PRIVACY POLICY

Contact list

 

This policy is provided under Art. 13 of Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation, hereinafter "GDPR"), and Art. 13 of Legislative Decree No. 196 of 30 June 2003,  as amended by Legislative Decree No. 101 of 10 August 2018 101 (hereafter referred to as the "Privacy Code"), to parties included in the contact list of Palazzo Grassi - Punta della Dogana (hereafter "PG") and in the contact list of Pinault Collection - Bourse de Commerce - Paris (hereafter "BdC", or, collectively with PG, "the Companies") and recipients of newsletters, invitations to events or openings organised by PG and BdC.

 

1. DATA CONTROLLER

Pursuant to Art. 4 of the GDPR and the Privacy Code, the Data Controllers are:

• for contracts with PG, sending newsletters, invitations to events or openings organised by Palazzo Grassi S.p.A.:

Palazzo Grassi S.p.A. – San Marco 3231 – 30124 Venice (Italy)

Controller's email address: privacy@palazzograssi.it

• for contracts with BdC newsletters, invitations to events or openings organised by BdC: with its registered office in Paris (75008), 12 Rue François 1er

Data Controller's e-mail address: dpo@pinaultcollection.com

 

2. METHOD, PURPOSES AND LEGAL BASIS OF DATA PROCESSING

PG and BdC collect and process Personal Data provided directly and knowingly by the User.

This data includes:

• biographical data (name, surname, date of birth, nationality, gender, tax code, VAT number, profession, interests, number of children);
• contact details (email address, telephone number, residential address);
• information on the payment method (credit card data).

If you wish to receive the services offered by Palazzo Grassi, you will be asked for your Personal Data. Without your Data, PG and BdC cannot provide this service.

The data provided may be used:

1. to perform the contract and manage the order to:

• perform the ticketing service supply contract and enable PG and BdC to manage the issuing of admission tickets;
• manage reservations of services and enable the use of services purchased (visit, workshop or space);
• fulfil all obligations deriving from the respective contractual relationships established with the user, as well as obligations arising from applicable law or regulations, particularly in the fields of tax and public safety;
• record the User's participation in events promoted by PG;
• facilitate administrative and accounting tasks, including the possible transmission of commercial invoices by email;

2. send direct marketing by subscribing to the newsletter, and commercial/promotional information activities, invitations to events promoted or organised by the Data Controller or Data Processors via e-mail or mail:
3. assess visitor satisfaction by completing an online questionnaire sent to your e-mail address;

 

3. REQUIRED OR OPTIONAL PROVISION OF PERSONAL DATA AND CONSEQUENCES OF REFUSAL TO PROVIDE SAID DATA

Providing Data is mandatory for the purpose referred to in point a. as it is necessary for PG to fulfil a legal obligation and provide the requested service.

Providing personal data for the purposes referred to in point b. and c. is optional, and refusal does not entail any consequences for PG or BdC’s contractual obligations.

 

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS

User Personal Data will be processed by PG and BdC employees and partners who are trained by each Company for this purpose.

User Personal Data provided may be processed by trusted individuals carrying out technical and organisational tasks on behalf of PG and BdC, respectively, for the purposes referred to in paragraph 2 above. Such individuals process the data as Data Processors or Data Controllers and adopt appropriate security measures to ensure that such processing complies with the GDPR, thus guaranteeing the protection of user rights.

Personal data may be transmitted to information technology providers appointed by the Data Controller.

Under no circumstances will personal data be disclosed indiscriminately and/or to the public.

 

5. STORAGE PERIOD

In compliance with Art. 13(2)(a) GDPR, the Data Controller shall store users’ personal data exclusively until such time as this is required to pursue the purposes of the data collection. Personal data are generally stored by the Data Controller for ten years from the conclusion of the relationship with the user. In some cases, however, the Data Controller stores personal data for longer periods of time, for example if this is required to comply with legal, tax or accounting obligations.

Given that the processing is based on user consent, the Data Controller may store their personal data for the established period and otherwise until such consent is withdrawn.

At the end of the storage period, the personal data will be erased. Therefore, once this deadline has expired, the right of access, erasure, rectification and portability may no longer be exercised.

 

6. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR AN INTERNATIONAL ORGANISATION

PG collects Personal Data, as BdC's Data Processor, and transfers it to BdC, based in France. The personal data provided by users and subject to processing will not be transferred to third countries and/or international organisations.

Newsletters are sent via the MailChimp® platform belonging to Rocket Science Group, LLC, based in the United States, to which your personal data may be transferred. The company complies with the “Privacy Shield” agreement, which guarantees a level of personal data protection that meets the standards required by the GDPR.

 

7. RIGHTS OF DATA SUBJECTS

Users may exercise the rights granted to them under Art. 15 ff. of the GDPR and under the Privacy Code with reference to data processed by the Data Controller. In particular, users have the right to:

• withdraw their consent at any time. Users may withdraw their previous consent to the processing of their personal data.
• object to the processing of their Data. When personal data are processed in the public interest, in the exercise of official authority vested in the Data Controller or to pursue a legitimate interest of the Data Controller, users have the right to object to the processing on grounds relating to their particular situation. Where personal data are processed for marketing purposes, users may object to the processing without providing any reason.
• access their data. Users have the right to obtain information on the data processed by the Data Controller and on certain aspects of the processing, as well as to receive a copy of the data processed.
• verify and request data rectification. Users have the right to verify the accuracy of their personal data and request their updating or correction.
• obtain restriction of processing. Where one of the conditions referred to in Art. 18 of the GDPR applies, users can request restriction of processing of their data. In this case the Data Controller will not process the data for any purpose other than their storage.
• receive their data or have them transferred to another Data Controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, where technically possible, to transmit those data to another controller without hindrance. This right can be exercised if the data are processed by automated means and the processing is based on consent, on a contract to which the user is a party or on contractual measures connected to it.
• lodge a complaint. Users may lodge a complaint with the competent personal data protection watchdog or take legal action.

To exercise your rights regarding Palazzo Grassi – Punta della Dogana, you may submit a request via email to privacy@palazzograssi.it or send a traditional mail to the following address: Palazzo Grassi S.p.A., San Marco 3231 – 30124 Venice (Italy).

To exercise your rights regarding Pinault Collection - Bourse de Commerce, you may submit a request via email to dpo@pinaultcollection.com or by traditional mail to the following address: 2bis rue de Viarmes, 75001 Paris – France.

All requests are processed free of charge by the Data Controller in the shortest possible time.

 

8. REGULATORY REQUIREMENTS

The full text of the GDPR and the Privacy Code are available for consultation on the watchdog’s website at www.garanteprivacy.it

 

9. CHANGES TO THIS INFORMATION ON DATA PROCESSING

The Data Controller reserves the right to make changes to this disclosure at any time, notifying the user immediately.

 

Download the privacy policy