Information on the processing of personal data pursuant to Articles 13 and 14 of EU Regulation 679/2016

We hereby inform you that, pursuant to Articles 13 and 14 of EU Regulation 679/2016 (hereinafter "GDPR"), the data you provide to us through your use of the website www.villacarlotta.it (hereinafter also referred to as the "Site") will be processed as follows, in compliance with the principles of fairness, lawfulness, transparency, and protection of your privacy and your rights. This policy provides you (the data subject) with all additional information necessary to ensure fair and transparent processing, in relation to the specific context in which your personal data is collected and subsequently processed.

This information applies only to the Site and its related subdomains and not to third-party websites accessible via hyperlinks on the Site, for which the Data Controller is in no way responsible. The respective owners must provide separate information for such processing.

DATA CONTROLLER

Villa Carlotta Entity (hereinafter also “Entity”) with registered office at Via Statale 5605, CAP 22016 Tremezzina – Loc. Tremezzo (CO), can be contacted at the following contacts: telephone: (+39) 0344 40405; e-mail: amministrazione@villacarlotta.it

Website User Information

Purpose of the processing

1. Monitor the technical functioning and performance of the site.

2. Acquire browsing data (cookies) that can be disabled in your browser settings (number of visitors per time slot or day, most visited pages, etc.).

3. Profile the user if he or she has given consent to cookies.

4. Respond to requests received through the contact information on the site.

5. Subscribe to the newsletter by filling out the form accessible by clicking "Newsletter" to receive communications in the manner chosen by the user when registering (email, post, advertising offers, etc.).

Legal basis for processing and mandatory provision of data

• The processing of your personal data for the purposes referred to in points 1. and 2. (specified above) is based on the legitimate interest of the data controller (Article 6, paragraph 1, letter f) of the GDPR).
• The processing of personal data for the purposes referred to in point 3 (specified above) is based on the user's consent, provided by clicking the "Accept all" button on the banner that appears when accessing the site. You may review your choices by clicking the icon at the bottom of the site (Art. 122 of Legislative Decree 101/2018 "Privacy Code" - Guidelines for cookies and other tracking tools - June 10, 2021, GDPR).
• Please note that voluntary communications made by the user through the channels made available on the site entail the acquisition of personal data necessary to respond to/manage requests (Article 6, paragraph 1, letter f) of the GDPR) (purposes specified in point 4 above).
• The processing of personal data for newsletter subscription is based on the user's consent. Providing data for this purpose is optional. If the user decides to provide it, they may revoke it at any time.

Retention period

• Personal data processed for the purposes referred to in points 1. and 2. (specified above) will be retained until the end of the session/closure of the browser.
• To find out the retention period of third-party cookies, please refer to the Cookie Policy (purpose referred to in point 3).
• Personal data processed for the purpose referred to in point 4 (specified above) will be processed only to respond to the interested party's requests.
• Personal data processed for the purposes referred to in point 5 (specified above) will be retained for 2 years and deleted in the event of inactivity on the part of the interested party and in any case until the unsubscribe link at the bottom of the emails is used.

Information for Users who have registered on the site and for Buyers

Purpose of the processing

1. Create an account through which the buyer's data will be collected and stored to facilitate future purchases (registration on the site is optional for the user, who can still proceed with the purchase as a simple user).
2. Please contact the Group/School representative (in case of Group/School visits) for service communications.
3. Proceed with the purchase of the ticket(s) and fulfill accounting and tax obligations

Legal basis for processing and mandatory provision of data

• The processing of personal data for the purposes referred to in point 1 (specified above) is based on the data controller's legitimate interest (Article 6, paragraph 1, letter f) of the GDPR). The user may object to such processing at any time by deactivating their account or making an explicit request using the contact details provided in this policy.
• The processing of personal data for the purposes referred to in point 2 (specified above) is based on a pre-contractual measure (Article 6, paragraph 1, letter b) of the GDPR). Providing your data is mandatory; failure to provide it will prevent us from providing the requested service.
• The processing of personal data for the purposes referred to in point 3 (specified above) is necessary for the performance of a contractual obligation and for compliance with legal obligations (Article 6, paragraph 1, letters b) and c) of the GDPR). Providing your data is mandatory; failure to provide it will prevent you from completing the purchase.

Retention period

• Personal data processed for the purpose referred to in point 1 (specified above) will be retained for 3 years.
• Personal data processed for the purpose referred to in point 2. (specified above) will be retained until the end of the service provision unless the user has declared that he wishes to receive the newsletter.
• Personal data processed for the purposes referred to in point 3 (specified above) will be retained for 3 years.

Categories of personal data processed

The data processed may be:

1. Browsing data

Browsing data, collected automatically, is collected exclusively for the purpose of obtaining aggregate and anonymous statistical information regarding the use of the Site (including, for example, IP addresses, browsing times, geographic data, and other parameters relating to the user's operating system and IT environment). However, this information, including through processing and/or association with other data held by the provider or third parties, may allow the user's identity to be traced and be used to ascertain any liability in the event of hypothetical cybercrimes against the site or, in any case, related to browsing any links.

2. Cookies

This site uses cookies or markers, which are technically packets of information sent from a web server (in this case, this site) to the user's browser, which are stored on the user's device (personal computer, tablet, mobile phone, etc.) and automatically sent back to the server each time the site is accessed. To learn more about the type and purpose of the cookies used, please consult the website's Cookie Policy.

3. Data provided voluntarily by users/visitors

If the user decides to contact the Organization through the communication channels made available by the Organization (by telephone, email, website, online form, etc.), the Data Controller will process such data only to respond to the interested party's requests.

4. Data provided when subscribing to the newsletter

Registration requires the following data: email, first name, last name, company, address, country (required), birthday (for greetings), and phone number (optional). This data will be retained until you withdraw your consent and, in any case, for no longer than 2 years of inactivity.

5. Data provided for the creation of the user account

To create an account, we collect your email address and password. After 3 years, your data will be deleted; in that case, you will be able to register again.

6. Data provided for the organization of visits and/or ticket purchases

Tickets are purchased through a form that requires your name, surname, email address (required), and country (optional). For group/school visits, we will ask for the identification and contact information of the person to contact for questions regarding the management of the activities based on the requested service.

7. Social Network Plugins

This site also incorporates social media plugins and/or buttons to allow easy content sharing. These plugins are programmed to not set any cookies when accessing the page, to protect user privacy. Cookies are set, if required by the social networks, only when the user actively and voluntarily uses the plugin. Please note that if the user browses while logged in to the social network, they have already consented to the use of cookies delivered through this site when registering with the social network.

The collection and use of information obtained through the plugin are governed by the respective privacy policies of the social networks, to which please refer.

The processing will be carried out using IT tools, including by authorized persons, who operate under the direct authority and in accordance with the instructions given by the Data Controller, with logic strictly related to the indicated purposes and, in any case, in a way that guarantees the security and confidentiality of the processed data.

Processing operations are conducted in a manner that guarantees the security of data and systems. Specific security measures are adopted to minimize the risk of destruction or loss, even accidental, of data, unauthorized access, unauthorized processing, or processing that is not compliant with the purposes indicated in this policy. Specifically, the Site uses the HTTPS protocol for server authentication and communication channel encryption. The security measures adopted, however, cannot completely exclude the risk of interception or compromise of personal data transmitted electronically. Therefore, it is recommended to ensure that the device used by the user is equipped with adequate software systems to protect both incoming and outgoing data transmission (such as, for example, updated antivirus systems, firewalls, and spam filters).

Recipients of personal data

In addition to the Data Controller, other parties involved in the organization (authorized personnel) or external parties (web agencies, Mailchimp for newsletter management, hosting providers, other third-party technical service providers) may have access to the Data, also appointed, if necessary, as Data Processors by the Data Controller. An updated list of Data Processors may be requested from the Data Controller at any time. This does not affect the right to disclose data at the request of judicial or public security authorities, in the manner and cases provided by law.

Diffusion

Under no circumstances will personal data be communicated, disseminated, assigned, or otherwise transferred to third parties for unlawful purposes and, in any case, without providing appropriate information to the interested parties and obtaining their consent, where required by law.

Data transfer outside the EU

Your data will be transferred to countries outside the European Economic Area (EEA) by third-party technical service providers used by the Organization to manage its activities. In this case, personal data will not be transferred to countries or international organizations outside the European Union that do not guarantee an adequate level of protection, as recognized pursuant to Art. 45 GDPR, based on an adequacy decision by the EU Commission. If necessary for the provision of the Site's services, the transfer of personal data to countries or international organizations outside the EU, for which the Commission has not adopted an adequacy decision pursuant to Art. 45 GDPR, will only take place if adequate guarantees are provided by the recipient country or organization, pursuant to Art. 46 GDPR, and provided that data subjects have enforceable rights and effective legal remedies. In the absence of an adequacy decision by the Commission, pursuant to Art. 45 GDPR, or appropriate safeguards pursuant to Art. 46 GDPR, including binding corporate rules, the cross-border transfer will take place only if one of the conditions set out in Art. 49 GDPR is met.

Rights of the interested party

The GDPR recognizes various rights for the data subject, which they can exercise by contacting the Data Controller at the contact details indicated in this policy, provided that the conditions established by the legislation from time to time are met:

• Access your Data: you have the right to obtain information on the Data processed by the Data Controller, on certain aspects of the processing and to receive a copy of the processed Data.
• Verify and request rectification: You can verify the accuracy of your Data and request that it be updated or corrected.
• Obtaining the deletion or removal of your Personal Data: when certain conditions apply, the data subject may request that the Data Controller delete their Data.
• Revoke consent at any time : you can revoke the consent to the processing of your Personal Data previously expressed.
• Object to the processing of your Data : you may object to the processing of your Data when it occurs on a legal basis other than consent.

• Obtaining restriction of processing: When certain conditions apply, the data subject may request the restriction of the processing of their Data.
• Obtain data portability: You have the right to receive your data in a structured, commonly used, and machine-readable format and, where technically feasible, to have it transmitted to another controller without hindrance. This provision applies when the data is processed by automated means and the processing is based on consent, a contract to which the data subject is party, or contractual obligations related thereto.
• Lodging a complaint: You can lodge a complaint with the competent data protection supervisory authority or take legal action.

How to exercise your rights

To exercise your rights, you can send a request to the Data Controller's contact details provided in this document. Requests are submitted free of charge and will be processed by the Data Controller as quickly as possible, in any case within one month.

To exercise their rights, the Data Subject may avail themselves of non-profit organizations, associations, or bodies whose statutory objectives are in the public interest and which are active in the protection of the rights and freedoms of Data Subjects with regard to personal data protection, granting them a suitable mandate for this purpose. The Data Subject may also seek assistance from a trusted person.

To learn about your rights, file a complaint/report/appeal, and stay up-to-date on the legislation regarding the protection of individuals with regard to the processing of personal data, the interested party can contact the Italian Data Protection Authority by consulting the website at http://www.garanteprivacy.it/

INFORMATION FOR PARTIES INTERESTED IN VIDEO SURVEILLANCE

Information on the processing of personal data pursuant to Article 13 of EU Regulation 679/2016

We hereby inform you that, pursuant to Article 13 of EU Regulation 679/2016 (hereinafter 'GDPR'), personal data and images will be processed as follows, in compliance with the principles of fairness, lawfulness, transparency, and protection of privacy and the rights of the data subject.

Data Controller

The Data Controller is ENTE VILLA CARLOTTA (hereinafter also “Entity”) - CF 84001010135 Registered office and operational headquarters: Via Statale, 5605 – 22016 Tremezzina (CO) Telephone: (+39) 0344 40405 - Email: amministrazione@villacarlotta.it

Purposes for which we collect data

Legal basis of the processing and nature of the provision

Data retention period

Disclosure of data to other organizations

protection of the botanical, artistic, cultural, historical and architectural heritage of the works kept in the museum and botanical garden from criminal actions and damage visitor protection viewing of recordings in the event of intrusions by malicious individuals, as well as in the event that a specific investigative request by the judicial authority or the judicial police must be complied with		The processing in question is based on the legitimate interest of the data controller (Article 6, paragraph 1, letter f) of the GDPR).	Video surveillance images are retained for up to 72 hours after detection, except for specific retention requirements related to holidays or office closures, as well as in the event of a specific investigative request from the judicial authority or the police, or in the event of legal action being taken against the perpetrator.	The images may be accessed by duly authorized internal personnel within the organization who have been given specific instructions, as well as external parties such as judicial authorities or the police in the event of an investigative request, and technical service providers.
Diffusion	Personal data and images will not be disclosed.
Data transfer abroad	Personal data and images are stored on servers located at the Organization's headquarters.
Rights of the interested party	The data subject to whom the personal data processed refers may exercise the rights guaranteed by Articles 15 to 21 of the GDPR by contacting the Organization at the contact details indicated in this notice. In particular, the interested party has the right, in the cases provided for by the legislation, to: receive confirmation of the processing activity being carried out on your personal data, access to the data and relevant information on such activity carried out; obtain the rectification of inaccurate data or the integration of incomplete data; obtain the erasure of data concerning him or her if the conditions set out in Article 17.1 of the GDPR are met (e.g., if they are no longer necessary for processing and there is no obligation to retain such data); obtain restriction of the processing of their data if the conditions set out in Article 18.1 of the GDPR are met, meaning that the data will only be retained by the data controller for certain specific cases; receive the personal data provided to a data controller in a structured, commonly used and machine-readable format and to transmit those data to another data controller without hindrance; object, in whole or in part, to the processing of personal data concerning the interested party, even if pertinent to the purposes of the collection for legitimate reasons, or to revoke, in whole or in part, their consent, where necessary.
Complaint to the Supervisory Authority
The data subject has the right to lodge a complaint with a supervisory authority. The supervisory authority for Italy is the Guarantor for the protection of personal data ( www.garanteprivacy.it ).

Cookies Policy