Privacy Policy

Version 1.0

The Fondazione Accademia Carrara, with registered office in Piazza G. Carrara 82, 24121 Bergamo, Italy, is committed to protecting the online privacy of its users. This document has been drafted in accordance with Art. 13 of EU Regulation 2016/679 (hereinafter, the “Regulation”) in order to inform you about our privacy policy, so that you can understand how your personal information is managed when you use our website (hereinafter, the “Site”) and, where necessary, so that you can give your explicit, informed consent to the processing of your personal data (valid only if given by persons aged 16 or over). The information and data you provide or that are otherwise acquired during your use of our services on the site (hereinafter “Services”) will be processed in compliance with the provisions of the Regulation and with the confidentiality obligations that underpin the activities of the data controller.

According to the rules of the Regulation, processing of data by the Fondazione Accademia Carrara is based on the principles of lawfulness, fairness, transparency, limitation of purpose and the data minimisation and conservation, accuracy, integrity, and confidentiality.


  1. Data controller
  2. Personal Data subject to processing
    a. Browsing data
    b. Special categories of Personal Data
    c. Data voluntarily provided by the data subject
  3. Purposes of data processing
  4. Legal basis and mandatory or optional nature of data processing
  5. Recipients of Personal Data
  6. Transfer of Personal Data
  7. Retention of Personal Data
  8. Rights of the data subjectù
  9. Modifications

1. Data controller

The controller of data processing carried out on the Site is the Fondazione Accademia Carrara as defined above. For further information concerning the processing of Personal Data by the data controller, including the list of data processors who process data, please write to:

2. Personal data subject to processing

After you browse the Site, please note that the data controller will process your personal data, which may consist of an identifier such as your name, identification number, online identification, postal address, e-mail address, telephone number (landline and/or mobile) and/or one or more characteristic features of your physical, physiological, psychic, economic, cultural or social identity (data hereinafter referred to as “Personal Data”) that may be suitable for identifying you or making you identifiable as the data subject.

Personal Data processed through the Site are as follows:

a. Browsing data

During their normal operation, the computer systems and software procedures used to operate the Site acquire some Personal Data, the transmission of which is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified data subjects, but by its very nature it could, by means of processing and association with data held by third parties, make it possible for users to be identified. This category of data includes the IP addresses or domain names of the computers used by those who connect to the Site, the addresses in Uniform Resource Identifiers (URI) of the resources requested, the time of the request, the method used for submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user’s operating system and computer environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to ensure that it is functioning correctly, to identify anomalies and/or abuses, and they are deleted immediately after processing. The data may be used to ascertain responsibility in the case of hypothetical computer crimes committed against the Site or third parties: without prejudice to this possibility, the data collected by the Site are currently removed within a short period of time.

b. Special categories of personal data

If you use the Site to send an application (or if you send it by e-mail), your Personal Data may fall within one of the special categories of personal data referred to in Art. 9 of the Regulation, which states that personal data are data that reveal “[…] racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and […] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. We invite you not to publish such data unless strictly necessary. Indeed, we remind you that in the event of special categories of Personal Data being transmitted, but in the absence of a specific manifestation of consent to process such data (which, however, naturally allows you to submit your curriculum vitae), the data controller cannot be held responsible under any circumstances, nor will it be subject to any claims whatsoever, since in this case the processing will be allowed as it concerns data manifestly made public by the data subject, in accordance with Art. 9(2)(e) of the Regulation. We nevertheless specify the importance, as already indicated above, of expressing your explicit consent to the processing of special categories of Personal Data, if you decide to share such information.

We also inform you that, for the purposes of selection, the data controller may analyse the professional social profiles made freely available on the Internet (e.g. LinkedIn).

c. Data voluntarily provided by the data subject

When using some Services on the Site (for example, request / contact / booking forms), the Personal Data you submit to the data controller may be processed by third parties. In these cases, you act as an independent data controller, assuming all legal obligations and responsibilities. As such, you grant absolute indemnity with respect to any dispute, claim, request for compensation for damage caused by the processing, etc. that may reach the data controller from third parties whose Personal Data have been processed by the Site in violation of applicable rules concerning the protection of Personal Data. In any case, should you provide or in any way process the personal data of third parties in your use of the Site, you henceforth guarantee – assuming any related responsibility – that such particular processing has a legitimate legal basis pursuant to Art. 6 of the Regulation, which legitimises the processing of the information in question.

3. Purposes of data processing

The data processing we intend to carry out, with your explicit consent where necessary, is designed to
a. enable us to provide the Services you request;
b. respond to requests for assistance, information or bookings;
c. examine CVs and contact candidates who have submitted their application;
d. fulfil any legal, accounting, and tax obligations.
e. provide marketing Services: the data provided may be processed, subject to your explicit and specific consent, for sending promotional and marketing communications, including newsletters and market surveys, by means of instruments that may be automated (sms, mms, e-mail, push notifications) or otherwise (printed mail, telephone with an operator). The legal basis for processing your data for these purposes is Art. 6, paragraph 1, letter a) of the Regulation. You are free to choose whether or not to receive direct marketing, so if you do not provide your consent for this purpose, your use of the Services will not be affected.

4. Legal basis and the obligatory or voluntary nature of data processing

The legal basis for processing Personal Data for the purposes referred to in section 3 (a-b-c) is Art. 6 (1)(b) of the Regulation (implementation of a contract) since the processing is required in order to provide the Services or to respond to requests from the data subject. Providing Personal Data for these purposes is optional but failure to provide them would make it impossible for the Site to provide its Services, respond to requests or evaluate CVs. With specific reference to the purposes outlined in 3.c and the related analysis of professional social profiles made freely available on the Internet, as referred to in section 2.b, the legal basis for data processing is Art. 6 (1)(f) of the Regulation, i.e. the legitimate interest of the data controller to assess any risks concerning the candidate’s suitability to fill the particular position.

The purpose referred to in section 3.d constitutes a legitimate use of Personal Data processing in accordance with Art. 6 (1)(c) of the Regulation (compliance with a legal obligation). Once Personal Data have been provided, processing is necessary in order to fulfil the data controller’s legal obligations.

The legal basis for data processing for the purposes referred to in section 3.e is Art. 6 (1)(a) of the Regulation (user consent). In the case of data processing carried out for the same purposes that involve the direct delivery of its own advertising material or its own direct sales or for carrying out its market research or commercial communications with regard to the data controller’s own products or Services similar to those purchased by you, the data controller can, without your consent, use the e-mail and printed mail addresses provided, pursuant to and within the limits permitted by Art. 130, paragraph 4 of the Code and by the provision of the Italian Data Protection Authority for the protection of Personal Data, dated 19 June 2008. The legal basis for processing your data for this purpose is Art. 6 (1)(f) of the Regulation (legitimate interest).

5. Recipients of Personal Data

Your Personal Data may be shared, for the purposes referred to in section 3 above, with:

a. subjects that typically act as data processors, namely: i) persons, professional firms or companies that provide assistance and advice to the data controller in accounting, administrative, legal, tax, financial, debt collection, marketing and communication matters relating to the provision of the Services; ii) subjects with whom it is necessary to interact for the provision of the Services (such as hosting providers) iii) or subjects delegated to carry out technical maintenance activities (including the maintenance of network equipment and electronic communication networks); (collectively, the “Recipients”);

b. subjects, entities, or authorities to whom it is mandatory to communicate your Personal Data in accordance with the legal provisions or orders of the authorities;

c. persons authorised by the data controller to process Personal Data in order to carry out activities strictly related to the provision of the Services or for the other purposes referred to in section 3 above, who are committed to confidentiality or have an adequate legal obligation of confidentiality (e.g. employees of the data controller).

6. Transfer of Personal Data

Some of your Personal Data are shared with Recipients that may be located outside the European Economic Area. The data controller ensures that your Personal Data is processed by these Recipients in compliance with the Regulations. The transfer of data may be based on an adequacy decision, on the Standard Contractual Clauses approved by the European Commission, or on another relevant legal basis. For further information, please write to the data controller at the following address:

7. Retention of personal data

Personal Data processed for the purposes referred to in section 3 (a-b) will be retained for the time strictly necessary to achieve said purposes. In any case, since such data processing is carried out for the provision of Services, the data controller will process the Personal Data up to the deadline permitted by Italian legislation in order to protect its interests (Italian Civil Code, Art. 2946 and ff.). As regards CVs submitted via the Site or by e-mail, as referred to in section 3.c, Personal Data will be retained for a period deemed appropriate for the purpose for which the data are collected. The data controller may nevertheless contact the candidate again shortly before the expiry time to request an extension of the retention period.

Personal Data processed for the purposes referred to in section 3.d will be retained until the time indicated by the specific obligation or applicable law.

Personal Data processed for the purposes referred to in section 3.e will, on the other hand, be retained until withdrawal of consent by the data subject, or, in the absence of such withdrawal, for a maximum period that is deemed to be appropriate.

Further information concerning the data retention period and the criteria used to establish this period can be requested by writing to the data controller at the following address:

8. Rights of data subjects

Pursuant to Article 15 and following articles of the Regulation, you have the right to ask the data controller, at any time, for access to your Personal Data, to correct or delete them, or to oppose their processing, and you have the right to request that processing be limited in the cases referred to in Art. 18 of the Regulation, as well as to obtain the data concerning you in a structured, commonly used and machine-readable format, in the cases referred to in Art. 20 of the Regulation.

Requests should be sent in writing to the data controller at the following address:

In any case, you always have the right to lodge a complaint with the Italian Data Protection Authority, in accordance with Art. 77 of the Regulation, if you believe that the processing of your Personal Data is contrary to current legislation.

9. Modifications

This privacy policy is effective from 23 May 2018. The data controller reserves the right to modify or simply to update its content, in part or in its entirety, also to comply with modifications to the applicable legislation. The content of the Site and of this privacy notice may be subject to variations, so the data controller invites you to visit this section regularly so as to be informed of the most recent updated version of the privacy notice so that you can be constantly informed of the data collected and of the use that is made of it.