This policy is divided into two sections: the first is aimed at describing how this website owned by Leonardo3 srl is managed, with reference to the processing of personal data of users who consult it and/or use the services made available to them through the website, such as online ticketing and newsletter services; the second contains information on the processing of users’ personal data that Leonardo3 srl implements through the cookies on the website.
Leonardo3 srl (hereinafter also referred to as the “Company” or “Owner”), in compliance with the legislation on the protection of personal data, intends to guarantee the privacy and security of the personal data of each user/visitor (the reference to them in the body of the policy is equivalent to identifying them as data subjects), also in relation to Internet access made from abroad.
The policy is also provided as a brief information notice and/or with a link to it, pursuant to art.13 of the EU Regulation 679/2016 (hereinafter “GDPR”), to those who interact with the web services of the Site accessible by electronic means. Please note that the information is not provided for other websites that may be consulted by the user through links published on the Site.
Data controller, data processors and persons in charge of data processing
The data controller is Leonardo3 srl, in the person of its legal representative pro tempore, with registered office in Via Monte Napoleone 9, Milan. Personal data may be processed by specially authorized and trained personnel.
Section 1: Processing of data deriving from the user’s subscription to the online ticketing and newsletter services accessible through the leonardo3.net website, as well as those deriving from consultation of the site’s pages.
1. Object, purpose and legal basis of the processing and nature of the personal data
a) The Data Controller collects data from users of the Site through the forms on its pages, which are set up for the use of the ticketing service managed through distribution platforms in agreement with the Data Controller.
The personal data processed are:
• identification data (name, surname, country of origin);
• address and contact details (e-mail and telephone number);
• data provided for the payment of tickets;
• accounting data (company name, VAT number, tax code);
• common data related to the facilities provided for access to museum facilities or events staffed or organized by the holder;
• computer data (e.g. related to the transaction carried out).
Personal data are processed for activities such as those functional to:
• acquiring and processing information useful for establishing the relationship with users for the purchase of tickets online, including reduced or free tickets;
• for the execution of the relationship established and of what follows from it (e.g. registration, data processing, including for accounting purposes, archiving, consultation and storage).
In such cases, the legal basis for the processing is based on:
• the need to carry out pre-contractual measures and the performance of the contract (ex Art. 6 (1) (b) of the GDPR);
• the need to comply with legal obligations (ex art. 6, paragraph 1, letter c) of the GDPR), such as those arising from the proper keeping of accounts and the application of the rules on the modalities of use of and access to the facilities and places of cultural interest referred to in Legislative Decree no. 42/2004, as amended, and Ministerial Decree no.111/2016, as amended.
The processing of personal data for the aforementioned purposes is necessary and any refusal to provide such data will make it impossible to provide the service requested and, therefore, to issue tickets for access to the museum facilities managed by the owner or to events organized by the owner, as well as to use the facilities provided for the aforementioned purposes.
(b) The personal data of the users, such as their contact and address data (in particular e-mail), may also be processed:
• with the User’s prior consent, for subscription to the mailing list set up, also through providers in agreement with the Data Controller, for the sending of newsletters for information purposes, that is to say, to periodically inform the User about the initiatives and developments of the services provided by the Data Controller and the activities related to them.In particular, once the user has provided his or her e-mail address in the “Keep in touch” section of the home page, by clicking on the “Subscribe to the newsletter” button, he or she consents to the processing of his or her personal data for the aforementioned purposes, without having to tick any further boxes. This is because, in accordance with Recital 32 and Article 5(1)(11) of the GDPR, any free, specific, informed and unambiguous manifestation of will by which the data subject expresses his or her consent to the processing of his or her data, by means of an unambiguous statement or positive action, constitutes a manifestation of consent.
In the event of failure to provide personal data, as well as in the absence of consent of the data subject, their processing will not take place for such purposes.
If the user had also used the other services offered by the owner through the site, any refusal to make the data for the newsletter subscription or the lack of consent will not affect the other processing already in place.
Consent, if given, may be revoked at any time and free of charge. The same applies if the user decides to object to the processing. In particular, to object to the processing, the User need only follow the unsubscribe instructions provided at the bottom of each email. In the event of withdrawal of consent, the User may send his request to email@example.com.
In the event that the user has given his/her consent and subsequently wishes to revoke it or oppose the processing for the purpose of receiving newsletters, the data relating to him/her will be permanently deleted or otherwise excluded from the processing in question (e.g. by being included in a black list), without this having any consequences or adverse effects on the user and on the processing carried out for the other purposes, with the exception also of the processing already carried out for the purposes in question on the basis of the consent given at the time.
c) The Data Controller may also process the personal data of users (including those of an IT nature) in order to guarantee the security and confidentiality of the processing carried out through the services displayed on the Site (ex art. 6, par. 1, lett. f) of the GDPR).
The data controller also acts in fulfillment of other legal obligations (art. 6, par. 1, lett. c) of the GDPR), when it carries out:
• the control and monitoring of HW and SW systems, applications and IT tools used for the processing of personal data, and also when it:
• implements procedures for the detection and notification of personal data breaches;
• responding to requests from competent authorities.