INFORMATION ON DATA PROCESSING PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679 (‘GDPR’)
Given that: (i) https://shop.uffizi.it/ is a service offered by the temporary joint venture founded through act No. 20617 (repertoire), No. 6713 (collection), of which Giunti Editore S.p.A. is the commissioner/group leader, with registered office in Via G. B. Pirelli, 30, 20124 Milan, Italian fiscal code and registration number in the Milan Register of Companies: 80009810484, share capital €8,000,000.00 fully deposited; (ii) the companies in the temporary business association are joint holders, pursuant to art. 26 of EU Regulation 2016/679 (hereinafter also referred to as ‘GDPR’) of the processing of personal data of the users of the website for the purposes laid out in this information sheet and specific to the temporary business partnership; (iii) the companies in the temporary business partnership responsible for the satisfaction of the requirements stated above have signed an appropriate joint ownership agreement (art. 26 GDPR); (iv) the members of the temporary association of companies that do not process the personal data of the parties concerned (users) do not come into contact with any of the personal data of the parties concerned, and for this reason do not have any privacy role; (v) pursuant to the provisions of current legislation on the protection of personal data, with particular reference to Article 13 of EU Regulation 2016/679, the companies composing the joint venture (Giunti Editore SpA, Opera Laboratori Fiorentini SpA, Orbital Cultura srl, a Nexi group company) inform the parties concerned (site users) of the following:
1. Purposes of processing and data processed, legal basis and need for conferral
The contracting companies will process the acquired data for the following purposes:
- for the fulfilment of contractual obligations (e.g. the purchase of products via the website, ticket booking and payment as well as website registration for associated services). Such processing involves categories of common user data (name, surname, contact details for order confirmation, shipping address, tax data for invoicing). The legal basis of the processing is the need to fulfil the obligations arising from the contract, art. 6, paragraph 1, letter b) of the GDPR; the provision of the data requested is necessary to honour the contract between the parties, and the data requested are thus pertinent and strictly necessary;
- for the issue of invoices and any relative administrative-accounting requirements. The processing involves categories of common user data (name, surname, address data for order confirmation, shipping address, tax data for invoicing); the legal basis of the processing is the need to fulfil the obligations arising from the contract, Article 6, paragraph 1, letter b) of the GDPR. The provision of the data requested is necessary to execute the contract between the parties, and the data requested are thus pertinent and strictly necessary;
- to correctly fulfil the obligations deriving from laws or regulations in force (for example in the fiscal field such as the conservation of invoices, etc.). The processing involves categories of common user data (name, surname, address data for order confirmation, shipping address, fiscal data for invoicing). The legal basis of the processing is the need to fulfil obligations deriving from the contract, art. 6, paragraph 1, letter c) of the GDPR; the conferment of the data requested is necessary to execute the contract between parties, and the data requested are thus pertinent and strictly necessary;
- to receive promotional communications, including the carrying out of market research or surveying the degree of customer satisfaction on the quality of services rendered and the activities carried out by the temporary joint venture. The legal basis of the processing is the consent of the data subject (article 6, paragraph 1, letter a) of the GDPR) which may be revoked at any time by the data subject.
2. Categories of persons to whom data may be communicated
The personal data of the data subjects may be processed by the staff (employees and/or collaborators) of the temporary partnership companies for the purposes stated in this information sheet, subject to training and assignment to confidentiality pursuant to Articles 29 of the GDPR and 2-quaterdecies of Legislative Decree 196/2003, as amended and adapted to the GDPR by Legislative Decree 101/2018.
The personal data of the parties concerned may also be communicated to subjects operating as autonomous data controllers, on the basis of legal provisions (including, by way of example, authorities and supervisory and control bodies and in general subjects, public or private, entitled to request the data) or to subjects appointed as data controllers pursuant to Article 28 of the GDPR. The complete list of data processors will be made available to the data subject upon request at the addresses below in the ‘contact details’ section.
The personal data of the parties concerned, as well as any other information associated with them, directly or indirectly, will be processed by applying technical, organisational and safety measures so as to ensure a level of security appropriate to the risk, taking into account the state of the art and the costs of implementation, in accordance with the provisions of current legislation on personal data, as well as in compliance with the provisions of the Guarantor Authority and within the limits of the provisions of Article 5 of the GDPR.
3. Transferral of data to countries outside the EU
In pursuit of the purposes indicated, the contracting companies will not transfer personal data to countries outside the EU, in accordance with the GDPR. If it is necessary to carry out a transfer, all due precautions and security measures for the protection of personal data shall be adopted, as foreseen in Chapter V of EU Regulation 2016/679.
4. Period of data conservation
Personal data will be kept only for the time necessary to guarantee the correct provision of the services offered and, if necessary, until the legal obligations and those deriving from contractual relations have been fulfilled (the data will be kept for 10 years according to the provisions of tax and administrative law), except in the case of events interrupting the foreseen period. Where the legal basis is that of consent, processing may be carried out up until its revocation.
5. Rights of the data subjects
In relation to the processing operations described above, data subjects may at any time exercise the rights provided for by the GDPR (pursuant to Articles 15 to 22): Articles 15 – “The data subject’s right of access,” 16 – “Right to rectification,” 17 – “Right to erasure,” 18 – “Right to restriction of processing,” 19 – “Obligation to notify in case of rectification or erasure of personal data or restriction of processing,” 20 – “Right to data portability,” 21 – “Right to object,” 22 – “Automated decision-making process concerning natural persons, including profiling” of the GDPR, within the limits and under the conditions foreseen by Art. 12 of the GDPR, and may lodge a complaint pursuant to Article 77 if deemed appropriate.
The contracting companies state that requests for the exercise of rights may be sent by email to the following address: dpo@nexigroup.com and the addresses given in the paragraph below.
6. Contact details of the contracting companies
The contracting companies will receive any privacy requests inherent to the website in question at the following addresses:
Orbital Cultura Srl, with registered office in Florence, Via Petrocchi 24. The designated Data Protection Officer may be contacted by writing to the following email address: dpo@nexigroup.com.