Information pursuant to articles 13 and 14 of EU Regulation no. 679/2016 dated 27 April 2016, “on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/ED (General Data Protection Regulation, hereinafter referred to as the GDPR)”)”
Pursuant to articles 13 and 14 of Regulation EU 2016/679 we herewith inform visitors to the Museo Galileo and users of the services provided by the museum of the following:
- The Museo Galileo – Istituto e Museo di Storia della Scienza located in Piazza dei Giudici n° 1, Florence (hereinafter also referred to as “Museum”) is the responsible entity to this agreement.
- The personal data furnished by users will be processed by the Museum itself:
a) for the purposes of the institution, connected with or contributing to the activities of the Museo Galileo, and therefore necessary for the provision of its contractual services and the fulfillment of its legal obligations in terms of administration and bookkeeping, and all other obligations assumed as the responsible entity to this agreement;
b) for the purposes of sending information to users regarding the cultural activities organized by the Museum via the Newsletter, mailings, etc., and for the analysis of data for the purposes of marketing research.
The Museum will in addition, for the same purposes as specified above, conduct statistical studies on aggregate, duly anonymized data.
- The processing of all personal data will be conducted in conformity with the principles of lawfulness, accuracy, fairness, transparency, and confidentiality as required by article 5 of the GDPR and the other laws and regulations in force. All data will be processed in a correct and transparent manner either manually or by computer and stored in printed, digital and/or other forms in designated archives that will be constantly monitored using adequate procedures and security measures in conformity with the requirements laid out in article 32 of Regulation EU 2016/679 in order to safeguard and ensure the confidentiality of all personal data, and to prevent any loss or illicit use of, or unauthorized access to this data.
- The legal basis for the processing of personal data as per point 2a lies in the specific contractual agreement established and in the institution’s compliance with the legal obligations contained therein. The processing of this data is retained to be indispensable to the execution of the contract to which the user is co-signatory and refusal of consent by the user will render the Museum unable to respect its side of the contract. The legal basis for the processing of personal data as per point 2b lies in the express consent given by the user, which is required if the Museum is to carry out its activities and realize its objectives as listed above, and in the absence of which it will not be possible to conduct these activities for the benefit of the interested party.
- The processing of personal data will be undertaken by members of the Museum staff as expressly requested by organizations, companies or consortiums, as well as by outside professionals and consultants designated as per article 28 of the above-cited EU regulation. These contracted service providers will furnish specific data processing or administrative services or carry out functions connected with, necessary to, or in adjunct support of the Museum and its activities as outlined above, such as the delivery of the newsletter, booking services, or market research.
A list of the duly authorized Museum personnel and outside service providers is available on request from the Museum.
- The personal data referred to above may be provided by the Museum to public entities, as allowed for by the relevant laws and regulations, in order to enable them to carry out their duly mandated administrative functions.
- In adherence to the EU’s principles of necessity and proportionality, the data as specified in point 2a will not be kept for periods longer than is indispensible for the realization of the objectives outlined above and therefore for the time necessary to properly fulfill its contractual obligations, and in any case no longer than the 10 years stipulated in the Civil Code on this matter. The personal data referred to in point 2b will be conserved for 24 months from the date of the most recent consent given. At the end of this period a renewal of the interested party’s consent to the processing of his or her personal data will be requested and if withheld, this data will be cancelled.
- The GDPR recognizes a series of rights held by the user as dictated in articles 15 to 22, among them full access rights to his/her own personal data, the right to correct or cancel any of this data, to limit its processing, and to deny permission for its use in direct marketing activities. The interested party has the right to revoke his/her consent at any time, without prejudicing the legality of the use by the Museum of the data as consented to by the interested party up to the date of his/her revocation of consent.
- The interested party has the right to file a complaint regarding the improper use of his/her data with the relevant authorities as provided for in article 77 of EU regulation 2016/679.
The Data Controller