PERSONAL DATA PROCESSING PRIVACY POLICY
pursuant to Articles 13 of Regulation EU 2016/679
Suppliers
Introduction
Dear supplier, the “European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data”, requires the protection of natural persons and other entities in relation to the processing of personal data.
MUSE – MUSEO DELLE SCIENZE, in its capacity as “Data Controller”, wishes to inform you about the purposes and methods underlying the collection and processing of your personal data. More specifically, the following information is provided:
1. Identity and contact details of the Data Controller
The Data Controller is MUSE – MUSEO DELLE SCIENZE located in Corso del Lavoro e della Scienza, 3 – 38122 Trento.
Below are the contact details where the Data Controller may be reached:
- Phone: +39 0461 270311
- Email: amministrazione@muse.it
- Certified email (PEC): museodellescienze@pec.it
2. Identity and contact details of the Data Protection Officer
The Data Protection Officer of MUSE – MUSEO DELLE SCIENZE is QSA S.r.l. – ENGINEERING CONSULTING TRAINING, having its registered office in via alla Marcialonga, 3 – 38030 Ziano di Fiemme (Trento).
Below are the contact details where the Data Protection Officer may be reached:
- Email: privacy@qsa.it
- Certified email (PEC).: privacy.qsasrl@pec.it
3. Purposes of processing and legal basis
Personal data may be collected and processed for the following purposes:
(a) Contract performance and purpose
Your personal data will be processed to (i) formalise and manage contract-related transactions (e.g. billing, handling payments), including dealing with any litigation, (ii) send communications strictly related to the performance of the respective contractual obligations, and therefore (iii) ensure the progressive management of the services covered by the contract.
(b) Fulfilment of legal obligations
Your personal data will be processed for the fulfilment of legal obligations laid down by EU regulations, national laws, or other regulatory sources.
More specifically, MUSE – MUSEO DELLE SCIENZE may process your data for the fulfilment of accounting and tax obligations.
While providing your data for the purposes under (a) and (b) above is optional, failure to do so will prevent you from entering into a contract.
The legal basis that makes processing lawful will, with respect to the purposes described above, be deemed to exist in order to perform the contract to which the Data Subject is a party and take pre-contractual steps at his or her request (Article 6(1)(b) GDPR); and comply with legal obligations the Data Controller is required to abide by (Article 6(1)(c) GDPR).
(c) Image collection through video surveillance systems.
With reference to the installation of video surveillance systems located in areas inside and outside the Museum, the purpose of the processing relates to the protection of the Museum’s property and assets in accordance with the Data Controller’s legitimate interest pertaining to the protection of persons and property against possible aggression, theft, robbery, damage, vandalism, fire prevention, work safety, etc.
The legal basis that makes processing lawful will, with respect to the purpose described above, be deemed to exist in order that the legitimate interest of the data controller may be pursued (Article 6(1)(f) GDPR).
4. Processing methods
In relation to the aforesaid purposes, your personal data will be processed using manual, electronic and/or computer telecommunications tools, in strict accordance with the aforesaid purposes and, in any event, in such a way as to guarantee the security and confidentiality of your data in compliance with the aforesaid Regulation.
No automated decision-making processes will be used, including profiling.
5. Third parties to whom the data may be disclosed.
MUSE – MUSEO DELLE SCIENZE may disclose your personal data to the following entities:
- Entities engaging in broadcasting, mailing, transporting and delivering communications;
- Firms and companies in the context of professional assistance and consultancy relations;
- Public authorities, if conditions are met;
- Credit institutions or banks for the payment of fees due;
- Insurance and legal institutions;
- Technicians to maintain and manage the IT infrastructure system and the video surveillance system;
- Contractors involved in the management of services offered by the Museum;
The entities mentioned above operate, in some cases, entirely on their own as separate Data Controllers; in other cases, they act as Data Processors on behalf of MUSE – MUSEO DELLE SCIENZE and are, as such, specifically appointed by the Data Controller in accordance with Article 28 GDPR.
You may request a list of the Data Processors using the contact details of the Data Controller provided under 1 above.
The data will not be disclosed, except in the event of compulsory disclosure required by law or in the event of a request for access to the records, or in the event that this is expressly required under the contract in order to fulfil the purposes thereunder. In any case, any disclosure will not relate to particular data.
6. Duration of processing and retention period.
Your data will be processed only for the time necessary to pursue the above purposes.
More specifically, below are the main periods of use and retention of your personal data with reference to the different processing purposes:
- Data processed for the conduct of museum activities: Time limits set out in respect of the mandatory record retention period established by the Provincial Authorities of Trento
- Data processed for the fulfilment of legal obligations: Retention as per statutory time limits
- Data processed through video surveillance systems: 72 hours following detection, except in cases of extension as per Privacy Authority Order dated 8 April 2010
7. Transfer of data outside the European Union
Data collected will not be transferred to non-European countries.
8. Rights of the data subject
In your capacity as a data subject, you may exercise the rights set forth in Articles 15 et seq. of the GDPR as shown below:
Rights of access, rectification, amendment and erasure of data, portability, limitation of processing and withdrawal of consent given.
(a) According to Regulation EU 2016/679, you have the right at any time to obtain from the Data Controller access to your data, as well as the rectification, amendment or erasure of such data. Within 30 days of submitting your request, you will receive a written reply, including by electronic means.
(b) You also have the right to object to the processing or request limitation of such processing, for legitimate reasons and in the cases as under Articles 18 and 21 of Regulation EU 2016/679.
(c) You may withdraw at any time your consent to the processing of your data given for the purposes stated herein.
(d) Finally, you may exercise your right to data portability, requesting the Data Controller to transmit your data to another data controller.
You may exercise the aforesaid rights by using any of the Data Controller’s contact details provided under 1 above.
Right to lodge a complaint with the Supervisory Authority.
(a) If you believe that your data have been processed unlawfully or in breach of applicable law provisions, you will be entitled to lodge a complaint with the Supervisory Authority.