1. Identity and contact details of the Controller
The Controller is the Fondazione Teatro dell’Opera di Roma Capitale, with its headquarters in Rome (RM), Piazza Beniamino Gigli 7, 00184 Rome, and can be contacted at the following e-mail address: email@example.com.
2. Contact details of the Data Protection Officer
The Foundation has appointed a Data Protection Officer, who can be contacted at the following e-mail address: firstname.lastname@example.org.
3. The purpose of data processing and the legal basis of the processing
Personal data is processed for the following purposes:
a) stipulation, execution and fulfillment of pre-contractual obligations, and contractual and tax obligations deriving from existing relationships. Legal basis: the execution of a contract or of pre-contractual measures, consent of the interested party;
b) execution of organizational activities connected to the benefits and services deriving from the status as Associate Member. Legal basis: the execution of a contract or of pre-contractual measures;
c) fulfillment of obligations established by law, by regulation, by European legislation or by a legal authority. Legal basis: the fulfillment of a legal obligation to which the Controller is subject;
d) internal, organizational needs connected to the necessity to construct an internal contact database. Legal basis: the legitimate interest of the Controller to have an updated database;
e) exercise of the Controller’s rights, for example, the right to a judicial defense. Legal basis: the legitimate interest of the Controller;
Subject only to specific and explicit consent (Art. 7, GDPR) for the following purposes:
f) Publication of the donor’s name among the subjects who have made donations in support of the Foundation and/or the Fabbrica – Young Artist Program project. Legal basis: consent of the interested party;
g) Communication via e-mail, mail, and/or by telephone of newsletters, commercial communications or marketing and promotion materials regarding the services or initiatives offered by the Controller, or to survey the interested party’s satisfaction with the services. Legal basis: consent of the interested party.
4. Recipients of personal data
The data may be made accessible, for the purposes referred to in Art. 3 of this policy:
- to employees or collaborators of the Controller, in their capacity as internal data processors or system administrators;
- to third-party companies or other subjects (as a non-exhaustive indication: to credit institutions, professional firms or consultants, or insurance companies for the provision of insurance services, etc.) who carry out outsourced activities on behalf of the Controller, in their capacity as external data processors;
- to third-party companies or other subjects, in case of the co-organization of events;
- to supervisory agencies, judicial authorities, as well as to subjects to whom communication is lawfully obligatory for the fulfillment of the purposes referred to in Art. 3. These subjects will process the data in their capacity as independent data controllers.
5. Processing of particular categories of personal data
The Foundation commits to not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, and to not process genetic data, biometric data intended to uniquely identify a physical person, data relating to the health or sexual life or sexual orientation of the person, except in the cases expressly provided for by Art. 9, Par. 2 of the GDPR. As a non-exhaustive indication, these cases include processing upon explicit consent of the interested party to the processing of such data for one or more specific purposes, and processing necessary for the performance of duties or exercise of rights of the Controller or of the interested party in the field of labor law.
6. Type of data provision and the consequences of refusal to respond
The provision of data for the purposes referred to in Art. 3, letters a, b, c, d, e is mandatory. In the absence of such a provision, we will not be able to guarantee the establishment or execution of the established relationships. The provision of data for the purposes referred to in Art. 3, letters f and g, is instead optional. The interested party may therefore decide to not provide any data or to subsequently deny the possibility of processing data previously provided. In this case, the interested party will not receive any newsletter, commercial communications or advertising materials regarding the services or initiatives offered by the Controller or third parties.
7. Transfer of personal data outside the EU
In the context of contractual relationships between the Foundation and third-party bodies or companies, for the purposes indicated in Art. 3, personal data may be transferred outside of the EU, including through the insertion into databases shared and managed by third parties.
The management of the database and the processing of such data is bound to the purposes for which it was collected and is carried out in compliance with the standards of confidentiality and security as per the applicable data protection laws.
8. Data retention period
Personal data will be retained for a period of time not exceeding that necessary for the purposes for which it was collected or subsequently processed, in compliance with the provisions of the legal obligations.
Data will be stored for ten years from the conclusion of an existing relationship, to allow the Foundation to defend itself against any eventual claims made in relation to the relationship itself. At the end of this period, personal data will be erased or otherwise irreversibly de-identified, unless further retention of some or all of the data is required by law.
9. Rights of the interested party
In compliance with the GDPR, the interested party can exercise the following rights:
a) access to his/her personal data;
b) request a copy of the personal data supplied (i.e. data portability);
c) the correction of data held by the Foundation;
d) the cancellation of any data for which there is no longer any legal prerequisite for its processing;
e) the withdrawal of consent in the event that the data processing is based on the consent of the interested party;
f) the limitation of the processing of his/her personal data;
g) opposition to processing.
Nevertheless, the Foundation has the right to disregard the exercise of the aforementioned cancellation rights if the right to freedom of expression and of information prevails, or for the exercise of a legal obligation, or to defend one’s right to trial.
The interested party may exercise the aforementioned rights by sending an e-mail to the certified e-mail address: email@example.com, or by writing to the Data Protection Officer at firstname.lastname@example.org.
The interested party may in any case forward his/her complaints or reports to the Italian Data Protection Authority, a competent authority for data protection in case of unlawful processing of his/her data.