Privacy and Legal Notice

1. Introduction

For Fondazione Opificio ETS (hereinafter also referred to simply as the “Foundation”), your privacy and the security of your personal data are particularly important. Therefore, we collect and process your data with the utmost care and attention, implementing specific technical and organizational measures to ensure the complete security of data processing.

Pursuant to Article 13 of European Regulation 2016/679 and the Privacy Code as amended by Legislative Decree 101/2018 (“Legislation”), we hereby inform you that your personal data, including data classified as “special” under the Regulation (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health-related data, or data concerning a natural person’s sex life or sexual orientation), are processed in a manner that guarantees security and confidentiality. This processing is carried out using paper, electronic, and/or telematic means, as detailed in this privacy notice.

2. Definitions

Personal Data: refers to any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to identifiers such as name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of that person.

Processing: refers to any operation or set of operations performed with or without automated processes on personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Special categories of personal data: refers to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data aimed at uniquely identifying a natural person, data concerning health, or data relating to a natural person’s sex life or sexual orientation.

Data Controller: refers to the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.

Data Processor: refers to the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.

3. Data Controller

The processing of your personal data is conducted by Fondazione Opificio ETS, with its registered office at Via Bufalini n. 6, 50122 Florence (FI), as Data Controller pursuant to and for the purposes of the EU Regulation.

For any questions or requests related to the processing of your personal data, you can contact the Foundation at any time using the following contact details:

Data Controller

Legal Name: Fondazione Opificio ETS
Registered Office Address: via Bufalini n. 6 – Firenze
Telephone Contact: +39 055 5384100
Email Contact: info@fondazioneopificio.it

4. Types of Data and Purposes of Processing

The website provides informative and interactive content. While browsing the website, the Foundation may collect visitor information through the following means:

  • Browsing Data: Computer systems and software procedures used for this website automatically collect certain personal data, which are implicitly transmitted through Internet communication protocols. This category of data includes IP addresses, browser types, operating systems, domain names, referring website addresses, user navigation within the website, access times, page visit duration, internal navigation path analysis, and other parameters related to the user’s operating system and computer environment. Although this information is not intended to identify users, its nature might allow user identification when combined with other data held by third parties (e.g., your internet service provider). These data are used solely to obtain anonymous statistics about website use and to ensure its proper functioning.
  • Additional Data Categories: This refers to all personal data provided by visitors through the website, such as registering and/or accessing a reserved area, service, or event, writing to the Foundation’s email addresses to request information, or contacting our phone numbers directly. The personal data processed by the Foundation include those provided by you while browsing or using online services offered.

Apart from what is specified regarding browsing data, users are free to provide or withhold the personal data requested in service registration forms. On these forms, certain data may be marked as mandatory; these data are required for providing the requested service. If these data are not provided, the requested service cannot be delivered, nor can associated opportunities be utilized. At the time of data provision, data subjects receive an information notice containing all GDPR requirements. Data subjects must provide informed, free, explicit consent, documented as required by law, where necessary. If personal data are provided at later stages, supplements to previously provided notices may be delivered, and new consents for processing may be requested.

The types of personal data collected and processed via the website are those necessary to provide various offered services. To offer services, your fax and telephone numbers, as well as your email address, may be used. Therefore, it is clear that if such data are not provided, the services requiring these tools cannot be delivered. If you do not consent to using your email address for newsletter subscription or for informational or interactive communication purposes, these tools will not be used for these purposes. Specific notices will be provided on website pages designed for personal data submission. Voluntary sending of emails to addresses listed on the website entails the acquisition of the sender’s address and any additional information contained in the message; such personal data will only be used to perform the requested service or task.

Once collected, your personal data are processed for the following purposes:

| | Purposes | Legal Basis |
|---|---|---|
| A | To monitor your user experience with our web services and offered services, and to ensure the proper functioning of web pages and their content. | The processing activities carried out for these purposes are based on the legitimate interest of the Data Controller and do not require specific consent from the data subject. |
| B | To carry out administrative and accounting activities strictly related and instrumental to fiscal and bureaucratic obligations, as well as the organizational management of requested services. | The processing activities carried out for these purposes are necessary for fulfilling contractual obligations and do not require specific consent from the data subject. |
| C | To enable the provision of services requested by data subjects. | The processing activities carried out for these purposes are necessary for fulfilling contractual obligations and do not require specific consent from the data subject. |
| D | To formalize user information requests and manage relationships with data subjects. | The processing activities carried out for these purposes are necessary for fulfilling contractual obligations and do not require specific consent from the data subject. |
| E | To follow up on requests for the use of exhibition spaces, conference rooms, and the Foundation’s Auditorium. | The processing activities carried out for these purposes are necessary for fulfilling contractual obligations and do not require specific consent from the data subject. |
| F | To comply with obligations set out by laws, regulations, and European legislation. | The processing activities carried out for these purposes are necessary for fulfilling contractual obligations and do not require specific consent from the data subject. |
| G | Subscription to the newsletter service. | The processing activities carried out for these purposes are performed based on the specific consent provided by the user. |
| H | To perform direct communication activities concerning the institutional activities of the Foundation, through the periodic sending of newsletters to the email address voluntarily provided during your registration on the website. | The processing activities carried out for these purposes are performed based on the specific consent provided by the user, except for communications related to services similar to those already used and/or subscribed to by the user, for which the processing is based on the legitimate interest of the Data Controller. |

Your personal data is processed by Foundation personnel specifically authorized under Article 4(10) of the EU Regulation, who handle data based on precise instructions provided by the Data Controller.

To carry out technical, organizational, and operational tasks for providing services and managing ongoing relationships, the Foundation may share your personal data with third parties. These third parties are carefully selected and offer adequate guarantees for compliance with personal data processing regulations. They have been appointed as Data Processors under Article 28 of the EU Regulation and are required to carry out their activities in accordance with specific instructions issued by the Foundation and under its control. An updated list of these entities is available at the Data Controller’s registered office and can be consulted upon request.

If necessary for specific services requested, personal data may also be disclosed to third parties acting as independent data controllers, performing functions strictly related and instrumental to the provision of such services. Without this disclosure, these services cannot be provided. Personal data will not be disseminated unless explicitly required by the requested service.

It is understood that your personal data will not be disclosed to third parties for promotional purposes nor disseminated in any manner.

Your data may also be shared with law enforcement agencies and judicial or administrative authorities in compliance with the law, for the investigation and prosecution of crimes, the prevention and protection against threats to public security, to enable the Foundation to exercise or defend its rights or those of third parties before competent authorities, and for other reasons related to protecting the rights and freedoms of others.

5. Data Transfer Outside the EU

Some third parties referenced in the previous paragraph may be located in countries outside the European Union that, according to specific decisions by the European Commission, offer adequate levels of data protection.

Transfers of your personal data to third parties located in countries outside the European Union that do not provide adequate protection will only occur with your consent or following the execution of specific agreements between the Foundation and these parties. These agreements contain appropriate safeguards for protecting your personal data, known as “Standard Contractual Clauses,” also approved by the European Commission, or when the transfer is necessary for the conclusion and performance of a contract between you and the Foundation or for managing your requests.

6. Data Retention

Your data will be retained for a limited period, varying according to the type of processing activity and its specific purpose, as detailed below:

  • Data from users registered on a portal/website: retained until you request profile deletion.
  • Data collected while using services provided by the Foundation: retained until the end of the service or cancellation by the user.
  • Data collected for sending informational newsletters: retained until the user requests to stop receiving communications, and in any case within two years from the user’s last interaction with the Foundation.
  • Data collected for administrative and accounting purposes related to fiscal and bureaucratic obligations and organizational management: retained for 10 years from the end of your relationship with the Foundation or, in case of disputes, for the statutory limitation period for protecting related rights, subject to longer periods required by specific sector regulations.

At the end of these periods, your data will be permanently deleted or irreversibly anonymized by the Foundation.

7. Your Rights

You can exercise the following rights concerning your personal data as provided and guaranteed by the Regulation:

  • Right of access and rectification (Articles 15 and 16 of the Regulation): You have the right to access your personal data and request their correction, amendment, or supplementation. We will provide you with a copy of your data if requested.
  • Right to erasure (Article 17 of the Regulation): You may request deletion of your data under the conditions provided by law. Upon receiving and assessing your request, we will cease processing and delete your data if the request is legitimate.
  • Right to restriction of processing (Article 18 of the Regulation): You have the right to request restriction of data processing in cases of unlawful processing or when contesting the accuracy of personal data.
  • Right to data portability (Article 20 of the Regulation): You have the right to request your personal data from the Data Controller to transfer them to another controller under conditions provided by Article 20.
  • Right to object (Article 21 of the Regulation): You have the right to object to processing based on our legitimate interest at any time, specifying your reasons; before accepting your request, the Foundation will assess the validity of your reasons.
  • Right to lodge a complaint (Article 77 of the Regulation): You have the right to lodge a complaint with the competent Data Protection Authority if you believe your data protection rights have been violated.

You may exercise these rights at any time regarding the specific processing activities carried out by the Foundation.

The above rights can also be exercised by anyone with their own interest, acting on your behalf as your agent, or for family reasons worthy of protection, pursuant to Article 2-terdecies of Legislative Decree 101/2018.

Further information about your rights can be obtained by requesting a complete extract of the articles mentioned above from the Data Controller.

8. Security Measures

The Foundation implements appropriate security measures under Articles 5 and 32 of the GDPR to safeguard the confidentiality, integrity, completeness, and availability of personal data. Technical, logistical, and organizational measures are implemented to prevent accidental damage, loss, alteration, misuse, and unauthorized access, ensuring timely restoration of data availability in the event of physical or technical incidents (e.g., data breaches).

The Foundation regularly tests, verifies, and assesses the effectiveness of these security measures to continuously improve data processing security.

9. Changes to this Privacy Policy

The ongoing evolution of our services may result in changes to the characteristics of personal data processing described herein. This privacy policy may be modified and supplemented over time as necessary due to new legal provisions regarding data protection or changes in our services.

We encourage you to regularly review this policy. We will attempt to promptly inform you of changes and their consequences.

The updated version of the privacy policy will always be published on the Foundation’s website, indicating the date of the last update.

10. Date of last update

01/04/2025