PRIVACY POLICY
Mailing list

This privacy policy is furnished pursuant to Article 13 of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation - hereinafter the "GDPR"), and pursuant to Article 13 of Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018 (hereinafter the "Personal Data Protection Code"), to those included on the mailing list of Palazzo Grassi S.p.A. (also "the Company”) and to the recipients of invitations to events or openings which Palazzo Grassi organises.

1. DATA CONTROLLER

Pursuant to Article 4 of the GDPR and of the Personal Data Protection Code, the Data Controller is:
Palazzo Grassi S.p.A. – San Marco 3231 – 30124 Venice (Italy)
Data Controller's e-mail address: privacy@palazzograssi.it

2. METHOD, PURPOSES AND LEGAL BASIS OF DATA PROCESSING OPERATIONS

Palazzo Grassi collects and processes Personal Data which the User provides directly and knowingly, in order to facilitate participation in company-organised events and openings. Such data include, for example, job title, first and last name, e-mail address, postal address, department, company/firm, telephone contact and profession.
The User will be requested to provide Personal Data if he/she wishes to receive invitations to events and openings organised by Palazzo Grassi. If the User does not provide his/her Data, Palazzo Grassi will unfortunately not be in a position to provide this service to him/her.
The Data provided may be used, for example, to:

• send newsletters and informative and promotional communications, including those of a commercial nature, advertising material and invitations to exhibitions and events;
• register the User's participation in one or more events promoted by Palazzo Grassi;
• respond to and satisfy every request of the User and, therefore, to manage the relationship between the User and Palazzo Grassi.

3. MANDATORY OR OPTIONAL NATURE OF THE DATA PROVISION AND CONSEQUENCES OF ANY REFUSAL

The provision of data is not mandatory, but if the User wishes to receive invitations to openings and events organised by Palazzo Grassi, he/she will have to provide the latter with the necessary data, otherwise the Company will be unable to perform the service requested.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS

The User's Personal Data will be processed by employees and non-company collaborators of Palazzo Grassi who are suitably trained for this purpose.
The Personal Data provided by the User may be processed by trusted parties who perform tasks of a technical and organisational nature on behalf of Palazzo Grassi for the purposes referred to in para. 2 above. These parties process the Data as Data Processors or Data Controllers, and put in place adequate security measures to ensure that the processing is in conformity with the GDPR, thus ensuring the protection of the User's rights.
Personal Data may be transmitted to the operators appointed by the Data Controller for the performance of any service concerning Information Technology.
Personal Data will not in any case be indiscriminately disclosed, nor disclosed to the public.

5. Data retention period

In compliance with the provisions of Article 13, para. 2, letter a) of the GDPR, the approach of the Data Controller is aimed at the retention of the User's Personal Data only until such time as it is required for the fulfilment of the purposes for which it was collected. In general, Personal Data is retained by the Data Controller for ten years from the termination of the relationship with the User. In some cases, however, the Data Controller retains Personal Data for longer periods of time, for example if this is required in compliance with legal, tax or accounting obligations.
As the processing is based on User consent, the Data Controller may retain Personal Data for the period established and, in any case, until such consent is revoked.
At the end of the retention period the Personal Data shall be deleted. Therefore, upon the expiry of this term, the right of access, deletion, correction and the right to Data Portability may no longer be exercised.

6. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR AN INTERNATIONAL ORGANISATION

The Personal Data which you provide and which is processed will not be transferred to third countries and/or international organisations.

7. RIGHTS OF THE DATA SUBJECT

You are entitled to exercise the rights granted to you by Article 15 et seq. of the GDPR and by the Personal Data Protection Code, in relation to the Data processed by the Data Controller. In particular, you are entitled:

• to withdraw your consent at any time. The User may withdraw his/her previously expressed consent to the processing of his/her Personal Data.
• to oppose the processing of your own Data. When Personal Data are processed in the public interest, or in the exercise of public authority vested in the Data Controller or in order to pursue a legitimate interest of the Data Controller, you are entitled to oppose the data processing for reasons associated with your particular situation. If the Personal Data are processed for marketing purposes, the User can object to the data processing without having to provide reasons.
• to access your own Data. You are entitled to obtain information on the Data processed by the Data Controller, and on certain aspects of the data processing, and also to receive a copy of the Data processed.
• to verify and request the correction of your own Data. You are entitled to check that your own Data is correct, and to request its updating or correction.
• to have the data processing limited. When one of the conditions referred to in Article 18 of the GDPR occurs, you may request the processing of your Data to be limited. In this case, the Data Controller will not process the Data for any purpose other than its retention.
• to receive your own Data or have them transferred to another Data Controller. You are entitled to receive your own Data in a structured and commonly used format which is readable by an automatic device and, where technically feasible, to obtain its transfer without hindrance to another Data Controller. This right is applicable when the Data is processed with automated instruments and the processing is based on your consent, on a contract to which you are party or on contractual provisions connected to it.
• to make a complaint. You may lodge a complaint with the competent Personal Data Protection Authority or bring court proceedings.

These rights may be exercised by sending a request to the Data Controller at the following e-mail address:
privacy@palazzograssi.it
or by ordinary post to the following address:
Palazzo Grassi S.p.A., San Marco 3231 – 30124 Venice (Italy).
The Data Controller will process requests as soon as possible.

8. RELEVANT REGULATIONS

The full text of the GDPR and of the Personal Data Protection Code can be consulted on the website of the Personal Data Protection Authority accessible at the link www.garanteprivacy.it

9. CHANGES TO THIS DATA PROCESSING POLICY

The Data Controller reserves the right to make changes to this privacy policy at any time, notifying User of this.

Download the privacy policy regarding the Mailing List