Privacy

Information pursuant to Article 13 of EU Regulation No. 2016/679

Pursuant to Article 13 of EU Regulation No. 2016/679 (General Data Protection Regulation), the following information is provided.

Data Controller

The Data Controller is the Municipality of Milan, with registered office at Piazza della Scala, 2 – 20121 Milan – Culture Directorate / Heritage Enhancement and Security Office, located at Piazza Duomo No. 14 – 20122 Milan – email address: c.dirvalorizzazione@comune.milano.it

Data Protection Officer (DPO)

The Municipality of Milan has appointed a Data Protection Officer (DPO), who can be contacted at the following email address: dpo@comune.milano.it

Purpose

Data processing is aimed at the following purposes:

a. Registration procedures required to use ticketing services for access to the Civic Museums of Milan, including any requests for assistance and complaints;

b. Issuing tickets for the Civic Museums of Milan, based on the purchase contract, also in relation to organizational and security requirements related to the use of such tickets;

c. Administrative and accounting purposes, including the possible transmission of commercial invoices, including by email, etc.;

d. Collecting statistical data and tracking preferences related to the museum visit experience. This activity is instrumental in producing anonymous and aggregated reports.

e. Periodically sending the cultural newsletter distributed by the Culture Department of the Municipality of Milan, in compliance with the principles of lawfulness and fairness and the provisions of law. This purpose is pursued based on the consent expressed by the interested parties, which may be revoked if necessary. The issuance of tickets is guaranteed even in the event of a refusal of consent;

f. Marketing and promotional purposes, through the automated sending of direct communications (e.g., email, text message) regarding services and/or products related to cultural activities promoted by the Municipality of Milan, including to third-party companies (primarily event organizers or commercial partners). These operations will be carried out based on the consent expressed by the data subjects, which may be revoked. Tickets will be issued even if consent is denied;

g. Marketing purposes, which involve sending invitations, offers, services, products, and events related or connected to previous purchases made by the user. This purpose is pursued based on the legitimate interest of the Data Controller pursuant to Art. 6, paragraph 1, letter F) of Regulation (EU) 2016/679, and may also be carried out to third-party companies (primarily event organizers or commercial partners). These operations will be carried out based on the consent expressed by the data subjects, which may be revoked. Tickets will be issued even if consent is denied;

h. Browsing the websites selling tickets to the Civic Museums uses cookies strictly necessary to provide the requested services.

Legal basis

Personal data is processed in compliance with the conditions set forth in EU Regulation 2016/679, and in particular Article 6, paragraph 1, letter b), for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures adopted at the data subject's request.

Types of data processed

The ticket sales service for the Civic Museums of Milan involves the collection of the following personal data:

- Personal data (Name and Surname)

- Date of birth

- Gender

- Nationality (Country, Region, Residential Address)

- Education/Cultural information

- Email address

- Telephone number

Processing methods

Processing is carried out in compliance with fundamental rights and freedoms and is based on the principles of fairness, lawfulness, transparency, and protection of confidentiality. It is also carried out with the aid of electronic tools in accordance with the operations indicated in Article 4, point 2, of EU Regulation 2016/679.

Nature of processing

The provision of data is mandatory for the purpose of purchasing tickets for the Civic Museums of Milan, and failure to provide it will prevent the purchase from being processed.

Communication and dissemination

Personal data may be processed by data processors affiliated with the Data Controller, i.e., by professionals and personnel who need to process such data for organizational and functional reasons, as well as by any third parties involved, appointed as Data Processors, as they are required to participate in the performance of the activities required to ensure the provision of the services offered. Processing will be limited solely to purposes related to the provision of the services offered. For example, the data will be communicated to any server providers, shipping agents, and carriers contracted for the delivery of purchased admission tickets, or to Contact and Call Center companies for the management of customer support services, etc.

The Data Processors are trained in personal data security and protection, and are specifically prohibited from disseminating or communicating personal data to other third parties except within the scope of performing their services. Where necessary, data may be disclosed to judicial authorities, including for organizational and security purposes related to purchased tickets, as well as for checks required by applicable law. The data will not be disseminated.

Categories of data recipients

Data processing is carried out by authorized persons, committed to confidentiality, and responsible for the relevant activities in relation to the purposes pursued.

Data processing is also carried out by personnel affiliated with the PRIMO NOMINE Scarl consortium, with registered office at Via del Banco di Santo Spirito 42 – 00186 Rome, which acts as Data Processor pursuant to Article 28 of EU Regulation 2016/679.

Data retention

Data will be retained for the time necessary to achieve the purposes for which it was collected and, in any case, for a period not exceeding 10 years.

Data transfer to third countries

Data processed for the aforementioned purposes are not transferred to third countries outside the European Union or the European Economic Area (EEA) or to international organizations.

Rights of data subjects

Data subjects may exercise the rights provided for in Article 15 et seq. of EU Regulation 2016/679, and in particular the right to access their personal data, request rectification or restriction, data portability, updating if incomplete or incorrect, and erasure if the conditions are met, as well as to object to processing by addressing the request to:

- The Municipality of Milan as Data Controller, Piazza Duomo no. 14, 20122 Milan – Culture Department / Heritage Enhancement and Security Area, at the following email address: c.dirvalorizzazione@comune.milano.it

or

- The Data Protection Officer (DPO) of the Municipality of Milan, at the following email address: dpo@comune.milano.it

Right to Lodge a Complaint

Finally, please be informed that data subjects who believe that the processing of their personal data violates the provisions of EU Regulation 2016/679 (Article 77) have the right to lodge a complaint with the Garante (www.garanteprivacy.it) or to take appropriate legal action (Article 79 of the Regulation).

Amendments

The Data Controller reserves the right to make any changes to this Policy, at its sole discretion and at any time, deemed appropriate or required by applicable laws, providing appropriate publicity to interested parties.