Kuratorium Stiftsmuseum Innichen EO, with registered office at Attostraße 2, Innichen (BZ) - 39038, C.F./P.IVA IT01733530214, (hereinafter referred to as the "Data Controller" or "Controller"), is committed to protecting the online privacy of individuals while they browse and use the services of the website https://mik.bz.it (hereinafter referred to as the "Portal" or "Website").
This document describes every aspect related to the processing of personal data of users (hereinafter referred to as "Data Subjects") carried out through the Website, in accordance with the provisions of Article 13 of EU Regulation No. 2016/679 (hereinafter referred to as the "Regulation"). According to the provisions of the Regulation, the processing carried out by the Controller through the Website will be based on the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality.
1. Data Controller
The Data Controller for the processing carried out through the Portal is Kuratorium Stiftsmuseum Innichen EO, as defined above, which can be contacted using the methods indicated in the "Contacts" section (see Article 10).
2. Categories of Personal Data processed
Navigation/Usage Data:
Information collected during the user's visit to the Website (e.g., IP address, URI notation addresses, browsing history, information about interactions with the site, information about the user's computer environment, browser type and language, operating system, location, date and time of the request). These are pieces of information that are not collected to be associated with identified individuals, but by their very nature, through processing and associations with data held by third parties, they could allow user identification.
Data voluntarily provided by the user:
Personal information voluntarily provided by the user through specific forms on the Website (e.g., registration, contact, comments, reviews, posts, etc.). Such information may include, for example: identifying data (name, surname, ID number, username, user ID, password, place and date of birth, etc.), personal image, contact and location data (residential address, email address, phone number, postal address, etc.).
Commercial data:
Information necessary for the performance of economic and fiscal obligations related to the provision of services on the Website (e.g., payment information, VAT number, purchase history, product or service usage information, credit and billing information, assistance requests, etc.).
Location or mobility data:
Information indicating the geographical location (latitude, longitude, altitude, direction of movement, time of position recording) of the user's terminal device (e.g., smartphone, PC) using the services of the Website.
3. Purposes of Processing
The Data Controller uses the Personal Data collected through this Website for the following purposes:
Service Provision:
Responding to information requests received through the Website; delivering content and services related to the Website; sending user notifications and updates regarding the requested service.
Payments and Invoicing:
Managing the economic and fiscal profile related to the sale of products/services through the Website.
Security Assurance, Abuse and Fraud Prevention, Debugging:
Monitoring and preventing fraudulent activities and ensuring that systems and processes function properly and securely.
Judicial Protection:
Ensuring the Data Controller's right to protect or exercise a legal claim.
Legal Obligation:
Complying with a legal obligation to which the Data Controller is subject.
4. Legal Basis for Processing
The Data Controller processes the Personal Data collected through this Website on the following legal bases:
Contract/Pre-contractual Measures:
The processing of Personal Data is based on Article 6(1)(b) of the Regulation ("[...] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract").
Consent of the Data Subject:
The processing of Personal Data is based on Article 6(1)(a) of the Regulation ("[...] the data subject has given consent to the processing of his or her personal data for one or more specific purposes"). The consent given by the user is voluntary and does not affect the use of additional services on the Website. Consent can be revoked at any time through the cookie preference selection form or by contacting the Data Controller using the contact details provided in the "Contacts" section (see Article 10).
Legitimate Interest of the Data Controller:
The processing of Personal Data is based on Article 6(1)(f) of the Regulation ("[...] processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party").
Legal Obligation:
The processing of Personal Data is based on Article 6(1)(c) of the Regulation ("[...] processing is necessary for compliance with a legal obligation to which the data controller is subject").
Protection of Vital Interests:
The processing of Personal Data is based on Article 6(1)(d) of the Regulation ("[...] processing is necessary in order to protect the vital interests of the data subject or of another natural person").
Task Carried Out in the Public Interest:
The processing of Personal Data is based on Article 6(1)(e) of the Regulation ("[...] processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller").
5. Processing Methods
The processing is carried out using manual and/or automated methods, including the use of computer and telecommunications technologies (e.g., CRM, management software, and mailing list services), applying suitable technical and organizational security measures to ensure the security, integrity, and confidentiality of Personal Data, in order to minimize the risks of destruction, loss, unauthorized access, alteration, and unauthorized disclosure, in accordance with Articles 6 and 32 of the GDPR.
6. Transfer of Personal Data outside the EU/EEA
The Data Controller does not intend to transfer Personal Data outside the European Economic Area. However, if there is a need for organizational/production purposes, for example, by using providers and/or cloud services that involve the transfer of data abroad, appropriate safeguards will be implemented for the transfer of Personal Data to a Third Country. Depending on the specific circumstances, these safeguards may include verifying the existence of adequacy decisions by the European Commission, adopting standard contractual clauses and/or binding corporate rules, and verifying the adoption of any additional measures in compliance with EDPB Recommendation 01/2020.
7. Retention Periods
The Data Controller retains Personal Data only for the periods of time necessary to fulfill the purposes outlined in this document, or as required by specific regulations.
In particular:
- Personal Data processed for the purpose of "Service Provision" will be retained for a period not exceeding 10 years;
- Personal Data processed for the purpose of "Payments and Invoicing" will be retained for a period not exceeding 10 years (Art. 2220 of the Italian Civil Code);
- Personal Data processed for Direct Marketing purposes will be retained for a period not exceeding 2 years or until the withdrawal of consent by the data subject;
- The duration of individual cookies is specified in the "Cookie Policy";
- The Data Controller may retain Personal Data for the period permitted and required by Italian law for the purpose of "Judicial Protection" of their interests (Art. 2946 and 2947 paragraph 1, paragraph 3 of the Italian Civil Code).
After the expiration of these retention periods, Personal Data will be deleted or anonymized, unless held for additional purposes based on appropriate legal grounds.
8. Recipients
The Personal Data collected by the Data Controller may be disclosed or made accessible, for the purposes mentioned above, to the following categories of recipients:
- Employees and collaborators assisting the Data Controller in the processing operations, with their explicit authorization and, if necessary, the signing of confidentiality agreements;
- Entities providing outsourcing services on behalf of the Data Controller, acting as Data Processors: cloud computing service providers, independent professionals, companies or professional firms providing assistance and consultancy to the Data Controller, or entities entrusted with hosting and technical maintenance activities, including software maintenance, network devices, and electronic communication networks;
- Independent Data Controllers to whom the communication of data is necessary for the provision of the requested service;
- Independent Data Controllers pursuing their own purposes (subject to the data subject's consent);
- Public authorities, when such communication is required by law.
9. Data Subject's Rights
At any time, the Data Subject has the right to access their personal information and request its rectification, erasure, restriction of processing, and portability. The Data Subject also has the right to object, in whole or in part, to the processing and to not be subject to a decision based solely on automated processing, including profiling.
To exercise the rights provided by Articles 15-22 of the GDPR, the Data Subject can contact the Data Controller using the contact details provided in the "Contacts" section (see Article 10). The Data Controller is required to respond to the request within 1 month, or to communicate any delay in case of numerous and/or complex requests (the extension period cannot exceed 2 months). In any case, the Data Subject has the right to lodge a complaint with the competent Supervisory Authority (Data Protection Authority) in accordance with Article 77 of the Regulation if they believe that the processing of their Personal Data is in violation of applicable regulations.
10. Contacts
For further information regarding the processing of Personal Data carried out under the contract or to exercise your rights, you can contact the Data Controller at the following email address: info@mik.bz.it