Information on the processing of personal data pursuant to Articles 13 and 14 of EU Regulation No. 679/2016.

The website of the Basilica of San Petronio collects and processes the personal data of users who browse or use the online services available on the site https://www.basilicadisanpetronio.org/

By personal data, we mean any information that can be used to identify a user as an individual.

The purpose of this notice is to provide a clear and detailed explanation of how, when, and why we collect and process personal data and information. It has been designed to present our data protection policy in a simple and transparent manner and to explain to users how to effectively exercise their rights.

This information applies only to the data collected and processed through this website and does not concern other websites, platforms, or social media pages, even if they can be accessed via links on this website. In such cases, users should always refer to the information provided on the respective pages.

This information may be subject to changes and updates over time. Therefore, users are encouraged to regularly check this page to stay informed about the processing of personal data.

INDEX:

1. Data Controller
2. When we collect personal data
3. Which data is processed
4. For what additional purposes might we use personal data?
5. With whom is the data shared?
6. How is the data processed?
7. Where is personal data processed?
8. How long is the data retained?
9. Links to Third-Party Websites and Social Networks
10. The Rights of Data Subjects
11. Possibility to File a Complaint
12. Possible Changes to This Privacy Policy

1. Data Controller

The Data Controller for personal data related to the website is Basilica di San Petronio, C.F. 80007310370, P.IVA 04248901201, as it determines the means and purposes of processing and ensures adequate protection.

You can contact the Data Controller by sending a communication to the following addresses:

• by mail: Basilica di San Petronio, Piazza Maggiore, 40124 Bologna – Italy;
• e-mail: info@basilicadisanpetronio.org;
• PEC: basilicadisanpetronio@pec.it.

2. When We Collect Personal Data

Personal data may be collected directly from the user in the following ways:

• When accessing and browsing the website (navigation data);
• When the user submits requests (including visit reservations) through the dedicated sections or contact details (email address and information contained in the sent communication);
• When the user registers to participate in an event (registration and contact data);
• When making donations in favor of the Basilica or participating in the “Adopt a Brick” initiative (name and surname to be included in the Donors’ Register);
• If the user subscribes to the newsletter service (email address).

3. Which Data is Processed

When the user browses or utilizes the services on the website, the following types of data may be processed:

1. Navigation Data

Some personal data, whose transmission is implicit in website navigation—including but not limited to traffic data, location data, weblogs, and other communication data for potential billing purposes or regarding the resources a user accesses through their device—are acquired by IT systems to ensure proper functionality.
Although these data are not collected to be associated with identified individuals, they could potentially allow user identification due to their nature and/or through processing and association with data held by third parties. For example, this category includes IP addresses or domain names of the computers used by users connecting to the website, unique addresses of the requested resources, request timestamps, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the server response status, and other parameters related to the operating system and browser used.

• Purpose of Processing: To allow you to use the website safely and correctly.
  • Legal Basis for Processing: The Data Controller’s legitimate interest in ensuring the proper functioning of the website and the security of navigation, duly balanced with the data subject’s rights (Article 6, paragraph 1, letter f, GDPR).

• Request for information through the dedicated sections

You can contact us through the contact form (https://www.basilicadisanpetronio.org/contatti/) or by using the contact details provided on the website to request information (info@basilicadisanpetronio.org), book visits (prenotazioni@basilicadisanpetronio.org), or to request information or materials from the historical archive (archivio.storico@basilicadisanpetronio.org) or musical archive (archivio.musicale@basilicadisanpetronio.org) the Basilica, as well as to request assistance for any issues. This involves the subsequent acquisition of the data provided by users (name, surname, email address, and the information included in the communication) and legitimizes the Data Controller to send response communications using the contact details provided by the user at the time of the request.

• Purpose of Processing: To provide adequate support to users in accessing the services available through the website;
  • Legal Basis for Processing: The performance of the service requested by the user (Article 6, paragraph 1, letter b, GDPR).
• Event Registration

By filling out the forms available on the page https://www.basilicadisanpetronio.org/eventi/
It is possible to register directly through the website to participate in events organized or promoted by the Basilica of San Petronio. The data provided will be processed by personnel authorized by the Data Controller solely to manage the registration request and the preliminary activities related to the user’s participation in the event.
Events may also be organized by third parties unrelated to the Data Controller, as indicated on the respective descriptive pages. In such cases, the data provided by the user—only to the extent necessary for proper participation in the event—may also be shared with the organizing entity.
If you have any doubts, please contact the Data Controller directly for further clarification at the following address
info@basilicadisanpetronio.org

• Purpose of Processing: To manage the registration request for one or more events and the user’s subsequent participation in them.
  Legal Basis for Processing: The performance of the service requested by the user (Article 6, paragraph 1, letter b, GDPR).
• Making Donations to the Basilica

On the website, users can find instructions on how to make donations in favor of the Basilica on the page https://www.basilicadisanpetronio.org/sostienici/. If the user participates in the “Adopt a Brick” initiative, they may request to receive the related adoption certificate at the email address they provided. Additionally, with prior and explicit consent, the user’s name will be included in the Donors’ Register, published in the dedicated section of the website https://www.basilicadisanpetronio.org/sostienici/.

• Purpose of Processing: To record the donation made by the user in support of the Basilica.
  Legal Basis for Processing: The user’s consent (Article 6, paragraph 1, letter a, GDPR).
• Newsletter

The Basilica of San Petronio’s newsletter is sent via email to those who explicitly request it, by filling out the dedicated form on the website with their email address and authorizing the Data Controller to process their personal data for this purpose.
The service is provided only after the user has given explicit and unequivocal consent (by selecting the appropriate checkbox on the website). Providing data is mandatory solely for the purpose of receiving the newsletter, and refusal to provide it will result in the inability to access the service, without any further consequences.

The newsletter service is provided through the Mailchimp platform, part of the corporate group owned by Intuit Inc., based in the United States of America. More information on compliance with applicable regulations can be found here: https://mailchimp.com/it/gdpr/ and the related Privacy Policy is available here: https://www.intuit.com/privacy/statement/.

Since Mailchimp is based in the USA, if you choose to subscribe to the newsletter service, you should be aware that your data may be transferred outside the European territory for this processing. Mailchimp applies various measures to ensure that such data transfers occur securely and in compliance with European regulations (particularly the GDPR). More information on this is also available here: https://mailchimp.com/help/mailchimp-european-data-transfers/.For any further clarification, you can contact privacy@intuit.com or directly Mailchimp’s Data Protection Officer (DPO) at the following address: dpo@mailchimp.com.

In any case, to stop receiving the newsletter, simply select the unsubscribe link at the bottom of each email or send a specific request to the following email address: info@basilicadisanpetronio.org. Unsubscription is managed in a partially automated manner, so additional newsletters may still be received for a short period after the request, but no later than 72 hours from the unsubscription request. These emails would have been scheduled before the request was processed.

• Purpose of Processing: To send the user email communications with information and updates about the Basilica, as well as events and activities organized.
  • Legal Basis for Processing: The user’s consent (Article 6, paragraph 1, letter a, GDPR).

• Cookie

What are they?
With the term cookie it refers to a small text file that stores brief information about browsing activity on a specific website, which is installed on your device when you access the site. Each cookie contains different data (e.g., the name of the server it originates from, a numerical identifier, etc.), can remain in the system for the duration of a session (until the browser is closed) or for extended periods, and may contain a unique identification code.

What are they used for?
Cookies are used for different purposes depending on their type: some are strictly necessary for the proper functioning of a website (technical cookies), while others optimize performance to provide a better user experience or allow the collection of statistics on website usage, such as analytics cookies. Additionally, some cookies enable the display of personalized advertisements, such as profiling cookies.

When you visit the website again, cookies will be sent back to the site that generated them (first-party cookies) or to third parties that can recognize them (third-party cookies).

In any case, cookies do not harm users’ devices but allow for faster navigation, providing a better browsing experience.

The website may use both cookies that do not require your consent for installation (such as technical cookies and anonymized analytics cookies) and cookies that require your prior consent (such as profiling cookies). This information is displayed in the banner shown when you first access the website and in the cookie settings panel, which is always available on the website.

In particular, the following types of cookies may be activated on the website:

a. Technical cookies (which do NOT require your consent):

These cookies are essential for the website’s functionality, allowing you to access its features (so-called navigation cookies) or authenticate during a session.

Functional cookies are also used, allowing the website to remember your preferences and settings, thereby enhancing your browsing experience.

To ensure their functionality, these cookies are generally not deleted when the browser is closed; however, they have a predefined duration (usually up to a maximum of 2 years) and automatically deactivate after this period. These cookies and the data they collect will not be used for any additional purposes.

Technical cookies are installed automatically upon accessing the website or to enable specific functionalities (e.g., security checks when submitting a request through contact forms). At any time, you can choose to disable them by modifying your browser settings; however, doing so may cause issues with the website’s display and functionality.

• Purpose pursued: To ensure the proper functioning and security of the website.
• Legal Basis for Processing: The Data Controller’s legitimate interest in ensuring the proper functioning of the website and the security of navigation, duly balanced with the data subject’s rights (Article 6, paragraph 1, letter f, GDPR).

b. Analytical Cookies (which may NOT require your consent if anonymized)

These cookies track the choices made on the website and data related to users’ online navigation (e.g., pages viewed, time spent on a page, etc.) to perform statistical analyses, usually in an anonymous and aggregated form. If users can be tracked and identified through these analyses, these tools may only be used with their prior consent.

However, when the following circumstances apply:

• the IP address has been properly anonymized;
• the information obtained through analytical cookies pertains to a single digital resource (website, app, etc.) and is used only in an anonymous and aggregated form;
• the cookie provider does not combine the information with other data processing and does not transmit it to third parties,

the complete anonymization of the collected data is ensured, and cookies falling into this category can be activated without requiring user consent, as the processed data cannot be linked to any identifiable user.

• Purpose pursued: To obtain statistics on user behavior on the website, based on aggregated and anonymized data.
• Legal Basis for Processing: Depending on the circumstances:

– The Data Controller’s legitimate interest in optimizing the website’s performance and improving the services provided through the website, duly balanced with the data subject’s rights (Article 6, paragraph 1, letter f, GDPR);

– The user’s consent (Article 6, paragraph 1, letter a, GDPR), freely given and revocable at any time through the cookie banner or by following the instructions provided below and in the Cookie Policy available on the website.

c. Profiling and Marketing Cookies (which require your CONSENT):

This website also uses profiling and third-party cookies, whose installation requires your prior consent, given through the cookie banner or managed at any time via the Cookie Policy available on the website.

Profiling cookies may include different categories, such as advertising profiling cookies, retargeting cookies, or social media cookies.

• Advertising Profiling Cookies: These cookies create a user profile that allows the display of advertising content aligned with the preferences expressed during website navigation.
• Retargeting Cookies: These cookies are created to send you advertising content related to products you have purchased or viewed on the website and shown interest in.
• Social Media Cookies: This website allows the installation of cookies related to social media plugins. These cookies are managed directly by third parties and enable the display of advertisements aligned with your preferences.

When you access the website, a dedicated banner will inform you about the presence of profiling and retargeting cookies. Through this banner, you can choose whether or not to consent to their installation, selecting specific cookies you wish to enable if desired.

At any time, you can revoke the consent previously given, without affecting your ability to visit the website and access its content.

The installation of profiling, retargeting, analytical, and social cookies, as well as any related activities, is managed through third-party services. For more information and to enable or disable these cookies, you can refer to the policies provided directly by the third-party companies. The relevant list is available in our Cookie Policy on the website.

The user is informed both through the brief notice (a banner displayed until consent is given or denied) and through our Cookie Policy available on the website. We encourage you to read it carefully for all additional information about the cookies used on the site and instructions on how to disable them.

• Purpose pursued: To analyze user browsing behavior in order to display personalized advertisements.
• Legal Basis for Processing: The user’s consent (Article 6, paragraph 1, letter a, GDPR), freely given and revocable at any time through the cookie banner or by following the instructions provided below and in the Cookie Policy available on the website.

Disabling Cookies via Browser

We inform you that from the website http://www.youronlinechoices.com/it/ It is possible not only to obtain additional information about cookies but also to check the installation of various cookies on your browser/device and, where supported, disable them.

Commonly used browsers (e.g., Internet Explorer, Firefox, Chrome, Safari) accept cookies by default, but this setting can be changed by the user at any time. This applies to both PCs and mobile devices, such as tablets and smartphones, as it is a widely supported feature.

Therefore, cookies can be easily deactivated or disabled by accessing the options or preferences of the browser in use, and in most cases, it is also possible to block only third-party cookies. Generally, these settings will apply only to that specific browser and device unless options to synchronize preferences across multiple devices are enabled.
Specific instructions can be found in the browser’s settings or help page. However, disabling technical cookies may affect the full and/or proper functionality of various websites, including this one.

Typically, modern browsers:

• offer the “Do Not Track” option, which is supported by some websites (but not all). This allows certain websites to stop collecting specific browsing data.
• offer the option of anonymous or incognito browsing: this prevents data from being stored in the browser and stops the browsing history from being saved. However, browsing data may still be collected by the operator of the visited website.
• allow the deletion of stored cookies, either partially or completely. However, upon revisiting a website, cookies will typically be reinstalled unless this option is explicitly blocked.

Below are links to the support pages of the most commonly used browsers, providing instructions on how to disable cookies:

• Firefox (https://support.mozilla.org/it/kb/Attivare%20e%20disattivare%20i%20cookie);
• Microsoft Edge (http://windows.microsoft.com/it-it/internet-explorer/delete-manage-cookies#ie=ie-11);
• Safari (iOS) (https://support.apple.com/it-it/HT201265);
• Chrome (desktop: https://support.google.com/chrome/answer/95647?hl=it; Android and iOS https://support.google.com/chrome/answer/2392971?hl=it).

4. For What Additional Purposes Might We Use Personal Data?

Additionally, users’ personal data may also be used for the following purposes:

1. to comply with legal obligations and requests from public or governmental authorities;
2. to manage any disputes or legal proceedings and, consequently, to defend the Data Controller’s rights, both in judicial and extrajudicial settings.

In such cases, the legal bases for processing will be:

• for point (a), compliance with a legal obligation;
• for point (b), the Data Controller’s legitimate interest in protecting its rights, provided that it is adequately balanced, on a case-by-case basis, with the rights of the data subject.

5. With Whom Is the Data Shared?

In accordance with the purposes outlined in the previous section, the personnel authorized by the Data Controller may process users’ personal data collected through the website to provide the requested services, information, or support. Access to personal data will be expressly authorized by the Data Controller, who, if necessary, appoints the entities engaged in providing services and carrying out relevant activities as Data Processors in accordance with Article 28 of the GDPR. The list of Data Processors is available from the Data Controller and can be requested using the contact details provided above.

Users’ data will never be transferred to third parties, except when required by the nature of the provided services or when, due to a legal obligation or a legitimate interest, the Data Controller needs to disclose them to the competent judicial or regulatory authorities.

6.How Is the Data Processed?

Users’ personal data will also be processed using electronic means for the time strictly necessary to achieve the purposes for which it was collected.

The Data Controller will adopt appropriate technical and organizational measures to limit the risks of data loss, unlawful or improper use, and to prevent unauthorized access by third parties.

The Data Controller is committed to implementing appropriate solutions to ensure the security of personal data by limiting the number of individuals authorized to access servers or databases and setting up protection systems to mitigate the risk of cyber-attacks.

7. Where Is Personal Data Processed?

The data collected through the website is stored on servers located in Italy, owned by Aruba S.p.A.

However, some service providers may be based in non-European countries, particularly the United States, as specifically mentioned in this policy regarding the Newsletter service provided via the Mailchimp platform and certain cookies provided by Google Inc., as indicated in the Cookie Policy available on the website.
In these cases, personal data related to the provided service may also be transferred to servers located in the United States, even though it is primarily collected and stored within the European territory.
In such instances, the provider guarantees compliance with and adoption of the safeguards required by the adequacy decision issued by the European Commission on July 10, 2023, concerning personal data transfers from the EU to U.S. companies.
To ensure the highest possible level of data protection, all necessary precautions are implemented, and the transfer is based on:
a) Adequacy decisions regarding the recipient third countries, as issued by the European Commission;
b) Adequate safeguards provided by the recipient third party, in accordance with Article 46 of the GDPR;
c) Binding Corporate Rules (BCRs), including the adoption of technical and IT security measures that best protect personal data and the rights of data subjects, in compliance with the GDPR and European regulations.

8. How Long Is the Data Retained?

Users’ personal data will be retained for the time reasonably necessary to achieve only the purposes previously listed, which can be consulted in the “Which Data is Processed?” section. For example, data used for sending the newsletter will be retained as long as the service remains active or until the user requests to unsubscribe from the service. Likewise, data may be retained for the periods required by applicable sector regulations, such as in the case of donations made in favor of the Basilica.

At the end of the retention period, your personal data will be deleted or irreversibly anonymized.

9. Links to Third-Party Websites and Social Networks

The website may contain links to and from third-party websites and social networks. Please note that the Data Controller assumes no responsibility for any personal data that may be collected through these websites and the use of their services. If the user follows a link to any of these external websites, they are encouraged to review the Privacy Policies provided by each third party before proceeding.

In particular, On the website, there are buttons that redirect users to the Data Controller’s profiles on social networks. Only after clicking on these buttons, certain marketing and profiling cookies may be activated by the third parties managing the social networks.
The Website Owner does not directly manage these tools but informs you of the possibility that, by using the website’s features, they may be activated.
For more information, including how to disable these cookies, please refer to the privacy policies of the respective social networks:

• Facebook: http://www.facebook.com/policy.php
• YouTube: https://policies.google.com/privacy?hl=it
• Instagram: https://help.instagram.com/519522125107875

10. The Rights of Data Subjects

In accordance with the provisions of the GDPR, the Data Controller informs users that all data subjects have the right to request:

• access to their data;
• the modification and correction of any errors in our databases related to personal data;
• the deletion of their data if held without the legal grounds for retention;
• the limitation of data processing;

• the objection to data processing;
• the portability of data.

Any templates and further information are also available here: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.

In the following table, we provide detailed information on how to exercise your rights:

YOUR RIGHT	HOW CAN YOU EXERCISE IT?
Access	It is possible to: Request confirmation of whether personal data is being processed; Obtain a copy of the data; Request additional information regarding personal data that is not already included in this privacy policy.
Rectification	It is possible to request the correction of inaccurate or incomplete personal data. Before proceeding with the correction, we will verify the accuracy of the data in our records.
Deletion / Right to be Forgotten	It is possible to request the deletion of personal data, but only in the following cases: The data is no longer necessary for the purposes for which it was collected; The user has revoked the previously given consent (if the processing is based on consent); The processing was carried out unlawfully; It is necessary to comply with a legal obligation to which the Data Controller is subject (in relation to an order from an authority).
Limitation	It is possible to request the limitation of personal data, but only in the following cases: If the accuracy of the data has already been contested; If the data is no longer necessary for the purposes for which it was collected, but there is an ongoing legal dispute regarding its use. Following a request for limitation, the use of personal data is still permitted if: The consent of the data subject remains valid; It is necessary to exercise or defend a legal claim; It is necessary to protect the rights of another individual or legal entity involved in the processing.
Portability	It is possible to request a copy of your personal data in a structured, commonly used, and machine-readable format.
Objection	You can object at any time to the processing of your personal data when: The legal basis for processing is the legitimate interest of the Data Controller; The personal data is being processed for direct marketing purposes, including profiling to the extent related to such marketing. In case of objection: For direct marketing purposes, personal data will no longer be processed for those purposes; For legitimate interest of the Data Controller, processing may continue only if the Data Controller demonstrates the existence of overriding legitimate grounds for proceeding with the processing that prevail over the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of a legal claim. The right to object can also be exercised through automated means using specific techniques, such as those provided on the website in the personal page and in emails (unsubscribe links).

The Data Controller guarantees that any request regarding the rights of data subjects will be responded to within thirty days of receipt, unless further investigation is required.

11. Possibility to File a Complaint

Each data subject has the right to file a complaint with the Data Protection Authority if they believe that the processing of their personal data by the Data Controller does not comply with the provisions of European Regulation No. 679/2016 and national legislation.

n Italy, the competent authority is the Garante per la Protezione dei Dati Personali, and its contact details are available at the following address: http://www.garanteprivacy.it/.

Further information and the sample document to use for the complaint are available here: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 .

Furthermore, if the conditions set forth in Articles 78 and 79 of the GDPR are met, each data subject has the right to file an appeal before the competent judicial authority.

12. Possible Changes

The information provided here may be modified over time, when changes occur in the processing activities, the data collected, or in response to legislative or regulatory changes, or technological developments. Users are therefore encouraged to periodically review this Privacy Policy, which will always be updated on this page.