Privacy Notice pursuant to Article 13 of EU Regulation 2016/679
The EU Regulation 2016/679 “General Data Protection Regulation” (GDPR) establishes the right to the protection of natural persons with regard to the processing of personal data.
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Pursuant to this Regulation, the processing of your personal data shall be carried out in compliance with the principles set out in Article 5 of the GDPR, namely lawfulness, fairness and transparency.
Personal data will be:
• collected for specified, explicit and legitimate purposes (see section 2);
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
• processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Furthermore, all reasonable steps shall be taken to ensure that personal data that are inaccurate are rectified or erased without delay.
________________________________________
PURPOSE OF THIS NOTICE
Pursuant to EU Regulation 2016/679 (hereinafter, the “Regulation”), this page describes the processing of personal data of users who use the online ticketing service provided on behalf of the Museo Egizio through the website www.museitorino.it.
The following information is provided to you, as a Data Subject, regarding the processing of your personal data.
________________________________________
1. DATA CONTROLLER
The Data Controller is:
Fondazione Museo delle Antichità Egizie di Torino
(hereinafter, “FME” or “the Organizer”)
Registered office: Via Accademia delle Scienze 6, IT-10123 Turin, Italy
Email: privacy@museoegizio.it
1.1 DATA PROTECTION OFFICER (DPO)
The Data Protection Officer (DPO) can be contacted at:
Fondazione Museo delle Antichità Egizie di Torino,
Via Accademia delle Scienze 6, IT-10123 Turin (TO), Italy
Email: dpo@museoegizio.it
________________________________________
2. PURPOSES OF DATA PROCESSING
Your personal data will be processed for the following purposes:
a) Performance of a contract and management of orders, in particular to:
• execute the service contract and enable event organizers to issue entry tickets;
• manage bookings of goods and services and ensure delivery of purchased items;
• comply with all contractual and legal obligations, particularly those of fiscal and public safety nature.
b) Administrative and accounting purposes, including the possible electronic transmission of invoices.
c) Subscription to the newsletter service, limited to the use of your email and/or postal address.
d) Marketing purposes, limited to the use of your email and/or postal address.
e) Fundraising activities carried out by FME for the enhancement, promotion, management and development of the Museo Egizio, its cultural assets and activities.
f) Visitor satisfaction surveys, to assess service quality and improve museum offerings.
g) Information and promotional communications concerning products or services similar to those already purchased.
________________________________________
3. LEGAL BASIS FOR PROCESSING
The processing of your personal data is based on:
• Article 6(1)(b) of the GDPR, for purposes under points 2(a) and 2(b), as processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract;
• Article 6(1)(a) of the GDPR, for purposes under points 2(c) and 2(d), based on your explicit consent;
• Article 6(1)(f) of the GDPR, for purposes under points 2(e), 2(f) and 2(g), as the processing is necessary for the legitimate interests pursued by the Controller in line with its institutional aims.
________________________________________
4. CATEGORIES OF PERSONAL DATA PROCESSED
To achieve the above purposes, the following personal data may be processed:
• identification data (name, surname, date of birth, nationality, gender, fiscal code, VAT number);
• contact details (email address, phone number, postal address);
• payment information (credit card details).
________________________________________
5. METHODS OF PROCESSING
Your data will be processed using both paper-based and electronic tools.
Processing will be carried out exclusively by the Controller and/or by persons duly authorised by it.
________________________________________
6. DATA RETENTION PERIOD
Your personal data will be retained only for as long as necessary to ensure proper service delivery and to comply with legal and contractual obligations.
For marketing purposes, in the absence of specific legal provisions defining retention periods, FME will retain data for a period deemed appropriate based on the data subject’s expressed interest. In any case, FME will verify, at least every five years, the continued interest of the data subject and will take appropriate steps to avoid indefinite storage.
Once these periods have expired, your data will be deleted and rights such as access, rectification, deletion or portability can no longer be exercised.
________________________________________
7. NATURE OF DATA PROVISION
Providing your data for the purposes described under points 2(a) and 2(b) is optional, but failure to do so will prevent the provision of services or fulfilment of contractual obligations.
Providing your data for the purposes described under points 2(c) and 2(d) is optional; refusal will not affect any contractual relationship. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Each communication related to purposes under points 2(e), 2(f) and 2(g) will always include an option to object to the processing (opt-out) free of charge.
________________________________________
8. CATEGORIES OF RECIPIENTS
Your personal data may be shared with:
• companies and/or professionals providing marketing consultancy services on behalf of the Controller (upon your consent);
• third parties acting as Data Processors under Article 28 of the Regulation, such as IT or logistics service providers, ticketing systems, call centres, security or reception services, accounting and management providers, event organisers, and suppliers of purchased or booked goods or services. An updated list of Data Processors is available upon request;
• public authorities or entities entitled to access data by virtue of legal or administrative provisions.
Personal data will not be disseminated.
________________________________________
9. MINORS UNDER 14 YEARS OF AGE
The online ticketing service is not intended for users under 14 years of age.
Users under 14 are requested not to provide personal data without prior authorisation from a parent or legal guardian.
If it comes to light that data has been provided by a person under 14, it will be immediately deleted, and access to the service may be restricted.
In the event of a breach of the above by a minor, the service provider cannot be held responsible for any direct or indirect damages arising therefrom.
________________________________________
10. RIGHTS OF THE DATA SUBJECT
As a Data Subject, you may exercise your rights under Articles 15–22 of the GDPR, including the right to:
• obtain confirmation as to whether personal data concerning you are being processed and, if so, access such data;
• obtain information about the purposes of processing, categories of data concerned, recipients, and storage periods;
• request rectification or erasure of data;
• request restriction of processing;
• object to processing at any time;
• exercise the right to data portability.
For purposes under points 2(c) and 2(d), you may withdraw consent at any time without affecting the lawfulness of prior processing.
Requests should be addressed to the Data Controller at the contact details provided in Section 1.
________________________________________
11. RIGHT TO LODGE A COMPLAINT
If you believe that your personal data have been processed in violation of the Regulation, you have the right to lodge a complaint with the competent Supervisory Authority, pursuant to Article 77 of the GDPR, or to seek judicial remedy pursuant to Article 79.