Privacy Policy

You are here:

Information on the processing and protection of personal data (Art. 13 GDPR)

 

GARDA MUSEI informs on how it processes and protects the personal data that it may process and acquire through the website.


Art. 1. Data controller: who collects the data and decides the purposes / methods of processing

CULTURAL ASSOCIATION GARDAMUSEI

Via del Vittoriale n. 12, 25083 Gardone Riviera (BS), Italy

VAT number:            04101050989

Cod. Fiscal:          96038330179

Telephone:                [email protected]

The data controller is also known as “GARDA MUSEI” and resells its attractions and routes through the site: https://onegardaticket.it

Art. 2. Purpose and legal basis of the processing: why the data is processed and What justifies the processing

GARDA MUSEI processes data for the following purposes.

Purpose a) – Registration to the https://onegardaticket.it portal 

Registration takes place via the e-mail      address.

Legal basis : execution of a contract.

The refusal to provide the e-mail address prevents registration to the portal.


Purpose b) – Purchase of routes and experiences

     During the purchase phase, you are asked to confirm your billing information (name, surname, address).

Legal basis : execution of a contract.

The refusal to provide the e-mail address prevents registration to the portal.

 

Purpose c) – Right of defence

    Exercise the rights of the Data Controller, for example any right of defense (judicial and extrajudicial).

Legal basis : legitimate interest of the owner.


The Data Controller does not carry out data profiling.

Art. 3. Data processed and processing methods

To achieve the aims of Art. 2 GARDA MUSEUMS processes the following data: e-mail address, name, surname and address of the person making the purchase. The telephone number can also be provided optionally.

All data communicated to GARDA MUSEI are processed within the limits strictly necessary to achieve the purposes referred to in Article 2 above, with the aid of paper and computer tools.

Art. 4. Data retention

The data are processed and stored at the offices of the Data Controller and on the company tools used (e.g. computers, servers, smartphones, etc.).

The processing of data (paper and digital) is carried out with appropriate measures to guarantee the security and confidentiality of personal data, in particular in compliance with appropriate security measures and according to the principles of lawfulness, necessity and proportionality.

The data collected and processed are kept for the following periods:

    Purpose a):          10 years from the end of the execution of the contract.

Purpose b):          10 years from purchase.

    Purpose c):          duration necessary to exercise the rights of the owner

Art. 5. Communication and transmission of data

The employees and / or collaborators of the Data Controller, in carrying out their normal work and / or collaboration activities, have access to the data as persons authorized to process.

Personal data may be transmitted to third parties who carry out the processing on behalf of the Data Controller, for example the structures that manage the attractions / routes purchased.

Payment data are managed by independent systems not attributable to GARDA MUSEI (payment by credit card and / or PayPal).

No data is resold to third parties.

Art. 6. Extra-EU data transmission

The transmission of extra-EU data is not foreseen.

Art. 7. Rights of the interested parties

Art. 7 para. 3 The interested party has the right to withdraw his consent at any time; Art. 15 Right of access, including the right to obtain the indication of the retention period of personal data envisaged. Right to obtain information on the origin of the data collected, as well as the purposes and methods of processing. Right to lodge a complaint with the Supervisory Authority at any time (Guarantor for the Protection of Personal Data); Art. 16 Right of the interested party to obtain the updating, rectification, integration of personal data; Art. 17 Right to erasure / right to be forgotten (when provided); Art. 18 Right to restriction of processing (when provided); Art. 20 Right to data portability (if existing technology allows it); Art. 21 Right to object to processing; Art. 22 Right not to be subjected to a decision based solely on automated processing, including profiling.

In addition, Art. 19 obliges the Data Controller to notify the correction, cancellation and / or limitation of processing requested by the interested parties.

Art. 8. Requests of interested parties: How rights can be exercised 

Requests relating to the exercise of the rights referred to in Article 7 above may be submitted by the interested parties to the Data Controller by registered letter or e-mail to the addresses listed in Article 1 above.

In all cases, interested parties must attach a valid identity document to the request.

Art. 9. Updates to this policy

This information may be subject to changes and additions, also as a consequence of any changes and / or regulatory additions. Any changes will be communicated to the interested parties.

Please note that the interested party can obtain the text of the constantly updated information by sending a request to the email: [email protected]