All identified or identifiable natural persons (‘Users’) accessing the Website www.lestanzedelvetro.org (hereinafter the ‘Website’) are hereby notified that multiple data falling into the categories indicated under Point no. 1 (‘Type of Data Collected’) of the present Information Document, including ‘Personal Data’ concerning each User, may be collected and processed.
Pentagram Stiftung, a private foundation subject to Swiss law, with its head office at Hartbertstrasse 1, Chur 7001 (Switzerland).
Representative in Italy in accordance with Article 1, Paragraph 1, 17), and Article 27 of the GDPR
Servizi Fondazione Pentagram, a single-member limited company, with its registered office at Santa Croce no. 464, 30135, Venice, and operational headquarters on the Isola di San Giorgio Maggiore Venice, no. 8, 30124, Venice – email@example.com
1. Types of ‘Data Collected’
1.1. The ‘Personal Data’ of the User, as defined in Article 4, Paragraph 1, 1) of the GDPR, collected by this Website, independently or through third parties, include: first name, surname, address, date and place of birth, tax identification number, telephone number, e-mail address, the Website Cookies and Use Data (hereinafter, the ‘Personal Data’).
1.2. The Personal Data may be provided freely by the User (in connection with a request for receipt of free editorial products, including newsletters, of invitations to exhibitions and events, of the programmes of seminars, conferences, lessons, etc.) or, in the case of data regarding access to or navigations on a page or pages of the Website (‘Use Data’), may be collected automatically during each connection to and use of this Website (through signing into the site or simply browsing on it).
1.3. In cases where certain Personal Data are indicated within the Website as being optional, the Users are free not to provide such Personal Data, without this having any consequence on the availability or functionality of the service.
1.4. Furthermore, on the User’s signing into the Website and/or simply accessing (i.e. simply browsing on) the Website, data may be collected regarding the technological equipment used for this purpose by the User, such as for example, the operating system used, the Host ID and IP address, the pages visited, Cookies, Web Beacons, other types of identifying or tracking software (markers, fingerprinting) and other use data and metadata made available by similar technologies used by the Website, even at a time subsequent to the navigation on the Website or in the case of subsequent navigation by the User on the Website and/or subsequent authentication on the Website (Navigation Data), which also make it possible to recognise:
– the User’s IP;
– the type of browser (Internet navigation software) used;
– the operating system used;
– the website from which the User has come;
– the date and time of each visit to the Website;
– the URLs of the pages consulted in the context of the Website;
– other navigation data, such as for example the downloads carried out
1.7. The Use Data, including the Navigation Data (including Data Regarding the Technological Equipment of the User), are jointly referred to as ‘Data Collected’.
2. Methods of Processing of the Personal Data and the Data Collected
2.1. The processing of the Personal Data and Data Collected (where forming part of the Personal Data) is carried out using electronic and/or telematic instruments, with organisational methods and approaches that are strictly correlated with the purposes of the processing indicated below. The Data Controller and the Established Representative adopt the appropriate safety measures aimed at preventing unauthorised access, disclosure, alteration or destruction of the Personal Data and Data Collected (where forming part of the Personal Data).
2.2. The Data Controller, also through the intermediary of the Established Representative, may occasionally receive information concerning the User from other sources, such as for example commercial counterparts or businesses, associations and/or foundations that are linked, controlled, controlling or subject to common control (also foreign), or also from businesses that have been acquired or simply affiliated and/or from other bodies (such as for example: for-profit companies, cooperatives, consortium companies, foundations and/or associations, also foreign ones; public bodies, etc.) and may cross-check and supplement this information with the information already available.
2.3. In addition, it is possible that the Data Controller and/or the Established Representative will share with third parties the Personal Data however gathered (also through the Internet channel or the Bookshop of ‘Le Stanze del Vetro’) for promotional or information purposes concerning cultural activities and/or publishing initiatives (such as for example: shows, exhibitions, symposia, conferences, concerts, seminars, lessons, video-installations, films, documentaries, presentations of artists and of works of art, of books and/or catalogues, etc.) designed, implemented, produced, sponsored and/or curated by the Data Controller and/or Established Representative, together with or having recourse to the cooperation, in various capacities, of these third parties.
2.4. In addition to the Data Controller, access to the Personal Data and/or Use Data (‘Data Collected’) could be had by other parties involved in the organisation of this Website (Established Representative, administrative, commercial, marketing staff, system administrators, technical personnel) or external parties (such as suppliers of technical services and/or ITC, computer companies, hosting providers, independent collaborators entrusted with the maintenance and/or upgrading of the Website, appointed also, if necessary, as co-Data Processors by the Data Controller even if only for particular and/or specific processing areas of the Personal Data.
2.5. The updated list of the Data Processors may always be requested from the Data Controller or the Established Representative.
2.6. Subject to the communications and disseminations carried out in compliance with the obligations of national and Community regulations, the personal data, once collected by the Data Owner (and/or Established Representative and/or third parties) may be disclosed to the following categories of parties:
- in the context of their duties and/or respective objectives and projects, employees and/or associates of the Data Controller and of the Party appointed as Data Processor
- in the context of their duties and/or respective objectives and projects, employees and/or associates of bodies linked to, controlled by, controlling and/or subject to the common control of the Data Controller through the intermediary of the Established Representative (and/or of the Data Processor if such a party is appointed) or linked to the aforesaid parties by specific contractual obligations
- Offices of the Public Authorities and Legal Authorities;
- Third parties participating in cultural, publishing, scientific, educational or training projects designed and/or implemented in common with the Data Controller and/or with the Data Processor;
- suppliers, distributors and wholesalers of goods and services of any type;
- credit institutions, insurance companies and agencies, insurance brokers and intermediaries, banks, financial companies, leasing companies, financial intermediaries, etc.
- IT consultancy companies and similar;
- communication and/or marketing agencies; real-estate intermediary agencies;
- post offices, dispatchers and/or couriers for the sending /receipt of documentation and/or other material;
- individuals, companies, associations and/or professional practices that supply services or representation, assistance and consultancy activities to the Data Controller and/or Data Processor, with particular, but not exclusive, reference to promotion, accounting, internal auditing, administrative, legal, labour and social security, tax and financial affairs.
2.7. Subject to the provisions of Point 2.10 below, the Data Collected are not subject to dissemination.
2.8. The Data Controller, also through the intermediary of the Established Representative, may furthermore share or transmit the User’s data with/to third parties (counterparties in commercial contracts, counterparties in agreements, enterprises, foundations or associations that are controlled, controlling or subject to common control etc.) that are affiliated whether to the Data Controller or to the Established Representative to support their respective institutional activities of marketing and communication as well as with the suppliers of goods and/or services which act and use the data on behalf of the Data Controller and/or of the Established Representative;
2.9. In addition, the User is advised that in the case of wiki, forum, blog, chat and other areas (platforms) of social networks, if such are activated, the information sent by the User may be disseminated to all participants.
3. Purposes of Personal Data processing
The Personal Data are collected with the objective of managing the services provided to the User through the Website as well as that of developing targeted communication with the User through:
- the opening and reporting of the Site User accounts (also in correlation with accounts that might be activated at the Bookshop of Le Stanze del Vetro);
- the planning of the Site User accounts (also in correlation with accounts that might be activated at the Bookshop of Le Stanze del Vetro);
- the personalisation of communications regarding cultural activities and content of interest to the User (also in connection with accounts that might be activated at the Bookshop of Le Stanze del Vetro);
- the sending of information to the User regarding cultural and recreational services supplied by the Data Controller or third parties (also in connection with accounts that might be activated at the Bookshop of Le Stanze del Vetro);
- the sending of information and promotional messages to the User (in the form of electronic and/or paper newsletters; of electronic or paper invitations; of brochures, leaflets and similar material, circulated electronically or in paper form) concerning cultural activities (events, exhibitions, seminars, conferences, lessons, concerts, exploration workshops for children and/or adults and related activities) produced and/or organised by the Data Controller or by the Data Processor with and/or by third parties, market research carried out on behalf of the Data Controller and/or the Data Processor and/or third parties (implying the possibility of communicating the Personal Data of the data subjects to third parties commissioned to carry out such operations);
- the analysis of the service usage patterns of the User (implying the possibility of communicating the Personal Data of the data subjects to third parties commissioned to carry out such an analysis);
- the monitoring of the service made available to prevent unauthorised uses of contents and breaches of the service conditions (implying the possibility of communicating the Personal Data of the data subjects to third parties commissioned to carry out such monitoring operations);
- the prevention of fraud and illegal activities (implying the possibility of communicating the Personal Data of the data subjects to third parties commissioned to carry out such prevention operations).
4. Legal basis of Personal Data processing
The Data Controller processes the Personal Data relating to the User where one of the following conditions is fulfilled:
- the User has given consent for one or more specific purposes;
- the processing is necessary for the execution of a contract with the User and/or the execution of pre-contractual measures;
- the processing is necessary for compliance with a legal obligation to which the Data Controller and/or Data Processor is subject;
- the processing is necessary for the execution of a task of public interest or for the exercise of public powers vested in the Data Controller and/or Data Processor;
- the processing is necessary for the pursuance of the legitimate interest of the Data Controller, the Established Representative and/or third parties.
It is in any case always possible to ask the Data Controller (also through the intermediary of the Established Representative) to clarify the concrete legal basis of each act of processing and in particular to specify if the processing is based on the law, provided for by a contact or necessary in order to conclude a contract.
5. Place of Processing and Transfer of Personal Data
5.1. Personal Data are processed at the operational headquarters of the Data Controller and any other place where the parties involved in the processing are established. For further information, the User may contact the Data Controller (also through the intermediary of the Data Processor) using the contact details provided at the beginning of these presents.
5.2. Personal Data may be transferred, always for the purposes defined under Point 3 above, both within the member states of the European Union and to third-party countries, in compliance with the provisions of Regulation (EU) 679/2016. In addition, the Personal Data of the User may be transferred to a country other than that in which the User is located.
5.3. The User has the right to obtain information regarding the legal basis on which the data are transferred outside the European Union or to an international organisation subject to public international law or constituted by two or more countries, such as for example the UN, as well as with regard to the safety measures adopted by the Data Controller (also through the intermediary of the Data Processor) to protect the Data.
5.4. Whenever one of the transfer operations described above takes place, the User may refer to the respective sections of this document and request information from the Data Controller (also through the intermediary of the Data Processor) using the contact details provided at the beginning of these presents.
6. Retention period
6.1. The Data are processed and retained for the time required for the purposes for which they have been gathered. Therefore:
- Personal Data collected for purposes linked to the execution of a contract between the Data Controller and/or Data Processor, on the one hand, and the User, on the other, will be retained until the execution of this contract has been completed.
- Personal Data collected for purposes concerning the legitimate interest of the Data Controller and/or Data Processor will be retained until the said interest has been satisfied. The User may obtain further information concerning the legitimate interest pursued by the Data Controller (and/or Data Processor) in the relevant sections of this document or by contacting the Data Controller and/or Data Processor.
6.2. When the processing is based on the consent of the User, the Data Controller (also through the intermediary of the Data Processor) may retain the Personal Data for a longer period, until such time as this consent is withdrawn. Furthermore, the Data Controller (also through the intermediary of the Data Processor) might be obliged to retain the Personal Data for a longer period to comply with a legal obligation or because of an order issued by an Authority.
6.3. At the end of the retention period the Personal Data will be deleted. Therefore, at the expiry of the said period, the right of access, deletion and correction and the right to data portability can no longer be exercised.
7. Provision of the Personal Data
7.1. The provision of the Personal Data is in all cases optional and failure to provide them does not normally prejudice navigation on the Website in any way.
7.2. With regard to the Personal Data provided directly by the User, please note however that failure to provide data marked as ‘obligatory’ for the forms handed in personally in the Bookshop of Le Stanze del Vetro or for access to certain sections of the Website, or in any case for use of certain services, makes such access and use impossible and, consequently, it becomes impossible for the User to send requests (regarding information or contracts) and to use the services made available through the Website. On the other hand, failure to provide further data (non-‘obligatory’) has no consequence for the User with respect to navigation on the Website and/or periodic information services (such as for example newsletters, etc.) and/or other connected services.
With regard however to the Navigation Data acquired automatically in the course of their normal exercise from the computer systems and software procedures required for the running of this Website, in the event of the User being unwilling to provide them, he/she will not be allowed to navigate on this Website.
8. Rights of the User
Users may exercise certain rights with reference to the Personal Data processed by the Data Controller (also through the intermediary of the Data Processor). In particular, the User has the right to:
- withdraw consent at any time. The User may withdraw previously expressed consent to the processing of his/her Personal Data.
- object to the processing of his/her Personal Data. The User may object to the processing of his/her Personal Data, when this takes place on a legal basis other than consent. Further details on the right of objection are set out in the section below (9.)
- access his/her Personal Data. The User has the right to obtain information about his/her Personal Data that are processed by the Data Controller and about specific aspects of the processing, and to receive a copy of the Personal Data that are processed.
- Verify and request correction. The User may verify the correctness of his/her Personal Data and requested that they be updated or corrected.
- obtain restriction of processing. When certain conditions are satisfied, the User may request the restriction of the processing of his/her Personal Data. In this case the Data Controller will not process the Personal Data for any reason other than that of their retention.
- obtain the deletion or removal of his/her Personal Data. When certain conditions are satisfied, the User may request that his/her Personal Data be deleted by the Data Controller.
- receive his/her Personal Data or have them transferred to another Data Controller. The User has the right to receive his/her Data in a structured, commonly used and machine-legible format, and, where technically feasible, to have them transferred without hindrance to another data controller. This provision is applicable when the Data are processed with automated instruments and the processing is based on the consent of the User, on a contract to which the User is a party or on contractual measures connected with it.
- lodge a claim. The User may lodge a claim with the competent Personal Data Protection Authority and/or take legal action.
9. Details about the ‘right to object’
9.1. When the Personal Data are processed in the public interest, in the exercise of public powers vested in the Data Controller or to pursue a legitimate interest of the Data Controller, Users have the right to object to the processing for reasons connected with their particular situation.
9.2. Users should note that, if their Personal Data were to be processed for direct marketing purposes, they may object to such processing without providing any reason. To find out if the Data Controller Processor processes data for direct marketing purposes, Users may refer to the respective sections of this document.
10. How to exercise User rights
To exercise their rights, Users may lodge a request using the contact details of the Data Controller supplied in this document. The requests are filed free of charge and processed by the Data Controller (also through the intermediary of the Data Processor) in the shortest time possible, and in all cases within thirty days of receipt of each request from the User.
11. Declarations of the User with regard to further uses and/or processing of the Personal Data
12. Specific information documents
15.3. Where the changes concern processing of which the legal basis is consent, and in any case where it should prove necessary, the Data Processor, possibly through the intermediary of the Established Representative, will collect the User’s consent again.