Notice pursuant to EU Regulation 679/2016 (GDPR)

The purpose of this document is to inform the natural person (hereinafter the “Data Subject”) about the processing of their personal data (hereinafter “Personal Data”) collected by the data controller, Fondazione Basilica di Superga ETS, with registered office at Piazza Borgo Dora 61, CF 97909840015, VAT no. 13203000016, e-mail address fondazione@basilicadisuperga.org, phone +39 011 8980083 (hereinafter the “Controller”), through the website www.basilicadisuperga.org (hereinafter the “Application”).

Changes and updates will be binding as soon as they are published on the Application. If the Data Subject does not accept the changes to the Privacy Notice, they must stop using this Application and may request the Controller to delete their Personal Data.

 

Categories of Personal Data Processed

The Controller processes the following types of Personal Data voluntarily provided by the Data Subject:

• Contact data: first name, last name, address, email, phone, any other information sent by the Data Subject, etc.
• Tax and payment data: tax code, VAT number, credit card details, bank account details, etc.

The Controller also processes the following types of Personal Data collected automatically:

• Technical data: Personal Data generated by devices, applications, tools, and protocols used, such as device information, IP addresses, browser type, ISP type. These data may leave traces which, especially when combined with unique identifiers and other information from servers, may be used to create profiles of natural persons.
• Browsing and usage data of the Application: e.g., pages visited, number of clicks, actions performed, session duration, etc.

Failure to provide Personal Data required by law, contract, or necessary for the conclusion of a contract with the Controller will make it impossible for the Controller to establish or continue the relationship with the Data Subject.

The Data Subject who provides the Controller with Personal Data of third parties is directly and solely responsible for their origin, collection, processing, communication, or dissemination.

 

Cookies and Similar Technologies

The Application uses cookies, web beacons, unique identifiers, and other similar technologies to collect Personal Data about the pages visited, links clicked, and other actions taken when using the Application. They are stored to be transmitted on the Data Subject’s next visit. The complete Cookie Policy is available at: www.basilicadisuperga.org/cookie

 

Legal Basis and Purposes of Processing

Processing of Personal Data is necessary:

• for the performance of the contract with the Data Subject, specifically:

1. fulfilling all obligations arising from the pre-contractual or contractual relationship with the Data Subject
2. registration and authentication: allowing the Data Subject to register on the Application, access it, and be identified, including through external platforms
3. support and contact: responding to the Data Subject’s requests
4. payment management: handling payments by credit card, bank transfer, or other means

 

• for legal obligations, specifically:

1. fulfilling any obligation under current laws and regulations, particularly tax-related

 

• based on the Controller’s legitimate interest, for:

1. email marketing of the Controller’s products/services to directly sell similar products/services using the email provided by the Data Subject in the context of a previous sale
2. management, optimization, and monitoring of the technical infrastructure: identifying and resolving technical issues, improving Application performance, managing and organizing information in an IT system (e.g., servers, databases)
3. anonymous statistical analysis: analyzing aggregated and anonymous data to understand Data Subject behavior, improve products/services, and better meet expectations

​

• based on the Data Subject’s consent, for:

1. profiling for marketing purposes: providing information on the Controller’s products/services through automated processing aimed at collecting personal information to predict or assess preferences or behavior
2. retargeting and remarketing: serving personalized ads to the Data Subject who has already visited or shown interest in the products/services offered by the Application
3. marketing the Controller’s products/services: sending commercial/promotional information or materials, conducting direct sales, or performing market research using automated and traditional methods
4. sharing Personal Data for marketing and research purposes with third parties, such as organizations and entities in the Italian cultural and tourism sector or partner organizations of Fondazione Basilica di Superga ETS (notably Associazione Abbonamento Musei – Via Assarotti 9 – Turin / Piazza Città di Lombardia 1 – Milan), so they may use them for analysis/research and to send commercial/promotional information or conduct direct sales or market research using automated and traditional methods.

Based on the Controller’s legitimate interest, the Application enables interactions with external platforms or social networks whose Personal Data processing is governed by their respective privacy notices. Interactions and information acquired are in any case subject to the Data Subject’s privacy settings on those platforms. Such information—absent specific consent for further purposes—will only be used to enable use of the Application and provide the requested services.

The Data Subject’s Personal Data may also be used by the Controller to protect its rights in legal proceedings before the competent courts.

 

Processing Methods and Recipients of Personal Data

Personal Data are processed using paper and electronic tools with organizational methods and logic strictly related to the indicated purposes, and with the adoption of appropriate security measures.

Personal Data are processed exclusively by:

1. individuals authorized by the Controller who have committed to confidentiality or are under an appropriate legal obligation of confidentiality
2. entities operating as independent controllers or as processors designated by the Controller to perform processing activities necessary for the purposes described (e.g., business partners, consultants, IT companies, service providers, hosting providers)
3. entities to whom communication of Personal Data is mandatory by law or order of authorities

These subjects must use appropriate safeguards to protect Personal Data and may only access the data necessary for performing their assigned tasks.

Personal Data will not be indiscriminately disseminated in any way.

 

Location

Personal Data will not be transferred outside the European Economic Area (EEA).

 

Personal Data Retention Period

Personal Data will be retained for the time necessary to achieve the purposes for which they were collected, specifically:

1. for contract performance, throughout the duration of the contractual relationship and, after termination, for the standard limitation period of 10 years. In the event of legal proceedings, for the entire duration until exhaustion of appeal rights
2. for purposes based on the Controller’s legitimate interest, until that interest is fulfilled
3. for legal obligations, authority orders, or legal defense, for the period provided by such obligations or until the limitation period provided by law
4. for purposes based on the Data Subject’s consent, until the consent is withdrawn. For marketing purposes, no longer than 24 months.

At the end of the retention period, all Personal Data will be deleted or stored in a form that does not allow identification of the Data Subject.

 

Data Subject’s Rights

Data Subjects may exercise certain rights regarding their Personal Data processed by the Controller.

In particular, they have the right to:

1. be informed about the processing of their Personal Data
2. withdraw consent at any time
3. restrict processing of their Personal Data
4. object to processing
5. access their Personal Data
6. verify and request rectification
7. obtain restriction of processing
8. obtain erasure
9. transfer their Personal Data to another controller
10. lodge a complaint with the data protection authority and/or take legal action.

To exercise these rights, Data Subjects may send a request to the following email: fondazione@basilicadisuperga.org. Requests will be handled by the Controller promptly and in any case within 30 days.

 

Data Protection Officer

The Data Protection Officer is Fondazione Basilica di Superga ETS, with registered office at Piazza Borgo Dora 61, CF 97909840015, VAT no. 13203000016, e-mail address fondazione@basilicadisuperga.org, phone +39 011 8980083.

 

Last update: 30/06/2025