Privacy

Information on the processing of personal data, according to art. 13 of EU Regulation 2016/679 (hereinafter GDPR)

This information describes the methods of processing the personal data of users who intend to access the Study Room of this Institute and take advantage of the related services for consulting documentary and bibliographic material.

 

1) Data Controller

The data controller of personal data is the Ministry of Culture (MiC), which has designated:

→ the Director General of the Archives (dg-a@beniculturali.it, mbac-dg-a@mailcert.beniculturali.it) subject through which MiC exercises the functions of owner of the processing of personal data (DM 14/03/2019 no. 147);

→ dr. Stefano Vitali (rpd@beniculturali.it / rpd@mailcert.beniculturali.it; tel. 065454.8568) Responsible for the protection of personal data (D.M. 24/07/2020 n. 349).

 

2) Legal basis of the processing

• European Regulation 2016/679
• Deontological rules for data processing for archiving purposes in the public interest or for historical research purposes (Italian Official Gazette no. 12 of 15 January 2019)
• Legislative Decree 101/2018 and subsequent amendments (Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679)
• Legislative Decree 196/2003 and subsequent amendments (Code regarding the protection of personal data)
• Legislative Decree 42/2004 and subsequent amendments (Code of cultural heritage and landscape)
• Royal Decree 2 October 1911 n. 1163 (Regulations for State Archives)

 

3) Purpose of the treatment

The processing of personal data is aimed at:

- ensure the safety of the archival and bibliographic heritage of the State Archives of Prato;

- ensure the safety of users (eg. in case of evacuation of the building for an emergency);

- keep a record of the commitment signed by the user to comply with the ethical rules for processing for archiving purposes in the public interest or for historical research purposes;

- know the types of users and their research interests, in order to optimize the Institute’s services.

 

4) Communication and dissemination of data

No data collected for the purposes referred to in point 3) of this information is communicated or disseminated externally or to third parties, without prejudice to the communication of personal data to all subjects to whom the right of access is recognized by virtue of regulatory provisions ( eg. Public Security Authority, Judicial Authority).

 

5) Obligation to communicate data

The communication of personal data is mandatory for the achievement of the purposes referred to in point 3) of this information, therefore the refusal to communicate them implies the impossibility of enrolling in the Study Room of the Institute and access to the related services.

 

6) Processing methods

The processing concerns common personal identification data. The processing of personal data takes place both through IT tools and paper supports and is handled only by personnel authorized to process it in compliance with the principles of lawfulness, correctness and transparency. The data will also be managed and protected in environments whose access is under constant control. In particular, all technical, IT, organizational, logistical and procedural security measures will be adopted, so that the appropriate level of data protection required by law is guaranteed.

 

7) Data retention period

Personal data will be kept for the time necessary to pursue the purposes referred to in point 3) of this information and, in any case, for the time in which storage is necessary for purposes of archiving in the public interest, scientific or historical research or for statistical purposes, after applying the guarantees provided for by art. 89 of the GDPR.

 

8) Rights of interested parties

Pursuant to art. 15-22 and 77 of the GDPR, the interested party has the right to obtain access to personal data concerning himself, the correction or integration of the same and their cancellation (upon the occurrence of one of the conditions referred to in art. 17, par.1 of the GDPR and in compliance with the exceptions provided for in par.3 of the same article); the interested party also has the right to obtain the limitation of the processing of personal data concerning him / her in the event of one of the hypotheses indicated in art. 18 of the GDPR, to oppose this treatment and to lodge a complaint with the supervisory authority. The above rights may be exercised with a request to the Data Controller, at the addresses indicated in this information.