Notice governing “Donations”

in accordance with Art. 13, EU General Data Protection Regulation 2016/679 (GDPR)

In compliance with EU General Data Protection Regulation 2016/679 (hereinafter GDPR), Opera di Santa Croce in its capacity as Data Controller provides herewith all due information regarding the processing of any personal data which you may supply in connection with making a donation or donations in favour of Opera di Santa Croce’s institutional activities.

1. DATA CONTROLLER AND DATA PROTECTION OFFICER (DPO)
The Data Controller – as defined in Articles 4 and 24 of Regulation (EU) 2016/679 – is the Opera di Santa Croce, whose registered office is situated in Piazza Santa Croce, 16, Florence (FI), Italy – VAT Reg. No. 05489970482.
The Controller may be reached at the following e-mail address: privacy@santacroceopera.it.
The Controller has also appointed a Data Protection Officer (DPO) – the lawyer Avv. Domenico Vispo – who may be contacted in connection with matters regarding the processing of users’ personal data at the following e-mail address: dpo@santacroceopera.it.

2. TYPES OF DATA PROCESSED AND COLLECTED
The Controller processes the following personal data in relation to the collection of donations and/or funds:
- personal data (forename, family name, date of birth, international tax code, home address, country of residence);
- contact data (e-mail address, telephone number);
For associated promotional, commercial and advertising activities:
- forename and family name;
- e-mail address.

3. PURPOSES, LEGAL BASIS AND LEGITIMACY OF THE DATA PROCESSING
Opera di Santa Croce processes personal data supplied when making a donation, or donations, for the following purposes:
a. The administrative management of the donation(s);
b. The promotion of fund collecting for the enhancement of the movable and/or immovable cultural assets entrusted to Opera di Santa Croce’s management, or at Opera di Santa Croce’s disposal, or acquired or received by Opera di Santa Croce in any capacity or form; the promotion of fund collecting for museum activities;
c. Associated promotional, commercial and/or advertising activities (the delivery by e-mail of newsletters and/or communications regarding the activities of Opera di Santa Croce and/or of third parties tasked by Opera di Santa Croce).
The legal basis for data processing is outlined below:
a. The administrative management of donations: fulfilment of a legal obligation incumbent upon the Data Controller (Article 6, letter b) GDPR);
b. The promotion of fund collecting for enhancement: legitimate interest of the Data Controller (Article 6, letter f) GDPR) in pursuing a statutory purpose (cf. Article 4 in the Statute);
c. Associated promotional, commercial and advertising activities: consent of the data subject (Article 6, letter a) GDPR).
It is understood that consent to the processing of personal data for the purposes outlined in letter c) above is optional; thus, in the event consent to processing data for the aforesaid purpose is denied, the data will be processed solely in connection with the purposes outlined in letters a) and b) above.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
For the purposes listed in this notice, data provided may be communicated to authorised Opera di Santa Croce staff and to businesses and/or professional people tasked with managing administrative activities and/or promotional activities, with delivering donation collecting services, and with promoting and enhancing the Monumental Complex of Santa Croce. In particular, donations are collected through the use of an IT platform supplied by a third-party firm appointed Data Controller solely in connection with this specific purpose, in accordance with Article 28 GDPR.

5. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR INTERNATIONAL ORGANISATION
Data collected will not be transferred to a third country and/or international organisation.
Users should be aware, however, that the use of cloud services may entail the transfer of data onto servers located abroad (whether in the EU or elsewhere), but always in compliance with the relevant legal measures and in every instance in compliance with maximum security standards.

6. PERIOD OF STORAGE OR CRITERIA ADOPTED IN DETERMINING THAT PERIOD
In connection with the purposes outlined in letters a) and b) in Article 3 in this notice, data processed in relation to the collection of donations and/or funds will be stored for no longer than 5 years. In connection with the purposes outlined in letter c) in Article 3 in this notice, Opera di Santa Croce stores your data until you request its cancellation, or until the newsletter service is discontinued.

7. USER RIGHTS AND HOW TO EXERCISE THOSE RIGHTS
The user may exercise his or her rights as laid down in Section III (articles 15-22) of Regulation (EU) 2016/679 by addressing an e-mail to the Data Controller at privacy@santacroceopera.it, by registered post with reply – c/o the address of the organisation’s registered office – or by submitting a hardcopy request.
The rights which the user enjoys under Regulation (EU) 2016/679 are the following:
- access;
- rectification;
- erasure;
- withdrawal of consent;
- restriction of processing;
- opposition to processing;
- portability.
The above rights are guaranteed at no expense to the user and require no particular formalities for their exercise, which is essentially free of charge.
Without impairment or prejudice to the user’s right to undertake legal action, he or she may also submit a complaint to the supervisory authority (ombudsman) as stipulated both in Regulation (EU) 2016/679 and in the Italian Privacy Code as modified by Decree Law 101/2018.

8. DATA PROCESSING MODALITIES
Personal data granted will be recorded, processed, managed and stored in hardcopy format and/or with the assistance of electronic instruments, and in every circumstance in such a way as to ensure its security and confidentiality. Processing will be performed by expressly authorised in-house staff and is performed without the intervention of automatic systems; no profiling is performed at any time.
                                 
9. GRANTING CONSENT TO PROCESS DATA
The processing of the aforesaid data is not mandatory; however, in the event consent is withheld, it will not be possible to send or to enable the download of certain material concerning the Opera, including promotional e-mails and text messages, newsletters and/or e-books.

10. DATA DISSEMINATION

Personal data collected will never be disseminated under any circumstances whatsoever to third parties not authorised by the Data Controller and may be shown only on demand to the legal, financial and ombudsman authorities or to any other figures with whom we are legally bound to share that data for the achievement of the aforesaid purposes.

Web notice

in compliance with Art. 14 of Regulation (EU) 2016/679 governing the protection of personal data.

1. DATA CONTROLLER AND DATA PROTECTION OFFICER (DPO)
The Data Controller – as defined in Articles 4 and 24 of Regulation (EU) 2016/679 – is the Opera di Santa Croce, whose registered office is situated in Piazza Santa Croce, 16, Florence (FI), Italy – VAT Reg. No. 05489970482.
The Controller may be reached at the following e-mail address: privacy@santacroceopera.it.
The Controller has also appointed a Data Protection Officer (DPO) – the lawyer Avv. Domenico Vispo – who may be contacted in connection with matters regarding the processing of the user’s personal data at the following e-mail address: dpo@santacroceopera.it.

2. TYPE OF DATA COLLECTED AND PROCESSED
The Controller will process the following personal data:
- personal and contact details;
- data concerning educational qualifications and profession;
- data collected passively, in other words via the page (e.g. IP address, position, type of browser and so forth);
- cookies and other tracking systems, as illustrated in the cookie notice (see relevant information notice for more in-depth information).

3. LEGAL BASIS FOR DATA PROCESSING
The communication of personal data is a contractual obligation, or at any rate a necessary prerequisite, in relation to the collection of donations and/or funds and the user is obliged to supply his or her personal data inasmuch as without it the Controller is unable to process the purchaser’s application. Despatch of the newsletter is enabled only when consent is granted by the user. Data for the page’s security and for the prevention of misuse and spam, as well as data for analysing page traffic (statistics) in aggregate form, is processed on the basis of the Controller’s legitimate interest in protecting both the page and its users. 

4. PURPOSE OF DATA PROCESSING
Personal data is processed by the Controller in order to enable the user to surf the page and to use the services it provides in relation to the collection of donations and/or funds and, in the event the user grants his or her specific consent, for the despatch of the Controller’s newsletter. In addition to the relevant instrumental and necessary purposes associated with provision of the service, processing of the data collected from the page is required for the following purposes: 
- Statistics (analysis): the collection of data and information, solely in an aggregate and anonymous fashion, in order to verify the page’s proper functioning. None of this information is linked to the page’s physical user, nor does it permit the user’s identification in any form whatsoever. Prior consent is not required; 
- Security: the collection of data and information for the purpose of protecting the page’s security (anti-spam filters, firewalls, virus detection) and users’ security, and to prevent or to detect fraud or misuse detrimental to the page. The data is recorded automatically and may also include personal data (IP address) which may be used, in accordance with the relevant law in force at the time, to thwart attempts to damage the page or to harm other users, or in any case for harmful or criminal activities. This data is never used on any account to identify or to profile users, and it is periodically erased. Prior consent is not required.

5. PERSONAL DATA END USERS OR CATEGORIES OF END USERS
Data collected may be forwarded to end users, as listed in Article 28 of Regulation (EU) 2016/679, who process the data in their capacity as external professional figures and/or bodies acting as independent controllers. Specifically, the data may be forwarded: 
- to the Controller’s staff and collaborators, including external collaborators, and to figures who provide services instrumental to the purposes described above. These figures will act in their capacity as supervisors or appointees tasked with processing. Personal data may also be forwarded to other public or private figures but solely in compliance with a legal measure or regulation requiring such a move.
Data collected on the page is not generally forwarded to third parties, other than in the following specific instances:
- a legitimate request from the judicial authorities and in legally specified cases;
- if required for the provision of a specific service requested by the user;
- for the performance of page security and optimisation controls.

6. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR INTERNATIONAL ORGANISATION
Data collected will not be transferred to third countries outside the European Union. Users should be aware, however, that the use of cloud services may entail the transfer of data onto servers situated abroad (whether in the EU or elsewhere) but always in compliance with the relevant legal measures and in every instance in compliance with maximum security standards.

7. DURATION OF STORAGE OR CRITERIA USED TO ESTABLISH THAT DURATION
Data collected during the functioning of the page is stored only for as long as is strictly necessary to perform the activities specified. On expiry, the data will be erased or anonymised unless there are further reasons for storing it. Data (IP address) used for page security purposes (thwarting attempts to harm the website) is stored for 30 days. Data used for analytical purposes (statistics) is stored only in aggregate form. Data processed in relation to the collection of donations and/or funds will be stored for 10 years; and in connection with the despatch of newsletters, it will be stored for the time required to provide the service. The data is not subject to automatic processing.

8. USER RIGHTS AND HOW TO EXERCISE THOSE RIGHTS
The user may exercise his or her rights as laid down in Section III (articles 15-22) of Regulation (EU) 2016/679 by addressing an e-mail to the Data Controller at privacy@santacroceopera.it, by registered post with reply – c/o the address of the organisation’s registered office – or by submitting a hardcopy request.  
The rights which the user enjoys under Regulation (EU) 2016/679 are the following:
- access;
- rectification;
- erasure;
- withdrawal of consent;
- restriction of processing;
- opposition to processing;
- portability.
The above rights are guaranteed at no expense to the user and require no particular formalities for their exercise, which is essentially free of charge.
Without impairment or prejudice to the user’s right to undertake legal action, he or she may also submit a complaint to the supervisory authority (ombudsman) as stipulated both in Regulation (EU) 2016/679 and in the Italian Privacy Code as modified by Decree Law 101/2018.

9. DATA PROCESSING MODALITIES
Personal data granted will be recorded, processed, managed and stored in hardcopy format and/or with the assistance of electronic instruments, and in every circumstance in such a way as to ensure its security and confidentiality. Processing will be performed by expressly authorised in-house staff and can be performed at any time.

10. DATA DISSEMINATION
Personal data collected will never be disseminated under any circumstances whatsoever to third parties not authorised by the Data Controller and may be shown only on demand to the legal, financial and ombudsman authorities and to any other figures with whom we are legally bound to share that data for the achievement of the aforesaid purposes.

Cookie policy

Comprehensive notice on the use of cookies.

In respect of the Measure formulated by the Ombudsman for the Protection of Personal Data, entitled “Identification of simplified modalities for information regarding, and the acquisition of prior consent to, the use of cookies – 8 May 2014” (published in the Official Gazette no. 126 dated 3 June 2014) as amended by the guidelines governing cookies and other tracking tools dated 10 June 2021 (published in the Official Gazette no. 163 dated 9 July 2021), the user should be aware that the OPERA DI SANTA CROCE processes only cookies of a technical and/or analytical nature, and on no account uses profiling cookies. The user’s prior consent is not required for the installation of technical and/or analytical cookies, but we are nevertheless bound to provide notice thereof in accordance with Article 16 of Regulation (EU) 2016/679 governing the protection of personal data.

Opera di Santa Croce, in its capacity as controller, hereby informs the user releasing his or her IP data through consulting the donate.santacroceopera.it page, regarding the purposes and modalities of the processing of the personal data collected, the circumstances governing its communication and dissemination, and the nature of its granting.

Data collected from the user is exclusively IP-related, in other words it is data that can be defined as coming from public records, thus prior consent for processing purposes is not required.

The data subject to processing is processed and used directly in order to fulfil purposes instrumental to the page (for example, controls to prevent cyberattacks, statistics) in full compliance with the principle of legal propriety and with the legal measures currently in force.

Where the modalities are concerned, the data is processed by electronic means operated by the controller in accordance with Article 28 GDPR. The user’s data is not communicated to, sold to or exchanged with any third party, nor is it subject to dissemination, other than where mandatorily required by law.

The user may avail him or herself of his or her rights as laid down in Articles 15-22 of the Regulation (EU) 2016/679 by addressing a request to the processing controller. In particular, the user can obtain confirmation of the existence – or otherwise – of personal data concerning him or her, even if such data has yet to be registered, and insist on communication of said data in legible form. Users have the right to obtain information regarding:
a) the origin of the personal data;
b) the purpose and modality of its processing;
c) the rationale applied in the event of processing performed with the aid of electronic instruments;
d) the identification details of the controller, managers and appointed representatives as defined in Article 5, Paragraph 2;
e) the end users and categories of end users to whom that personal data may be communicated or who may become acquainted with it in their capacity as appointed representatives on national soil, as managers or as appointees.

The user has the right to obtain:
a) the updating, rectification or, when to his or her benefit, the completion of the data;
b) the erasure, the transformation into anonymous format or the blocking of data processed in breach of the law, including data whose storage is not required for the purposes for which the data was collected or subsequently processed;
c) certification that the operations described in letters a) and b) above have been communicated, including with regard to their content, to all those to whom the data may have been released or disseminated, other than where such communication proves to be impossible or entails the use of resources manifestly disproportionate to the right safeguarded.

The user has the right to oppose, in whole or in part:
a) for legitimate reasons, the processing of personal data concerning him or her, even if that data is relevant to the purpose for which it was collected;
b) for legitimate reasons, the processing of personal data concerning him or her for purposes related to the despatch of publicity or direct sales material or for conducting market research surveys or commercial communication.

The user may exercise his or her rights by sending an e-mail to one of the following addresses: privacy@santacroceopera.it and rgdp@iraiser.eu, or by fax or letter addressed to the addressees on the printed paper, art. 7.

The data is stored in electronic archives and minimum legal security measures are guaranteed. The controller reserves the right to block access for those IPs whose visits appear to produce anomalies. Users who cannot see the page may write to the following e-mail address: help@iraiser.eu.

What are cookies?
"Cookies" are small text files which a server can save on a computer’s hard disk and which can memorise certain information regarding the user. Cookies allow the website to record the user’s activity and to memorise his or her preferences. Cookies help to analyse interaction between the user and the website and to allow smoother and more customised surfing.

What types of cookies are there?
A cookie can be classified as a “session” cookie or a “permanent” cookie according to its duration. “Session” cookies are temporary and disappear from a computer when the user leaves the website visited or closes his or her browser. They are usually memorised in the computer’s cache. “Permanent” cookies remain in the user’s computer even after the browser has been closed, either until their expiry or until the user eliminates them. Their expiry date is determined by the website which installs them. They are often used to track the user’s habits so that when the user returns to the website, the cookie reads the information memorised and adapts it to his or her preferences.
A cookie can be classified as “technical” or “profiling” according to its function.
“Technical” cookies relate to activities strictly necessary for the proper functioning of the website and for provision of the service required. In most cases they are session cookies. No technical cookies require the user’s prior consent because they are not used for purposes other than ensuring that the website can function properly. “Profiling” cookies may be used to track the user’s habits and surfing preferences in order to deliver advertising and services which reflect his or her interests. This kind of cookie is installed or activated only with the user’s prior consent granted on the first occasion on which he or she visits the website. Consent can be expressed by interacting with the short information banner on the website’s homepage according to the modalities specified (by closing the banner, by explicitly agreeing, by browsing the page or by clicking on any element on the page).

What cookies does Opera di Santa Croce use?
In its santacroce.midaticket.it/en website Opera di Santa Croce uses technical cookies generated and used for its own website and on no account by third parties. Visiting this website can generate the following kinds of cookie:
- internal cookies;
- technical session cookies: these are used to improve the user’s surfing experience and interaction with the website.

How to disable cookies using the browser: It is possible to configure the browser used for surfing in order to eliminate cookies and/or to prevent their installation. The user can control what cookies are installed and what their duration is, and/or eliminate them. The steps required to perform these operations differ from browser to browser. Disabling certain cookies may hinder access to the page and/or impair the proper functioning of the e-mail pages. 

Instructions on how to disable cookies may be found in the following web pages: Mozilla Firefox - Microsoft Internet Explorer - Microsoft Edge - Google Chrome - Opera - Apple Safari.