Marketing Information Notice

In compliance with Regulation (EU) 2016/679 (European Regulation for the Protection of Personal Data), the Opera di Santa Croce – in its capacity as the Data Controller – provides the following information concerning the processing of personal data supplied by users for marketing purposes such as: promotional, commercial and publicity activities. The data supplied by the user will be processed in compliance with the principles and measures laid down in Regulation (EU) 2016/679.

1. DATA CONTROLLER AND DATA PROTECTION OFFICER (DPO)
The Data Controller – as defined in Articles. 4 and 24 of Regulation (EU) 2016/679 -  is the Opera di Santa Croce, whose registered office is situated in Piazza Santa Croce, 16, Florence (FI), Italy – VAT Reg. No. 05489970482.
The Controller may be reached at the following e-mail address: privacy@santacroceopera.it.
The Controller has also appointed a Data Protection Officer (DPO) – the lawyer Avv.  Domenico Vispo – who may be contacted in connection with matters regarding the processing of users’ personal data at the following e-mail address: dpo@santacroceopera.it.

2. TYPE OF DATA COLLECTED AND PROCESSED
The Controller will process the following personal data:
- personal and contact details.

3. LEGAL BASIS, LEGITIMACY AND PURPOSE OF DATA PROCESSING
The legal basis for the processing of the aforesaid data is the consent granted by the user.
In particular, processing is intended to facilitate data processing by the Opera di Santa Croce for marketing purposes (promotional, commercial and publicity activities) – specifically: the despatch of promotional material and announcements linked to the products and services offered by the Opera or by third parties tasked by the Opera; the despatch of e-mails, text messages and, if applicable, promotional phone calls; the despatch of newsletters and e-books. 

4. PERSONAL DATA END USERS OR CATEGORIES OF END USERS
For the purposes illustrated in this notice, the data granted may be forwarded to authorised Opera di Santa Croce staff and/or to professional figures specifically tasked with handling the administrative and promotional activities and the provision of services included in the context of the promotion and enhancement of the Monumental Complex of Santa Croce.

5. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR INTERNATIONAL ORGANISATION
Data collected will not be transferred to a third country and/or international organisation.
Users should be aware, however, that the use of cloud services may entail the transfer of data onto servers located abroad (whether in the EU or elsewhere), but always in compliance with the relevant legal measures and in every instance in compliance with maximum security standards.

6. DURATION OF STORAGE OR CRITERIA USED TO ESTABLISH THAT DURATION
Data will be stored for as long as is necessary to achieve the purpose for which it was granted and/or collected, but under no circumstances for more than 24 months.  
The Opera will store your data until it receives a request to erase that data, or until the newsletter service is terminated.

7. USER RIGHTS AND HOW TO EXERCISE THOSE RIGHTS
The user may exercise his or her rights as laid down in Section III (articles 15-22) of Regulation (EU) 2016/679 by addressing an e-mail to the Data Controller at privacy@santacroceopera.it, by registered post with reply – c/o the address of the organisation’s registered office – or by submitting a hardcopy request.  
- access;
- rectification;
- erasure;
- withdrawal of consent;
- restriction of processing;
- opposition to processing;
- portability.
The above rights are guaranteed at no expense to the user and require no particular formalities for their exercise, which is essentially free of charge.
Without impairment or prejudice to the user’s right to undertake legal action, he or she may also submit a complaint to the supervisory authority (ombudsman) as stipulated both in Regulation (EU) 2016/679 and in the Italian Privacy Code as modified by Decree Law 101/2018.

8. DATA PROCESSING MODALITIES
Personal data granted will be recorded, processed, managed and stored in harcopy format and/or with the assistance of electronic instruments, and in every circumstance in such a way as to ensure its security and confidentiality. Processing will be performed by expressly authorised in-house staff and is performed without the intervention of automatic systems; no profiling is performed at any time.
                                 
9. GRANTING CONSENT TO PROCESS DATA
The processing of the aforesaid data is not mandatory; however, in the event consent is withheld, it will not be possible to send or to enable the download of certain material concerning the Opera, including promotional e-mails and text messages, newsletters and/or e-books.

10. DATA DISSEMINATION
Personal data collected will never be disseminated under any circumstances whatsoever to third parties not authorised by the Data Controller and may be shown only on demand to the legal, financial and ombudsman authorities or to any other figures with whom we are legally bound to share that data for the achievement of the aforesaid purposes.