This policy has been issued – pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (the General Data Protection Regulation, hereinafter referred to as “GDPR”) – for the users (hereinafter also referred to as “Users” or “User”) of the website piccoloteatro.org/it and the relative ticketshop available via this link (hereinafter respectively the “Website” and the “Ticketshop”) of the Fondazione Piccolo Teatro di Milano – Teatro d’Europa (hereinafter also referred to as the “Teatro”) with the aim of describing the purpose and the methods of processing of personal data by the Teatro.
 

Pursuant to the applicable privacy regulation, personal data belonging to the User may be collected during consultation of the Website and the Ticketshop.

This policy has been issued exclusively for the Website and the Ticketshop and does not concern any other websites that may be accessed by the User via links present on the same.

DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller pursuant to article 4, paragraph 1, point 7 of the GDPR is the Fondazione Piccolo Teatro di Milano – Teatro d’Europa, with registered headquarters in Milan, 20121, Via Rovello 2 (hereinafter referred to as the “Data Controller” or “Teatro”). 

Pursuant to article 37 of the GDPR, the Data Controller has appointed a Data Protection Officer (DPO), who may be contacted via the email address: dpo@piccoloteatromilano.it. 

PURPOSE OF PROCESSING
Details are provided below of the data belonging to the User that may be processed by the Teatro in the event of consultation and use of the Website and the Ticketshop. 

The User assumes responsibility for any communication of personal data belonging to third parties, guaranteeing that they have full rights to communicate or distribute the same and, in any case, freeing the Teatro of any responsibility towards third parties resulting from any illegitimate use of their personal data. 

Personal data acquired automatically in the event of visits to the Website

Navigation data. The Teatro automatically collects data on the device (PC, tablet, mobile phone or other mobile device) and the connection used by the User including, for example, the IP address, the date and time of access, information on hardware and software, and information regarding device events and crashes.

Data regarding the use of the Website. The Teatro collects information regarding the methods with which the User has used the Website, including the pages and the content viewed, the searches carried out, the third-party applications present on the Website that are used by the User (for example, maps and other functions of Google Maps used by the User to locate Teatro Strehler, Teatro Studio Melato, Teatro Grassi and the Chiosco Nina Vinchi, as well as to view their interiors) and links to third-party websites and third-party applications on which the User has clicked.

Personal data provided directly by the User when using the Ticketshop

a. Data required to use the account created to make purchases via the Ticketshop

Compulsory data provided for account registration. The Teatro collects the compulsory data required to create the User’s account with the Ticketshop. These are fields marked with an asterisk, such as, for example, the email address and the creation of a password to access the personal profile, name, surname, date of birth, main address and mobile telephone number. 

b. Data required to allow the User to purchase tickets and/or subscriptions

Data connected to the User’s account. The Teatro collects a series of information related to the methods with which the User uses their account (for example the adding of tickets or subscriptions to the shopping cart). 

Data regarding transactions. The Teatro collects information related to the transactions that the User makes via the Ticketshop, including data on the payment tools used, the time and date of payment, and the amount paid. 

Optional data that the User may provide the Teatro

Data provided via requests for information via email. If the User requests information in an explicit and voluntary manner via the addresses indicated on the Website, the Teatro will acquire the email address of the User and any other personal data entered in the request. 

Data provided via the use of the newsletter service. If the User agrees to receive emails from the Teatro regarding any programme updates, sales, news, promotions, etc., the Teatro will acquire the email address of the User and other behavioural data regarding the email sent, including, for example, the opening of the same and any links included in the newsletter that the User may have clicked on. 

Personal data collected by the Teatro via cookies

Data provided via the use of cookies. The Teatro uses cookies to collect data on the activity of the User on the Website and the Ticketshop, on their preferences and on other technical data relative to the User. For further information on the use of Cookies, the User may consult the Cookie Policy relative to the Website. 

PURPOSE AND LEGAL BASIS FOR PROCESSING
Via the Website and the Ticketshop, the Teatro processes the personal data of the User for the purpose of:

• operating, monitoring and improving the Website;

• operating, monitoring and improving the services rendered by the Teatro via the Ticketshop (in particular, the online purchase and reservation of tickets and the online purchase of subscriptions);

• allowing management of the account and the processing of payments within the Ticketshop;

• maintaining secure, protected and operational the services rendered by the Teatro via the Ticketshop (in particular, the online purchase and reservation of tickets and the online purchase of subscriptions);

• providing the User with information regarding their account, as well as to resolve any problems regarding the Ticketshop account;

• resolving disputes with the User, to recover from the User any amounts due or in any case required to provide the services rendered by the Teatro via the Ticketshop;

• preventing, detecting and mitigating fraud, security violations and any potentially forbidden or illegal activities.

The legal basis for the processing carried out for these purposes, pursuant to art. 6, letter b) of the GDPR, is the fulfilment of a contract of which the User involved is party or the execution of precautionary measures adopted by request of the same.

The Teatro also processes the personal data of the User for the purpose of:

• identifying and resolving problems encountered by the User in using the Website or the Ticketshop (for example, pages blocked or not functioning) and providing them with an improved experience;

• personalising, measuring and improving the publicity shown to the User on other websites, on the basis of the preferences of the User detected while navigating the Website or the Ticketshop;

• collecting statistical information in aggregated form on the number of Users that visit the Website or the Ticketshop and on the methods with which Users visit the Website or the Ticketshop;

• preventing, detecting and mitigating fraud, security violations and any potentially forbidden or illegal activities published on the Website and/or the Ticketshop;

• gathering the opinions of the User via surveys or questionnaires.

The legal basis for the processing carried out for these purposes, pursuant to art. 6, letter f) of the GDPR, is the pursuing of the legitimate interests of the Data Controller or of third parties, in respect of the interests or the fundamental rights and freedoms of the data subject.

The Teatro also processes the personal data of the User for the purpose of:

• sending communications regarding any changes to the programme or disruptions regarding the chosen performance at the Teatro (such as, for example, modifications or cancellations);

• carrying out marketing and sending information and/or promotions regarding activities and shows organised by the Teatro.

The legal basis for these purposes, pursuant to ar. 6, letter a) of the GDPR, is the specific consent expressed by the data subject.

METHODS OF PROCESSING AND THE PERIOD OF CONSERVATION OF PERSONAL DATA
The Teatro ensures that the personal data of the User are processed, in full respect for the GDPR and the privacy regulations currently in force in Italy, via manual, digital or telematic tools exclusively to allow the purposes for which they have been collected.

The data collected will be protected through physical and logical methods with the purpose of reducing to a minimum the risk of unconsented access, distribution, loss or destruction of the data pursuant to arts. 25 and 32 of the GDPR.

The personal data of the User are held (in accordance with the criteria of recital 39 and art. 5, paragraph 1, letter e) of the GDPR) for the period of time strictly necessary for the provision of the service requested by the User themselves or, in any case, for the fulfilment of the purposes described above. 

Unless the Data Controller receives a request for erasure, the personal data of the Users with Ticketshop accounts will be held for a period of time of no more than 10 years from the date of the most recent access. In all other cases, the period of conservation will be no longer that two years.

The personal data of the User may be held for longer periods in the event that this is necessary in order to comply with the legal, administrative or accounting obligations of the Teatro, or to ensure, exercise or defend its legal rights, or to fulfil other requirements of public interest.

If the User has granted their consent to the processing of their data (for the sending of communications regarding any disruptions or of promotional emails), they may revoke their consent at any time.

On the expiry of said periods of conservation, the User’s data will be permanently erased or rendered anonymous.

TRANSFER OF PERSONAL DATA
The personal data collected via the Website or Ticketshop may be transferred outside of national territory only and exclusively for the execution of the services requested by the User, to provide the most suitable response to requests made and to improve the services offered. Any transfer of data, even outside the European Union, will take place in full respect for the GDPR, and, where necessary, of the so-called Standard Contractual Clauses and the so-called Suitability Decisions adopted by the European Commission.

RECIPIENTS OF PERSONAL DATA
The personal data collected may be processed by subjects or categories of subject who act, pursuant to art. 28 of the GDPR, as Data Processors or who, pursuant to art. 29 of the Regulation, are authorised for the processing of data.

Beyond the aforementioned hypotheses, the personal data are not subject to communication other than to subjects, organisations or authorities to which communication is obligatory in accordance with laws or regulations.

Lastly, the data may be communicated for marketing purposes only with the direct consent of the User.

RIGHTS OF DATA SUBJECTS
Pursuant to the relative regulation, the User has the right to request, at any moment:

1. confirmation of the existence or otherwise of personal data concerning them, even if not yet recorded, in a concise, transparent, intelligible and easily accessible form, and in simple and clear language;

2. indication:
   a. of the source of the personal data;
   b. of the purposes and methods of processing;
   c. of the legitimate interests pursued by the Data Controller or third parties;
   d. of the recipients or categories of recipients of the personal data, if any;
   e. of any intention of the Data Controller to transfer personal data to another country or an international organisation;
   f. of the period of storage of the personal data;
   g. of the logic applied in the event of processing with the use of electronic instruments, as well as the significance and the envisaged consequences of such processing for the data subject, in the case of automatic gathering and/or profiling processes;
   h. of the identification details of the Data Controller and of the Data Processors, of any appointed representatives and the Data Protection Officer (DPO);
   i. of the entities or categories of entity to which personal data may be communicated or who may become aware of the personal data in their role as designated representative within national territory, as Data Processors or persons authorised to process data;

3. the right to lodge a complaint with a supervisory authority;

4. the updating, rectification or, when necessary, the integration of the data;

5. the cancellation, the transformation in anonymous form or the blocking of data handled in violation of the law, including data for which conservation is unnecessary with regards to the purposes for which the data has been collected or subsequently handled;

6. the restriction of processing;

7. the portability of personal data that concerns them to another Data Processor;

8. the withdrawal of consent to processing;

9. the opposition, either total or partial, for legitimate reasons, the processing of personal data which concern them, even if pertinent to the purpose of collection.

The Teatro will comply with the request of the User without delay and, in any case, within a month of receipt of said request. If necessary, the aforementioned term may be extended to two months, taking into account the complexity and number of the requests received by the Teatro. In this case, the Teatro will inform the User of the extension of the terms and the relative reason within one month of receipt of the request.

The aforementioned rights may be exercised via informal written request to the Teatro at the following address: spiazzic@piccoloteatromilano.it.

The Teatro hereby reminds the User that, in the event that they consider the response to their request to be unsatisfactory, they may lodge a complaint with the Italian Data Protection Authority in the methods provided for by the Applicable Privacy Regulation.

DATA PROTECTION OFFICER
In order to exercise the rights as per the point above, the data subject may contact the Data Protection Officer at any time for any communications regarding the processing of their personal data, or to receive the updated list of any Data Processors appointed by the Company, by sending an email to the following address: dpo@piccoloteatromilano.it. 

UPDATES TO THE PRIVACY POLICY
The Teatro reserves the right to make changes to this Privacy Policy at any time, providing adequate information on this Website page.

It is therefore important to regularly consult this page, taking into account the date of the latest update shown below. Unless otherwise specified, in the event of modifications, the previous privacy policy shall continue to apply to personal data collected up to that point.
 

Image from the show Arlecchino servitore di due padroni by Carlo Goldoni, directed by Giorgio Strehler. Photo © Diego Ciminaghi/Piccolo Teatro di Milano – Teatro d’Europa

Last updated December 2023