Privacy Policy

PRIVACY NOTICE

Pursuant to Article 13 of Regulation (EU) 2016/679

In accordance with Regulation (EU) 2016/679 (hereinafter “GDPR”), Fondazione Luigi Rovati ETS, as Data Controller, provides the following updated privacy notice to users of its institutional application (hereinafter the “App”). The purpose of this document is to describe, in a transparent manner, how personal data collected through the App are processed.

1. Data Controller

The Data Controller of personal data is Fondazione Luigi Rovati ETS, with registered office in Milan, Corso Venezia 52. Email: rpd-fondazioneluigirovati@fidimholding.com. Address: Corso Venezia 52, 20121 Milan (MI), Italy.

2. Data Protection Officer (DPO)

The Foundation has appointed a Data Protection Officer (DPO), who may be contacted regarding matters related to the processing of personal data. DPO contact details are: Avv. Maria Rocca, Email: studiolegale@avvrocca.it, Certified email (PEC): maria.rocca@ordineavvgenova.it.

3. Purposes of Processing and Legal Basis

Your personal data will be processed for the following purposes, each based on a specific legal ground.

A) Provision of services requested through the App. Processing is necessary for the management of pre-contractual and contractual operations, including the provision of general information about the Museum, the visitor itinerary and the exhibited objects; the management of the purchase of admission tickets, museum services and merchandising products; the consultation of catalogues or books; the management of the interactive audio guide function during the Museum visit, which interacts with the space through a sensor system (beacons) to deliver visit content based on your location. Legal basis: performance of a contract to which the data subject is party or implementation of pre-contractual measures taken at the data subject’s request (Article 6(1)(b) GDPR). The provision of data for this purpose, including geolocation data for the audio guide function, is necessary for the delivery of the requested services. Failure to activate the relevant functions (e.g. Bluetooth, background tracking) will prevent the correct functioning of the audio guide service.

B) Compliance with legal obligations. Processing is necessary for the management of administrative, accounting and tax obligations arising from the contractual relationship. Legal basis: compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) GDPR).

C) Marketing and newsletter. Subject to your explicit and specific consent, your contact details may be used to send promotional communications, newsletters and updates on the Foundation’s activities. Legal basis: consent of the data subject (Article 6(1)(a) GDPR). Consent is optional and may be withdrawn at any time with the same ease with which it was given. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

D) Profiling for marketing purposes. Subject to your explicit and specific consent, data relating to your purchases and preferences may be analysed in order to personalise commercial communications and service offerings. Legal basis: consent of the data subject (Article 6(1)(a) GDPR). Consent is optional and may be withdrawn at any time.

E) Statistical analysis and service improvement. Data relating to the use of the App and visits to the Museum may be collected and processed in anonymous or aggregated form for statistical purposes, in order to assess and improve the cultural offer and the services provided. Legal basis: legitimate interest of the Data Controller (Article 6(1)(f) GDPR) in improving its services, provided that such interest does not override the interests or fundamental rights and freedoms of the data subject.

4. Categories of Personal Data Processed

The Data Controller processes the following categories of personal data: identification and contact data (name, surname, gender, year of birth, email address); economic and commercial activity data (information relating to the purchase of tickets, services or products, and payment data necessary to complete transactions); browsing data (parameters relating to the operating system and the user’s IT environment collected during the use of the App, necessary to ensure its proper functioning and security); geolocation data. During the use of the audio guide function inside the Museum, the App, subject to your activation of the necessary permissions (Bluetooth and background tracking), acquires data relating to your position via beacon technology. Such data are processed to enable the activation of contextual audio content. For statistical purposes, these data are aggregated and anonymised. The processing of location data is subject to specific safeguards, such as consent or anonymisation. As a rule, the processing does not concern special categories of personal data pursuant to Article 9 GDPR, nor data relating to criminal convictions and offences pursuant to Article 10 GDPR.

5. Data Retention Period

Your personal data will be retained for a period no longer than necessary to achieve the purposes for which they are processed, in accordance with the principle of storage limitation (Article 5(1)(e) GDPR). In particular, contractual, accounting and tax data will be retained for 10 years from the termination of the contractual relationship, in compliance with civil and tax obligations; data processed for marketing and profiling purposes will be retained until your consent is withdrawn; browsing data will be retained for the time strictly necessary for the proper technical functioning of the App; geolocation data for the audio guide service will be processed in real time and retained only for the time strictly necessary to provide the service during the Museum visit, after which they will be deleted or anonymised. In the event of judicial disputes, the data will be retained for the entire duration of the proceedings, until the expiry of the terms for lodging appeals.

6. Categories of Data Recipients

Your personal data may be communicated to third parties for the proper fulfilment of the purposes indicated, in particular to technical and IT service providers, acting as data processors pursuant to Article 28 GDPR; banks and credit institutions for the management of collections and payments; consultants and professionals, such as law firms or accountants, for tax and legal obligations; institutional bodies and judicial authorities in cases provided for by law and upon their request. The updated list of data processors is available upon request by the data subject. Data will not be subject to indiscriminate disclosure.

7. Transfer of Data Abroad

As a rule, no transfers of personal data to third countries or international organisations outside the European Economic Area (EEA) are envisaged. Should such a transfer be necessary for the provision of specific services (e.g. cloud services), the Data Controller ensures that it will take place in compliance with Articles 44 et seq. of the GDPR, by adopting Standard Contractual Clauses (SCCs) approved by the European Commission or by verifying the existence of adequacy decisions.

8. Rights of the Data Subject

As a data subject, you have the right to exercise at any time the rights provided for in Articles 15 to 22 of the GDPR, including the right of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection, and the right to withdraw consent at any time for marketing and/or profiling purposes, without affecting the lawfulness of processing based on consent prior to its withdrawal. To exercise your rights, you may send a request to the Data Controller at the contact details indicated above or contact the Data Protection Officer directly.

9. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority (for Italy, the Italian Data Protection Authority – Garante per la Protezione dei Dati Personali) pursuant to Article 77 GDPR, or to bring proceedings before the competent judicial authorities pursuant to Article 79 GDPR.

10. Processing of Minors’ Data

The services offered through the App are not directed at individuals under the age of 18. The Data Controller does not intentionally collect personal data relating to minors. Should data relating to minors be inadvertently collected, the Data Controller will promptly delete them upon request of the user or of the person exercising parental authority.

11. Data Protection Impact Assessment (DPIA)

The processing activities carried out through the App, including geolocation for the audio guide, do not currently present a high risk to the rights and freedoms of data subjects requiring a Data Protection Impact Assessment pursuant to Article 35 GDPR, as the monitoring is not systematic and on a large scale. The need for a DPIA will be periodically reassessed.

 

This privacy notice is updated as of 15 December 2025.
