Privacy policy for the newsletter pursuant to art. 13 of Regulation (EU) 2016/679 (“GDPR”)

Dear Data Subject,

Please be informed that the Fondazione Palazzo Strozzi, in its capacity as Data Controller – with registered office in Piazza Strozzi – 50123 Florence (FI) – will process the personal data provided by you for the purposes and methods set out below.

Purposes of the processing

The Data Controller will process your personal data for the following purposes:
1. Contractual purposes, i.e. the pursuit of purposes instrumental and/or complementary to the request for registration in activities organised by the Fondazione (e.g. exhibitions, events, guided tours, workshops, educational activities);
2. Direct marketing purposes, i.e. the sending of informative messages relating to events organised by the Fondazione, using the email address indicated in this form.

Legal basis of the processing

The legal basis of the processing for the purposes referred to in point 1 of the section “Purposes of the processing” is the performance of a contract to which the Data Subject is a party; specifically, it is aimed at allowing the Data Subject to participate in the activities organised by the Fondazione (Article 6, subsection 1, letter b) of the GDPR).

The legal basis of the processing for the purposes referred to in point 2 of the section “Purposes of the processing” is the Data Subject’s consent to the processing of his/her personal data (Art. 6, subsection 1, letter a) of the GDPR).

Data processing methods

Your data will be processed in compliance with the above-mentioned regulations and the confidentiality obligations that inspire the activities of the Fondazione. Such data will be processed both by computer instruments and in hard copy, in compliance with the security measures established by the GDPR.

Obligation to provide data

The provision of data for the pursuit of the purpose referred to in point 1 is a necessary requirement for the provision of the services requested by the Data Subject. Any refusal to do so will make it impossible to provide the service requested.

The provision of personal data for the purposes set out in point 2 is free, optional and revocable at any time. Failure to provide the data will in no way affect the possibility of using the service requested.

Period of storage

The data collected will be stored for a period of time not exceeding the achievement of the purposes for which they are processed (art. 5 of the GDPR – “principle of restriction of storage”). Once the above-mentioned storage terms have expired, your personal data will be destroyed, deleted, or made anonymous, in compliance with the technical cancellation and backup procedures.

Communication and dissemination of data 

The personal data provided by you will be processed by the staff of the Fondazione, insofar as “authorised to process”, and may be processed on behalf of the Fondazione by persons designated as “Data Processors”.

The Data Processors are promptly identified and duly appointed. The complete and updated list of all Data Processors is available upon request by sending an email to the following address

None of your personal data will be disclosed.

Rights of the Data Subject

At any time you may exercise the following rights before the Data Controller, as set out in Articles 15-22 of the GDPR: right of access, right of rectification, right of cancellation, right of restriction of processing, right of opposition, right of portability, as well as the right to lodge a complaint with the Supervisory Authority.

Please note that the Data Controller undertakes to respond to your requests within one month at the latest after receipt of the same. This deadline may be extended by two months, if necessary, depending on the complexity or number of requests received.

These rights may be exercised through a specific request to be sent by registered mail to the Data Controller or by email to the following address