Go to main contentGo to footer

Video surveillance system policy


pursuant to article 13 of the “European General Data Protection Regulation” (GDPR)
With this document (“Policy”), the Uffizi Galleries, as the entity through which the Italian Ministry of Culture (MIC) exercises the functions of Data Controller pursuant to Ministerial Decree no. 147 of 14 March 2019, wishes to inform You about the purposes and methods of the processing of your personal data and of the rights granted to you by Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free circulation thereof (“GDPR”).

1. Data Controller
•       The Data Controller of personal data is the Italian Ministry of Culture (MIC).
•       Your data, for the purposes foreseen by this policy, will be collected and processed by the Uffizi Galleries (hereinafter also referred to as “Uffizi” or “Institute”), in its capacity as Data Controller, with registered office in Piazzale degli Uffizi 6 - 50122 Florence (FI).

2. Data Protection Officer
The MIC, exercising as Data Controller, with Ministerial Decree of 24 July 2020, Repertory Number 349/2020, has identified as Data Protection Officer, pursuant to Article 37 et seq. of the GDPR, Dr. Antonio Francesco Artuso, Manager of Service I of the General Directorate Organisation.
For issues concerning the processing of personal data, the data subject may contact:
I.      Primarily, the DPO contact person appointed by the Uffizi Galleries (article 3, letter e) of Ministerial Decree no. 147 of 14 March 2019) at the following email address: ga-uff.privacy@cultura.gov.it.
II.     Secondarily, the DPO in the following ways:
- by email at the following addresses:  regular email to rpd@cultura.gov.it, certified email to rpd@pec.cultura.gov.it
- by phone at the number: 0667232494.

3. Information on the processing
The personal data subject to processing is collected and processed by the Uffizi Galleries, or by third parties expressly authorised by the same, or communicated by the Institute to such third parties for the pursuit of the purposes described below.

4. Personal data processed
For the purposes indicated in this Policy, the personal data that is subject to processing relates to the detection and recording by means of the video surveillance system, i.e. detection and recording of images of people and things entering the premises of the Uffizi Galleries or passing through the range of action of such system.

5. Purpose and legal basis of processing
Your personal data will be processed (for the definition of “processing”, see article 4, par. 1, no. 2 of the Regulation) for the following purpose:
The processing of personal data collected through the video surveillance system is carried out for purposes of public interest such as the safety and protection of persons, as well as for the protection of the historical and cultural heritage under the Institute's jurisdiction. Ex Art. 6 par. 1(e) Regulation (EU) 2016/679.

6. Video Surveillance System
Pursuant to art. 3.1 of the General Provision on Video Surveillance of 29 April 2004 set forth by the Italian Data Protection Authority and the General Provision on Video Surveillance of 8 April 2010, we inform You that the Uffizi Galleries has activated a video surveillance system, both inside and outside its premises, in order to control access and certain sectors/departments within the Institute.
As the video recording is automatic and generalised, the person accessing the areas under video surveillance cannot avoid being filmed, which is exclusively aimed at guaranteeing the safety of staff and third parties during their stay inside the Institute, as well as at ensuring the protection of the Uffizi Gallery's assets and helping to identify any perpetrators of offences by facilitating, in the event of unlawful acts, the protection of the violated rights.
Through the above-mentioned video surveillance system, some personal data concerning You, represented by Your images, may also be processed. To this end, we inform You that the processing of data collected through the cameras is carried out according to legitimate objectives and in compliance with the provisions of the above-mentioned General Provisions on video surveillance.

7. Processing method
The data provided is processed by the Uffizi Galleries in accordance with the current Privacy regulations. The Uffizi Galleries undertakes, in particular, to process them according to the principles of correctness, lawfulness and transparency, to collect them in the necessary and exact measure for their processing and to allow their use only by personnel authorised for this purpose.
The Data Controller carries out the processing of personal data by means of IT and/or telematic tools, and with organisational and logical methods strictly related to the pursuit of the purposes indicated in this Policy, as well as by adopting appropriate security measures in order to prevent unauthorised access, disclosure, modification or destruction of personal data. 

8. Period of data retention
All data held by the Uffizi Galleries is retained only for the period of time necessary according to management requirements and applicable legal obligations.
The data collected through the video surveillance system is not subject to communication or dissemination (except for the execution of any orders issued by the judicial authorities or public security authorities, as set out in point 9 below) and is retained for the pursuit of the aforementioned purposes for the time strictly necessary exclusively by the surveillance personnel, for a period of 6 days (as per the authorisation order by the Italian Data Protection Authority of 27 July 2010, protocol no. 17367), after which it is automatically deleted. The images can only be viewed by authorised personnel or judicial authorities.

9. Communication of data
Without your express consent (pursuant to article 6, letters b) and c) of the Regulation), the Data Controller or the party exercising the functions of Data Controller may communicate your data for the purposes referred to in article 5 to supervisory bodies, judicial authorities and to all other persons to whom the communication is required by law for the fulfilment of the above purposes.

10. Data transfer
The management and retention of personal data will take place on the server of the Data Controller or of the party exercising the functions of Data Controller, and/or of third-party companies duly appointed as Data Processors (ex. Art 28 GDPR) located within the European Union. Currently, the servers are located in Italy. However, it is understood that the Data Controller or the party exercising the functions of Data Controller, if necessary, will have the right to move the location of servers within the European Union and/or non-EU countries. In this case, the Data Controller, or the party exercising the functions of Data Controller, ensures as of now that the transfer of data outside the EU will take place in accordance with articles 44 et seq. of the Regulation and the applicable legal provisions by entering into, if necessary, agreements that guarantee an adequate level of protection. In particular, it must ensure that adequate technical and organisational measures are in place so that the processing meets the requirements of the Privacy Code and the GDPR, that the protection of the rights of interested third parties is ensured, that data transfers can be traced, and that the appropriate security measures can be documented.

11. Rights of the data subject
In Your capacity as data subject, we inform You that you can exercise all the rights provided for by article 15 of the Regulation, namely:
a)      the right to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to obtain access to the personal data and the following information: i) the categories of personal data concerned; ii) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular in the case of third countries or international organisations; iii) when possible, the expected period of retention of the personal data or, if this is not possible, the criteria used to determine this period; iv) the existence of the right of the data subject to request from the Data Controller, or the party exercising the functions of Data Controller, the rectification or erasure of personal data or the restriction of the processing of personal data concerning them or to object to their processing; v) the right to lodge a complaint with a supervisory authority, pursuant to articles 77 et seq. of the Regulation; vi) if the data are not collected from the data subject, all available information regarding their origin; vii) the existence of an automated decision-making process, including profiling as referred to in article 22, paragraphs 1 and 4 of the Regulation, and, at least in such cases, meaningful information on the logic used, as well as the importance and expected consequences of such processing for the data subject; viii) the right to be informed of the existence of adequate guarantees pursuant to article 46 of the Regulation relating to the transfer, if personal data are transferred to a third country or an international organisation;
b)      the rights (where applicable) under articles 16-21 of the Regulation (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object).
We inform you that the Uffizi Galleries is committed to responding to your request within one month of receiving it. This term may be extended, for no more than two months, depending on the complexity or number of requests, and the Institute will explain the reason for the extension within one month of your request. It should also be noted that if the Uffizi Galleries does not comply with the request, it is obliged to provide feedback to the data subject regarding the reasons for non-compliance and the possibility to lodge a complaint with a supervisory authority or judicial appeal within one month of receiving the request.
The outcome of your request may be provided to you in writing or electronically.

12. Procedures for exercising rights
The data subject may at any time exercise the rights set out in Article 15 et seq. of the Regulation in the following ways:
i.      by sending an email to the DPO contact person at the address: ga-uff.privacy@cultura.gov.it. ii.     by sending a registered letter with acknowledgement of receipt to the Institute's registered office at the address:
Piazzale degli Uffizi 6 - 50122 Florence (FI).

13. Amendments to this Policy
The Uffizi Galleries undertakes to inform the data subject of any amendments to this policy.

Gallerie degli Uffizi
(in qualità di esercente le funzioni di Titolare del trattamento)
Dr. Simone Verde

The Newsletter of the Uffizi Galleries

Subscribe to keep up to date!