WEBSITE STATEMENT
Information regarding the processing of personal data pursuant to art. 13 of EU Regulation 679/2016
The Fondazione Mario Merz, as Data Controller (hereinafter also: “Owner” or “Foundation”), pursuant to EU Regulation 679/2016 (hereinafter: “GDPR”) and Legislative Decree (Leg.Dec.) 196/2003 and subsequent amendments (hereinafter “Privacy Code”) invites you, before communicating any personal data to the Owner, to read this Privacy Policy carefully as it contains important information concerning the protection of your personal data.
This Privacy Policy:
- is pertinent to the www.mariomerzprize.org website (hereinafter: “Site”), as well as requests, information and services that may be requested by telephone on +39.011.19719437 or by fax on +39.011.19719805 or by email to the following address: merzprize@fondazionemerz.org;
- constitutes an integral part of the Site and the services we offer,
- is made pursuant to art. 13 of the GDPR and of the Privacy Code for those who interact with the web services of the Site or who contact the Foundation by telephone, by post or by fax or e-mail.
The processing of your personal data will be based on principles of correctness, lawfulness, transparency, limitation of purposes and of conservation, minimisation and accuracy, integrity and confidentiality, as well as on the principle of responsibility pursuant to art. 5 of the GDPR.
Your personal data will therefore be processed in accordance with the legislative provisions of the GDPR and the confidentiality obligations provided for therein as well as those of the Privacy Code which are still in force today.
By processing of personal data we mean any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication via transmission, dissemination or any other form of provision, comparison or interconnection, limitation, cancellation or destruction, as defined in art. 4.2 of the GDPR.
We inform you that the personal data subject to processing may be constituted – depending also on your decisions on how to use the services – by any information concerning your person suitable for enabling you to be identified or identifiable, including textual information, photographic or video images and by any other information supplied.
- OWNER OF THE PROCESSING: WHO WE ARE AND WHAT WE DO
The data controller is the Fondazione Mario Merz, tax no. 97590980013 and VAT No. 09216820010, with registered offices in Via Limone no. 24 – 10141 Turin (TO), Italy, which operates as a centre for contemporary art, founded with the intention of hosting exhibitions, events, educational activities and carrying out research and the investigation of art.
- THE DATA WE PROCESS
We inform you that the personal data subject to processing may consist of an identifier such as name, an identification number, location data, an online identifier or one or more characteristic elements of your physical, physiological, genetic and psychic, economic, cultural or social identity suitable for rendering the interested party identified or identifiable, depending on the type of services requested (hereinafter only “personal data”).
Furthermore, in the light of the educational/training/teaching activities we carry out, we will also process the data relating to your health and those, more generally, falling within the scope of the Special Data referred to in Article 9 of the GDPR.
The personal data processed through the Site are the following:
a. Browsing data
The computer systems and software procedures used to operate the Site acquire, during their normal operation, some personal data the transmission of which is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users connecting to the Site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numeric code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the operating system and the user’s IT environment. These data are used for the sole purpose of obtaining eventual anonymous statistical information on the use of the Site to check its correct functioning, to identify anomalies and/or abuses, and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the Site or third parties.
b. Data voluntarily provided by you – personal data
Except for the reference to specific information, this Privacy Policy is intended also for the processing of data voluntarily provided by e-mail and/or telephone. In this regard, we ask you not to disclose information that may fall within the category of special categories of personal data pursuant to art. 9 of the GDPR (for example, data referring to racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, life/sexual orientation as well as genetic data, biometric data or data relating to your state of health), unless specifically requested of you and subject to specific information and eventual consent.
c. Third-party data voluntarily provided by you
In the use of particular services, personal data of third parties may be processed, communicated by you to the Foundation. With respect to these possibilities, you constitute the independent data controller, assuming all legal obligations and responsibilities. In this sense, you grant the widest indemnity with respect to any dispute, claim, compensation claim for treatment, etc. that might reach the Data Controller from third parties, whose personal data have been processed through your use of the Site services in violation of the rules on the protection of applicable personal data. In any case, if you provide or otherwise process personal data of third parties in your use of the Site, you hereby guarantee – assuming all associated responsibilities – that this particular processing eventuality be based on the prior acquisition on your part of the consent of the third party to the processing of information concerning them and to their dissemination and that such processing by you will be in accordance with the GDPR.
d. Cookies
The information on cookies used by the Site is available at the following address _____________________
- OUR MOTIVES FOR PROCESSING YOUR DATA – PURPOSE OF THE PROCESSING
Your personal data will be processed, with your consent where necessary, for the following purposes, where applicable:
3.1. to allow navigation of the Site and provision of the Foundation’s services through the Site;
3.2. to find specific requests, including by telephone, via fax or e-mail, addressed to the Foundation;
3.3. to fulfil any obligations required by applicable laws, regulations or EU legislation, or meet requests from the authorities;
3.4. to exercise the rights of the Owner;
3.5. to fulfil contractual or pre-contractual obligations deriving from existing relationships with you;
Your personal data, including those belonging to special categories, will be processed with automated and non-automated tools.
Specific security measures are observed to prevent the loss of data, illicit or incorrect use and unauthorised access.
- LEGAL BASIS AND OBLIGATORY OR OPTIONAL NATURE OF THE DATA PROCESSING
The legal basis for the processing of personal data for the purposes referred to in section 3.1 and 3.2 and 3.5. is art. 6 (1) (b) of the GDPR: […] processing is necessary for the execution of a contract of which the interested party is a party or the execution of pre-contractual measures adopted at the request of the same), as the processing is necessary for the provision of services. The supply of personal data for these purposes is optional, but failure to provide such data would make it impossible to activate the services requested.
The legal basis for the purpose referred to in section 3.3 is art. 6 (1) (c) of the GDPR: ([…] processing is necessary to fulfil a legal obligation to which the data controller is subject. Indeed, once personal data has been provided, processing is necessary to fulfil legal obligations to which the Foundation is subject.
The legal basis for the purpose referred to in section 3.4 is art. 6 (1) (f) of the GDPR: [….] processing is necessary for the pursuit of the legitimate interest of the owner or third parties, provided that the interests or fundamental rights or freedoms of the Interested person do not prevail…. Indeed, once the personal data has been provided, the processing is necessary for the pursuit of a legitimate interest of the Foundation in conformity with the conditions indicated above.
- RECIPIENTS OF PERSONAL DATA
Your personal data may be shared, for the purposes referred to in section 3 of this Privacy Policy, with:
5.1. subjects that typically act as data processors, ie: i) subjects delegated to carry out technical or IT maintenance activities, such as, but not limited to, subjects operating on the management software, on the website, etc .; (collectively “Recipients”).
5.2. subjects, entities or authorities to which it is obligatory to communicate your personal data in accordance with legal provisions or orders of the authorities;
5.3. persons authorised by the Foundation to process personal data necessary to carry out activities strictly related to the provision of services, which are committed to confidentiality or have an adequate legal obligation of confidentiality and which guarantee the Processing of Data in accordance with the GDPR.
- TRANSFERS OF PERSONAL DATA
The personal data are stored on servers located within the European Union. It is understood that the Owner, if necessary, shall retain the right to move the servers outside the European Economic Area. In this case the Data Controller assures as of now that this transfer, if undertaken, would be effected in compliance with the applicable legislation based on a decision of adequacy or on the Standard Contractual Clauses approved by the European Commission. More information is available by sending a written request to the Owner at the addresses indicated in the “Contacts” section of this statement.
- STORAGE OF PERSONAL DATA
The personal data processed for the purposes referred to in section 3 will be kept for the time strictly necessary to achieve those same purposes, as well, given that this processing is carried out for the provision of services, up to the time period envisaged and admitted by Italian legislation for the protection of interests and the right to defence of the Foundation, having regard to the statute of limitations established by the applicable legislation.
More information about the data retention period and the criteria used to determine this period can be requested by sending a written request to the Owner at the addresses indicated in the “Contacts” section of this statement.
- RIGHTS OF THE INTERESTED PARTY
As an interested party, pursuant to articles 15 and following of the GDPR, you have the right to:
- obtain confirmation of the existence or not of personal data concerning you, even if not yet recorded, and their communication in an intelligible form;
- obtain the indication: a) of the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the case of processing carried out with the aid of electronic instruments; d) the identification data concerning the owner, data processors and the designated representative pursuant to Article 3, paragraph 1, of the GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who can be appraised of them as appointed representative within the State, as managers or appointees;
- obtain: a) updating, rectification or, when requested, integration of data; b) the deletion, transformation into anonymous form or blocking of data processed in violation of the law, including data which does not need to be kept for the purposes for which the data was collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also with regard to their content, of those to whom the data have been communicated or disseminated, except in the event that such fulfilment as occurs prove impossible or involve a manifestly disproportionate use of resources with respect to the protected right;4
- object, in whole or in part: a) to the processing of personal data concerning you, even though they be relevant to the purpose of the collection; b) to the processing of personal data concerning you for the purpose of sending advertising materials or direct sales or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by e-mail and/or through traditional marketing methods by phone and/or mail. It should be noted that the right of opposition of the interested party, with regard to the previous point b) for direct marketing purposes by automated means is extended to traditional ones and that in any case includes the possibility for the interested party to exercise the right of opposition even in part only. Therefore, the interested party may decide to receive only communications using traditional methods or only automated communications or none of the two types of communication.
Where applicable, you shall also have the rights set forth in Articles 16 – 22 of the GDPR (right of rectification, right to deletion, right to limitation of processing, right to data portability, right to object, right to oppose automated processing, including profiling).
Requests should be sent in writing to the Owner at the addresses indicated in the “Contacts” section of this statement.
In all cases you shall always be entitled to lodge a complaint with the competent regulatory authority (Guarantor for the protection of personal data), pursuant to art. 77 of the GDPR, if you should consider that the processing of your data has been done in contravention of current legislation.
- MODIFICATIONS
The Foundation reserves the right to modify or simply update the contents of this Privacy Policy, in part or in whole, in response also to changes in applicable legislation. In this case the Foundation will inform you of these changes as soon as they are introduced and they will be binding as soon as they are published on the Site. The Foundation therefore invites you to visit this section regularly to be aware of the most recent and updated version of the Privacy Policy in order to be always up-to-date as to the data collected and the use made of it by the Owner.
- CONTACTS
The Owner of the personal data processing is the Mario Merz Foundation, with registered offices in Via Limone, 24 – 10141 Torino (TO), Italy, phone +39. 011.19719437, email: info@fondazionemerz.org