Privacy Policy

INFORMATION NOTICE ON PERSONAL DATA PROCESSING IN COMPLIANCE WITH ARTICLE 13 OF THE GENERAL DATA PROTECTION REGULATION (Regulation (EU) 2016/679)

Pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter referred to as the “Regulation”), this notice describes the methods for processing personal data of users consulting the Musei nazionali di Bologna [National Museums of Bologna] institutional website. The information herein does not concern any other websites, pages or online services, which can be reached through hypertext links, and which may be published on the website but which may refer to resources external to the Musei nazionali di Bologna website.

PROCESSING

Processing means “any operation, or set of operations, performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4 of the Regulation).

PURPOSE AND LEGAL BASIS FOR PROCESSING

Data relating to identified or identifiable natural persons may be processed following consultation of the Musei nazionali di Bologna website. The Musei nazionali di Bologna processes personal data for the performance of its public interest functions or otherwise for the exercise of the institution’s public authorities, including the management and protection of the cultural heritage and for related institutional activities of promotion and enhancement.

Personal data are processed solely for purposes strictly related and necessary for the utilisation of the institutional website, to access any services requested, for purposes functional for the conduct of research, analysis and statistics, to send information material and updates on Musei nazionali di Bologna initiatives and programmes, or to request a subscription to specific services (e.g. newsletters).

Pursuant to Article 13 paragraph 3 of the Regulation, should the Musei nazionali di Bologna intend to further process any personal data for purposes other than those for which the data were specifically collected, prior to such further processing the data subject shall be provided with information regarding such other purpose as well as any additional relevant information.

TYPES OF DATA PROCESSED

Browsing data

The computer software systems and procedures used to manage the website acquire, during their normal operation, certain personal data whose transmission is implicit in the normal use of Internet communication protocols. Although this information is not collected in order to be associated with identified data subjects, by its very nature it could, through processing and association with data held by third parties, permit users to be identified. These data categories include the IP addresses or domain names of the users’ computers that connect to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server and other parameters relating to the users’ operating systems and computer environments. These data, which are deleted immediately after processing, are used only to check that the site is functioning correctly and to obtain anonymous statistical information on site use. These data could also be used to ascertain responsibility if computer crimes against the site are committed.

Data communicated by users

The optional, explicit and voluntary transmission of messages to the Musei nazionali di Bologna’s contact addresses, of private messages from users to institutional profiles/pages on social media (where this option is available), including the completion and submission of any forms through the Musei nazionali di Bologna website, will require the acquisition of the sender's contact details, which would be necessary for sending a reply, as well as any other personal data included in the communication.

DATA RETENTION PERIOD AND PROCEDURES

Your personal data will be processed using automated tools.

Data will be retained according to the following criteria:

  • for a period of time not exceeding what is necessary to achieve the purposes for which the data are being processed;
  • for a period of time not exceeding what is necessary to meet regulatory obligations.

To this end, also through periodic checks, there will be constant verification of the strict relevance, non-excessiveness and indispensability of the data with respect to the pursuit of the purposes described above. Also as a result of these checks, data that has been found to be excessive, irrelevant or not indispensable will not be used, except for possible retention, in compliance with the law, of the deed or document that contains that data.

Specific technical and organisational security measures have been adopted to protect information against alteration, destruction, loss, theft or improper or unlawful use.

Processing connected to this site’s web services is handled only by authorised and trained technical personnel, or by the Managers designated by the Data Controller pursuant to Article 28 of the Regulation. No data derived from the web service will be disseminated. The personal data provided by users who submit requests for information and suggestions will only be used to perform the service or provision requested and may possibly be communicated to other personnel authorised to process such data or to other public or private entities only if required by law or strictly necessary to provide the information requested.

OPTIONAL OR COMPULSORY NATURE OF PROVIDING DATA AND THE CONSEQUENCES OF REFUSAL

Apart from what is specified above for browsing data, users are free to provide the personal details indicated in the forms used to register for site services, to request information and to send suggestions and reports. Failure to provide these data may make it impossible to provide the requested service, as well as the transmission of related communications and information.

DATA VOLUNTARILY PROVIDED BY USERS

If the collection of individual personal details (name, e-mail address, and telephone number) provided voluntarily by users is aimed at providing a service, no summary information will be provided, but reference will be made to this information notice.

SUBJECTS AND CATEGORIES OF RECIPIENTS FOR PERSONAL DATA COMMUNICATION AND DISSEMINATION

The data may be communicated to:

  • other public subjects who request the data and are expressly authorised to process such data (more specifically, these subjects shall be authorised by laws or regulations or in any case they may need the data for institutional purposes) and/or other subjects, including private subjects, who cannot be identified at the present time but who are entitled to know the data on the basis of specific laws or regulations;
  • third-party service providers of the Institute, or in any case linked to the Institute through a contractual relationship, solely for the purposes described above, subject to their designation as Data Processors and who shall, in any case, guarantee the same level of protection;
  • lawyers appointed to protect the Institute in legal proceedings.

Some of these data may be disclosed to those authorised to process that data who, for institutional purposes, need to know the data for tasks inherent to their office.

These data shall not be subject to dissemination.

DATA TRANSFER TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

If there is a provision for transfer of these data outside the EU or to International Organisations, the entity performing the functions of Data Controller undertakes to clarify to the data subject whether or not an adequacy decision has been issued by the EU Commission on that third country or whether or not the Commission has decided that the third country, territory or one or more specific sectors within that third country, or the International Organisation in question, can ensure an adequate level of protection. In that case, the transfer will require no specific authorisations. Should the above adequacy not apply, reference must be made to appropriate or adequate safeguards and an indication of the means of obtaining a copy of such data or of the place where the data have been made available.

RIGHTS OF THE DATA SUBJECT

Data subjects may exercise their rights as set out in Articles 15 to 22 of the “General Data Protection Regulation”, which, subject to the conditions and limitations provided for therein, establish:

  • Right of access by the data subject (Article 15) “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information [...]”;
  • Right to rectification (Article 16) “The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement”;
  • Right to erasure (‘right to be forgotten’) (Article 17) “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay […]”;
  • Right to restriction of processing (Article 18) “The data subject shall have the right to obtain from the controller restriction of processing […]”;
  • Right to data portability (Article 20) “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided […]”;
  • Right to object (Article 21) “The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims […]”.

The exercise of the aforementioned rights may take place in the manner provided, in general, by Article 12 of the General Data Protection Regulation. Therefore, the data subject may direct the relevant request to the Data Controller at the addresses indicated below, also through one of the authorised data processors or by registered letter, telefax or e-mail or other suitable means identified by the “Garante per la protezione dei dati personali [Italian Personal Data Protection Authority]”.

RIGHT TO LODGE COMPLAINT

Data subjects who believe that the processing of personal data relating to them carried out through this website is in breach of the provisions of the Regulation have the right to lodge a complaint with the Garante per la protezione dei dati personali, as provided for by Article 77 of the same Regulation, or to bring legal action (Article 79 of the Regulation). Additional information on personal data protection rights can be found on the Italian Personal Data Protection Authority’s website at www.garanteprivacy.it

DATA CONTROLLER

The Data Controller is the Ministry of Culture with its headquarters located at Via del Collegio Romano 27 – 00186 Rome, Italy.

For the purposes set forth in this information notice, the data will be collected and processed by Musei nazionali di Bologna, in its role as Data Controller (pursuant to Ministerial Decree no. 147 of 14 March 2019), with registered office in Via delle Belle Arti, 56 - 40126 Bologna (BO).

For matters concerning the processing of personal data, you, the Data Subject, may contact:

DATA PROTECTION OFFICER

Pursuant to Article 37 of the Regulation (EU) 2016/679, the Ministry of Culture has appointed a Personal Data Protection Officer who may be contacted, also for the data subjects to exercise their rights, at the e-mail address rpd@cultura.gov.it or at the certified e-mail address rpd@pec.cultura.gov.it.

For anything not mentioned in this information notice, express reference is made to the relevant provisions in force, with specific reference to the General Data Protection Regulation (EU Regulation 2016/679).

Last update: 05/01/2024