Privacy Policy
PRIVACY NOTICE
Pursuant to Article 13 of Regulation (EU) 2016/679
In accordance with Regulation (EU) 2016/679 (hereinafter “GDPR”), Fondazione Luigi Rovati ETS, as Data Controller, provides the following updated privacy notice to users of its institutional application (hereinafter the “App”). The purpose of this document is to transparently describe the methods of processing of personal data collected through the App.
1. Data Controller
The Data Controller of the personal data is:
Fondazione Luigi Rovati ETS
Registered office: Corso Venezia 52, 20121 Milan (MI), Italy
Tax Code: 94634860152
(hereinafter, the “Controller”).
Contact details:
- Email: rpd-fondazioneluigirovati@fidimholding.com
- Address: Corso Venezia 52, 20121 Milan (MI), Italy
2. Data Protection Officer (DPO)
The Foundation has appointed a Data Protection Officer (DPO), who may be contacted regarding matters relating to the processing of personal data.
DPO contact details:
- Avv. Maria Rocca
- Email: studiolegale@avvrocca.it
- PEC: maria.rocca@ordineavvgenova.it
3. Purposes of Processing and Legal Basis
Your personal data will be processed for the following purposes, each based on a specific legal ground:
A) Provision of services requested through the App:
Processing is necessary for the management of pre-contractual and contractual activities, such as:
- Providing general information about the Museum, the visitor route, and exhibited objects;
- Managing the purchase of admission tickets, museum services, and merchandising products;
- Consulting catalogues or books.
Legal basis: Performance of a contract to which the data subject is a party or implementation of pre-contractual measures taken at the data subject’s request (Art. 6(1)(b) GDPR). Provision of data for this purpose is necessary to deliver the requested services.
B) Compliance with legal obligations:
Processing is necessary for the management of administrative, accounting, and tax obligations arising from the contractual relationship.
Legal basis: Compliance with a legal obligation to which the Controller is subject (Art. 6(1)(c) GDPR).
C) Marketing and newsletters:
Subject to your explicit and specific consent, your contact details may be used to send promotional communications, newsletters, and updates on the Foundation’s activities.
Legal basis: Consent of the data subject (Art. 6(1)(a) GDPR). Consent is optional and may be withdrawn at any time with the same ease with which it was given. Withdrawal of consent does not affect the lawfulness of processing based on consent prior to withdrawal.
D) Profiling for marketing purposes:
Subject to your explicit and specific consent, data relating to your purchases and preferences may be analysed in order to personalise commercial communications and service offerings.
Legal basis: Consent of the data subject (Art. 6(1)(a) GDPR). Consent is optional and may be withdrawn at any time.
E) Statistical analysis and service improvement:
Data relating to use of the App and visits to the Museum may be collected and processed in anonymous or aggregated form for statistical purposes, in order to evaluate and improve the cultural offer and services provided.
Legal basis: Legitimate interest of the Controller (Art. 6(1)(f) GDPR) in improving its services, provided that such interest does not override the interests or fundamental rights and freedoms of the data subject.
4. Categories of Personal Data Processed
The Controller processes the following categories of personal data:
- Identification and contact data: First name, last name, gender, year of birth, email address;
- Economic and commercial activity data: Information relating to the purchase of tickets, services or products, and payment data necessary to complete transactions;
- Browsing data: Parameters relating to the operating system and IT environment of the user, collected during use of the App, necessary to ensure proper operation and security.
As a rule, the processing does not concern special categories of personal data (pursuant to Art. 9 GDPR) or data relating to criminal convictions and offences (pursuant to Art. 10 GDPR).
5. Data Retention Period
Your personal data will be retained for a period not exceeding that necessary to achieve the purposes for which they are processed, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR). In particular:
- Contractual, accounting and tax data: retained for 10 years from termination of the contractual relationship, in compliance with civil and tax obligations;
- Marketing and profiling data: retained until withdrawal of your consent;
- Browsing data: retained for the time strictly necessary for the technical operation of the App.
In the event of legal disputes, data will be retained for the entire duration of the proceedings, until expiry of the terms for filing appeals.
6. Categories of Data Recipients
Your personal data may be disclosed to third parties for the proper fulfilment of the above purposes, in particular to:
- Technical and IT service providers: companies providing hosting services, App maintenance, email delivery, acting as Data Processors pursuant to Art. 28 GDPR;
- Banks and financial institutions: for the management of collections and payments;
- Consultants and professionals: such as law firms or accountants, for tax and legal compliance;
- Public bodies and judicial authorities: in cases provided for by law and upon request.
An updated list of Data Processors is available upon request. Data will not be subject to indiscriminate disclosure.
7. Transfer of Data Abroad
As a rule, no transfers of personal data to third countries or international organisations outside the European Economic Area (EEA) are envisaged. Should such transfers be necessary for the provision of specific services (e.g. cloud services), the Controller ensures compliance with Articles 44 et seq. of the GDPR, by adopting Standard Contractual Clauses (SCCs) approved by the European Commission or by verifying the existence of adequacy decisions.
8. Rights of the Data Subject
As a data subject, you may exercise at any time the rights provided for in Articles 15 to 22 of the GDPR, including:
- Right of access (Art. 15);
- Right to rectification (Art. 16);
- Right to erasure (“right to be forgotten”, Art. 17);
- Right to restriction of processing (Art. 18);
- Right to data portability (Art. 20);
- Right to object (Art. 21);
- Right to withdraw consent (Art. 7).
Requests may be sent to the Controller using the contact details provided in Section 1 or directly to the DPO using the contact details in Section 2.
9. Right to Lodge a Complaint
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority (in Italy, the Garante per la Protezione dei Dati Personali) pursuant to Art. 77 GDPR, or to seek judicial remedies pursuant to Art. 79 GDPR.
10. Processing of Minors’ Data
The services offered through the App are not intended for individuals under the age of 18. The Controller does not intentionally collect personal data relating to minors. Should such data be inadvertently collected, they will be promptly deleted upon request by the user or by the person exercising parental authority.
11. Data Protection Impact Assessment (DPIA)
At present, the processing activities carried out through the App do not present a high risk to the rights and freedoms of data subjects such as to require a Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR. The need for a DPIA will be periodically reviewed.
This privacy notice is updated as of 12/12/2025.