In accordance with Articles 13 and 14 of EU Regulation No. 2016/679 (General Data Protection Regulation, hereinafter referred to as the “Regulation”), information about the processing and protection of personal data related to the purchase of electronic tickets is provided.

Though the Data Controller is the Ministry of Culture, the General Director of Museums exercises his functions from the Directorate General of Museums, via di San Michele, 22 - 00153 Rome, dg-mu@cultura.gov.it

It is possible to address to the Data Protection Officer (DPO) for the Directorate General of through the email address rpd@cultura.gov.it.

To finalize the ticket purchase procedures for museum entry, the processing operations are carried out pursuing Article 6(1)(b) of the GDPR. The Administration commits to periodically verifying the lawfulness of its processing based on current legislation and any future amendments or additions by the designated Authorities.

The processing of personal data (including their registration) is aimed exclusively at achieving the following purposes:

• 'Registration and account creation;
• 'Sale of entrance tickets;
• 'Sending service communications regarding booked entries using personal information provided by the Data subject.

The Data Subject directly provides their personal data or that of third-party visitors when registering on the platform and throughout the related registration process or when purchasing tickets. Specifically, the Administration will process the following personal data:

• 'Name and surname;
• 'Email address.

The processing of personal data is carried out in compliance with fundamental rights and freedoms, and adheres to the principles of lawfulness, fairness, transparency, and confidentiality. We ensure that the information collected and used is relevant and proportionate to the purposes described.

More specifically, only the personal data provided at the time of ticket purchase will be processed.

Personal data is processed using computer systems and by personnel formally authorized by the Data Controller to carry out operations necessary to achieve the aforementioned purposes.

The Data Controller adopts appropriate technical and organizational measures to ensure the protection of personal data, maintaining a level of security appropriate to the nature of the data processed (Articles 5, 25, and 32 of the Regulation).

Subscription to online services is voluntary. The following personal information must be provided for registration: first name, last name and email. To purchase tickets, the first name, last name and email of the Data Subject/purchaser and where there are other visitors other than the purchaser, the first name, last name and (on a voluntary basis) email must be provided.

Personal data will not be shared with third parties, except in cases and manners prescribed by the law (e.g., to judicial authorities).

The processing is carried out by authorized personnel who have been appropriately trained and are bound by confidentiality obligations. These individuals are responsible for the related activities in accordance with the stated purposes. Specifically, the processing is carried out by:

• 'Personnel authorized by the Data Controller through a specific appointment act and after receiving the relevant instructions;
• 'External entities appointed by the Data Controller as Data Processors pursuant to Article 28 of the Regulation;
• 'Public or private entities, where required by legal obligations.

Personal data will be processed in accordance with the principle of 'storage limitation' as governed by Article 5(1)(e) of the Regulation.

Personal data is stored by the Data Controller for a period of one year, starting from December 31st of the year following registration or purchase of tickets on the platform, after which it will be deleted.

In the event of account cancellation, exclusion, or deactivation due to inactivity, the data will be stored for administrative purposes for a period not exceeding one year, without prejudice to any specific legal obligations regarding the retention of accounting documentation or public security purposes.

The data processed for the aforementioned purposes is not transferred to third countries outside the European Union or the European Economic Area (EEA), nor to international organizations.

Data Subjects may exercise the rights provided for in Articles 15 to 22 of the Regulation, and in particular:

• 'The right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the information expressly indicated in Article 15 of the Regulation;
• 'The right to request the rectification of inaccurate personal data or the completion of incomplete personal data if the conditions indicated in Article 16 of the Regulation are met;
• 'The right to the erasure ('right to be forgotten') of their personal data if one of the grounds expressly indicated in Article 17 of the Regulation applies;
• 'The right to restrict processing where one of the situations indicated in Article 18(1) of the Regulation applies;
• 'The right to be notified regarding any rectification or erasure of personal data or restriction of processing, unless this involves disproportionate effort compared to the protected right under Article 19 of the Regulation;
• The right to data portability, specifically, the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as indicated in Article 20 of the Regulation;
• 'The right to object, which can be exercised both for legitimate reasons related to their particular situation and to the processing of personal data concerning them (even if pertinent to the purpose of collection) for the purposes of commercial information, sending advertising or direct sales material, or for carrying out market research or commercial communication (Article 21 of the Regulation);
• L'interessato ha il diritto di non essere sottoposto a una decisione basata unicamente sul trattamento automatizzato, compresa la profilazione, che produca effetti giuridici che lo riguardano o che incida in modo analogo significativamente sulla sua persona. (art. 22 del Regolamento).

The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (Article 22 of the Regulation). To exercise these rights, you can address your request to:

• 'Ministry of Culture as Data Controller and to the Director General of Museums exercising its functions, at Via di San Michele, 22 - 00153 Rome, Italy - Directorate General of Museums and Digital, at the email address specified in Article 1 above;
• 'Data Protection Officer (DPO) at the address indicated above or via email as specified in Article 2 above.

We inform you that Data Subjects who believe that the processing of their personal data infringes the Regulation (Article 77) have the right to lodge a complaint with the Italian Data Protection Authority (Home - Garante privacy en - Garante Privacy) or to pursue appropriate legal remedies (Article 79 of the Regulation).

The Data Controller reserves the right to make any changes to this Policy, at its sole discretion and at any time, as deemed appropriate or required by applicable regulations, providing adequate notice to the Data Subjects.

Cookies are text files that the web sites visited by users send to their terminals and that are retransmitted to the web sites themselves on the next visit. Cookies can be divided into two macro-categories: 'technical cookies' and 'profiling cookies'.

The Musei Italiani web site uses technical cookies to allow safe, rapid and efficient exploration of the web site itself and to provide users with the requested services. The User’s prior consent is not required for the installation of these cookies. Technical cookies are used for the sole purpose of 'carrying out the transmission of a communication on an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the contractor or user to provide such service' (see art. 122, paragraph 1 of the Privacy Code);

Session cookies are used for navigation and authentication to online services and reserved areas. The use of these cookies (which are not stored permanently on the user's computer and disappear when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to allow effective navigation of the web site. The session cookies used on this web site avoid the use of other IT techniques that could potentially compromise the confidentiality of users' navigation and do not allow the acquisition of personal data identifying the user.

The use of permanent cookies is strictly limited to the acquisition of statistical data useful for understanding the level of use of your web site.

They are assimilated to technical cookies and are used to collect information, in anonymous and aggregate form, on the number of users and how they visit the web site. The data obtainable from these cookies are managed by the Ministry of Culture as the web site manager exclusively for statistical purposes and for the preparation of reports on the use of the web site itself.

Permanent cookies are stored permanently on the device, while temporary cookies have a variable and limited duration. Session cookies disappear when the browser is closed or when you log out.

When you first access the Web site, all first-party profiling cookies and/or third-party cookies, if provided, are blocked, while only the technical and functional cookies described above are active. In application of the provision of the Italian Data Protection Authority (Garante per la protezione dei dati personali) 'Guidelines on the use of cookies and other tracking tools' - 10 June 2021 [9677876] for the acquisition of consent for the use of cookies, users of the Web site can give their explicit consent to the installation of profiling cookies on their PC, via the banner that appears upon first access. Users can still view the cookies to which they have given consent and possibly change their preferences at any time.

Most browsers automatically accept cookies, but you can refuse them. If you do not wish to receive or store cookies, you can change your browser security settings (Microsoft Edge, Google Chrome, Safari Opera, etc.). Each browser has different procedures for managing settings:

• 'Microsoft Edge From “Settings” select “Cookies and web site permissions”, then select 'Manage and delete cookies and web site data' and disable 'Allow web sites to save and read cookie data' to block all cookies or access via the link Manage cookies in Microsoft Edge: view, allow, block, delete and use - Microsoft Technical Support
• 'Google Chrome for Desktop Select “Settings”, then “Show advanced settings”, then in the “Privacy” section select “Content settings” and adjust the cookie settings or access via the link https://support.google.com/chrome/bin/answer.py?hl=en&answer=95647&p=cpn_cookies https://support.google.com/accounts/answer/61416?hl=it
• 'Google Chrome for Mobile Access via the link https://support.google.com/chrome/answer/2392971?hl=it
• 'Mozilla Firefox Select “Options” and in the pop-up window select “Privacy” to adjust the cookie settings, or access via the link http://support.mozilla.org/en-US/kb/Enabling%20and%20disabling%20cookies https://support.mozilla.org/it/kb/Attivare%20e%20disattivare%20i%20cookie
• 'Apple Safari Select “Preferences” and then “Security” where you can adjust the cookie settings, or access via the link https://support.apple.com/it-it/HT201265
• 'Opera Select “Preferences”, then “Advanced” and then “Cookies” where you can adjust the cookie settings, or access via the link https://help.opera.com/en/latest/web-preferences/ https://help.opera.com/en/latest/security-and-privacy/
• 'Android native browser Select “Settings”, then “Privacy” and select or deselect the “Accept cookies” box.
• 'For browsers other than those listed above, consult the relevant guide to find out how to manage cookies.

Using this function, now available in all browsers, you can browse the Internet without saving any information on the web sites and pages visited.

However, it should be noted that browsing data, even when this function is activated, are recorded and stored by web site managers and connectivity providers.

Currently, almost all browsers allow you to delete installed cookies. For further instructions, consult your browser's guide or visit one of the following links:

• 'Edge: https://support.microsoft.com/en-us/windows/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d#ie=ie-9
• 'Firefox: https://support.mozilla.org/it/kb/Eliminare%20i%20cookie
• 'Chrome: https://support.google.com/chrome/answer/95647?hl=it&ref_topic=3421433
• 'Safari: http://support.apple.com/kb/HT1677

• 'Technical cookies: these data are collected to allow safe, rapid and efficient exploration of the web site itself and to provide users with the requested services.
• 'Technical session cookies: these data are collected for navigation and authentication to online services and reserved areas.
• 'Analytical cookies: these data are collected to collect information anonymously and in aggregate form on the number of users and how they visit the web site, in order to detect statistics and process reports on the use of the web site itself.