Information to Data Subjects according to Articles 13-23 and 26 of the Italian Legislative Decree no. 196/2003
We found it necessary to summarize in the following document all the elements dealing with the processing of personal data, already available to the spectators through relevant documentation, to keep in line with the constant updating of our procedures dealing with the Privacy of our spectators and with the obligations imposed by Italian Legislative Decree no. 196/2003. We have integrated them with more specific information aimed at providing maximum transparency for all data collected when accepting reservations, issuing personal tickets at a concessionary fare or free of charge, managing some types of payment methods, and during public relations and customer relations activities.
1) TYPE OF DATA PROCESSED
- data supplied directly by the spectator or through a third party (first name, last name, possibly Identity Document number and when buying or reserving a ticket at a concessionary fare: personal details of any escorting person, particular requests in order to meet special needs of the spectator or any escorting person, certification of the degree of invalidity);
- data related to the services acquired and the shows attended or to be attended (e.g.: time, seating, any specific service requested by disabled people);
- in some cases, data related to the organization (travel agency, Company, association, other) that has organized or offered to the spectator the attendance to the show in our buildings;
- only in few cases, the ticket office will require as a guarantee to the spectator a copy of the Identity Document of the person paying for the ticket with a credit card or by check; such copies will be destroyed as soon as said guarantee is no longer needed;
Article 26 of the Italian Legislative Decree no. 196/2003 grants specific protection for data considered “sensitive”, that is personal data “allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life”. Said information can only be processed with the written consent of the data subject and after the authorization of the Garante (Privacy guarantor). Some of the aforementioned data falls in this category, as in the case of data acquired when issuing tickets at a concessionary fare for disabled people, and for this reason the data subject will be asked to give specific consent should the processing method require it.
2) REASONS FOR DATA PROCESSING
The processing takes place for the following purposes:
- to fulfil any obligation imposed by a law, regulations or European Community legislation; specifically, tax legislation requires the organization issuing a ticket at a concessionary fare to identify the recipient and to request at the same time proof of eligibility of a concessionary fare;
- to fulfil contractual obligations as well as accounting- and tax-based requirements;
- to fulfil orders given by the Judicial and Financial Authorities;
- to meet possible Spectator’s requests by offering thorough and qualified services; personal details provided by the Spectator may be used to send information related to the show for which tickets have been reserved;
- to manage client master data, mailing lists and statistical computations for company purposes;
- to possibly protect a legitimate interest, to exercise or defend a right;
- other purposes connected to public relations, marketing, advertising, information activities for the public. In particular, any details, mailing addresses and emails provided may be used to send courtesy information and/or informative material related to specific offers, seasonal tickets, future shows.
For this type of processing, the fourth subparagraph of Article 130 of the Italian Legislative Decree 196/2003 does not oblige the data controller to request the data subject’s consent, and the data subject is entitled to oppose said processing at any time.
3) MEANS OF DATA PROCESSING
With reference to the aforementioned purposes, personal data may be processed in paper, IT, and telematic formats. Personal data will be treated with absolute confidentiality and its use shall be relevant and not excessive in relation to the previously mentioned purposes in terms of data entry and retention data periods.
More specifically, Fondazione’s database stores data related to reservations made and tickets issued at a concessionary fare for the purposes referred to in points (c)-(d)-(e)-(g) of paragraph 2 above.
4) ENTITIES PERFORMING PROCESSING OPERATIONS
Data may be processed solely by the following staff and/or managers:
- staff for the issuing of tickets/seasonal tickets,
- reservations staff, call centre staff,
- access control staff,
- administration management staff,
- marketing staff,
- IT maintenance staff that guarantees system performance, data security and backup operations excluding consultation,
- companies/consultants appointed as external Data Processors that need to access some data for purposes linked to services requested by data subjects, and strictly within the limits necessary to perform the assigned duties such as: assistance in the execution or direct execution of compliance to tax/accounting/assistance issues, management of IT systems, financial services,
and only within the limits of what is deemed necessary to carry out one’s duty.
5) DATA COMMUNICATION
Personal data may be communicated or made available to:
- those people that may access data according to any law, regulation or European Community legislation, still within the limits foreseen by said norms;
- public and private bodies that manage letter post business;
- banks, credit institutions, data processing companies and credit card issuing companies, limited to accounting and tax data and only for activities strictly connected to the execution and administrative management of the contract;
- other parties (companies/consultants) that need to access some data for purposes linked to the management of services requested by data subjects, and strictly within the limits necessary to perform the assigned duties such as: assistance in the execution or direct execution of compliance to tax/accounting/assistance issues, management of IT systems, financial services;
- entities that have acted as a liaison for reservations or purchasing of personal tickets (associations, travel agencies, etc.) as a confirmation, and that have a direct relationship to the spectator; within this scope and after authorization (when required), the data that is the subject of processing may be transferred outside the country, both inside or outside the European Union and to the country where the spectator comes from;
It should be mentioned that all aforementioned communication is limited only to the data necessary to the specific Entity/office (which will remain an independent Data Controller of all additional processing) to carry out its duties and/or to achieve those ends connected to the communication of the data.
6) WHEN DATA COMMUNICATION IS MANDATORY
Communicating and updating one’s personal data is mandatory within the limits of what is required to comply with agreements and tax issues as foreseen by current legislation and with contractual obligations (refer to points (a)-(b)-(c)-(d) of paragraph 2). Failure by the data subject to fulfil this obligation would make it impossible for Fondazione ARENA DI VERONA to meet the spectator’s requests and to carry out the normal activities connected with ticket issuing or acceptance of a reservation. Clearly, on a case by case basis, the required data is clearly pointed out depending on which format is used (highlighted on paper forms and on forms found on the website or pointed out by a Fondazione staff member).
It is necessary to specify that most processing done is not subject to requesting a consent pursuant to Article 24 of the Italian Legislative Decree 196/2003, with only few exceptions for which specific forms are available (for example, the processing necessary for issuing a ticket at a concessionary fare).
7) DATA DISCLOSURE
Fondazione ARENA DI VERONA will not disclose personal data.
However, it must be pointed out that TV/recording/photographic services carried out by third parties during the events may at times show identifiable spectators.
8) DATA CONTROLLER
The data controller is Fondazione ARENA DI VERONA – Via Roma 7/D – 37121 VERONA
9) CONTACTS FOR ADDITIONAL INFORMATION
To exercise one’s rights pursuant to Article 7 of the Italian Legislative Decree no. 196/2003 (full text enclosed) the data subject may contact the Marketing and Sales Manager by calling the number +39 045 8005151, sending a fax to +39 045 8015593 or an email to firstname.lastname@example.org
Tickets at a concessionary fare are issued as personal tickets in order to provide for a better service and to avoid their misuse and staff members may request an Identity Document to verify the recipient’s identity. We strongly recommend keeping the tickets in a safe place and to promptly notify any loss by calling the following number: +390458005151.
Italian Legislative Decree no. 196 of 30 June 2003 (Italian Personal Data Protection Code).
Article 7 (Right to Access Personal Data and Other Rights):
1. A data subject [natural person or legal person to whom the data refers to] shall have the right to obtain confirmation as to whether or not personal data concerning him exists, regardless of its being already recorded, and communication of such data in intelligible form.
2. A data subject shall have the right to be informed:
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;
d) of the identification data concerning data controller, data processors and the representative designated as per Article 5(2);
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.
3. A data subject shall have the right to obtain:
a) updating, rectification or, where interested therein, integration of the data;
b) erasure, anonymization or blocking of data that has been processed unlawfully, including data whose retention is unnecessary for the purposes for which it has been collected or subsequently processed;
c) certification to the effect that the operations as per points (a) and (b) have been notified, as also related to their contents, to the entities to whom or which the data was communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared to the right that is to be protected.
4. A data subject shall have the right to object, in whole or in part:
a) on legitimate grounds, to the processing of personal data concerning him/her, even though it is relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys;
g) setting up, managing, planning and monitoring the relationships between the administration and the entities bound by contractual agreements with and/or recognized by the National Health Service.