Privacy policy

Informative notice on the processing of personal data, pursuant to Articles 13 and 14 of the EU Regulation 2016/679 and the Privacy Code (Legislative Decree 196/2003) as amended by Legislative Decree 101/2018

1. Foreword

For the Fondazione Palazzo Strozzi (hereafter, the “Fondazione”), your privacy and the security of your personal data are particularly important, which is why we collect and process them with the utmost care and attention, while taking specific technical and structural measures to ensure that they are processed securely. With this notice, we wish to inform you about the purposes and methods of the processing of your personal data, pursuant to Article 13 of the European Data Protection Regulation No. 679/2016 (hereinafter also only “EU Regulation” or “GDPR”) and the Privacy Code Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (hereinafter, the “Regulation”).

2. The Data Controller

The processing of personal data is carried out by the Fondazione Palazzo Strozzi, in its capacity as Data Controller. If you have any questions or requests relating to the processing of your personal data, please send a request to the following:

Registered office: Piazza Strozzi, 5023 Firenze
CPO contact details:

3. Type of data processed

Surfing data
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data the transmission of which is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers and terminals used by users, the URI/URL (Uniform Resource Identifier/Locator) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment.

These data, necessary for the use of web services, are also processed, in aggregate form, in order to:

– obtain statistical information on the use of the services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.);

– check the correct functioning of the services offered.

Data communicated by the user
The voluntary sending of messages to contact addresses, private messages sent by users/visitors addressed to social media profiles/pages (where this possibility is provided for), as well as the completion, if any, of forms on our website, entail the acquisition of the sender’s contact data as well as all personal data included in the communications.

Photographs or images of events
We would also like to draw your attention to the fact that the data, subject to processing by the Fondazione, may at times consist of photographic images and video footage collected at exhibitions, conferences, museum settings, events and shows for institutional purposes, public relations and commercial communications. These data may be processed in printed and/or audio-visual form, through any means of dissemination such as the web or social networks. 

Data of Minors
We would also like to specify that during visits by families, schoolchildren, and students to our premises or for the performance of educational activities in our equipped classrooms, also organised by the Institutes to which they belong, it may be necessary to process the data of persons under the age of 18 for accounting and reporting purposes, as well as tax purposes.

Processing the data of minors is only lawful with the express consent of their parental authority. In the case of visits and/or didactic activities organised by Schools or Educational Institutes, arrangements will be made with the Data Controller in order to collect consent for the processing of data from parents or legal guardians.

4. Purpose and legal basis of the processing

The following table outlines the purposes and legal basis for the lawful processing of the data collected.

| | Purpose | Legal basis of the processing |
|---|---|---|
| A | Contractual purposes, i.e., the pursuit of purposes instrumental and/or complementary to the application for registration to activities organised by the Fondazione (e.g., exhibitions, events, guided tours, workshops, educational activities). | Carrying out of pre-contractual and contractual negotiations (Art. 6 subsection 1 letter b) GDPR); legitimate interest (Art. 6 subsection 1 letter f) GDPR) |
| B | Marketing activities, subscription to the newsletter, sending of commercial communications to the data subject, also by third parties, approval surveys, market research and statistical analysis | Consent of the data subject (Art. 6 subsection 1 letter a) GDPR) |
| C | Management of payment activities | Execution of the contract (Art. 6 subsection 1 letter b) GDPR) |
| D | Profiling activities, analysis activities, also by means of cookies, of your preferences and interests (e.g., use of content and services, functions used, connection times, traffic data, etc.) and to offer you personalised services, content, initiatives and offers, also by third parties. | Consent of the data subject (Art. 6 subsection 1 letter a) GDPR) |
| E | Fulfilment of obligations provided for by laws, regulations, European legislation, or provisions issued by Authorities and Supervisory and Control Bodies. | Fulfilment of legal obligations (Art. 6 subsection 1 letter c) GDPR) |
| F | Data of Minors | Consent given by the person exercising parental authority (Art. 6 subsection 1 letter a) GDPR) |

5. Obligatory or optional nature of providing data

The provision of the data referred to in the above table is compulsory, with the exception of the data collected for marketing and profiling purposes referred to in letters B, D and F, the provision of which is optional.

6. Recipients of the data

Your personal data will also be transmitted to third parties that the Fondazione avails itself of. These parties have been adequately selected and offer suitable guarantees of compliance with the regulations governing the processing of personal data. Said third parties have been appointed as data processors pursuant to Article 28 of the Regulation and are required to perform their activities in accordance with specific instructions given by the Fondazione and under its control.

Such third parties may belong to the following categories:

  • third-party subjects that the Fondazione uses for the correct execution of contracts and relative administrative management: financial operators; internet providers; social platforms; companies specialized in IT services; legal consultants; labour consultants; tax consultants (etc.). 
  • business partners of the Controller: financial operators; social platforms; companies specialising in IT services; marketing companies.

A specific and updated list of these subjects is available at the registered office of the Fondazione and can be consulted at the request of the data subject.

It is understood that your personal data shall not be disclosed to third parties to allow them to use them for their own promotional purposes, nor shall they be disseminated in any way.

Your data may also be disclosed to the police and to judicial and administrative authorities, in accordance with the law, for the detection and prosecution of criminal offences, the prevention and protection of threats to public safety, and to enable the Fondazione to exercise or protect its own rights or those of third parties before the competent authorities, as well as for other reasons related to the protection of the rights and freedoms of others.

7. Transfer of data outside the EU 

Please note that some of the third parties referred to in section may be located in countries that are not members of the European Union, but countries which nevertheless offer an adequate level of data protection, as established by specific decisions of the European Commission. The transfer of your personal data to third parties resident or located in countries that are not members of the European Union and that do not provide adequate levels of data protection will be made only with your consent or subject to the conclusion of specific agreements between the Fondazione and such third parties, containing appropriate safeguards and guarantees for the protection of your personal data known as “standard contractual clauses”, also approved by the European Commission, or if the transfer is necessary for the conclusion and performance of a contract between you and the Fondazione or for the processing of your requests.

8. Data Retention

We inform you that your data will be retained for a limited period of time, which varies according to the type of processing activity in compliance with the Data Retention Policy of the Fondazione and the specific purposes of the same.

By way of non-limiting example, we would like to point out that:

  • the data of the user registered for the newsletter service will be retained and processed until cancellation is requested;
  • user data processed in relation to associated activities will be retained and processed for a period of time not exceeding that necessary to achieve the purposes and/or in any case for a reasonable time and in accordance with the Data Retention Policy;
  • data processed for the purposes of profiling and analysis, also by automated means, will be processed for a period of time not exceeding that necessary to achieve the purposes and the provisions of the law and individual provisions of the Supervisory Authority for the Protection of Personal Data;
  • data collected in the context of the use of services offered by the Fondazione such as the sending of communications of a commercial nature will be retained until the termination of the service or cancellation of the subscription to the service by the User. 

At the end of this period, your data will be permanently deleted or otherwise irreversibly anonymized by the Fondazione.

9. Your rights as a data subject

Please note that you are entitled to exercise the following rights in relation to the personal data covered by this informative notice:

  • Right of access and rectification (Articles 15 and 16 of the EU Regulation): you have the right to access your personal data and to request that it be rectified, amended or supplemented. If you wish, we will provide you with a copy of the data in our possession concerning you.
  • Right to deletion of data (Art. 17 of the EU Regulation): in the cases provided for by the regulations in force, you can request the cancellation of your personal data. Once we have received and analysed your request, if found to be legitimate, we will cease processing and delete your personal data.
  • Right to restriction of processing (Art. 18 of the EU Regulation): you have the right to request the restriction of the processing of your personal data in the event of unlawful processing or objection to the accuracy of your personal data by the data subject. 
  • Right to data portability (Art. 20 of the EU Regulation): you have the right to request to obtain, from the Data Controller, your personal data in order to transmit them to another Data Controller, in the cases provided for by the above-mentioned article.
  • Right to object (Art. 21 of the EU Regulation): you have the right to object at any time to the processing of your personal data carried out based on the Data Controller’s legitimate interest, explaining the reasons justifying your request. Before accepting it, the Data Controller must evaluate the reasons for your request.
  • Right to lodge a complaint (Art. 77 of the EU Regulation): you have the right to lodge a complaint with the competent Data Protection Authority if you believe that your rights have been or are being infringed with regard to the processing of your personal data.
  • Right to withdraw your consent (Art. 13 of the EU Regulation): for the processing of personal data the legal basis of which is exclusively your consent, you have the right to withdraw your consent at any time by contacting the Data Controller.

At any time, you may exercise your rights at the contact addresses indicated in point 2 of this policy with reference to the specific processing of personal data carried out by the Fondazione in its capacity as Data Controller.

10. Organisational and technical security measures

The Fondazione adopts suitable and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of the data subject’s personal data. 

Technical, logistical and organisational measures are implemented to prevent damage, loss (including accidental loss), alteration, and improper and unauthorised use of the processed data.

The Data Controller regularly tests, verifies and evaluates the effectiveness of the measures implemented, in order to ensure continuous improvement in the security of the data processing.

More specifically, in order to protect the personal data of the person concerned, the Website uses a coding system that guarantees protection by encrypting the information both on the access page and in the other sections where it is possible to release, view or modify one’s personal data.

The Fondazione cannot be held responsible for untruthful information sent directly by the user (e.g., the correctness of email address, credit card details or postal address), nor for information concerning the user that has been provided by a third party, albeit fraudulently. 

This policy was updated on 12 October 2022.