Privacy statement on personal data processing: newsletters and quality

Article 13 of the EU Regulation 679/2016 on the protection of personal data collected from the data subject

  1. Data Controller

– The Data Controller is the Museo dei Bambini SCS Onlus with registered office in Via Flaminia no. 80/86 - 00196 (RM)

– The Data Processor is Patrizia Tomasich in compliance with the principles of protection of personal data.

– The Museo dei Bambini SCS Onlus staff is tasked with personal data processing.

2. Source of personal information

In accordance with Article 13 of the EU Regulation 679/2016, we hereby inform you that the Museo dei Bambini SCS Onlus processes personal data collected from the data subjects who have freely communicated in person and/or by means of forms, telephone or fax their personal information to our offices.

3. Purposes of personal data processing

In accordance with the above-mentioned regulation, the Data Controller will ensure that the processing of personal data will be carried out in the respect of the data subject’s fundamental rights and freedoms, as well as of the data subject’s dignity, specifically for privacy, personal identity and the right of personal data protection.

3.1 All personal data collected from the data subject is processed only for the purposes of booking the services requested by the data subjects:

– administrative paperwork for the services of the Museo dei Bambini SCS Onlus and the activities it carries out in order to provide the data subjects with customised services;

– data entry in user records and computerised databases;

– requirements related to the provision of the service requested;

– ability to meet specific needs of the data subject.

Providing personal data is not an obligation; however, if the user fails to provide it, this will prevent us from providing our services as requested.

3.2 Personal data may be also used for purposes functional to promotional activities for services provided by the Museo dei Bambini SCS Onlus, such as:

3.2.1 newsletters sent via e-mail for information and promotional purposes such as free-of-charge and paid museum activities, surveys and market analyses;

3.2.2 measurement of the customer satisfaction index on the quality of the services provided.

Providing personal data for the above-mentioned purposes is not an obligation. Data will be used for mailing lists, which are exclusive property of the Museo dei Bambini SCS Onlus.

If this data is provided, the data subject shall give their consent to processing by entering specific “flags” in the consent check boxes.

 

4. Personal data collection and consequences for non-consent to processing

The collection of personal data for the purposes referred to in item 3.1 is required in order to allow delivery of the service requested. Should the user not consent to the collection of their personal data, the service cannot be provided.

As to the purposes of processing under item 3.2, consent to processing is optional and can be given by selecting the appropriate check box, for each separate purpose provided at the bottom of this privacy statement. Failure to give consent will not prevent the user from receiving the services requested, but it will only prevent the following:

– the user from receiving information and promotional communications as well as newsletters from the Museo dei Bambini SCS Onlus about its initiatives as described in item 3.2.1;

– the Museo dei Bambini SCS Onlus from making aggregate and anonymous statistics in order to monitor and improve the services provided as described in item 3.2.2.

5. Data communication and disclosure

Personal data freely obtained from the data subject will not be disclosed in any form whatsoever.

Personal data, whenever necessary, might be communicated to:

5.1 all subjects whose access right is acknowledged pursuant to and for the purposes of law provisions;

5.2 our contractor personnel, employees and suppliers, in relation to their tasks and/or our contractual obligations to them, for the purposes of the business relationships with the data subject;

5.3 all public and/or private subjects, individuals and/or legal bodies (legal, administration and tax offices, Courts, Chambers of Commerce, Municipality of Rome, etc.), whenever data communication proves necessary or functional to our business and activities for the purposes and in the manners described above; 

5.4 banks for the purposes of receiving and issuing payments arising from contracts.

In the cases described above, only basic data – and no more than basic data – will be communicated for the purposes for which it is communicated.

Transfer of data to third countries

The Data Controller will not transfer personal data to third countries; however, it reserves the possibility to use cloud services; in this case, cloud service providers will be selected among those who provide appropriate safeguards in accordance with article 46 of GDPR 2016/679.

  1. How personal data is processed

Processing involves common identification personal data.

Personal data may be held electronically and in hard copy and is subject to appropriate safeguards in order to ensure protection and privacy. Data will be processed and stored on premises where access is constantly monitored; in particular, all technical, information technology, organisational, logistic and safety procedural safeguards will be adopted so that the appropriate data protection level specified in the regulation is maintained; access will be allowed only to persons tasked with processing by the Data Controller or Data Processors being appointed by the Data Controller.

How long personal data will be kept

Personal data will be kept for a time limited to a strict minimum needed for the specific purposes of processing for which the data subjects have expressed their consent, and namely:

– for the purposes described in item 3.1, for no longer than is necessary to meet contractual obligations and no longer than 10 years from the data collection to meet regulatory obligations and no longer than the terms established by law for the prescription of rights;

– for the purposes described in item 3.2, for 36 (thirty-six) months from the date of consent to processing.

  1. Rights of the data subject

The data subject can, at any time, exercise the following rights:

a. right of access to personal data: obtain confirmation as to whether or not their personal data is being processed; in this case, the right of access to the following information: purposes, data categories, recipients, how long data will be kept, the right to lodge a complaint with a supervisory authority, the right to rectification or erasure or right to restrict processing or right to object to processing, as well as whether an automated decision-making process is in place;

b. right to rectification or erasure or right to restrict processing; “right to restrict processing” means to mark data stored to restrict its processing in future;

c. right to object to processing: right to object for reasons related to the data subject’s particular situation of processing data in order to carry out a task of public interest or pursue a legitimate interest from the Data Controller;

d. right to data portability; in the case of automated processing done based on consent or for the purpose of a contract, right to receive personal data in a commonly used, machine-readable and structured format; specifically, data will be provided by the Data Controller in word format or similar format;

e. right to revoke consent to processing for the purposes of direct marketing and market analyses; exercising this right does not compromise in any way whatsoever the lawfulness of data processing done prior to the revocation;

f. right to lodge a complaint with a supervisory authority pursuant to article 77 of GDPR based on the data subjects’ private address, place of work, or place of breach of their rights; for Italy the competent supervisory authority is the Data Protection Authority (Garante per la protezione dei dati personali) who can be contacted through the website http://www.garanteprivacy.it.

The rights described above can be exercised by sending a request to the Data Controller at the following e-mail address privacy@mdbr.it or using the contact information included in this privacy statement. The right of data subjects to object to processing of their own personal data for the purposes of marketing is extended to traditional practices; however, data subjects can exercise their right in part, that is, objecting to only receiving, for example, promotional communications through automated instruments.

Requests related to the exercise of the data subject’s rights will be handled without unjustified delay and within a month from the date of request; only in more complex cases and in the face of a high number of requests, the above term can be extended by 2 (two) more months.