Privacy Policy

(in accordance with the Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR))

Pursuant to Articles 12, 13 and 14 of Regulation (EU) 2016/679 and in relation to the information and personal data that shall come into its possession, Autolinee Toscane S.p.A., as Data Controller, informs you of the following.

As part of its business activities, Autolinee Toscane S.p.A. is required to process the personal data of its customers, potential customers, users, suppliers, job candidates or other data subjects. Autolinee Toscane S.p.A. attaches particular importance to the protection of personal data and makes it a real priority in its daily activities. For this purpose, it has adopted suitable technological tools to ensure the correct and secure processing of data and an organisational structure that provides for the continuous training of the persons in charge of the data processing and the appointment of figures in charge of compliance with current legislation. Such figures include the DPO “Data Protection Officer”, responsible for observing, assessing and organising the management of the processing of personal data and its protection.

This Privacy Policy is aimed at users who access the Autolinee Toscane S.p.A. website.

  • The Data Controller is Autolinee Toscane S.p.A. with registered office in Viale del Progresso, 6 – 50032 Borgo San Lorenzo (FI) – Italy, hereinafter referred to as “AT” or “the Data Controller”.

  • AT has identified a person responsible for the protection of personal data (DPO - Data Protection Officer) who can be contacted by mail at Autolinee Toscane S.p.A. – Data Protection Officer – Viale del Progresso, 6, 50032 Borgo San Lorenzo (FI) – Italy or by email at

  • The term “data processing” shall mean any activity concerning the collection, registration, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, deletion or destruction of personal data. For example, when a user’s name, surname and address are requested: entering this data represents one of the possible methods of processing the data subject’s personal data.

  • The term “personal data” shall mean information that identifies or makes a natural person identifiable and that can provide information on the same, directly (personal data such as for example the name and surname and photos) or indirectly (for example tax code and IP address). “Special data”, on the other hand, is a type of personal data that reveals the racial or ethnic origin, religious and philosophical beliefs, political opinions, trade union membership, relating to the user’s health or sexual life, genetic data and biometric data. Finally, “judicial data” is personal data relating to criminal convictions and offenses. Personal data also includes data relating to electronic communications, via the Internet or telephone and those that allow geolocation, providing information on places frequented and on movements.

With reference to its customers, AT shall process personal data for the following purposes:

  1. Management of contractual relations (e.g. the purchase of tickets and season passes, personnel selection);

  2. Management of the functionality and use of the services available on the Website;

  3. Processing of requests and complaints;

  4. Management of after-sales support;

  5. Management of items lost or found online;

  6. Carrying out direct marketing and commercial sales activities;

  7. Management and monitoring of tickets and collection of fines;

  8. Management of legal, judicial and insurance practices;

  9. Selection and recruitment of personnel through the portal available on the Company’s Website.

For each of the aforementioned purposes, an explicit and distinct consent from the user shall be requested, in the appropriate forms.

Through its Website, AT can process the following types of personal data.


During normal operation, computer systems and software procedures responsible for keeping this Website operational collect some personal information whose transmission is implicit in the use of Internet communication protocols.

This data category includes IP addresses or the domain names of computers and terminals used by users, URI/URL addresses (Uniform Resource Identifier/Locator) of resources requested, time of the request, method used to submit the request to the server, size of the files obtained in response, the numerical code indicating the response status given by the server and other parameters related to the user’s operating system and computer environment.

Such data, necessary for the use of the web services, is also processed in order to obtain statistical information on the use of the services and verify the correct functioning of the services offered. The data is used for the minimum period of time provided for by current legislation. The data could be used to ascertain responsibility in the event of any IT crimes against the Website and/or users.


The optional, explicit and voluntary sending of messages to the AT’s contact details, as well as the compilation and submission of the forms available on the Website, involve the acquisition of the user’s contact data, necessary to respond to their request, as well as of all personal data included in the communications.

In general, the data provided voluntarily by users can consist of:

  1. user identification data (e.g. name, surname, date of birth, language, country, copy of identity document, etc.);
  2. contact details (e.g. email address, telephone number, residential or domicile address, etc.);
  3. connection, geolocation and navigation data (e.g. IP address, mobile app);
  4. commercial data (e.g. newsletter subscription);
  5. health data;
  6. income data;
  7. data relating to the user’s marital status;
  8. education data;
  9. data relating to training and professional skills.

In particular, the following types of data shall be processed:

  • When registering on the site: the user’s email address.

  • When purchasing travel tickets online: the user’s name and surname, tax code, residential address, nationality, telephone number and copy of an identity document.

  • For managing the functionality and use of the services available on the website: the user’s navigation data.

  • For the management of complaints: the user’s name, surname, email address and/or telephone number.

  • For the selection of job applications: the user’s name, surname, personal data, nationality, telephone number, tax data, data relating to training and work skills, health data or data suitable for determining the state of health and any other information that the candidate has entered in their Curriculum Vitae.

  • To facilitate access to concessions or discounts: depending on the case, data relating to the user’s marital status, income conditions and health status. Information relating to the state of health shall be processed as special data pursuant to Article 9 of the GDPR and only with the user’s express consent. Specific Privacy Policies shall be published by AT on the Website pages corresponding to the provision of individual services.


Third-party companies, which have agreements in place with AT for subscriptions at reduced rates for employees, may send AT the names of those who intend to subscribe to its services and benefit from economic benefits. AT shall provide such individuals with a suitable Privacy Policy pursuant to Article 13 of the GDPR at the time of their registration on the Portal.

4 - Legal basis

Personal data is lawfully processed by AT, in relation to the aforementioned purposes, on the basis of one or more of the following legal bases:

  • for the purposes referred to in points no. 1, 3, 4, 8 and 9 in the performance of a contract to which the data subject is a party or to facilitate the implementation of precontractual measures adopted at the request of the same;

  • for the purposes referred to in points no. 2, 5, 7 for the legitimate interest pursuant to Article 6, paragraph 1, letter f);

  • for the purposes referred to in point 6, with the specific and express consent of the data subject.

  • The personal data provided shall be processed in compliance with the principles of lawfulness, relevance and necessity of the processing provided for by applicable regulations on data protection.

  • The data shall be processed on paper and/or with the aid of electronic and automated tools and exclusively by employees and/or collaborators of AT, authorised for such purpose and appropriately trained. The aforementioned data may also be accessed by employees of external companies, appointed as external data processors.

  • AT observes specific security measures to prevent the loss of data, to prevent its illicit or incorrect use as well as to prevent unauthorised access to the same data.

6.1. On board AT means of transport, geolocation systems and surveillance cameras are installed, to ensure the best management of the mobility services offered and in the legitimate interest of the company (legitimate interest legal basis pursuant to Article 6, paragraph 1, letter f) of the GDPR). For the processing of data that may be collected by these systems, please refer to the separate Privacy Policy available on the AT website. The legal basis for this data processing is the legitimate interest of AT pursuant to Article 6, paragraph 1, letter f).

6.2. On the AT website, in the “TRAVEL” section, the “SALES POINTS” service is offered with which the user can search for the AT ticket office closest to them. This service requires AT to activate the geolocation system of the device with which the user is connected. The purpose of this data processing is the provision of a service for the benefit of the customer. The legal basis of this data processing is the consent of the data subject, pursuant to Article 6, paragraph 1, letter a).

If the data subject wishes to file complaints and/or reports of anomalies regarding the transport service, using the form available in the “Talk with AT” section or by email sent to or by contacting AT’s official pages available on the company’s social media networks or by calling AT’s or the Region of Tuscany’s call centre or via AT’s user desks, he/she must provide their name and surname and email address or telephone number, where no email address is available, in order to allow AT to handle the complaint promptly and accurately, to defend themselves against the claims made and to respond to the reports submitted by the same data subject.

  • The data may be visible by companies, bodies and/or professionals appointed by AT to review its IT procedures and for needs related to the management of the transport service.

  • Some personal data in the context of the operation of regional public transport or in the integrated electronic ticketing system is stored in the centralised regional information systems to which the Region or companies operating in the management of IT systems may have access.

  • AT may also communicate the personal data of users of its services to law enforcement agencies, other public administrations by virtue of legal obligations or exercising the right of defense in court.

  • Based on the specific case, the aforementioned subjects will act as co-data controllers, processors or autonomous data controllers. The updated list of data recipients can be requested from the Autolinee Toscane DPO at the addresses indicated above.

  • AT shall not transfer data to a third country or to an international organisation.

  • All personal data provided by the user shall be retained only for the time strictly necessary for the purposes for which it was collected and unless the data subject revokes their consent.

  • The personal data collected during registration on the AT Website and during the purchase of travel tickets shall be retained for the time strictly necessary to manage post-sale activities and, in any case, for a maximum period of 5 years.

  • Customer data for processing complaints and inquiries shall be retained 3 years from the last contact with the same customer.

  • Data acquired for direct marketing purposes shall be retained for a period not exceeding 24 months from its registration.

  • The data processed in the context of judicial proceedings shall be retained for the duration of the proceedings, plus 5 years.

  • For foreign users without an Italian tax code, during the registration phase, AT processes the data subject’s data by generating a temporary alphanumeric code necessary exclusively for the provision of the ticket/season pass requested. This data processing, therefore, does not provide for the storage and/or recording of data on any corporate database.

  • At the end of the retention period, the data shall be deleted or otherwise irreversibly de-identified (based on anonymisation procedures), unless the further retention of some or all of the data is required by law.

The Data Subject may exercise the rights provided for by Articles 15 to 22 of the GDPR. By way of example, the data subject has the right to request from AT:

  • the confirmation as to whether or not personal data concerning him or her is being processed and, in this case, to obtain access to such data as well as provide for the correction of inaccurate personal data (Articles 15 and 16 of Regulation (EU) 2016/679);

  • the deletion of the processed data (Article 17), only if the personal data is no longer necessary in relation to the purposes for which the same data was collected or otherwise processed;

  • the limitation of the data processing (Article 18) for the time necessary for the Data Controller to verify the personal data processed when the data subject disputes its accuracy;

  • the portability of data (Article 20) to another Data Controller;

  • to oppose the processing of his or her data at any time in the cases provided for by Article 21.

The data subject can exercise all rights provided for by sending the request via registered letter with return receipt to Autolinee Toscane S.p.A. – Data Protection Officer – Viale del Progresso, 6, 50032 Borgo San Lorenzo (FI) – Italy or via mail at

If the data subject considers that the data processing that concerns him or her violates the provisions of Regulation (EU) 2016/679, he/she is entitled to lodge a complaint with the Authority for the Protection of Personal Data in the manner described on the website of the same Authority available at

Users who believe that the data processing carried out on the Website is in violation of the GDPR are entitled to lodge a complaint with the Supervisory Authority, pursuant to and by effect of Article 77 of the GDPR or pursuant to Article 78 of the GDPR, to refer the matter to the competent courts.

With regard to the data processing indicated, in no case shall the Data Controller carry out data processing activities consisting of automated decision-making processes on the data of natural persons, nor shall the data be used for profiling purposes.

This Privacy Policy may undergo further subsequent changes, also related to the possible entry into force of new sector regulations, to the updating or provision of new services by the Data Controller or to technological innovations.

In all these cases, the user is invited to read the Privacy Policy available on the Website.