PRIVACY POLICY

Notice pursuant to Arts. 13 and 14 of EU Regulation 2016/679 (Rev. 4.2 Updated 09/01/2024)

This page describes how the website is managed with regard to the processing of personal data of users who consult it or use the services it offers.

This page sets out the personal data processing activities carried out in relation to the services made available via the web through:

• the website https://www.maggiofiorentino.com/
   

THE "DATA CONTROLLER" (who decides why, how and to whom data is processed)

Following consultation of this website and use of the services it offers, data relating to identified or identifiable persons may be processed.

In addition to browsing data, information may be collected, for example:

• upon a contact request;
• through the use of cookies or other technologies as described below.

The Data Controller is the FONDAZIONE TEATRO DEL MAGGIO MUSICALE FIORENTINO, Piazzale Vittorio Gui, 1 – 50144 Florence – VAT number coinciding with tax code 00427750484, registered in the Florence Business Register, REA no. 506400, tel. 055 2779276.

The Data Controller has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with data protection legislation. Contact details: [email protected].

RIGHTS OF DATA SUBJECTS

With regard to the processing activities described in this document, data subjects (website users) have the right to:

• request from the data controller access to their personal data and the rectification or erasure of such data, or the restriction of processing of personal data concerning them, and to object to their processing;
• where processing is carried out by automated means and on the basis of their consent, to receive the personal data concerning them in a structured, commonly used and machine-readable format and/or to have it transmitted directly to another data controller, where technically feasible;
• withdraw their consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal), obviously only for processing carried out on that basis;
• lodge a complaint with a supervisory authority: Garante per la protezione dei dati personali – Piazza Venezia n. 11, 00187 ROME – Tel: (+39) 06.696771 – E-mail: [email protected] – Certified e-mail: [email protected].

Further information is provided at the end of this policy.

To exercise their rights, the data subject may:

• send a registered letter or contact the addresses indicated above;
• send a communication to the e-mail address [email protected].

The data controller is required to identify the requesting party with certainty before providing any response and/or personal data.

BROWSING DATA – data processed in connection with the visit to the website

The computer systems and software procedures used to operate this website acquire, in the course of their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.

This information is not collected in order to be associated with identified data subjects, but by its very nature it could, through processing and association with data held by third parties, allow users to be identified.

This category of data includes, for example, the IP addresses or domain names of the computers used by users who connect to the website, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the user's operating system and IT environment, such as the type and version of the browser, the types and versions of browser plug-ins, the mobile device identifier (IDFA or AndroidID) and other parameters relating to your operating system and IT environment.

In the absence of specific consent to processing for further purposes, these data are used solely to obtain anonymous statistical information on the use of the site and to monitor its correct functioning.

The data may be used to ascertain liability in the event of hypothetical cybercrimes against the website, and only in such cases may specific procedures be activated to identify the perpetrator.

The legal basis for processing this data is the legitimate interest of the data controllers in data security, the proper functioning of the website and the improvement of service standards.

Personal data are processed by automated means for the time strictly necessary to achieve the purposes for which they were collected. Processing related to the web services of this website is carried out by staff designated by the Data Controller, as well as by external parties appointed as processors (ART. 28 EU REG. 2016/679), to whom technical management and maintenance of the website and related IT systems are delegated. Specific security measures are implemented to prevent data loss, unlawful or improper use and unauthorised access.

No data derived from the web service is disseminated.

Personal data provided by users who submit requests for the sending of informational material (newsletters, replies to queries, etc.) are used solely to fulfill the requested service or activity and are communicated to third parties only where this is necessary for that purpose.

DATA VOLUNTARILY PROVIDED BY THE USER

Apart from what is specified above, users are free to provide the personal data requested during browsing in order to request the sending of informational material or other communications. Failure to provide such data may result in the inability to obtain what was requested.

When the user visits a part of the Website that involves the collection of personal data, they are presented with a link to this information notice and are asked to confirm that they have read it and, where necessary, to give their consent.

The optional, explicit and voluntary sending of e-mail to the addresses indicated on this website entails the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data included in the message which, unless otherwise stated, will be retained for the time necessary to fulfill the requests themselves.

Below, specific information notices are provided relating to the pages set up for particular services on request or through which additional personal data may be collected.

PROCESSING FOLLOWING A CONTACT REQUEST

• Personal data voluntarily provided by the data subject through the contact area, or e-mail addresses made available on the platform, are processed mainly by automated means to:
• ensure a timely and certain response and to satisfy the data subject's requests (legal basis: legitimate interest [Art. 6(1)(f) EU Reg. 2016/679] and consent of the data subject in the case of "special" personal data [Art. 9(2)(a) EU Reg. 2016/679]);
• fulfil obligations arising from laws, regulations and EU rules; comply with orders issued by the Judicial Authority, (legal basis: coinciding with the purpose [Art. 6(1)(c) EU Reg. 2016/679]);
• feed the public knowledge acquisition system through statistical analyses, carried out using anonymised and aggregated data, useful for verifying, improving and thus designing an ever more efficient service, (legal basis: legitimate interest of the data controller coinciding with the purpose [Art. 6(1)(f) EU Reg. 2016/679]).
• Contact details and e-mail addresses provided may be used to send courtesy communications and/or informational material relating to the data controller's activities, only where the following legal bases apply:
• legitimate interest consisting in the processing of personal data for direct marketing purposes, taking into account the relationship with the data subject [Art. 6(1)(f) EU Reg. 2016/679] where the contact requested was related to or involved the establishment of an ongoing relationship with the data controller
• consent of the data subject [Art. 6(1)(a) EU Reg. 2016/679] which, if the data subject is interested, the data controller will request in the course of contacts aimed at satisfying the data subject's requests.
• Data may be processed by staff responsible for promotion, communication and public relations, staff responsible for IT system maintenance tasked with ensuring system functionality and data security, other authorised staff within the limits of their assigned duties and in accordance with company procedures, and other parties providing services for purposes auxiliary to fulfilling the data subject's requests, also within the limits strictly necessary to perform their tasks.
• Data may be communicated or made available to:
• parties who may access the data under a legal, regulatory or EU provision, within the limits laid down by such rules,
• other parties that provide services for purposes related to fulfilling the data subject's requests, within the limits strictly necessary to perform their tasks – commercial partners whose collaboration is necessary for the provision of the requested services. Commercial Partners will operate as independent data controllers and in compliance with their respective privacy notices, which will be made available by them.
• Personal data will also be transferred to parties located outside the European Union in the country where the data subject resides or is located, exclusively where necessary to fulfil their requests and in compliance with applicable legislation.

When completing forms, mandatory fields are indicated; in the absence of the required data it will not be possible to fulfil the data subject's requests.

Should the data subject communicate special categories of data at the time of the contact request (Art. 9 identifies as special categories: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, and data concerning health, sex life or sexual orientation), a specific consent to their processing may be requested, in the absence of which it may be impossible to proceed with the data subject's requests.

Mailing List Subscription – Newsletter

Personal data voluntarily provided by the data subject upon subscribing to the mailing list/newsletter:

• are processed mainly by automated means solely to fulfil the data subject's requests, who may discontinue such processing at any time;
• may be processed by communication and marketing staff, IT system maintenance staff tasked with ensuring system functionality, data security and backup operations, other employees within the limits of their assignments and in accordance with company procedures, and other parties providing services for purposes auxiliary to fulfilling the data subject's requests, within the limits strictly necessary to perform their tasks;
• may be communicated or made available to:
• parties who may access the data under a legal, regulatory or EU provision, within the limits laid down by such rules,
• other parties that provide services for purposes related to fulfilling the data subject's requests, within the limits strictly necessary to perform their tasks.
   

REGISTRATION PROCEDURE

The registration procedure allows users to:

• receive the Foundation's newsletter;
• receive communications reserved for registered users;
• access the ticketing purchase procedure more easily directly from the Foundation's website.

Some important notices:

• Unless expressly authorised, current legislation, particularly regarding privacy, does not permit third parties to complete fields or submit information on behalf of the person wishing to register.
• We again remind you to enter contact details that are exclusively at the disposal of the person registering (e.g. avoiding the use of work e-mail addresses), since the Foundation will only send communications addressed exclusively to the account holder, which may contain their personal data.
• Please note that with the password set by the user, they may carry out transactions that may have an economic value; it is therefore recommended to choose an adequately complex password (it should not contain easily traceable references to the user, and should include special characters, numbers, punctuation marks, or increased length at the user's discretion) and to keep it carefully, changing it periodically or whenever its confidentiality may have been compromised.
• completion of the registration procedure presupposes familiarity with the notice made available to the public by the Foundation.

DATA RETENTION

Data communicated, unless otherwise indicated by the data subject or further duly communicated requirements, will be retained for the time necessary to fulfil the data subject's requests and comply with legal obligations.

Data provided in the registration procedure, unless otherwise duly communicated, will be retained until the registration is revoked.

Where the data subject has a contractual relationship with the Data Controller, the relevant data will be retained for the duration of the contract; after its termination, retention will continue only if required by law and in compliance with the rules on the preservation of administrative documents or as indicated in the notice provided at the time the contractual relationship was established and the registration was made.

Contact details that may lawfully be used for promotional, communication and public relations activities will be retained for up to 12 months following the last communication sent by the Data Controller or the withdrawal of consent by the data subject.

TICKET PURCHASE PROCEDURE

In order to offer the best service with the highest security standards, the management of this service has been fully entrusted to a specialised company with proven experience and reliability: the ticket purchase procedure redirects to the domains dedicated to the Foundation managed entirely by VIVATICKET S.p.A. – Società a socio unico – Via Antonio Canova 16/20, 40138 Bologna – https://www.vivaticket.com/it – as an interface allowing purchases on its web platform, also using authentication carried out by the user when logging in from the website https://www.maggiofiorentino.com/.

PROCESSING FOLLOWING TICKET PURCHASE – PUBLIC INFORMATION

1. WHAT DATA IS PROCESSED

• data provided by the data subject directly or through parties authorised by them, and therefore not listed here (first name, last name, details and/or copy of an identity document and, for the purchase/reservation of discounted tickets: details of any accompanying person, special requests to meet specific needs of the data subject or their companion, possibly documentation certifying the type and degree of disability, etc.), which may include "special" categories of personal data;
• data relating to the services purchased and the events the data subject intends to attend or has attended (e.g.: time, assigned seat number, applicable tariff and reason);
• data relating to the person (relative, companion, body, company, association, other) who may have purchased the ticket on behalf of the data subject;
• data arising during events, acquired at the data subject's request.

Specific protections are established by law for data relating to criminal convictions and offences and/or special categories of data (Art. 9 identifies as special categories: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, and data concerning health, sex life or sexual orientation); these data may only be processed with the consent of the data subject. In this regard, particular care is taken to collect only the necessary data and to carry out exclusively the processing required to fulfil the data subjects' requests, and only where pertinent and necessary in relation to the purposes set out below.

Some of the data described above, such as that collected in connection with the issuance of discounted tickets, fall within these categories; for this reason, specific consents will be requested from the data subject, where the characteristics or modalities of the processing so require.

2. ORIGIN OF DATA

Data may be collected and updated:

• through the data subject themselves or, if a minor, through whoever exercises parental responsibility (parents, guardians or persons delegated by them);
• through intermediary parties authorised by the data subject (relative, companion, body, company, ticketing agency, association, other);
• from freely accessible public sources.

3. WHY DATA IS PROCESSED – purposes of processing and applicable legal bases

The processing activities to be carried out have the following purposes, for each of which the applicable "legal basis" is indicated in brackets [the "legal bases" are the conditions that make a purpose lawful as provided for in Arts. 6 and 9 of EU Reg. 2016/679]:

• to fulfil obligations arising from laws, regulations or EU rules [legal basis: legal obligation – Art. 6(1)(c)]; in this regard it should be noted that tax legislation requires the body issuing a discounted ticket to identify the beneficiary and simultaneously request documentation proving that they meet the requirements for the discount;
• to fulfil requests from the Judicial Authority, Judicial Police and Public Security Authority in relation to public order requirements [legal basis: legal obligation – Art. 6(1)(c)];
• to fulfil contractual, accounting and tax obligations [legal bases: legal and contractual obligation – Art. 6(1)(b)-(c)];
• registry management, address lists and statistical calculations [legal basis: legitimate interest of the Data Controller consisting in the efficient organisation of activities, Art. 6(1)(f)];
• where applicable, to protect a legitimate interest, assert or defend a right, [legal basis: coinciding with the purpose, Art. 6(1)(f) and Art. 9(2)(f)];
• to fulfil any requests from the data subject; the contact details provided may be used for communications regarding the programming of the event the data subject intends to attend (as a holder of a subscription or having purchased a ticket), [legal bases: contractual obligation – Art. 6(1)(b) and legitimate interest of the Data Controller, consisting in the organisation of activities and of the data subject, coinciding with the subject matter of any request].

3.1 COMMUNICATION AND DIRECT MARKETING:

Unless otherwise advised by the data subject, the e-mail address provided in the context of the purchase will be used to send courtesy communications and/or informational material/offers relating to products and services analogous or related to the subject of the purchase. [Legal basis: legitimate interest of the Data Controller consisting in processing personal data for direct marketing purposes, always taking into account the reasonable expectations of the data subject based on their relationship with the Foundation, Art. 6(1)(f) and Legislative Decree 196/2003, Art. 130(4)]. The data subject shall have the right to object at any time to this processing.

4. HOW DATA IS PROCESSED

In relation to the aforementioned purposes, the processing of personal data may be carried out by paper, IT and telematic means, and will include all operations or sets of operations necessary to achieve the applicable purposes; always ensuring the utmost confidentiality, relevance and non-excess in relation to the purposes described above.

5. RETENTION PERIODS

Personal data will be retained exclusively for the periods permitted/imposed by the applicable legislation for the specific purpose for which the data is processed; more specifically:

• administrative documents and related supporting documents will be retained in accordance with Art. 2220 of the Civil Code "Retention of accounting records" (10 years);
• data related to any disputes (necessary for the protection of a right in judicial proceedings) will be retained until the fact or circumstance giving rise to the dispute (even potential) has exhausted all its possible effects;
• e-mail addresses and other contact details processed for promotional purposes will be retained for 12 months following the last contact/communication with the data subject.

4. WHO MAY PROCESS DATA – processors and authorised persons

For the same purposes, data may be processed by the following categories of authorised persons and/or processors:

• staff responsible for the issuance of tickets/subscriptions – call centre staff;
• Safety and access control managers and staff;
• administrative staff for managing administrative aspects;
• Senior management and management team;
• marketing staff, personnel appointed for processing related to marketing and communication activities;
• excluding systematic consultation, staff responsible for the management and maintenance of IT systems tasked with ensuring system functionality, data security and backup operations;
• companies/consultants, appointed as Processors (Art. 28 EU Reg. 2016/679), who need access to certain data for activities auxiliary to the purposes indicated above, within the limits strictly necessary to perform the tasks entrusted to them, such as: assistance in the fulfilment or direct execution of tax/accounting/welfare obligations, IT system management, financial services, ticket sales/ticketing.

It is understood that the parties indicated above are authorised to use the data only to the extent actually necessary to perform their functions.

5. TO WHOM DATA MAY BE COMMUNICATED – scope of communication

Personal data relating to the processing activities in question may be communicated or made available to:

• public bodies who may access the data under a legal, regulatory or EU provision, within the limits laid down by such rules;
• limited to accounting and tax data, banks, credit institutions, data processing companies and credit card issuers, for activities strictly connected to the execution and administrative management;
• parties indicated by the data subject or by a person acting on their behalf;
• other parties (companies/consultants) who need access to certain data for activities auxiliary to the purposes indicated above, within the limits strictly necessary to perform the tasks entrusted to them, such as: IT system management, financial services;
• entities that acted as intermediaries for the purchase of named tickets (associations, ticketing agencies, etc.) in the form of confirmation, who have direct relationships with the data subject; in this context, the processing of the relevant data may also include their communication abroad, both within and outside the European Union, to the country of origin of the data subject.

Naturally, all the communications described above are limited to the data strictly necessary for the recipient body/office (which will remain an independent Data Controller for all subsequent processing) to carry out its tasks and/or achieve the purposes connected to the communication itself, always in reference to the purposes stated above.

6. TRANSFER ABROAD to countries not belonging to the EU.

As mentioned above, personal data may also be transmitted to parties located outside the European Union where this is necessary in relation to the purposes referred to above; in particular to the country/countries:

• in which the data subject resides or is located;
• in which entities that acted as intermediaries for the purchase of named tickets, already known to the data subject, have their registered office.

The transfer will always be carried out in full compliance with applicable legislation and exclusively for the purposes referred to above:

• where one of the conditions set out in Art. 49 of EU Reg. 2016/679 applies:
• a) the data subject has explicitly consented to the transfer;
• b) the transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the data subject's request;
• c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person;
• e) the transfer is necessary for the establishment, exercise or defence of legal claims;

7. DISSEMINATION

Unless further communications are made to the data subjects and/or specific consent requests, personal data will not be disseminated. However, it should be noted that during events, television recordings/recordings/photographic services intended for dissemination may be carried out, including by third parties (e.g. press or television broadcasters), in which identifiable spectators may appear.

8. COMMUNICATION AND UPDATING OF DATA – when it is mandatory to communicate one's data

The communication and updating of personal data is mandatory only insofar as it relates to the fulfilment of legal, contractual and tax obligations connected to the issuance and management of tickets and subscriptions, as well as the obligations arising from applicable legislation. Failure by the data subject to comply with this obligation would result in the impossibility of fulfilling their requests and carrying out all normal procedures connected to the issuance of tickets/subscriptions, and consequently the impossibility of attending the event. Of course, on a case-by-case basis, information is always provided regarding which data must mandatorily be communicated in relation to the aforementioned purposes, depending on the means used (by highlighting on forms and online forms on the website or through indication by the relevant staff).

IMAGE RECORDING DURING PUBLIC EVENTS

During events, video-photographic recordings may be made and disseminated and published for the purpose of publicising and promoting the event itself.

Such video-photographic recordings are:

• processed, mainly by IT and telematic means, exclusively by the data controller's staff and collaborators;
• used and disseminated exclusively for informational and promotional purposes, for an indefinite period of time;
• reproduced and modified without altering their context/meaning, always protecting dignity and decorum, in order to adapt them to the use made thereof and the medium used;
• retained indefinitely in the data controller's historical archives together with an indication of the event on the occasion of which they were acquired.

IN NO CASE will video-photographic recordings be used by the Data Controller in contexts that undermine the personal dignity and decorum of the persons recorded who may be identifiable.

1. Video-photographic recordings intended to represent the context and not specific persons

Particular care is taken to carry out recordings clearly related to the context and not aimed at enabling the identification of participants (which may nevertheless occur incidentally), unless they are public figures or specific releases have been provided by the persons recorded. Video-photographic recordings, when clearly intended to represent the context of a public event and not specific persons, do not require a release (Art. 96 of Law no. 633/1941: ... "The consent of the person portrayed is not required … where the reproduction is connected to facts, events, ceremonies of public interest or held in public".)

2. Video-photographic recordings portraying specific persons

During certain events, a photographer may be present who may also photograph individual persons or small groups; this type of image does not fall within the exemptions set out in Art. 96 of Law no. 633/1941; consequently, the staff may have specific releases signed or verbally request authorisation from the individuals they intend to photograph, recording their response and full name on video, in order to document their consent; it is specified that such recording will be immediately deleted if the response of the data subjects is negative.

Subject to the rights of the data subjects, if the response is affirmative, the recording will be retained together with the photographs to which it refers for the entire period during which the images are retained, processed and disseminated.

The purposes pursued by the data controller remain:

• publication of photographs and/or video recordings on any means of dissemination, in any format, for advertising and publicity purposes and to give visibility to the event [legal basis: consent of the data subjects]
• to demonstrate the lawfulness of the Data Controller's conduct and ensure compliance with applicable legislation [legal basis: legal obligation, Art. 6(1)(c) EU Reg. 2016/679]
• to assert or defend a right (legal basis coinciding with the purpose, Art. 9(2)(f) EU Reg. 2016/679)

The provision of consent and, consequently, of data, is obviously optional; in its absence there will be no consequences for the data subjects.

Audio-video-photographic recordings may:

• be reproduced on any technical and/or multimedia medium, whether known or future;
• be modified, always without altering their context/meaning and always protecting the dignity and decorum of the data subject, in order to adapt them to the purpose for which they are processed and the medium used.

IN NO CASE will images and recordings be used in contexts that undermine the personal dignity and decorum of the persons recorded.

Recordings of consent not intended for dissemination may be communicated to public administrations (for the performance of their institutional functions, within the limits established by law and regulations) and to parties (companies, professionals, etc.) that provide services connected to the purposes referred to above.

COOKIES

This section provides information about the cookies in use and complements the cookie policy generated and constantly updated through the service provided by Cookiebot (https://www.cookiebot.com/en/), which should be referred to in relation to the consents provided.

The legal bases for the processing arising from the use of cookies are:

• for technical cookies (necessary for the proper functioning of the website and to enable navigation): the legitimate interest of the data controller coinciding with the purpose of the cookies;
• for any profiling cookies: the consent of the user manifested in the manner described in the aforementioned provision of the Data Protection Authority, i.e. by continuing to browse after having clearly read the notice displayed on the banner that appears when first visiting the website.

COOKIES – IN-DEPTH INFORMATION

WHAT ARE COOKIES AND HOW DO THEY WORK

Cookies are small text files that websites visited by a user send to their device. These files are saved and stored in the user's browser folders, and are then re-transmitted to the same websites on subsequent visits.

Through cookies, servers receive information that is re-read and updated each time the user returns to the website.

Cookies contain the following information:

• an indication of the server or domain that generated them;
• their duration (or expiry date);
• a unique identification code;
• a unique value.

In any case, cookies cannot cause damage to the user's computer.

WHAT COOKIES ARE USED FOR

Cookies are designed to facilitate the use of the website and improve the browsing experience. They also provide the website operator with information, mostly aggregated and anonymous, on user browsing in order to obtain statistical data on the use of the website.

Furthermore, some cookies collect and store on the user's device information about what the user has done on websites; this information can be used:

• to recognise the user (or, more precisely, the device used by the user), reproposing the settings previously requested/chosen by them on subsequent visits;
• to analyse the user's preferences shown during browsing, creating a profile used essentially to display or send personalised commercial promotional messages, i.e. those in line with the user's interests as inferred from their browsing.

TYPES OF COOKIES

Cookies can be divided into the following categories: Technical Cookies and Profiling Cookies.

TECHNICAL and functionality COOKIES: Technical cookies are those used solely for the purpose of "carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such service" (cf. Art. 122(1) of the Code).

These allow the website to function optimally, but the user may decide not to allow their use by modifying the settings of the browser being used. Disabling these cookies may prevent access to some website functions.

Within Technical Cookies, it is possible to distinguish:

• Navigation Cookies – These are necessary to navigate within the website using all its functions (such as maintaining the session and accessing reserved areas) and do not collect information to be used for profiling or commercial purposes. In the absence of these cookies, it would not be possible to provide the requested services.
• Functionality Cookies – These allow the user to browse based on a set of selected criteria (e.g. the website language), thus facilitating navigation. The information collected through these cookies is anonymous.

The installation of technical cookies does not require prior user consent, although the obligation to provide this notice remains. The collection and processing of data arising from the use of technical cookies is necessary for the correct use of the website. If the user objects, they will not be able to view the website correctly and in its entirety.

The legal basis for the use of technical cookies remains the legitimate interest of the data controller consisting in the proper functioning of the website and the improvement of the services provided.

• Analytics Cookies – These are treated as technical cookies where they are used directly by the website operator to collect information in aggregate form on the number of users and how they visit the website. They are used to optimise its management. The information collected by these cookies does not allow the user to be identified.

PROFILING COOKIES

As mentioned above, these cookies allow information to be collected about the user's preferences and the ways in which they interact with the website, and are used to assign the user (in practice, more often the device used by the user) a profile in order to maximise the effectiveness and usability of the website, including by personalising the promotional/advertising messages displayed to the individual user.

These cookies may be installed on users' devices only after they have been previously and adequately informed and have provided consent, which, as provided by the provision referred to in the preamble, may be manifested simply by continuing to browse after reading the notice displayed the first time they visit the website.

The legal basis for the use of profiling cookies is the consent of the data subject (user of the device used for browsing) manifested in the manner prescribed by the aforementioned general measure of the Data Protection Authority "Identification of simplified methods for the privacy notice and acquisition of consent for the use of cookies" of 8 May 2014 [https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3118884].

DISABLING AND DELETING COOKIES

The user's privacy is guaranteed essentially by the fact that they may AT ANY TIME:

• configure the browser to accept all cookies, reject all of them, or receive a warning notice when one is sent,
• delete one, some or all cookies.

Each browser has its own specific settings; therefore, please consult the "Help" section of the browser being used for more information on how to change preferences.

Most browsers are initially set to accept cookies automatically. In the case of different devices (e.g. computer, smartphone, tablet, etc.), the user must ensure that the browser settings of each device are configured to reflect their cookie preferences.

Below are some links to the online documentation of the main browsers:

• Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/ie-security-privacy-settings#ie=ie-11
• Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
• Google Chrome: https://support.google.com/chrome/answer/95647?hl=en
• Safari iOS (iPhone, iPad, iPod touch): http://support.apple.com/kb/HT1677

Microsoft Internet Explorer

• Click on "Tools" at the top of the browser window.
• Select "Internet Options" and then click on the "Privacy" tab.
• To enable cookies, the Privacy level must be set to "Medium" or below. To disable them, the Privacy level must be set above "Medium".
• To enable the "third-party cookies" option, select the "Advanced" button in the "Privacy" section, check "Override Automatic Cookie Handling", confirm the default "Accept" option for "Third-party Cookies" and save by clicking OK. Alternatively, if you do not wish to allow third-party cookies, select "Block" and confirm with OK. If you wish to accept or block third-party cookies on a case-by-case basis, select the "Prompt" option and click OK.

Mozilla Firefox

• Click on "Tools" at the top of the browser window and select "Options".
• Select the "Privacy" icon and in the "History" section check "Accept cookies from sites" to accept them. To prevent cookies from being installed, including third-party ones, deselect this option.
• To allow the installation of third-party cookies, you must have selected "Accept cookies from sites" (see previous point) and select, next to "Accept third-party cookies", the "Always" option from the drop-down menu. If you do not wish to accept third-party cookies, select "Never" from the same drop-down menu.

Google Chrome

• Click the Chrome menu icon and select "Settings".
• At the bottom of the page, click "Show advanced settings".
• In the "Privacy" section, click "Content settings".
• To enable or disable cookies:
• To enable cookies, select "Allow sites to save and read cookie data".
• To disable cookies, select "Block sites from setting any data".
• To prevent access by third-party cookies, also select the "Block third-party cookies and site data" option in the same Privacy section.
• Click Done to save.

Safari (iPhone, iPad, iPod touch)

• Click the "Settings" icon, then select "Safari".
• Select "Privacy & Security" and then "Block Cookies".
• Select the "Always Block" option if you wish to prevent the installation of cookies.

More information about cookies can be found at: www.allaboutcookies.org

Permanent disabling of profiling cookies

If you use Internet Explorer 9 or higher

• Click on "Tools" at the top of the browser window.
• Select "Internet Options" and then click on the "Privacy" tab.
• Set the Privacy level to "High".

If you use Firefox 5 or higher

• Open the "Options" menu and click on the "Privacy" tab.
• Select the option "Tell sites that I do not want to be tracked".

If you use Google Chrome

• Open Chrome and then the "Settings" menu.
• Click on "Show advanced settings" at the bottom of the page.
• Under "Privacy", in the "Send a request" box, check "Send a Do Not Track request with your browsing traffic".

Disabling COOKIES ON MOBILE DEVICES

Just as with browsers on computers, browsers on mobile devices allow you to change privacy settings or settings to disable or delete cookies.

If you wish to change your privacy settings, follow the instructions provided by the browser developer for your mobile device.

Below are links for some browsers:

• iOS: https://goo.gl/fG1K8t
• Chrome Mobile: https://goo.gl/f0XME
• Opera Mobile: http://goo.gl/Nzr8s7

USER RIGHTS – IN-DEPTH INFORMATION

Right of access

The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed and, where this is the case, to obtain access to the personal data and the following information:

• a) the purposes of the processing;
• b) the categories of personal data concerned;
• c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations and, where applicable, the existence of appropriate safeguards;
• d) where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
• e) the existence of the data subject's right to request from the data controller rectification or erasure of personal data, or restriction of processing of personal data concerning them, or to object to such processing;
• f) the right to lodge a complaint with a supervisory authority;
• g) where the personal data are not collected from the data subject, any available information as to their source;
• h) the existence of automated decision-making, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Right to rectification

The data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them.

Right to erasure

The data subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay and the data controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

• a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• b) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
• c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• d) the personal data have been unlawfully processed;
• e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the data controller is subject;

Right to restriction of processing

The data subject has the right to obtain from the data controller restriction of processing where one of the following applies:

• a) the data subject contests the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of the personal data;
• b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• c) the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• d) the data subject has objected to processing, pending the verification of whether the legitimate grounds of the data controller override those of the data subject.

Right to object

The data subject has the right to object at any time to the processing of personal data concerning them for the purposes of direct marketing, including profiling to the extent that it is related to such direct marketing.

Right to data portability

The data subject has the right to receive personal data concerning them, which they have provided to a data controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another data controller without hindrance from the data controller to which the data have been provided, where:

• a) the processing is based on consent or on a contract; and
• b) the processing is carried out by automated means.

In exercising their rights in relation to data portability, the data subject has the right to have the personal data transmitted directly from one data controller to another, where technically feasible.

SOME DEFINITIONS

Personal data: Any information relating to an identified or identifiable natural person.

"Special" personal data REQUIRE GREATER PROTECTION AND SPECIAL ATTENTION; these are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, and data concerning health, sex life or sexual orientation (Art. 9 of EU Reg. 2016/679).

Processing: any operation or set of operations performed, by any means or method, on personal data or sets of personal data (such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction).

Data subject: The natural person to whom the personal data relate.

Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processors (appointed pursuant to Art. 28 EU Reg. 2016/679): the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

Legal basis for processing: the regulatory principle under which the personal data processing described may be carried out, in many cases coinciding with the stated purpose. The legal bases are set out mainly in Arts. 6 and 9 of EU Reg. 2016/679.

This document is prepared for the use of the Fondazione Teatro del Maggio Musicale Fiorentino (referred to in this document as the Foundation). Copying and any form of use, even partial, by parties not authorised to do so under applicable law or express authorisation is prohibited. Reproduction is permitted only if complete with this footer.