This policy statement describes how the personal data of users and visitors (“User/Users”) of the website www.artinresidence.it (“Website”) is processed and managed.
In pursuance of Section 13 of Legislative Decree 196/2003, also known as “Personal Data Protection Code”, and of Articles 13 and 14 of the EU General Data Protection Regulation (“GDPR”), this statement applies to those who:
- browse and/or log in to the Website with the purpose of viewing the different kinds of holidays promoted on it, which consist of several possibilities to experience exceptional cultural, artistic, and architectural contexts, and to be accommodated in artists’ residences while also taking part in cultural programmes organized at said residences, and/or in the local environment (“Programmes”);
- communicate with FARE CULTURA CONTEMPORANEA APPLICATA through the forwarding of e-mails to the addresses mentioned on the Website;
- decide – upon prior consent – to receive e-mails containing promotional information and/or informative newsletters about the Programmes promoted on the Website.
This statement applies exclusively to the aforementioned Website and does not concern any other websites the user might access via external links.
1. DATA CONTROLLER
The Data Controller is FARE CULTURA CONTEMPORANEA APPLICATA, with offices at 20821 Meda (MB), via Trento 68, C.F. and P. IVA 06263060961, REA MB-1906566, e-mail address firstname.lastname@example.org (“Data Controller”).
2. CATEGORIES OF PROCESSED DATA
2.1 Browsing data
The information systems and software procedures utilised to operate the website www.artinresidence.it (hereon, “Website”) acquire personal data as part of their standard functioning; the transmission of such data is an inherent feature of internet communication protocols.
Such information is not collected in order to relate it to identified data subjects; however, it might allow user identification per se.
This data category includes, for example, IP addresses or domain names of computers employed to connect to the website, URI (Uniform Resource Identifier) notation addresses of the requested resources, request times, the methods used to forward server requests, the size of the files sent as a reply, the numeric code indicating server response status (success, error), and further parameters relating to the user’s operating system and computing environment.
Such information is used only to extract anonymous statistical information about the use of the Website as well as to check on its functioning. Additionally, it might be used in case it should be requested by judiciary authorities to establish liability in case of computer-related crimes.
2.3 Personal data voluntarily provided by users
The voluntary submission of information requests to the e-mail addresses mentioned on the Website and the communication of personal data when requesting to receive promotional information and/or informative newsletters about the Programmes promoted on the Website entail the subsequent acquisition and processing of said data and any other provided information by the Data Controller for the purposes specified in the following paragraph #3.
3. PURPOSE OF DATA PROCESSING AND LEGAL BASIS OF THE PROCESSING
The Data Controller shall process the User’s personal data with the purpose of:
a) pursuing – in compliance with article 6.1, let. f) of GDPR – its own legitimate interest, which consists in ensuring security of the Website and of the information that circulates on it, i.e., the ability of the system to withstand, at a given security level, accidental events, or unlawful or malicious actions that might compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or made accessible via, the Website itself;
b) allowing the User to request information to the Data Controller, and to provide said him/her with the required response, in compliance with with article 6.1, let. f) of GDPR;
c) contacting the User via e-mail, with his/her prior consent as pursuant of art. 6, let. a) of GDPR, in order to provide him/her with promotional messages and/or informative newsletters about the Programmes promoted on the Website.
4. NATURE OF DATA AND CONSEQUENCES OF ANY REFUSAL TO RESPOND
(i) to receive e-mails containing promotional messages and/or informative newsletters about the Programmes promoted on the Website.
The Data Controller, in any case, informs the Users that they can at any time withdraw their consent to process their personal data as specified in the above (i) section, without prejudice to the lawfulness of the processing based on the consent given prior to withdrawal.
5. PROCESSING ARRANGEMENTS
Personal data is processed through manual, IT, and automated means only for the time necessary to achieve the purposes for which it has been collected.
The personal data, moreover, is processed only by staff appointed to carry out such fulfilments; such staff is constantly identified and/or appointed to perform such duties, properly instructed and aware of the constraints provided by the applicable law. Specific security measures have been implemented to prevent unauthorised access to, loss of, or unlawful or improper use of data.
6. COMMUNICATION AND CIRCULATION OF DATA
The personal data collected on the website will neither be shared nor circulated.
However, the Data Controller may share or circulate data with specially appointed subjects that will be specifically made responsible for its processing, or with police, judiciary, information and security bodies, or other public subjects who may circulate data in compliance with the law, for purposes related to defence or State security, or else for the prevention, suppression, or detection of offences.
7. DATA SUBJECTS’ RIGHTS
Data Subjects are entitled to exercise the rights set forth by art. 7 of the Personal Data Protection Code and by GDPR (article 15 and following), i.e., the right to obtain:
1. confirmation of the existence of personal data concerning them, even if they have not been registered yet, and its communication in comprehensible form;
2. a copy of their personal data;
3. the correction of any inaccurate personal data;
4. the cancellation of their personal data;
5. the limitation of processing of their personal data;
6. the personal data they have provided or which they themselves have created (excluding the judgments created by the Data Controller and/or by the persons appointed pursuant to art. 4 of the Privacy Code / by the persons authorized to process the data in the name and on behalf of the Data Controller, pursuant to art. 4 of GDPR); such data shall be in a structured, common-use format that shall also be readable by an automatic device, and Users they shall be able to forward them, directly or through the Data Controller, to another data Controller;
7. the indication:
a) of the source of personal data;
b) of the categories of personal data processed;
c) of the purposes and methods of processing;
d) of the logic applied in case of treatment carried out with the aid of electronic instruments;
e) of the identifying details of the Data Controller and of any responsible parties;
f) of the retention time of their personal data, or the criteria useful for determining such time;
g) of the subjects or categories of subjects to whom the personal data may be communicated, or who may learn about them as appointed representatives within the territory of the State, of managers or persons in charge, in compliance with art. 4 of the Privacy Code / persons authorized to process data in the name and on behalf of the Data Controller, pursuant to art. 4 of the GDPR;
8. the updating, rectification or, when interested, the integration of data;
9. the transformation into anonymous form or the blocking of unlawfully processed data, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
10. the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except cases where this fulfillment proves impossible or involves the use of manifestly disproportionate means to the protected right.
11. Users also have the right to object, in whole or in part:
a) to the processing of personal data concerning them, even if pertinent to the purpose of collection, for legitimate reasons;
b) to the processing of personal data concerning them for the purpose of sending advertising materials, or direct sales, or the carrying out of market researches or commercial communication.
To exercise the aforementioned rights, Users can send an e-mail to the Data Controller’s address, as per the previous art. 1, indicating “Exercise of privacy rights as pursuant to art. 7 of Legislative Decree 196/2003 and art. 15 and following of GDPR” as the object of the message.
Finally, we inform you that if you believe that your rights have been violated by the Data Controller and / or by a third party, you have the right to file a complaint with the Data Protection Authority and / or any other competent supervisory body in strength of the GDPR.
8. DURATION OF PROCESSING AND PERSONAL DATA STORAGE
The User’s personal data will be processed by the Data Controller only for the time necessary to achieve the purposes referred to in art. 3 above; after this, it will be stored only in compliance with the current legal requirements, for administrative purposes and / or to assert or defend a right in the event of litigation and pre-litigation. The personal data – provided with the User’s prior consent – processed for the purpose of newsletter delivery will be stored until the Data Controller receives withdrawal of consent from said User.
*** *** ***