Privacy Policy Statement pursuant to Art. 13 of UE Regulation No. 679/2016 and of the Privacy Code as recently modified by Legislative Decree 101/2018
Preamble
For Opera Santa Maria del Fiore (hereinafter, also only OSMF) your privacy and the confidentiality of your personal data are particularly important. For this reason we collect and process them with the utmost care and attention, adopting at the same time, specific technical and structural measures in order to guarantee the complete safety of their processing.
We consequently inform you, therefore, pursuant to Art. 13 of the 2016/679 European Union Regulation and the Privacy Code as recently amended by Legislative Decree 101/2018 ("Regulations") that the processing of your personal data takes place in a manner suitable to guarantee security and confidentiality, and is carried out, using paper, computer and/or electronic media, as detailed in this Private Privacy Statement.
Definitions
Personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Processing of special categories of personal data: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data controller;
Distance selling contract: means any contract concerning goods or services concluded between a supplier and a consumer under an organized distance sales or service-provision scheme run by the supplier, who, for the purpose of the contract, makes exclusive use of one or more means of distance communication up to and including the moment at which the contract is concluded; made by means of distance communication` means any means which, without the simultaneous physical presence of the supplier and the consumer, may be used for the conclusion of a contract between those parties (Legislative Decree No. 185/1999, Article 1 of the Italian Civil Code).
Data Controller
The processing of your personal data is carried out by Opera Santa Maria del Fiore (hereinafter, also only OSMF), with its registered office in Florence, Via della Canonica 1, as Data Controller pursuant to and for the purposes of the Regulations.
For any questions related to the processing of your personal data you can contact OSMF at any time, by sending a request, to the following references:
Corporate Name: Fabbriceria di Opera di Santa Maria del Fiore - Onlus
Registered Office Address: Via della Canonica 1, Firenze (50122)
Telephone contact data: 055 2302885
E-mail contact data: privacy@operaduomo.firenze.it
Data Protection Officer (DPO) contact data: dpo@operaduomo.firenze.it
External Data Processor pursuant to EU. Art. 28 Reg. 679/2016
1. The Company SKIDATA S.r.l. with its registered office in Bolzano, Via J. Ressel, 2F, 39100, P.IVA 01220250219 is appointed by OSMF as the External Data Processor pursuant to Art. 28 of the Regulation, and is required to carry out the activity assigned to it according to the specific instructions given by OSMF.
2. SKIDATA has appointed as the Sub External Data Processor the Company Skiperformance AS, with its registered office in Lommedalsveien 230 N-1354 Bærums Verk, Norvegia Org: 814 054 462 mva.
SKIDATA and Skiperformance, which were previously authorized and properly selected in order to offer a suitable guarantee of compliance with the rules on the processing of personal data, shall treat your data only in order to allow you to take advantage of our ticket sales service, which will take place by means of the regulations governing "distance contracts". SKIDATA will also assume all responsibility (invoicing, shipping, etc.) pursuant to the aforementioned Legislative Decree 185/1999 and Art. 51 et seq. of the Italian Consumer Code (Legislative Decree 206/2015).
It should also be noted that every transaction deriving from the stipulation of the aforementioned "distance contracts" will take place - in compliance with Art. 124 of Legislative Decree 101/2018 - on servers equipped with SSL encryption system in order to ensure a secure transmission, as well as the fact that the verification of the credit card will take place only via the bank payment (which will validate the payment and store the card code, without having the latter ever arriving at the Skiperfomance server).
Type of Data and the Purpose of the Date Processing
The personal data that OSMF shall deal with are only those that are provided by users who use the electronic ticket sales services.
These are only transmitted to SKIDATA, in relation to the service that is provided by it and its quality of External Data Processor.
OSMF may, therefore, collect personal identification data, such as personal data such as name and surname, email address, origin, etc. in two different ways: web site registration form or social network account login (Facebook and Gmail). The personal data used to register on the Site are provided directly by the user, except in the case where the user expressly requests registration and login via the social network at the first access, or subsequently if already registered. In this case, OSMF will store through the reference social network only. The information from the relevant profile of which the user expressly authorizes the sharing. The association of the social network profile will result in the respective accounts on the social networks to which specific privacy policies should be referred to for any further details. OSMF does not send any information about the user to social networks.
Your personal data, once it has been collected, are processed for the following purposes:
A. B. | PURPOSE: Compliance with the obligations foreseen by laws, regulations, national or European regulations, or provisions issued by Authorities and by Supervisory and Control Bodies. Perform the activity of providing electronic and IT ticket sales services. | JURIDICAL BASIS: The data processing carried out for these purposes are necessary for the fulfilment of legal obligations and to make it possible for the data subject to use the online sales service and does not require specific consent. The provision of data is necessary to allow users to use the online sales services provided by OSMF and do not require the specific consent from the data subject. |
Categories of recipients of the personal data
Your personal data shall be processed by OSMF systems and personnel, that has been specifically authorized pursuant to Art. 4, paragraph 10 of the EU Regulation, which processes data upon precise indications provided by the Data Controller.
Your personal data will also be transmitted to the aforementioned company SKIDATA and Skiperformance, appointed External Data Processor and Sub External Data Processor pursuant to Art. 28 of the Regulations and which is required to carry out the activity assigned to it in accordance with the specific instructions given by OSMF.
Finally, your data may be transmitted to other subjects as legal counselors, the police forces and to the judicial and administrative authorities, in accordance with the law, for the investigation and prosecution of crimes, the prevention and protection from threats to public security, as well as to allow OSMF to exercise or protect its own or third party right before the competent authorities, as well as for other reasons related to the protection of the rights and freedoms of others, in accordance with the provisions of Art. 2-sexies of Legislative Decree 101/2018.
Your personal data will be not transmitted for maketing purposes.
Retention period of the personal data (Data Retention)
We inform you that your data will be kept for two years starting from the date of visit, aimed solely for the purpose of fulfilling those obligations imposed by the ticket sales contract, and that, in any case, this period will not exceed legal terms. At the end of this period, your data will be permanently erased by OSMF and Skiperformance (at the address: privacy@operaduomo.firenze.it; support@skiperformance.com).
Mandatory or optional nature of data provision and consequences of any refusal
The provision of data is necessary to provide the service or for the performance of a contract to which the data subject is party. Refusal to provide the same will not allow provision of other service.
Profiling
No profiling of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements is done.
Your rights
We inform you that you have the right to exercise the following rights in relation to the personal data subject of this information, as provided for and guaranteed by the Regulation:
- Right of access and rectification (Articles 15 and 16 of the Regulation) you have the right of access to your personal data and ask that the same are correct, be modified or completed. If you so desire, we will provide you a copy of your data in our possession.
- Right of the erasure of the data (Art. 17 of the Regulation): in the cases provided for by the current legislation you may request the erasure of your personal data. Having received and analysed your request, we shall cease the processing and erase your personal data, if the request is found to be legitimate.
- Right to the restriction of processing (Art. 18 of the Regulation): you have the right to request the restriction of processing of your personal data in the case of unlawful processing or if the accuracy of the personal data is contested by the data subject.
- Right to data processing (Art. 20 of the Regulation): you have the right to ask for and obtain your personal data by the Data Controller in order to transmit them to another Data Controller, in those cases foreseen in the referred to Article.
- Right to object (Art. 21 of the Regulation): you have the right to object at any moment to the processing of your personal data carried out on the basis or our legitimate interest, explaining the reasons for your request to us; before acceding to your requests, OSMF will have to evaluate the reasons of your request.
- Right to lodge a complaint with a supervisory authority (Art. 77 of the Regulation and Art. 141 of the Legislative Decree 101/2018): you have the right to lodge a complaint with the competent Supervisory for the protection of the Personal Data whenever you feel that there is an infringement of your rights as regards the processing of your personal data.
- Right to withdraw the consent given (Article 13 of the Regulation): to the processing of personal data that find their legal basis exclusively on your consent, you have the right to withdraw the consent you have given at any time, by contacting the Data Controller.
You may exercise your rights at any time with reference to the specific processing of your personal data by OSMF.
Further information about the rights of the data subject may be obtained by asking the Data Controller for a complete extract of the aforementioned articles.
Without prejudice to that which has been expressed so far, we remind you that the above rights may also be exercised by anyone who has a personal interest in, or acts to protect you, as your agent, or for family reasons worthy of protection, pursuant to Art. 2- (1) of the Legislative Decree 101/2018.
Security Measures
OSMF has adopted adequate security measures to safeguard the confidentiality, integrity, completeness and availability of the personal data of the data subject. Technical, logistical and organizational measures have been developed to prevent damage, even accidental losses, alterations, improper and unauthorized use of the processed data.
We proceed to test, verify and regularly assess the effectiveness of the safety measures, in order to ensure the continuous improvement in the security of the processing.
Modifications to Current Legislation
The constant evolution of our services might involve changes in the characteristics of the processing of your personal data described up to now. This privacy statement may be subject to changes and additions over time, as necessary owing to new regulatory measures regarding the protection of personal data, or the evolution/modification of our services.
We therefore invite you to periodically check the contents of our information: whenever possible, we will try to promptly inform you about the modification carried out and their consequences.