Privacy Policy

Pursuant to Article 13 of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and Recommendation No. 2/2001 concerning minimum requirements for the collection of data online in the EU


1. Data Controller

The data controller is:
Le Gallerie degli Uffizi
Piazzale degli Uffizi 6, 50122 Florenze, Italy

This privacy policy is intended to provide information about the processing, purposes, methods and, in general, the management of data collected through the website (hereinafter, for brevity, the Website). This privacy policy relates solely to this Website, thus excluding any further pages that may be visited via links.

2. Purpose of the processing and legal basis

Le Gallerie degli Uffizi guarantees that within the scope of the legal provisions, the processing of personal data on the Website takes place in accordance with the basic rights and freedoms as well as in accordance with the dignity of the person concerned, with particular reference to confidentiality, personal identity and the right to protection of personal data.

In compliance with the conditions of lawfulness set out in Article 6 of the GDPR 2016/679, the personal data you provide through the Website may be processed for the following purposes:

1. Navigation and improvement of the Website

For more details on these purposes and types of data, please visit the "Cookie Policy" section.

3. Type of data processed

For the purposes mentioned above, the following data may be processed mainly:

personal data collected during navigation (Log Files). The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected in order to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This information contains only data relating to the navigation of users and no personal data relating to users. This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and computer environment. This data is used to provide the requested service and to obtain anonymous statistical information on the use of the site and to check its correct operation. The data could be used to ascertain responsibility in the event of hypothetical computer crimes to the detriment of the site. For more details on these types of data, please visit the "Cookie Policy" section, drafted pursuant to the new Cookie Guidelines and other tracking tools (Official Gazette no. 163 of 9th July 2021)

4. Modalities of processing

The processing will be carried out only by

a) authorised personnel for the performance of processing activities;

b) through the use of manual and electronic systems;

c) by persons authorised to carry out such tasks in accordance with the law, including appointments as data processors pursuant to Art. 28 of the European Regulation;

d) with the use of appropriate organisational and technical measures to ensure the confidentiality of the data and prevent access to them by unauthorised third parties.

Your data will not be included in automated decision-making processes.

5. Storage period of personal data

The data you provide will be kept for a period no longer than is necessary to fulfil the obligations or tasks referred to in point 2 of this information notice, with gradual deletion of the data attributable to the specific purposes no longer being pursued:

Management of communications and requests

Until the institutional purposes for which they were collected are exhausted

Pre-contractual/contractual obligations

Max 10 years in accordance with the retention periods for accounting, fiscal and administrative documents (art. 2200 civil code)

Website navigation and improvement

See Cookie Policy

6. Communication of personal data

Without prejudice to communications carried out in fulfilment of legal and contractual obligations, the data collected and processed may be communicated for the purposes specified above, to b. all those natural and/or legal, public and/or private persons (such as, by way of example and not limited to, the website manager), when the communication is necessary or functional to the performance of our activity and in the manner and for the purposes listed above.

7. Disclosure of personal data

Your personal data will in no way be transferred or communicated to third countries outside the EU.

8. Rights of data subjects

You have the right to request from the Data Controller the rights set out in Articles 15 et seq. of GDPR 2016/679:

  •     Access to your data and information;
  •     The rectification and erasure ("right to be forgotten") of data;
  •     The restriction of processing and the possibility to object to processing;
  •     the portability of the data;
  •     revocation of consent to processing.

If you feel that your rights have been violated, you have the option and the right to lodge a complaint with the GPDP Authority for the Protection of Personal Data:

← back