Data protection

Autogrill S.p.A. has updated the Data Protection Document for 2011, in consideration of our particular business needs, although it no longer needs to be mentioned in the financial statements in accordance with the “Simplification and Development Decree” (D.L. 5/2012).

This decree has also excluded data on corporate entities from the concept of “personal data.” The Group’s actions during the course of 2011 can be summarized as follows.

PCI DSS certification for credit card payment systems (available in version 2.0 since 2011) was renewed for Autogrill S.p.A. and Nuova Sidap S.r.l. and the certification process began for Alpha Retail Italia S.r.l.

A new intercompany agreement with the subsidiaries Aldeasa S.A., Autogrill Iberia S.L., World Duty Free Group UK Ltd. (formerly Autogrill Retail UK Ltd.), World Duty Free Group International Ltd. (formerly Autogrill International Airports Ltd.), Holding de Participations Autogrill S.a.s., and Autogrill Belux N.V. governs Autogrill S.p.A.’s processing of employee data for the Aconnect portal.

The Disaster Recovery (DR) project was completed for the SAP system,  regarding payroll and personnel management. This is in addition to DR for the administrative and financial, store management and supply chain systems.

Physical security improvements were completed and REI  120 fire safety certification obtained at the datacenter in Rozzano.

Four ICT security policies were adopted for all of the European companies (concerning reporting, access and usage management, the security of electronic payments and disaster recovery).

The process of appointing employees in charge of data processing has been completely automated and integrated with the HR management system.

In addition, more stringent criteria have been adopted for:

  • the evaluation of system administrators;
  • program access control;
  • access to the company network by external parties;
  • monitoring of online privacy training.

Finally, some updates have been made to the organizational structure and eight external companies have been added to the list of data processors.