QPass privacy policy
 

Pursuant to current privacy legislation (European Regulation 2016/679 "GDPR" and Legislative Decree no. 196/03 and subsequent amendments and additions) the following policy is provided in relation to the use of the Q-Pass service through which the passenger can book online the time slot to access the security checkpoints at Fiumicino Airport. 

1. Data Controller

Aeroporti di Roma S.p.A. (ADR) with registered office at Via Pier Paolo Racchetti, 1 - 00054 Fiumicino (Rome). 

2. Data Protection Officer

ADR has appointed a Data Protection Officer. The contact details of the Data Protection Officer are available at www.adr.it. 

3. Purpose and legal basis of the processing

ADR processes your data for one or more of the following purposes, in consideration of the legal basis indicated in each case.  

1. Management of the service: ADR will process personal data in order to allow the user to book a time slot for the subsequent access, by scanning their boarding pass, to the dedicated security checkpoints at Fiumicino airport (Q-Pass service).
   The data entered will be processed for the purpose of providing the user with the requested service (Article 6(1)(b) GDPR). The provision of data is necessary for the pursuit of the above-mentioned purpose. In the event of refusal to process the data, it will not be possible to provide the user with the requested service. 
2. Customer satisfaction: after using the service, the user will receive an e-mail from ADR containing options to voluntarily indicate their level of satisfaction, provide a review on the service and their airport experience. In case of non-use of the service, the user will receive an email to voluntarily indicate the reason.
   The legal basis for the processing is the controller’s legitimate interest (Article 6(1)(f) GDPR), namely the interest in monitoring customer satisfaction in order to ensure high quality standards. 
3. Marketing: with prior express free and specific consent of the user, ADR will process the personal data to send commercial/promotional information and/or surveys relating to discounts, promotions, news at the airport and institutional initiatives. Marketing communications may take place via automated contact methods (e-mail).
   The legal basis for the processing is the user’s consent (Article 6, paragraph 1, lett. a GDPR). The provision of data is optional for this purpose, in the event of failure to consent to the processing, you will be able to use the Q-Pass service without suffering any prejudice, but you will not receive commercial and promotional communications.
   You may withdraw your consent (opt-out) at any time through the appropriate link which can be accessed from the e-mail communications received, as well as through the methods referred to in point 9 below.  

4. Types of data processed

The data processed by ADR includes common personal data such as the first and last names of passengers/accompanying persons entered in the online booking form, the e-mail address of the form filler and additional information such as flight number, flight date, airline company. 
If the user enters personal data on behalf of someone else, he/she must ensure, in advance, that they have read this Privacy Policy.  
By reading this policy, the person making the booking on behalf of other passengers declares:  

• to undertake to duly inform the person concerned about the communication of their data to ADR for the request in question and to inform them of the contents of this policy; 
• to expressly hold ADR harmless from any liability deriving from the unlawful communication of said data. 

5. Processing methods

The data are processed in compliance with the regulations in force by means of manual, IT and electronic tools, with logic strictly related to the above-mentioned purpose, so as to guarantee the security and confidentiality of the data. It is understood that passengers using the Q-Pass service will have to scan their boarding pass according to the ordinary access procedures, for which please refer to the privacy policy on the processing of personal data in the context of security checkpoints. 
Appointment reservation via the Q-Pass service and the provision of personal data will allow passengers to automatically gain access with their boarding pass via the service's dedicated fast lane/Q-Pass entrance. Once the reservation has been made, in fact, the scanning of the QR code on the passenger's boarding pass will automatically be recognised as enabled for the Q-Pass service by the appropriate scanners. 
The user will receive an e-mail message confirming the reservation. 
It will be possible, at any time, to modify, cancel or view the reservation using the appropriate link associated with the reservation ID, accessible from the confirmation e-mail received. 
After using the service or in the event of non-use of the service, the user will receive a service e-mail allowing them to evaluate the Q-Pass service. 
In the event of problems with the operation of the gate, passengers will still be able to access by the ordinary means.  

6. Data retention period

Personal data relating to the booking and use of the service will only be kept for the time necessary for the purposes for which they are collected in compliance with the principle of minimisation pursuant to Art. 5.1, letter c GDPR. In particular, the data entered for the Q-Pass service are retained from the time of booking and up to 72 h after the use of the service, after which they are deleted. 
It is understood that personal data acquired for the access to boarding areas are stored in the ordinary manner in relation to which please refer to the privacy policy on the processing of personal data in the context of security checkpoints.
With reference to promotional and marketing purposes, if the user voluntarily activates the receipt of content, personal data will be processed until consent is withdrawn and/or the right to object to processing (opt-out) is exercised in the manner set out in paragraph 9 below. 
In any case, we will potentially refresh the consent given for that purpose in order to respect the user's choice. 

7. Data recipients

Within ADR S.p.A., only the subjects appointed to process the data by the Data Controller and authorised to carry out the processing operations to meet the purposes set out in point 3 may become aware of the data provided. 
Moreover, the data may only be processed by third party companies to which ADR entrusts specific activities and services connected to the management of the booking service. 
In particular, the data may be processed by the subjects the Data Controller uses to maintain and manage the systems in their role as External Data Processors and the Sub-Processors they use. For a complete list of Data Processors and Sub-Processors, please contact the Data Controller at any time. 
In addition, ADR makes use of cloud services in order to optimise the performance of the www.adr.it website. ADR has signed a special Enterprise Agreement with Amazon Web Service EMEA SARL, selecting sites available within the European Economic Area for storing its content. In any case, the supplier in question does not access users' personal data acquired on the website, limiting itself to using the information essential to provide and maintain the cloud services. 
The data may be communicated to the competent public authorities in order to comply with legal obligations. In any case, your personal data will not be disseminated. 

8. Non-EU data transfer

Data will not be disclosed and/or communicated to third parties located outside of the European Economic Area. 

8. Rights of the data subjects

Lastly, please be informed that Articles 15-22 of the GDPR give data subjects the possibility to exercise specific rights under certain conditions; data subjects can obtain, from the Data Controller: access, rectification, deletion, limitation of processing, withdrawal of consent as well as the portability of data concerning them. 
Data subjects also have the right to object to the processing. In the event that the right to object is exercised, the Data Controller reserves the right not to proceed with the request and, therefore, to continue the processing, in the event that there are compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedom of the data subject. 
The aforementioned rights may be exercised by accessing your reservation which can be found in the e-mail received, or by withdrawing your consent to receive commercial and promotional information via the link available at the bottom of the e-mails received (opt-out), 
or by making a request addressed without formalities to the Data Protection Officer (DPO) at dpo@adr.it. 
The data subjects right to file a complaint with the Italian Data Protection Authority pursuant to Article 77, GDPR remains unaffected. 
The Data Controller reserves the right to update this policy.

Date of last update, March 2026