PERSONAL DATA PROCESSING PRIVACY POLICY
pursuant to Articles 13 of Regulation EU 2016/679
Covid-19 protocol
Introduction
Dear Sir/Madam, the “European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data”, requires the protection of natural persons and other entities in relation to the processing of personal data.
MUSE – MUSEO DELLE SCIENZE OF TRENTO, in its capacity as “Data Controller” and/or “Data Processor”, wishes to inform you about the purposes and methods underlying the collection and processing of your personal data. More specifically, the following information is provided:
1. Identity and contact details of the Data Controller/Processor
The Data Controller/Processor is MUSE – MUSEO DELLE SCIENZE OF TRENTO located in Corso del Lavoro e della Scienza, 3 – 38122 Trento.
Below are the contact details where the Data Controller may be reached:
- Phone: +39 0461 270311
- Email: amministrazione@muse.it
- Certified email (PEC): museodellescienze@pec.it
2. Identity and contact details of the Data Protection Officer
The Data Protection Officer is QSA S.r.l. – ENGINEERING CONSULTING TRAINING, with registered office in via alla Marcialonga, 3 – 38030 Ziano di Fiemme (Trento).
Below are the contact details where the Data Protection Officer may be reached
- Email: privacy@qsa.it
- Certified email (PEC).: privacy.qsasrl@pec.it
3. Description, purposes of processing and legal basis
The data collected relate to health conditions, body temperature readings (and registration if above 37.5°C), information regarding travel and coming from risk areas according to WHO guidelines, as well as contacts in the last 14 days with persons who tested positive for COVID-19.
- Personal data may be collected and processed for the following purposes:
- Managing the protocol regulating access to museum premises and workplaces;
- Taking the necessary safety and prevention measures to counter COVID-19 infection;
- Implementing anti-counterfeiting safety protocols.
(a) Processing of special categories of personal data required by law as referred to in Article 1(7)(D) of Prime Ministerial Decree dated 11 March 2020.
Processing for the purpose of admission to the museum premises involves the processing of special categories of data concerning you, such as data relating to your health conditions, measurement of your body temperature, absence of any contact in the last 14 days with people who have tested positive for COVID-19 and coming from places that have been identified as “risk areas” and are therefore highly likely to be infected. Such processing is considered necessary for the management of safety protocols in place to prevent and contain COVID-19 infection.
(b) Processing of special categories of personal data for reasons of public interest (9.2(i)) GDPR
Processing for the purpose of admission to the museum premises involves the processing of special categories of data concerning you, such as data relating to your health conditions, measurement of your body temperature, absence of any contact in the last 14 days with people who have tested positive for COVID-19 and coming from places that have been identified as “risk areas” and are therefore highly likely to be infected. Such processing is considered to be of public interest insofar as it relates to processing operations in the area of public health, such as protection against serious cross-border health threats, on the basis of Union or Member State law which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject.
You are required to provide your data for the pursuit of the above-mentioned purposes.
Failure to do so will result in inability to access museum premises, according to the protocols currently in force within the Organisation.
4. Processing methods
In relation to the aforesaid purposes, your personal data will be processed using manual, electronic and/or computer telecommunications tools, in strict accordance with the aforesaid purposes and, in any event, in such a way as to guarantee the security and confidentiality of your data in compliance with the aforesaid Regulation.
No automated decision-making processes will be used, including profiling.
5. Third parties to whom the data may be disclosed.
The Data Controller may disclose your personal data to the following groups of entities:
- Relevant health authorities to identify the “close contacts” chain, if appropriate;
- In the event that the information is collected electronically, those involved in the maintenance and management of the IT infrastructure system for data collection;
- Public authorities, if conditions are met;
- Insurance and legal institutions.
The entities mentioned above operate, in some cases, entirely on their own as separate Data Controllers; in other cases, they act as Data Processors on behalf of the Data Processor and are, as such, specifically appointed by the Data Controller in accordance with Article 28 GDPR.
You may request a list of the Data Processors using the contact details of the Data Controller provided under 1 above.
Your data will not be disclosed.
6. Duration of processing and retention period.
Your data will be retained for the period of time strictly necessary for the pursuit of the aforementioned purposes, including on the basis of such guidance and provisions as may be issued by the relevant public health authorities and, in any case, for a period not exceeding the end of the state of emergency, currently stated by the Government (Council of Ministers resolution of 31 January 2020) on 31 July 2020.
7. Transfer of data outside the European Union
Data collected will not be transferred to non-European countries.
8. Rights of the data subject
In your capacity as a data subject, you may exercise the rights set forth in Articles 15 et seq. of the GDPR as shown below:
Rights of access, rectification, amendment and erasure of data, portability, limitation of processing and withdrawal of consent given.
(a) According to Regulation EU 2016/679 you have the right to obtain from the Data Controller access to your data and rectification, amendment or erasure of such data. Within 30 days of submitting your request, you will receive a written reply, including by electronic means.
(b) You also have the right to object to the processing or request limitation of such processing, for legitimate reasons and in the cases as under Articles 18 and 21 of Regulation EU 2016/679.
(c) You may withdraw at any time your consent to the processing of your data given for the purposes stated herein.
(d) Finally, you may exercise your right to data portability, requesting the Data Controller to transmit your data to another data controller.
You may exercise the aforesaid rights by using any of the Data Controller’s contact details provided under 1 above.
Right to lodge a complaint with the relevant Supervisory Authority.
(a) If you believe that your data have been processed unlawfully or in breach of applicable law provisions, you will be entitled to lodge a complaint with the Supervisory Authority.