised civic access (diritto di accesso civico generalizzato/allgemeiner Bürgerzugang). In the case of special data and/or data relating to criminal convictions and offences, data may be passed on to legal entities as set forth in the regulations for the processing of sensitive and judicial data, as outlined by the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) on 30/05/2005. Moreover, data may also be passed on to any consultants, insurers and other service providers for processing in connection with the aforementioned purposes.

No consent is required for the processing of data pertaining to the above-mentioned categories.

Scope of availability of personal data within the Company

The data collected may be made available to the Data Controller, their Data Protection Officer and their Data Processing Officers.

Time limits for the processing and storage of personal data

The data processing referred to in this present notice will be limited to the duration strictly necessary to provide the services of the online ticket shop, after which all data will be deleted.

Data Controller and Data Protection Officer

As the Data Controller, STA – Strutture Trasporto Alto Adige SpA/STA – Südtiroler Transportstrukturen AG (Via dei Conciapelli/Gerbergasse 60, 39100 Bolzano/Bozen) is responsible for all data processing.
E-mail address: info@sta.bz.it;
As the Data Protection Officer, Paolo Recla is the person responsible for the protection of personal data; for this purpose, they are based at the registered office of this Company.
Certified e-mail address (in Italy: PEC): paolorecla.dpo@legalmail.it

Rights of the persons affected

In accordance with Articles 15 to 22 of the GDPR, all Data Subjects are entitled to exercise certain rights. In relation to their personal data in particular, all Data Subjects are entitled to obtain the following from the Data Controller: the right to lodge a complaint with a supervisory authority (Art. 13, paragraph [2] d); the right of access (Art. 15); the right to rectification (Art. 16); the right to erasure (“right to be forgotten”, Art. 17); the right to restriction of processing (Art. 18); the right to be notified of any rectification, erasure of personal data or restriction of processing (Art. 19); the right to data portability (Art. 20); the right to object to the processing of their personal data (Art. 21) and the right not to be subject to automated decision-making processes including profiling (Art. 22).

Information on processing personal data for südtirolmobil passes

This privacy policy is provided by Südtiroler Transportstrukturen AG/Strutture Trasporto Alto Adige SpA (hereinafter STA), the data controller, pursuant to Article 13 of EU Regulation 679/2016. It is intended to describe in a clear and comprehensive manner the processing that will be carried out on the data provided by users of südtirolmobil pass travel tickets. The Company's registered office is located in Bozen/Bolzano at Gerbergasse 60/Via Conciapelli, 60. If you require any further information, please contact the company's office at Sta – Südtiroler Transportstrukturen AG/Strutture Trasporto Alto Adige SpA, Gerbergasse 60/Via Conciapelli 60, I-39100 Bozen/Bolzano (BZ), or call us on +39 0471 312888. You can also email us at info@sta.bz.it.

Purpose and methods of data processing

In accordance with the relevant resolutions of the Provincial Council of the Autonomous Province of Bozen/Bolzano, the provision of services necessary for the definition and management of the contract involves the processing (i.e. collection and use) of three types of personal data: a) Personal data provided by the user when requesting a pass and subsequently when the contract is defined. b) Data relating to the user's movements consisting of the recording of dates, times, and places of validation at railway stations, fixed installations or on means of transport ('geolocation' data). c) Billing data resulting from the use of geolocation data services.

Personal and billing data is mainly processed digitally using computer systems.

Geolocation data is collected automatically when validations are recorded, which occurs when users voluntarily present their travel passes to the recording devices present on public transport.

All data collected and processed is used solely and exclusively for managing the information necessary for providing the service in accordance with the procedures established by Provincial Council Resolutions Nos. 979 of 20 June 2011 (replaced by Resolutions Nos. 1336 of 11 November 2014 and 760 of 5 July 2016), and for all accounting, tax and administrative obligations arising therefrom, as well as enforcing any rights arising from the existing contractual relationship.

All data is anonymised and used solely for statistical purposes once the stated purposes have been achieved and the necessary period has elapsed. The legal basis for processing is therefore the need to execute the transport contract signed by the data subject.

Personal data may also be used to invite participants to take part in anonymous, aggregated-data surveys.

Further details on the processing of geolocation data

The travel passes (badges) used by service users contain their identification details and a user identification code.

When the pass is scanned, the user code, date, and time of validation, and location are recorded in the validation system.

The location is identified by recording the 'stop code', which can be detected using the GPS system on the vehicles. This 'stop code' is internal information within the STA computer system and does not directly reveal the location.

As soon as possible, the collected data is acquired by the central processing systems and used to carry out the activities provided for in the contract, such as kilometre calculation, identification of the applicable fare, charging the user and execution of administrative obligations.

The geolocation data is simultaneously deleted from the validation systems' memories.

The geolocation data temporarily stored on the validation systems contains only a user identification code that does not allow immediate identification and is stored in encrypted form to prevent third parties from acquiring or modifying it.

Geolocation data is stored in STA's IT systems in an adequately protected manner for the time strictly necessary to manage legal and contractual obligations and document charges, including those following user requests. This period does not exceed three months from the end of the service billing month. After this period, the data is anonymised so that the user cannot be identified and is used exclusively for statistical analysis of service usage. This includes requests received from the Autonomous Province of Bozen/Bolzano relating to the management of the SII Inter-company Information System for integrated public transport.

Details of the geolocation data relating to journeys (dates, times, and places of boarding and alighting) are not included in invoices (unless expressly requested by the user), which only contain summaries of kilometres travelled and fares applied.

Geolocation data can only be accessed by the relevant user by: a) accessing the suedtirolmobil.info portal using their SPID, CIE or active service card credentials, or the individual authentication credentials assigned to them at the time of signing the contract and configured to ensure adequate security and protection measures are adopted. Users are advised to take great care when storing their authentication credentials to prevent third parties from accessing this detailed information. They should also immediately change their confidential password using the procedures described on the website if they suspect it is known to third parties. b) requesting documentation detailing the geolocation data relating to the journeys made, either at the time of signing the contract or at a later date.

The user may request the deletion of the geolocation data previously requested for subsequent billing by contacting the Südtirol Pass office or using the website functions indicated when accessing their user account. c) Users without a personal user account may request information in paper form by contacting authorised ticket offices.

The mandatory or optional nature of data provision and the consequences of refusing to provide data

The user is required to provide personal and fiscal data when requesting the service and when the relevant contract is being finalised, in order to perform the necessary administrative tasks.

If the requested data is not provided, it will not be possible to follow up on requests or applications.

The automatic acquisition of geolocation data is essential for managing the pricing system in accordance with the Provincial Council's relevant resolutions.

Failure to register access constitutes a breach of the user's contractual obligations, which may result in administrative penalties being applied in accordance with the aforementioned resolutions and provincial law no. 15/2015.

Data processors and areas of communication

Personal and contractual data may be disclosed to administrative and IT staff, as well as to staff at the Südtirol Pass office and authorised ticket offices.

These individuals have received the necessary instructions to ensure the protection of personal data in their capacity as data processors.

Geolocation data may be accessed by IT staff at the STA Company or appointed external data processors.

Personal and contractual data may only be disclosed to third parties (such as the bank indicated by the user for direct debit issuance) for activities directly related to existing contractual agreements. Under the existing concession agreement, personal and contractual data may also be disclosed to the Mobility Department of the Autonomous Province of Bozen/Bolzano, provided that such data is transmitted anonymously wherever possible.

No form of dissemination of any of the personal data processed is envisaged, i.e. indiscriminate disclosure to unidentifiable third parties. This does not affect the right to disclose data to third parties, such as public bodies, the police, judicial authorities and/or judicial police, in accordance with legal or regulatory obligations.

User rights regarding processed data

Finally, Articles 15 to 22 of the EU Regulation grant specific rights to data subjects. In particular, data subjects may request the following from the data controller with regard to their personal data:  - the right to lodge a complaint with a supervisory authority (Article 13, paragraph 2, letter d);  - access (Article 15);  - rectification (Article 16);  - erasure ('right to be forgotten') (Article 17);  - restriction of processing (Article 18);  - notification in the event of rectification, erasure or restriction (Article 19);  - portability (Article 20);  - the right to object (Article 21);  - not to be subject to automated decision-making and profiling (Article 22).

Data controller and data protection officer

The data controller for all personal data identified herein is  Südtiroler Transportstrukturen AG/Strutture Trasporto Alto Adige SpA, Gerbergasse 60/Via Conciapelli 60, Bozen/Bolzano. The data protection officer is Paolo Recla, a lawyer domiciled for this purpose at the company's registered office.

PEC (certified email): paolorecla.dpo@legalmail.it  

The list of data processors is available upon request at info@sta.bz.it.

Protection of personal data

STA informs all users that it has implemented technical tools and organisational procedures aimed at minimising the risks of destruction or loss of the data itself, unauthorised access or processing that is not permitted or does not comply with the purposes of collection. These risks are minimised through the adoption of appropriate and preventive security measures, taking into account the nature of the data and the specific characteristics of the processing, as well as the knowledge acquired on the basis of technical progress.

STA also informs users that processing is carried out in full compliance with the provisions of the Measure of 9 March 2005 on guarantees for the use of RFID tags and the Data Protection Authority's provisions on geolocation.