Società per azioni Esercizi Aeroportuali S.E.A., with registered office in Segrate (Milan) - 20090 - at the Milan-Linate Airport, ("SEA
"), as data controller, processes the personal data provided by you if you have chosen to participate in the pilot project launched by SEA and board the aircraft using facial recognition technology.
1. Types of data processed
SEA will process the personal data communicated by you during boarding operations using facial recognition technology ("Personal Data
"). In particular, the following Personal Data is processed:
Passport (or other accepted ICAO document) and data contained therein, such as: first name, last name, date of issue and expiry date, photograph;
Biometric data relating to the characteristics of your face (facial images will not be stored, but used to create a biometric model);
Boarding pass and the data it contains, such as: date and number of the flight booked by you, airline, first and last name.
2. Purpose and legal basis of the processing
Personal Data are acquired and processed for the sole purpose of carrying out the identification operations required by the applicable legislation during the execution of normal security checks for boarding a scheduled flight carried out with the innovative methods of facial recognition technology. The legal basis for the processing is your explicit consent. Only Personal Data related to the boarding pass may be shared with the competent judicial and police authorities where such sharing is necessary to comply with a legal obligation.
3.Mandatory or optional provision of Personal Data for the relevant purposes
Provision of Personal Data is required to carry out identification operations using facial recognition technology. However, you may choose to undergo security checks and carry out boarding operations performed by an operator, according to traditional methods.
4.Automated decision making, logic used and effects
The choice to carry out identification operations using facial recognition technology means that verification of your identity will be fully automated. In particular, SEA will use a fully automated system to assess the validity of your identity document, whether it matches the data on your boarding pass and whether the image in your identity document corresponds to your face. If the identification process is unsuccessful, SEA may delay or deny passage through the security turnstiles and/or boarding the flight you have booked. In any case, you will have the right to challenge the decision reached and request that security and boarding checks be repeated by a SEA operator.
5.Recipients of Personal Data
Subject to compliance with the principle of minimisation and proportionality, Personal Data may be made accessible to the following parties for the purposes listed above:
a. SEA employees and collaborators, based on instructions received from and under the authority of SEA;
b. companies, consultants or professionals that SEA uses to deliver its services, including, in particular, the supplier responsible for the development and technical management of the facial recognition system; and
c. with regard only to personal data related to boarding passes, any parties (including public authorities) that have access to personal data by virtue of legislative or administrative provisions.
Personal Data will be subject to the highest security standards and will be stored exclusively in encrypted form. Under no circumstances will Personal Data be circulated or, in any case, disclosed to an indeterminate number of parties.
6.Transfer of Personal Data
Personal Data will be processed within the European Union.
7. Retention period of Personal Data
a) Images of your face will not be stored and they will be used exclusively to create the biometric model. It is understood that only the Personal Data relating to your boarding pass will be deleted 24 hours after flight departure; while the Personal Data relating to the passport will be stored - in encrypted form - for a period ranging from 24 hours to 31 August 2021 depending on the consent you have given. After this period, all Personal Data will be irreversibly deleted. In particular, the data relating to the characteristics of your face will be deleted 24 hours after collection, unless you agree to keep such data for the entire duration of the pilot project, so that you can again carry out the security checks and boarding operations via facial recognition system without making a new registration. This being the case, your Personal Data will be deleted at the end of the pilot project, set for 31 August 2021.
b) If you have completed the registration procedure before 28 October 2020, we confirm that, as per the information contained in the Privacy Notice at the time communicated to you, your Personal Data relating to the passport will be kept - in encrypted form - for a period that varies from 24 hours to 31 December 2020 depending on the consent provided by you at that time. We also specify that the content of this Privacy Notice shall remain unchanged except for the retention period under previous 7 a), exclusively applicable to those who will perform the registration procedure as of 28 October 2020.
In any case, if you intend to give your consent for the storage of your Personal Data relating to the passport until 31 August 2021, you need to carry out the registration procedure again starting from 1 January 2021 at the kiosks available at the airport. This is necessary because, in the event of your registration before 28 October 2020, your Personal Data will be deleted according to the disposal under first paragraph of section 7 b) hereabove.
In relation to the processing of Personal Data, you may exercise the rights set out in Articles 15 to 22 of the General Data Protection Regulation 2016/679. In particular, you have the right to obtain from SEA rectification, integration or deletion (so-called right to be forgotten) of Personal Data; the right to obtain limitation of the processing and the right to portability of Personal Data and the right to lodge a complaint to the Supervisory Authority. You also have the right to revoke your consent to processing (without prejudice to the lawfulness of the processing carried out before the revocation) and to challenge the automated decision taken by SEA, as well as to request human checks by a SEA operator.
You may exercise these rights orally (by requesting checks to be made by the specially provided SEA operator). Alternatively, you may exercise these rights after boarding by sending your request to the Data Protection Officer at the following address email@example.com
or by ordinary mail addressed to the Data Protection Officer - 20090 Segrate (Milan), at Milan Linate Airport.
Exercising of such rights is not subject to any formal restriction and is free of charge.
9.Data Protection Officer (DPO)
You can also contact the Data Protection Officer, to exercise your rights as a data subject referred to in the previous point, by sending an e-mail to firstname.lastname@example.org