If you register to the Website http://ticket.museiincomuneroma.it/ (or “the Website”) managed by Mida Informatica Srl (hereafter “MIDA”) on behalf of Zetema Progetto Cultura S.r.l. (hereafter “ZETEMA”), which includes the service of reservation, purchase and issuance of tickets and the transmission, on paper or electronically, of event communication material, we will need to process personal data relating to you. Therefore, in compliance with the requirements of EU Regulation 2016/679, General Data Protection Regulation (known as «GDPR«) and the Privacy Code, if and to the extent to which it is applicable, we hereby inform you that MIDA and ZETEMA in the capacity of Joint Processing Controllers, will process your personal data under the following conditions.
A- Joint Processing Controllers
The data will be processed by the company M.I.D.A. Informatica S.R.L. based in Via Casalino 27, 24121 Bergamo VAT No. 02758170167 and by the company Zetema Progetto Cultura S.r.l. – Via Attilio Benigni, 59 – 00156 ROMA – Tax Code and VAT No.05625051007;
B- Type of Data Processed
The data collected are common personal data and identification details, such as name, surname, address or other contact details; as well as data concerning the order and purchase process;
C-. Processing Purposes
The personal data processing (therein including their registration in the company registries) is aimed exclusively at achieving the following purposes:
a) to guarantee Website registration and to provide the services requested from M.I.D.A. Informatica S.R.L. and Zetema Progetto Cultura S.r.l via the Website and, therefore, to fulfil correctly and promptly all obligations deriving from the contractual relationship established with you, as well as legal or regulatory obligations, particularly in the tax and public safety area;
b) for administrative and accounting purposes, therein including any e-mail transmission of sales invoices by M.I.D.A. Informatica S.R.L. and Zetema Progetto Cultura S.r.l and/or companies associated with the same in providing the service;
D- Legal Grounds
The processing is aimed at issuing the pass/ticket and at accessing events and museums and it is performed on the basis of the purchase contract (art. 6 paragraph 1 letter b) Reg. 2016/679). This context also includes the Customer Care service and thus also the processing of your personal data to manage and transmit responses to requests for assistance in relation to one or more of the available services.
In the event of additional data processing purposes by the Organiser and any third parties linked to it, these will be further specified during the purchase process through the provision of specific information.
In addition, the processing occurs in fulfilment of legal obligations (art. 6 letter c) GDPR) – to comply with obligations deriving from existing laws or regulations, national and/or Community, particularly in the tax and public safety area, as well as with instructions imparted by the competent authorities and bodies also in relation to «secondary ticketing»;
The processing may also occur by virtue of a vital interest (art. 6 letter d) GDPR) for the defence in court of a right or interest before any competent authority or body, therein expressly including for credit recovery purposes; to allow for the direct offer of products or services analogous to those bought previously (known as soft spamming), limited to the e-mail details provided by you in the context of your purchase of a service via the Website and subject to your objection to that processing; for the organisational management of the purchased pass or in any case of services accompanying the latter, such as, merely by way of example, to inform of any cancellations or date postponements, how to access and participate, how to request a refund in the event of cancellation; to identify the level of customer satisfaction on the quality of the services rendered and on the activity performed and to conduct statistical analyses and market surveys on aggregate data;
E- Processing Methods
Your data will mainly be processed using electronic tools, by the methods and within the limits necessary to pursue the purposes indicated above, in respect of the principles identified in Art. 5 of EU Regulation 2016/679. The data will be stored in electronic archives with a full guarantee of adequate security measures, required by the GDPR.
F- Data Storage
Your personal data will only be stored for the time necessary to guarantee the correct performance of the services offered and, in particular, according to what is specified below:
Your personal data will be processed for the purposes indicated in chapter C above for the period of time permitted by law and by the requirements of the Data Protection Supervisor (Supervisory Authority) and, therefore, for a period of 24 months from the latest registered purchase.
More particularly, you are informed that once 36 months have elapsed without a purchase being made, your personal data will no longer be processed for any of the indicated purposes and your registration details will be erased.
Subject to the foregoing, your data will be processed and retained for the maximum time provided by legal provisions applicable in relation to the limitation of rights and/or forfeiture of the action and, in general, for the exercise/defence of the rights of the Joint Processors in disputes brought by public authorities, public bodies and private entities.
G — DATA COMMUNICATION
Your data may be communicated:
a) to all those entities (therein including Public Authorities) which have access to the personal data by virtue of regulatory or administrative measures;
b) to banking institutions and companies that manage national or international payment circuits on which online payments are made for products purchased on the Website;
c) to companies, consultants or professionals instructed to perform the installation, maintenance, update and, in general, management of the hardware and software of M.I.D.A. Informatica S.R.L. or used by the company to provide its services;
d) to companies belonging to the groups of the company M.I.D.A. Informatica S.R.L. and the company Zetema Progetto Cultura S.r.l, based in Italy or abroad, within the European Union;
e) to all those public and/or private entities, natural and/or legal persons (legal, administrative and tax consultancy firms, Judicial Offices, Chambers of Commerce and Employment Offices, etc.), in relation to which the communication is necessary or functional to the correct fulfilment of the contractual obligations assumed, as well as legal obligations.
Your data will not be disseminated, except in anonymous and aggregated form, for statistical or research purposes.
H — TRANSFER OF DATA TO A THIRD COUNTRY
The personal data collected via the Website are not transferred outside the European Union.
I – MINORS AGED UNDER 16
The Website does not contain information or features or services directly intended for users aged under 16 years. Minors must not provide information or personal data without consent from their parents or guardians.
The Joint Controllers therefore invite all users who have not reached 16 years of age not to communicate their personal data in any case without prior authorisation from a parent or guardian. If the Joint Controllers become aware of the fact that personal data have been provided by minors (aged under 16), they will immediately destroy the same or request the provision of specific consent from the parents (or guardians), also reserving the right to prevent access to the services available on the Website to anyone who has concealed their minor age or has in any case communicated their personal data in the absence of consent from their parents (or guardians).
J — RIGHTS OF DATA SUBJECTS
You, in the capacity of Data Subject, may exercise the following rights:
Right to Access
You may request confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to those data and specific information on processing, such as, by way of example, purposes, categories of data concerned, the existence of the other rights indicated below. You may also request a copy of your data.
Right to Rectification
You have the right to request and obtain the rectification of personal data relating to you and/or the completion of incomplete personal data.
Right to Erasure
You may obtain the erasure of your data, without undue delay, if (i) those data are no longer necessary in relation to the purposes for which they were collected, (ii) you have withdrawn the consent on which the processing is based (where there is no other legal ground for the processing), (iii) you object to the processing of your data (as indicated below) and there are no overriding legitimate grounds for the processing or if you object to the processing of your data for marketing or for profiling aimed at marketing, (iv) your personal data have been unlawfully processed, (v) your data have to be erased to comply with a legal obligation, (vi) the personal data of a minor aged under 16 have been collected in relation to the offer of information society services.
We invite you to consider that that right does not apply if the processing of data is necessary, inter alia:
— for the fulfilment of a legal obligation;
— for the establishment, exercise or defence of legal claims.
Right to Restriction
You have the right to obtain the restriction of processing where one of the following applies:
— the accuracy of the personal data relating to you is contested, for a period enabling the controller (Company) to verify the accuracy of the personal data;
— unlawful processing and request by you of the restriction of their use instead of erasure;
— the requirement by you of your data for the establishment, exercise or defence of legal claims;
— objection by you to the processing, as indicated below, pending the verification of whether the legitimate grounds of the controller override your own.
Right to Portability
You have the right to receive in a structured, commonly used and machine-readable format personal data relating to you and the right to transmit those data to another controller in relation to circumstances in which the processing of your data is based upon consent or concerns special categories of personal data processed based upon your consent or the processing is based upon the execution of a contract and that processing is performed with automated means.
You also have the right to obtain the direct transmission of the data from one controller to another, where technically feasible.
This is without prejudice to the possibility of obtaining the erasure of the data, as indicated above.
Right to Object
You have the right to object at any time to processing based upon a legitimate interest of the controller, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and fundamental freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Finally, you have the right to lodge a complaint to a Supervisory Authority (for Italy, the Data Protection Authority, namely the Garante).
To exercise the rights indicated above, please write to the shared contact point of the Joint Controllers:
M.I.D.A. Informatica srl, Via Casalino 27, Bergamo 24121 — email: firstname.lastname@example.org