REV. 03 of 20/05/2024
IN-02
PRIVACY STATEMENT ON PERSONAL DATA PROCESSING MDBR WEBSITE Art.13 REG.UE 2016/679
1. Data Controller
Under Article 13 of the EU Regulation 2016/679 (hereinafter referred to as “GDPR”) Museo Dei Bambini Scs (hereinafter referred to as “Data Controller”), Via Flaminia n. 80/86, 00196 Roma, FC/VST No. 05504141002, Tel. 06 3613776, e-mail privacy@mdbr.it, acting as “Data Controller”, hereby informs you that your personal data collected will be processed according to the applicable law, with respect for the data subject’s fundamental rights and freedoms, as well as for the data subject’s dignity, specifically for privacy, personal identity and the right of personal data protection.
2. Source of personal information
According to Article 13 of the EU Regulation 2016/679, we hereby inform you that Museo Dei Bambini Scs processes personal data collected through the following website: https://mdbr.it/, from the data subjects who have freely communicated in person and/or by means of forms, telephone or fax their personal information to our offices.
3. Purposes of personal data processing
In accordance with the above-mentioned regulation, the Data Controller shall guarantee that the processing of personal data is carried out with respect for the data subject’s fundamental rights and freedoms, as well as for the data subject’s dignity, specifically for privacy, personal identity and the right of personal data protection.
3.1. All personal data collected from the data subject is processed only for the purposes of booking the services requested by the data subject:
– administrative paperwork and tax obligations for the services of Museo Dei Bambini Scs and the activities it carries out to provide the data subject with customised services and meet their specific needs.
The lawful bases for personal data processing for the above-mentioned purposes are stated in art. 6.1.b) and 6.1.c) of the Regulation, that is the execution of an agreement or pre-agreement conditions and legal obligations.
3.2. Personal data may also be used for functional purposes of the promotional activities for services provided by Museo dei Bambini SCS Onlus, such as:
– Marketing activities, such as receiving trade and promotional communications, i.e. proposal of new initiatives, communication of new products and services of Museo Dei Bambini Scs through mailing lists.
The lawful basis for personal data processing for the purposes referred to in item 3.2 is Article 6.1.a) of the GDPR, in that data processing is based on consent.
3.3. Measurement of the index of satisfaction on the quality of the services provided, through a satisfaction questionnaire sent together with the ticket purchased online. Filling in the questionnaire is optional and anonymous. It is sent to meet the requirements of the EN ISO 9001:2015-certified quality management system and to make improvements wherever necessary based on the satisfaction expressed.
The lawful basis for the purposes referred to in item 3.3 is Article 6.1.f), i.e. the Data Controller’s legitimate interest.
4. Personal data collection and consequences for non-consent to processing
The collection of personal data for the purposes referred to in item 3.1 is needed to allow delivery of the service requested. Should the user not consent to the collection of their data, the service cannot be provided.
As to the purposes of data processing under item 3.2, consent to data processing is optional and can be given by selecting the appropriate check box, for each separate purpose provided at the bottom of this privacy statement. Failure to give consent will not prevent the user from receiving the services requested, but it will only prevent the following:
– The user from receiving information and promotional communications from Museo Dei Bambini Scs through mailing lists.
The collection of personal data for the purposes referred to in item 3.3 is useful for our quality and for obtaining a certification proving a never-ending better service for the user, who can choose not to answer the questionnaire even though their data will be kept anonymous.
5. Data communication and disclosure
Personal data freely obtained from the data subject, whenever necessary, might be communicated to:
5.1. all subjects whose access right is acknowledged pursuant to and for the purposes of law provisions;
5.2. our contractor personnel, employees and suppliers or sponsors, in relation to their tasks and/or our contractual obligations to them, for the purposes of the business relationships with the data subject;
5.3. post offices, shippers and couriers for sending documentation and/or material;
5.4. all public and/or private subjects, individuals and/or legal bodies (legal, administration and tax offices, Courts, Chambers of Commerce, Municipality of Rome, etc.), whenever data communication proves necessary or functional to our business and activities for the purposes and in the manners described above;
5.5. banks for the purposes of receiving and issuing payments arising from contracts.
Data can be transferred to duly appointed Data Processors under Article 28 of GDPR. To other duly appointed data processors, Museo Dei Bambini Scs shall give adequate operational instructions, particularly for the adoption of and compliance with safety measures to ensure data protection and privacy. The list of duly appointed data processors is available at the Museum’s headquarters. In the cases described above, only basic data – and no more than basic data – will be communicated for the purposes for which it is communicated.
Transfer of data to third countries
The Data Controller will not transfer personal data to third countries.
6. How personal data is processed
Processing involves common identification personal data. The personal data may be held electronically and in hard copy and is subject to appropriate safeguards to ensure protection and privacy. Data will be processed and stored on premises where access is constantly monitored; in particular, all technical, computer, organisational, logistic and safety procedural safeguards will be adopted so that the appropriate data protection level specified in the regulation is maintained; access will be allowed only to persons tasked with processing by the Data Controller or Data Processors being appointed by the Data Controller.
7. How long personal data will be kept
Pursuant to art. 5 of EU Regulation no. 2016/679, in the respect of the principles of fairness, the right to restrict or minimise processing, personal data will be kept for a time limited to a strict minimum needed for the specific purposes of processing for which the user has given their consent and namely:
– for the purposes described in item 3.1, for no longer than is necessary to meet contractual obligations and no longer than 10 years from the data collection; data collected by the ticket office (online) and subscriptions will be kept for no longer than 10 years; after that deadline, data will be kept in anonymous form for reasons of record chronology and statistics;
– for the purposes described in item 3.2, i.e. for the purposes of marketing from the time data subjects give consent to the time they withdraw their consent, personal data will be kept for no longer than 10 years; after that deadline, data will be kept in anonymous form for reasons of record chronology and statistics;
– for the purposes described in item 3.3, i.e. for the satisfaction questionnaire, no personal data will be collected as the filled-in questionnaire will be sent in anonymous form by the data subject.
8. Rights of data subjects.
The data subject can, at any time, exercise the following rights:
· Right of access, Article 15: obtain confirmation as to whether or not their personal data is being processed; if so, obtain access to their personal data;
· Right to rectification, Article 16: obtain rectification of incorrect personal data without undue delay;
· Right to erasure, Article 17: obtain erasure of their personal data without undue delay; the Data Controller has the obligation to erase personal data without undue delay, under certain conditions;
· Right to restrict processing, Article 18: obtain restriction of processing in some cases;
· Right to data portability, Article 20: receive personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, in certain cases;
· Right to object, Article 21: object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her;
· Withdraw consent given at any time (Conditions for consent, Article 7).
Right to lodge a complaint with a supervisory authority pursuant to article 77 of GDPR based on the data subjects’ private address, place of work, or place of breach of their rights; for Italy the competent supervisory authority is the Data Protection Authority (Garante per la protezione dei dati personali) who can be contacted through the website.
The rights described above can be exercised by sending a request to the Data Controller at the contact information included in this privacy statement. The right of data subjects to object to processing of their own personal data for the purposes of marketing is extended to traditional practices; however, data subjects can exercise their right in part, that is, objecting to only receiving, for example, promotional communications through automated instruments. Requests related to the exercise of the data subject’s rights will be handled without unjustified delay and within a month from the date of request; only in more complex cases and in the face of a high number of requests, the above term can be extended by 2 (two) more months. Requests related to the exercise of the data subject’s rights can be sent to the following e-mail: privacy@mdbr.it