in accordance with EU Regulation 2016/679

The following Privacy Policy allows the customers to know how the Observatory Transport Compliance Rating (hereinafter referred as “O.T.C.R.”) will process the Personal Data collected through this Website.

A. Data to be processed

The Data Controller will process the personal data (e.g. name and surname, telephone number, e-mail address) – hereinafter referred as “Personal Data” or “Data” – provided by you through this Website and the downloadable forms.

B. Purposes of data processing

The Data Controller will process the Personal Data if one of the following conditions exists:

a) Management of User’s requests made through the compilation of the Contact Form, O.T.C.R. or TCR Protocol Application Forms, or the use of contact addresses on the Website: the optional, explicit and voluntary sending of Personal Data through the Contact Form and Contact addresses set out in this Website implies the acquisition of the User address, necessary to respond to requests (e.g. membership application to TCR Protocol or to O.T.C.R., request for information, request of documentation concerning TCR Protocol or to O.T.C.R, access to the reserved area of the site, etc.). If the User decides not to give consent to the processing of the Personal Data, it is impossible to proceed with the request.

b) Receipt of newsletters and messages from O.T.C.R: the User can choose to subscribe to the newsletter, giving prior consent to it. The User consent is given at the time of subscription. At any time, the User has the right to revoke his/her consent to the processing by clicking on the link provided in every newsletter email or by writing an e-mail to

c) Activities related to the User interaction with the TCR Website accessible through the address (which corresponds to the Website Homepage), the web portals, the website sections, including the reserved area, and the web pages accessible by mobile phone, tablets and pcs. Other websites that can be reached through links posted on the TCR website are excluded.

d) Activities related to the User interaction and his/her posts on TCR social networks.

e) Performance of a contract with the User and/or pre-contractual measures.

f) Furthermore, even in the absence of the User’s consent, O.T.C.R. can process your Personal Data in order to:

– To fulfil obligations set out by legislation (e.g. accounting, administrative, tax obligations, etc) to which the Data Controller is subjected
– Managing any dispute or litigation or the pursuit of a legitimate interest of the Data Controller or third parties.
– The Personal Data is processed in the public interest, in the exercise of public authority to which the Data Controller is invested.

However, it will always be possible for the User to request the Data Controller to clarify the specific legal basis that applies to the Personal Data processing and in particular whether the processing is based on the law, provided for by a contract or necessary to conclude a contract.

The Data Controller may be contacted to the following e-mail address:

C. Method of processing
The Data processing is made through IT and/or telematic tools, by implementing organizational methods and strategies connected to the purposes of the activity. The Persona Data will be processed under rules of legality, fairness, transparency, proportionality, accuracy, temporal delimitations, integrity and responsibility. In addition to the Data Controller, The Data may be accessed by other people involved in the organization of the work (administrative, commercial, marketing, legal staff, system administrators) or external parties (companies related to O.T.C.R., partners, hosting providers, IT companies, communication agencies) which might be appointed as Data Processors by the Data Controller.

D. Access to data
The Data may be accessed, for the purposes set out in point C., by the Data Controller’s employees and contract workers, in their role as persons authorised to process data and/or internal processing managers and/or system administrators.

E. Disclosure of data
Except for the browsing data previously mentioned, the User is free to disclose its/her Personal Data contained in the O.T.C.R. application forms to request information material or any other communication. If the Data provided by the User are not complete, it is impossible to proceed with the request. Furthermore, it should be noted that in some cases the Authority might request for news and information to control the Data processing in accordance to EU Regulation 679/2016 and the Legislative Decree 196/2003. In these cases, the Data disclosure is mandatory, otherwise an administrative penalty will be applied.

F. Place of data
Personal Data are held on servers located at the Data Controller’s operating premises, within the European Union. However, the Data Controller has the right to move these servers outside the European Union, where necessary. In this case, the Data Controller guarantees as of now that the transfer of Data outside the European Union will occur in compliance with the applicable legal provisions, following stipulation of standard contractual clauses required by the European Commission.

G. Storage of data
Personal Data are processed and retained for the length of time necessary to achieve the purposes for which they have been collected. Therefore:

  • The Data collected following a request from the User shall be retained as long as needed to meet his/her request.
  • The Data collected for the newsletter subscription shall be process until the User’ withdrawal of consent.
  • The Data collected for the implementation of the contract between the Data Collector and the User shall be processed until the contract has expired.
  • When the processing is based on the User’ consent for any other activity/request, the Data Controlled shall retain the Data until the User’ withdrawal of consent.
  • The Data Controller may be obliged to retain the Personal Data for a longer period in accordance with a legal obligation or by order of an authority
  • The Data collected for a legitimate interest of the Data Controller shall be processed until the satisfaction of the interest.

At the end of the retention period, the Personal Data will be deleted and the right of access, erasure, rectification and portability of the Data cannot longer be exercised. You may exercise your rights by sending an e-mail to

H. Rights of data subjects
As a Data Subject, you have the rights of access referred to in Articles 15-21, GDPR, that is, the right of access, the right to rectification, the right to erasure (“right to be forgotten”), the right to restriction of processing, the right to Data portability, the right to object, and the right to lodge a complaint with the Italian Data Protection Authority.

I. Method of exercising rights
You may exercise your rights at any time by sending:

– a registered letter A.R. to O.T.C.R. – OBSERVATORY TRANSPORT COMPLIANCE RATING Via Benedetto Marcello, 2 – 20124 Milano (MI)
– an e-mail to:

L. Data Controller, Data Processor and Persons authorised to process Personal Data

The Data Controller is O.T.C.R., having its head office and registered office in Via Benedetto Marcello, 2 – 20124 Milano (MI) and the following e-mail address: