Pursuant to Article 13 of Regulation (EU) 2016/679.
Fondazione Luigi Rovati operates in accordance with the General Data Protection Regulation as set forth in EU Regulation 2016/679 (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, "GDPR").
This page describes how the personal data of users (hereinafter "Users") who interact with the web services provided by the website https://shop-en.fondazioneluigirovati.org/ ("Site") are processed.
1. DATA CONTROLLER
The data controller of personal data is Fondazione Luigi Rovati, Corso Venezia 52 – 20121 Milano (MI) Tel. 039.90.66.008, codice fiscale 94634860152 ("Data Controller").
To contact the Data Controller send a communication to the following addresses: firstname.lastname@example.org or to the above-mentioned head office address.
2. DATA PROTECTION OFFICER
The Data Protection Officer is Avv. Rocca Maria, with office in Via Fiasella, 1/18 – 16121 Genova, C.F. RCCMRA70S58D969J, P. Iva 02319400996 ("DPO"). To contact the Data Protection Officer send a communication to the following addresses: email@example.com; PEC firstname.lastname@example.org or to the address of the above-mentioned firm.
The Controller will process personal data of Users of the site for the following purposes:
1. Offering the Site's navigation features, including accessing its pages and accessing content;
2. Responding to contact or information requests sent by the User;
3. Registration, access and use by the user of the Ticket shop, including the subsequent activities of product management and delivery and refunds;
4. Management of tax documentation related to purchases through the eCommerce shop;
5. Analysis of usage statistics and improvement of Site functionality;
6. User subscription to the newsletter and subsequent management of related communications;
7. Analysis activities of the user's tastes and consumption habits, aimed at offering personalized promotions and services.
4. CATEGORIES OF PERSONAL DATA PROCESSED
The categories of data processed are as follows:
- information related to the user's navigation on the Site, including so-called online identifiers and data related to the devices used;
- personal identification and contact data such as first name, last name, e-mail address in case of use of the Site features;
- personal data necessary for the management of payment methods and systems;
- additional data in case of implementation of new features;
- content that you make available through social media accounts (e.g., access through social media plug-ins). Regarding the use of your social media data, we recommend that you review the privacy policies of the social media sites where you have a profile.
5. PROVISION OF DATA AND CONSENT TO ITS PROCESSING - CONSEQUENCES IN CASE OF FAILURE TO PROVIDE DATA
Failure to provide personal data will make it impossible for the Interested Party to complete the procedures for the purchase, sale, delivery, to benefit from the services reserved for registered Users or requested by them from time to time as indicated in the conditions of use of the Site, as well as the performance of administrative and accounting activities by the Owner.
The provision of personal data where optional will make it impossible to subscribe to the newsletter and communications of commercial offers. In the event of the provision of data by the Interested Party, the right of the Interested Party to revoke consent to the sending of communications at any time by selecting the "Unsubscribe" function present in the e-mail communications remains, however, unaffected.
6. SCOPE OF DATA COMMUNICATION AND COMMUNICATION TO THIRD PARTIES
Within the limits of the above obligations, tasks or purposes, personal data may be processed, made available and/or communicated to:
(i) employees and/or collaborators of the Data Controller;
(ii) third parties appointed as Data Processors (in particular, suppliers of goods or services), including their employees and/or collaborators;
(iii) jurisdictional, administrative and/or public security authorities, in accordance with regulatory provisions.
The list of data recipients is constantly updated and can be requested from the Data Controller at RPDemail@example.com.
7. DATA RETENTION PERIOD AND LEGAL BASIS
Personal data are retained for as long as necessary to achieve the purposes.
A) Navigation functionality of the Site, including access to its pages and access to content: only for the period necessary to stay on the Site, and in any case for a maximum of 24 months. The processing is necessary for the performance of pre-contractual and contractual activities.
B) Responding to contact or information requests sent by the user: for a maximum of 10 years from the interaction with the data subject. Exercise of the legitimate interest of the Data Controller, aimed at maintaining relationships with users of the Site.
C) Registration, access and use by the user to the Ticket shop, including the subsequent activities of product management and delivery and refunds: for up to 10 years after the user's deletion from Ticket shop. The processing is necessary for the performance of pre-contractual and contractual activities.
D) Management of tax documentation related to purchases through Ticket shop: for up to 10 years after the relevant purchase made. The processing is necessary to fulfill legal obligations (in particular, accounting and tax).
E) Analysis of usage statistics and improvement of Site functionality: until expiration of user ID kept longer, unless requests for deletion or anonymization. User consent, except - in some limited cases - exercise of the legitimate interest of the Owner, aimed at improving its products and services.
F) User subscription to the newsletter and subsequent management of related communications: until the data subject requests cancellation, unless extended or requests for cancellation. User Consent.
G) Activities to analyze user tastes and consumption habits, aimed at offering personalized promotions and services: for up to 24 months from the acquisition of consent, unless extended or requests for cancellation. User Consent.
Should the interested party wish more information about the balance between the legitimate interests pursued by the Data Controller and the fundamental rights and freedoms of the natural person, he/she may contact them at the contact details indicated, being entitled to receive feedback as soon as possible and in any case within the timeframe prescribed by law.
In case of litigation with the user or third parties, or control by the authorities in charge, the storage may be extended until the expiration of the last applicable prescriptive term.
The data will not be disseminated in any way, except with the express and prior consent given by the interested party and within the limits of what is required by law.
Personal data are processed by manual and electronic means and are stored in the electronic database in charge (site database) residing on servers owned by the Data Controller. In the event that the processing is based on consent or contract and is carried out by automated means, the data subject has the right to receive his or her data in a structured, commonly used and machine-readable format, as well as, if technically feasible, to transmit it to another data controller without hindrance.
8. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
Personal data may be transferred to countries outside the European Economic Area exclusively for technical needs, in any case to entities based in countries recognized as "adequate" by the European Commission or which have entered into appropriate Standard Contractual Clauses in the text approved by the European Commission.
9. RIGHTS OF DATA SUBJECTS (USERS)
The data subject may, at any time, exercise the rights provided for in European Regulation No. 2016/679. In particular, the data subject has the right:
- to access his/her personal data;
- to obtain the rectification or erasure of the same or the restriction of the processing concerning him/her;
- to object to the processing;
- to obtain data portability;
- to revoke consent, where applicable: revocation of consent does not affect the lawfulness of the processing based on the consent given before revocation;
- to lodge a complaint with the supervisory authority: for Italy, the supervisory authority is the Data Protection Authority based in Rome (www.gpdp.it).
The exercise of the aforementioned rights may be made by sending a request to the references of the Data Controller, as indicated above, and in particular to the e-mail address indicated.
Last update: August 2nd 2023