In the performance of its activities Fondazione MAXXI guarantees the protection and security of the personal information communicated to it by natural persons, legal entities or other subjects, with particular attention regarding the security of the personal information of those visiting the internet site www.maxxi.art (henceforth also “the site”) and using its services.
The data controller is the Fondazione MAXXI with legal offices in Via Guido Reni, 4/A – 00196 Roma (e-mail: email@example.com – telephone: 06-324861)
TYPES OF PERSONAL INFORMATION
For its own purposes the Fondazione MAXXI may collect the following categories of personal information that concern you:
Information regarding members of the Fondazione bodies and staff: the information provided for by current legislation, with particular reference to disclosure requirements under legislative decree No. 33/2013 and amendments and additions
Information regarding the handling of contractual relationships: the information provided for by the current legislation (in particular, legislative decree No. 50 of 18 April 2016 and the legislative and contractual discipline relating to relationships of permanent employment and self-employment) for the execution, drawing up and processing of contracts, however denominated, including the agreements, however defined, drawn up with artists and/or holders of rights to the works exhibited.
Information regarding the public: information relating to personal details (for example, name, surname, sex, residence, address, date of birth) and contact details (for example, telephone number, mobile telephone number, e-mail address, fax number); other information provided voluntarily, in particular regarding profession and academic qualification, reasons for visits and degree of customer satisfaction); information relating to commercial transactions for the purchases of tickets and other services (for example, tax number, VAT number, residence for tax purposes).
Information relating to users of the site www.maxxi.art: with regard to information gathered via cookies, the site gathers no personal information from users; cookies are not used to transmit information of a personal nature and the site does not use persistent cookies of any kind or systems for tracking users.
All those who transmit personal information are asked by the Fondazione MAXXI – on its site or on specific forms – for confirmation of their consent for the personal information to be used for the purposes indicated and confirmation that they have read this policy statement. The Fondazione MAXXI also asks users to communicate any modifications to allow the information to be kept up to date.
WHAT THE PERSONAL INFORMATION IS USED FOR
The processing of personal information by the Fondazione MAXXI must be justified by one of the legal prerequisites provided for by the current regulations relating to the protection of personal information, described as follows:
a) Compliance with the transparency requirements imposed on private corporations under public oversight by the existing legislation, as detailed in the deliberations of the national anti-corruption authority. The processing of the information is therefore necessary to meet a legal obligation to which the Fondazione MAXXI is subject.
b) Obligations resulting from the exercise of the right of access, civic access, and similar institutions governed by law. The processing of the information is therefore necessary to meet a legal obligation to which the Fondazione MAXXI is subject.
c) Predisposition, conclusion and execution of contracts and agreements however denominated, in accordance with existing legislation regarding public contracts and employment and self-employment contracts, including agreements, however defined, with artists and/or the holders of the rights to the works exhibited. The processing is necessary for the execution of contracts and agreements in which the subject is involved or in order to conclude contracts and agreements however denominated.
d) Statistical mapping of visitors for the ongoing improvement of the Fondazione’s cultural offer, by age, sex, residence, educational qualification, profession, reasons for visit, specific interests, satisfaction with the cultural offer and services provided by the Fondazione. To this end, the subject is required to express their consent to the processing of their personal information.
e) Customer satisfaction survey relating to the services provided by the Fondazione and/or the managers of licensed services. To this end, the subject is required to express their consent to the processing of their personal information.
f) Management of the commercial transactions for tickets (single and cumulative tickets, “myMAXXI” carnets, “Amici del MAXXI” memberships etc.). The processing is necessary for the execution of a contract in which the subject is involved or in order to conclude the contract.
g) Distribution of newsletters, invitations and other communications regarding the Fondazione’s activities, in digital and/or printed form. To this end, the subject is required to express their consent to the processing of their personal information.
h) Predisposition of lists of figures with institutional positions and/or in bodies of major cultural, scientific or social significance, for ceremonial purposes (VIP invitations to exhibitions or events). The processing is necessary for the purposes of public interest pursued by the Fondazione MAXXI.
i) Purposes associated with the organization and management of educational and training services, including the recognition of educational credits or the attribution of certificates of participation and/or merit. The processing is necessary for the purposes of public interest pursued by the Fondazione MAXXI.
j) Implementation of procedures of any kind preceded by tenders or public notices however denominated. The processing of the information is necessary to meet a legal obligation.
k) Online sales of products relating to the Fondazione’s cultural activities (for example, catalogues, other publications, artist’s multiples, reproductions of works etc.). The processing is necessary for the execution of a contract in which the subject is involved or in order to conclude the contract.
l) Soliciting of free donations however denominated, including those facilitated by detractions and/or tax credits, including those contributions covered by the Art Bonus regulations and the declarations for the so-called “5 per mille”. The processing is necessary for the purposes of public interest pursued by the Fondazione MAXXI.
m) Compliancy with further legally binding requests to meet a legal obligation, regulations or measures of the judicial authorities, and to defend a right in court.
Refusal to provide personal information, when their communication is obligatory by law, prevents the fulfilment of legal obligations and may expose the subject to the sanctions provided for by existing legislation. Refusal to provide the personal information necessary for the conclusion or execution of a contract exposes the subject to liability for non-performance.
N.B. Consent to the use of personal information may be revoked at any time by sending an e-mail to firstname.lastname@example.org or by using the specific link on the site www.maxxi.art for the cancellation of data.
The Fondazione MAXXI uses appropriate security measures to improve the protection and the maintenance of the security, integrity and accessibility of the personal information entrusted to it. All personal information is stored on its secure servers (or secure hard copies) or on those of its suppliers or its commercial partners, and are accessible and usable on the basis of its standards and its data security policy (or the equivalent standards of its suppliers and commercial partners).
DURATION OF THE CONSERVATION OF DATA
The Fondazione MAXXXI only retains personal information for the time required for the purposes for which they were collected or for any other legitimate associated purpose. Therefore, in the case of data retained for two different purposes, the data will be retained until the purpose with the longer term is concluded; however, we shall no longer retain the personal information for that purpose for which the period of conservation has finished.
Personal information that is no longer required, or for which there is no longer a legal requirement for its conservation, is irreversibly anonymised (and may be retained in this form) or securely destroyed.
The personal information acquired by the Fondazione MAXXI, in the manners and for the purposes detailed in this statement, are generally retained for five years, with the following exceptions:
Fulfilment of contractual obligations: the data processed to fulfil contractual obligations may be retained for the duration of the contract and in any case no longer than the following 10 years in order to verify any discrepancies including accounting documents (for example, invoices).
Surveying of visitors (see letter d) and customer satisfaction (see letter e): the data processed for these purposes will be retained for 12 months from the date the Fondazione obtained the most recent consent for this purpose (with the exception of opposition to the receipt of further communications).
Distribution of newsletters, invitations and other communications regarding the Fondazione’s activities. The data processed for this purpose will be retained for 24 months from the date on which the Fondazione obtained the most recent consent for the purpose.
In the case of disputes in any place, in which the Fondazione acts or resists the actions of others, the data will be retained for the time reasonably necessary for these purposes according to the specific sectorial regulations.
COMMUNICATION OF DATA TO THIRD PARTIES
The personal information acquired may be communicated to third parties collaboration with the Fondazione MAXXI to fulfil its institutional purposes or to comply with the legal obligations to which it is subject. The Fondazione MAXXI communicates to the recipients of the data all modifications, cancellations or limitations on processing, except where this proves impossible or implies unreasonable effort. The detailed list of recipients is available on request made writing to email@example.com.
In any case, in the forms used by the Fondazione, in electronic or printed form, the personal information holder is explicitly invited to authorise, separately:
a) The processing of the data for the purposes expressly indicated
b) The processing of the data for statistical purposes
c) The processing of the data for promotional purposes
d) The processing of the data for market surveys
e) The transfer, for the same purposes, to institutions, associations, businesses or other subjects that are partners of the Fondazione MAXXI.
CONTACTS, REPORTS AND COMPLAINTS
In compliance with the provisions of REGULATION (EU) 2016/679, the role of Data Protection Officer (DPO) is performed by an external professional with specific expertise and experience, in agreement with Federculture, the national association of public and private bodies, institutions and companies operating in the field of cultural policies and activities.
For all issues relating to the processing of personal information and rights the Data Protection Officer (DPO) may be contacted at the following address: firstname.lastname@example.org.
Whomsoever has transmitted their personal data to the Fondazione MAXXI has the right to request:
– access to their personal information
– the portability of that information
– the correction of the information in the Fondazione’s possession
– the cancellation of all information in those cases provided for by the existing legislation
– the limitation of the processing of the data
– opposition to the processing where provided for by the applicable regulations.
Exercising of these rights is subject to certain exceptions aimed at safeguarding the general interest and the public interest (e.g. prevention or identification of offences), the rights and freedoms of others and the legally significant interests of the Fondazione MAXXI itself. The Fondazione MAXXI will respond in a timely manner to all requests submitted pursuant to this statement.
In any case, subjects may lodge complaints with the data protection authority (Data Protection Supervisor), using the details found on the website www.garanteprivacy.it.