PRIVACY POLICY FOR WEBSITE VISITORS

Pursuant to Regulation (EU) 2016/679, the purpose of this Privacy Policy is to describe the management methods of the website owned by OPERA DEL DUOMO DI ORVIETO - FABBRICERIA at the URL www.duomodiorvieto.it, with regard to the processing of the personal data of its users/visitors.

The policy provided pertains exclusively to the website mentioned above, and does not apply to any other websites that may be accessed by the user via links.

OPERA DEL DUOMO DI ORVIETO guarantees compliance with the personal data protection legislation. The website’s users/visitors are therefore invited to carefully read this Privacy Policy prior to submitting any personal information and/or filling out any electronic form on the website itself.

The Data Controller is OPERA DEL DUOMO DI ORVIETO - FABBRICERIA with registered office in Orvieto (PG), at via Piazza del Duomo, 26, zip code 05018.

Certified email address (PEC) opsm@pec.it
Telephone number 0763 342477
Email address info@duomodiorvieto.it

In addition, any partner websites occasionally involved in the data processing activities from time to time may assume the role of autonomous data controllers.

Types of data processed

When the user/visitor browses the website, the undersigned company will process personal data of the following types:

  1. Browsing data collected automatically.
    During their normal operation, the computer systems and software procedures that govern this website’s functionality acquire certain personal data, the transmission of which is implicit in the use of Internet communication protocols.
    By their very nature, these data items could allow the users/visitors to be identified if associated and processed with data held by third parties (e.g. IP address, domain names of computers used by users/visitors connecting to the website, type of browser, date and time of the visit, visitor’s web page of origin and exit, number of clicks, etc.).
    These data are only used for static information purposes and to verify the website’s proper functionality.
    Data regarding web contacts will not be retained for more than seven days, unless investigations are being conducted into computer crimes perpetrated against the website.
    No data derived from the web service will be disclosed or disseminated.
     
  2. Data provided voluntarily by users/visitors
    If the users/visitors connecting to this website submit their personal data to access certain services, they are made aware that this will entail the Data Controller’s acquisition of the sender’s address and/or any other personal data provided, which will be processed exclusively for the purpose of providing the service.
    The personal data provided by the users/visitors will only be disclosed to third parties if such disclosure is necessary to comply with the requests of the users/visitors themselves or is required by law.
     
  3. Cookies
    In addition to the data expressly provided to the Data Controller, other data may also be recorded as a result of the user browsing on the website. In fact, when the user accesses the website, the website may send the user a cookie. A cookie is a small text file that the website may automatically send to your computer when you view our webpages. The cookies serve to make the browsing of the website more convenient, as well as to obtain information about the individual user’s browsing on the website itself, and to enable certain services that require the identification of the user’s path through website’s various pages. Regardless of whether a cookie is present, any time a user/visitor accesses the website, the website will record the type of browser (e.g. Internet Explorer, Chrome, Firefox, etc.), the operating system (e.g. Windows, Macintosh, etc.), the host and the URL of origin of the user/visitor, as well as the data regarding the webpage requested. These data may be used in aggregate and anonymous form for the statistical analysis of the website’s use.
    While browsing a website, the user’s computer may also receive cookies sent from websites or web servers other than that being visited (so-called “third-party” cookies).

Social Network Plugins

The main social media widgets are embedded into the website. The collection and use of information by social network platforms are governed by their respective privacy policies. We recommend that you review their policies. Several social buttons/widgets, i.e. special "buttons" that represent different social networking platforms, are also on the website. These "buttons" allow users to access and interact with social networks directly. By clicking on the social buttons/widgets, the social network acquires data on your visit. In all other cases, where the User wishes to share their browsing data by clicking on select social networks, the Controller does not share any of browsing information or data of Users, obtained through the website, with the social networks accessible via the social buttons/widgets.

More information can be found in the privacy policies of:

Facebook at the following link: https://www.facebook.com/policies/cookies/

Instagram at the following link: https://help.instagram.com/519522125107875/?maybe_redirect_pol=0

YouTube at the following link: https://www.youtube.com/intl/ALL_it/howyoutubeworks/user-settings/privacy/

To prevent social media widgets from tracking you, please log out of all social networks before visiting the website.

 

Processing methods

The data processing is carried out using automated tools (e.g. electronic procedures and media) and/or manually (e.g. on paper), for the time strictly necessary to achieve the purposes for which the data were collected, and, regardless, in accordance with the applicable regulations.

 

Purposes and legal basis of the data processing

In addition to those indicated in the individual policies shown prior to completing the forms in the various sections of the website, the data processing carried out by the Data Controller is also performed for the following purposes:

  • Browsing data is collected and processed for the purpose of carrying out any activity related to the management and administration of the website, including information security management. It may also be used to collect anonymous statistical information on the use of the website and to check that the website is working properly. Legal basis for the processing and compliance with legal obligations and the legitimate interest of the Controller.
  • General personal data provided voluntarily by users when filling out the contact form to request information may be collected and processed for:
    - processing and handling the reservation of a service by the data subject. In this case, the processing is based on the request sent by the data subject and, for this reason, to take any necessary steps prior to entering into a contract.
  • Processing of the personal data provided and those inferred from the browsing of the website in order to provide a service that’s consistent with the indications transmitted during use of the service;
  • Purposes functional to the conduct of our business, such as:
    - Sending of sales communications regarding products and services similar to those purchased (Soft Spam) The processing of personal data for Soft Spam purposes represents a lawful form of data processing pursuant to the applicable data protection legislation, which does not require consent. The user/visitor may object to the processing of their data for this purpose, both when requesting the products/services available on the website, by denying consent for marketing purposes, and when receiving subsequent communications from the Data Controller, by writing to the addresses indicated above, as well as by clicking on the link found at the bottom of each communication sent by email.
    - Marketing: entering data in the company CRM system and sending emails, SMS, newsletters regarding services, events, and initiatives organised by the Controller. The legal basis for the processing is consent of the data subject. The user/visitor may object to the processing for this purpose both when making enquiries and bookings on the website and at the time of subsequent communications from the Controller by writing to the contact details provided above, as well as by using the link found at the bottom of each email communication received or through withdrawal of consent for marketing purposes.

 

Recipients

In addition to the data controller, in some cases the following recipients may also have access to the data:

  • Persons who typically act as data processors, by way of example: -
    - Persons, companies, or professional firms that provide assistance and consultancy to the data controller for accounting, administrative, legal, financial, and debt collection purposes relating to the provision of the services and management of the contractual relationship;
    - Persons with whom it is necessary to interact for the purposes of providing the services and managing the relationship (e.g. hosting providers, suppliers of services in support of the marketing activities, as well as suppliers of related services);
    - Subjects delegated to perform technical maintenance activities (including maintenance of network equipment and electronic communication networks).
    - For marketing purposes, the undersigned company may process personal data in order to use marketing and targeting services provided by third party platforms, including social media (e.g. Facebook and Google). The use of such services may entail the need for the undersigned company to disclose personal data to these third party platforms.
  • Persons, entities, or authorities to whom the disclosure of personal data is required by law or by order of the authorities in order to prevent and/or detect any fraudulent activity or the abuse of the website and the services offered by the Data Controller
  • Persons authorised by the Data Controller to process personal data for the purpose of carrying out activities strictly related to the provision of the services, who have agreed to maintain confidentiality, or have an appropriate legal obligation to ensure confidentiality (e.g. employees and/or collaborators).

 

Transfer of data on third country

The personal data of the data subject are stored in paper-based, electronic and online archives located in the Countries where the GDPR applies (EU Countries). Data is not transferred outside the European Union.

 

Duration and place of data retention

The data are processed for the time necessary to carry out the service requested by the User, and are then destroyed by secure means of destruction, such as document shredding for paper, and deletion for data contained on electronic media.
In particular, the personal data acquired will be retained by the Data Controller for the following periods:

  • as regards data processed for the purpose of management and administration of the website, users' browsing data will be kept for 3 days;
  • as regards data processed for the purpose of responding to specific requests by the user, the data provided will be kept for the time needed to process the request and will be deleted, unless the parties have entered into an agreement, 12 months after the initial contact, provided that the data subject has not already exercised his or her right to erasure and to object.
  • For marketing and soft spam purposes, if the user/visitor did not deny their consent for Marketing purposes in the forms present on the website itself, the data will be processed and retained by the Data Controller until the user/visitor revokes their consent or until the user/visitor exercises their right to have their personal data deleted by writing to the addresses indicated above or contained in the “contact us” section of the website.

The data may also be processed, on behalf of the Controller, by third parties appointed as Processors, who have received adequate instructions. These parties are mainly represented by external companies that offer IT management and maintenance services and partners that, for various reasons, are involved in providing specific services.

 

Optional or compulsory nature of data provision

Beyond that which has been specified for browsing data, which are acquired automatically, users/visitors are free to either provide or withhold their personal data.
Failure to provide such data could make it impossible to obtain that which has been requested.

 

Rights of the data subject

As Data Subjects, and in relation to the processing operations described in this Policy, the website’s users/visitors have the rights set out under articles 7, 15 through 21 and 77 of the GDPR. In particular, these consist of:

  • the right of access – Article 15 of the GDPR: the right to obtain confirmation as to whether or not personal data concerning the Customer is being processed and, if so, to obtain access to such personal data, including a copy thereof;
  • the right of rectification – Article 16 of the GDPR: the right to obtain, without undue delay, the rectification of any inaccurate personal data concerning the Customer and/or the supplementation of any incomplete personal data;
  • the right to erasure (the right to be forgotten) – Article 17 of the GDPR: the right to obtain, without undue delay, the erasure of any personal data concerning the Customer;
  • the right to restriction of processing – Article 18 of the GDPR: the right to obtain restriction of processing, when: the Data Subject disputes the accuracy of the personal data, for the period necessary for the Data Controller to verify the accuracy of such data; the processing is unlawful, and the Data Subject objects to the deletion of the personal data and instead requests that its use be restricted; the personal data is necessary for the Data Subject to ascertain, exercise, or defend a right in court; the Data Subject has objected to the processing pursuant to art. 21 of the GDPR, during the period pending verification as to whether the Data Controller’s legitimate reasons prevail over those of the Data Subject;
  • the right to object – article 21 of the GDPR: the right to object, at any time, on grounds relating to the Customer’s particular situation, to the processing of personal data concerning the Customer based on the lawful condition of legitimate interest or the performance of a task carried out in the public interest or in the exercise of official authority, including profiling, unless there are legitimate grounds for the Data Controller to continue the data processing that override the interests, rights, and freedoms of the Data Subject, or for the verification, exercise, or defence of legal claims. In addition, the right to object to the data processing at any time if the personal data are processed for direct marketing purposes, including profiling, insofar as it is related to such direct marketing;
  • the right to withdraw consent - article 7 of the GDPR: the Customer has the right to withdraw his or her consent at any time. The withdrawal of consent does not undermine the lawfulness of the consent-based processing operations carried out prior to the withdrawal;
  • the right to lodge complaints – article 77 of the GDPR: the Customer has the right to lodge complaints with the Data Protection Authority by sending a registered letter with acknowledgement of receipt to the following address: no. 11 Piazza Venezia, ROME, ITALY – 00187; or else by sending a certified e-mail message to protocollo@pec.gpdp.it

Users/visitors may exercise their rights at any time by sending a registered letter with acknowledgement of receipt to: OPERA DEL DUOMO DI ORVIETO, no.26 Piazza del Duomo, Orvieto, Italy, or by sending an e-mail/certified e-mail message to the following addresses: opsm@pec.it / info@duomodiorvieto.it

Final clauses
It should be noted that this privacy policy may be subject to updates if there should be any changes with respect to the current status of the personal data protection legislation.