FAPIM S.p.A., as the Data Controller of your personal data, in the person of its legal representative, pursuant to and for the purposes of Regulation (EU) 2016/679 (GDPR), hereby informs you that the above-mentioned legislation provides for the protection of persons and other subjects with regard to the processing of personal data and that such processing will be based on the principles of correctness, lawfulness, transparency and protection of your privacy and your rights. Your personal data will be processed in accordance with the legal provisions of the legislation referred to above and the confidentiality obligations therein.
Processing Purpose: in particular, your data will be processed for purposes related to the implementation of the following legislative or contractual obligations:
- Access register:
- Organisation of guided tour management services at museum premises, production plants or company offices;
- If minors are registered, the access registers are filled in and provided by the teaching staff responsible for the schoolchildren or their parents;
- Control services for security purposes and legal or contractual obligations;
- Security reasons so as to be able to verify, at any time, the presence of outsiders within the company structure.
- Video surveillance:
- Control services for security purposes and protection of company assets;
- Complementary measure aimed at improving corporate security and facilitating the possible exercising of the data controller’s or third party’s right of defence in civil or criminal proceedings based on images relevant to unlawful acts;
- The cameras are positioned outside the company buildings and indicated by appropriate signage;
- This data will be consulted by the Data Controller in case of investigations resulting from criminal offences.
- Internet network for visitors:
- The Internet network has been partitioned to allow online browsing by company guests, without interfering with the activities of other workers. This network is protected and can be accessed with the user’s personal device after entering a password, which is provided by company personnel;
- Personal data relating to network access or browsing logs (e.g. sites visited via IP address) will only be processed if connectivity anomalies are verified and the company’s IT security is endangered, and this will be communicated to the data subject.
- COVID-19 protocols:
- To manage the emergency period related to the COVID-19 risk as best as possible, the body temperature may be measured or requested to be measured independently, in order to certify that it is below 37.5 °C as required by current regulations, without any recording of it;
- The possession of a valid Green Pass may also be requested and verified; filing of the same will only take place at the explicit request of the data subject, in accordance with the procedures and time frames provided for by the regulations in force.
Functional data processing for the fulfilment of these obligations is necessary for the proper management of the relationship and provision of such data is compulsory for the implementation of the above-mentioned purposes. The Data Controller also points out that failure to provide, or incorrect communication of, any of the mandatory information may make it impossible for the Data Controller to guarantee the adequacy of the processing.
For the purposes of the aforementioned processing, the Data Controller may become aware of data defined as particular, i.e. sensitive or judicial data within the meaning of privacy legislation, when necessary for the purposes specified above, and in particular:
- Photographs or recordings, which could reveal the data subject’s conduct and habits;
- Health data, related to proper implementation of pandemic protocols.
With your consent, your personal data may also be used for the following purposes:
- Sharing of personal data, photos and/or videos on the company website, social page. This data will only be collected and shared after explicit consent has been given.
Providing the data is optional for you with regard to the above-mentioned purposes, and your refusal to do so will not jeopardise the continuation of the relationship or the appropriateness of the processing.
Processing Methods: your personal data will be processed as follows:
- Outsourcing to third parties in the event of an investigation by the competent authorities;
- Processing by means of paper files (attendance registers and self-certifications);
- Processing by means of electronic devices (consultation of video recordings or system logs).
All processing is carried out in accordance with Chapter II of Regulation (EU) 2016/679.
Disclosure: your data will be stored at our premises and will be disclosed exclusively to the subjects responsible for carrying out the services required for the proper management of the relationship, with guaranteed protection of the data subject’s rights.
Your data will only be processed by personnel expressly authorised by the Data Controller and, in particular, by the following categories of appointees:
- Management and secretariat;
- Reception Manager;
- Reception and switchboard employees;
- IT employees and managers;
- other employees within the limits of the assignments received and the company procedures.
Your data may be disclosed to third parties, in particular to:
- Fire brigade and other competent bodies in the event of an emergency within the premises;
- Company entrusted with the maintenance of the video surveillance system;
- Company entrusted with the supervision and protection of company assets;
- Local health authorities and authorities responsible for managing health emergencies;
- Other third parties and entities authorised by the company to handle the personal data described.
Personal data will not be processed by third party companies, appointed and verified as External Data Processors, with the exception of special technical needs. The data controller is responsible for verifying the compliance of these subjects with national and European legislation on the processing of personal data.
Dissemination: without prejudice to the absolute ban on dissemination of data disclosing health status, after collecting explicit consent, the data may be disseminated for:
- Publication on the web or advertising material (personal data and any photographs/videos).
Storage: registers relating to schoolchildren or other users visiting the museum will be completed by the teacher/manager and handed over to the staff present at the time of entry; attendance registers will be kept daily at the concierge desk and reception, for 12 months in the company archives. The retention of video surveillance recordings is limited to a few hours or, at most, forty-eight hours following the recording, except for special needs for further retention in connection with holidays or office or business closures, as well as in the event of a specific investigative request by the judicial authority or the judicial police. Access logs of devices connected to company networks are deleted every 6 months. Forms to manage the risk from COVID-19 are kept in the dedicated office for 14 days, as required by law.
Your sensitive data to be processed are only those strictly pertinent to the obligations, tasks or purposes described above and will be processed in compliance with the indications contained in the relevant General Authorisations of the Data Protection Authority.
The Data Subject’s Rights
You have the right to obtain from the controller the deletion, communication, updating, rectification, integration of your personal data, and in general you may exercise all your rights under Chapter III of the GDPR, Articles 15 to 22, including the right to lodge a complaint with the Data Protection Authority.
- The data subject has the right to obtain confirmation of the existence or non-existence of his or her personal data, even if not yet recorded, disclosure of such data in an intelligible form and the possibility of lodging a complaint with the Data Protection Authority.
- The data subject has the right to be informed:
- of the source of his or her personal data;
- of the processing purposes and methods;
- of the logic applied in the event of processing carried out with the aid of electronic instruments;
- of the identity details of the data controller, data processors and the representative designated pursuant to Article 5, paragraph 2;
- of the entities or categories of entities to whom the personal data may be disclosed or who may become aware of the data in their capacity as designated representative in the territory of the State, data processors or persons in charge of processing.
- The data subject has the right to obtain:
- updating, rectification or, when interested, integration of the data;
- deletion, transformation into anonymous form or blocking of data processed in breach of the law, including data that need not be kept for the purposes for which the data was collected or subsequently processed;
- certification that the operations referred to in points a) and b) have been brought to the attention, also as regards their content, of those to whom the data has been disclosed or disseminated, except where this proves impossible or involves a manifestly disproportionate effort compared to the right protected;
- portability of the data.
- The data subject has the right to object, in whole or in part:
- for legitimate reasons to the processing of his or her personal data, even if pertinent to the purpose of collection;
- the processing of his or her personal data for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.