Privacy policy and personal data processing

PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA


The Fabbrica di San Pietro (hereinafter “FSP”), with registered office at Palazzo della Canonica, 00120 Vatican City, acting as Data Controller, in line with the provisions of the General Regulation on the protection of personal data (hereinafter the “Regulation”) issued by Decree No. DCLVII of the Pontifical Commission for Vatican City State, adopted by FSP through the Personal Data Protection Guideline of 26.02.2026 and the related Procedure of 11.03.2026, provides the following information on the processing of the personal data provided by you.

Below is information on how the Personal Data of the user (hereinafter the “User”) are collected, used and transferred, meaning all information that may be acquired in order to allow access to the website www.basilicasanpietro.va (hereinafter the “Portal”) or to identify and/or contact the User (data subject).

Definitions

For the purposes of this document, the main definitions are set out below:

“Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, as well as data concerning physical or mental health;

“Processing”: any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, comparison or interconnection, restriction, erasure or destruction;

“restriction of Processing”: the marking of stored Personal Data with the aim of limiting their Processing in the future;

“profiling”: any form of automated Processing of Personal Data consisting of the use of such Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements; profiling may involve statistical inferences;

“pseudonymization”: the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures designed to ensure that such Personal Data are not attributed to an identified or identifiable natural person;

“encryption”: Processing that uses digital keys to access Personal Data;

“marketing”: activities consisting of sending advertising material, direct sales material, carrying out market research (including surveys on the evaluation of the goods and/or services offered) and commercial communications.

“anonymization”: the Processing of anonymous information, meaning information that does not relate to an identified or identifiable natural person or Personal Data rendered sufficiently anonymous to prevent or no longer allow identification of the Data Subject;

“filing system”: any structured set of Personal Data accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

“recipient”: the natural or legal person, public authority, service or other body to which Personal Data are disclosed;

“Data Subject’s consent”: any freely given, specific and informed expression of the Data Subject’s wishes by which the Data Subject signifies agreement, by a statement or unequivocal affirmative action, that the Personal Data relating to him or her be subject to Processing;

“Data Protection Officer (DPO - FSP)”: the natural person responsible for ensuring compliance with personal data protection rules;

“communication”: making Personal Data known to one or more specific persons other than the Data Subject, the Data Controller, the Data Processor and the persons authorized to Process Personal Data under the direct authority of the Controller or Processor, in any form, including by making them available, consulting them or by interconnection;

“Security Measure”: appropriate technical and organizational activities aimed at preventing Personal Data breaches, proportionate to the risk level of the Processing;

“Personal Data breach”: a breach of security measures that results, accidentally or knowingly, in the destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed;


1. THE DATA PROTECTION OFFICER (DPO - FSP)

The Data Protection Officer (hereinafter DPO - FSP) is designated by the Controller to perform the functions expressly provided for by the Decree.

The DPO - FSP can be contacted at the office of the Data Protection Officer located at FSP, e-mail: dpo@fsp.va.


2. CATEGORY OF PERSONAL DATA SUBJECT TO PROCESSING

Personal Data are collected directly from the data subject (User) through the User’s use of the Fabbrica di San Pietro Portal.

The data subject to Processing are “Personal Data”, namely common data consisting, by way of example only, of identification and personal details (e.g. name, surname, date of birth, tax code, etc.), contact information (e.g. telephone number, residential address or e-mail address, etc.) and information relating to your browsing (e.g. IP addresses or domain names).


3. ORIGIN OF PERSONAL DATA

Personal Data may be provided directly by the data subject by filling in the forms made available both in paper and digital format through use of the Portal.


4. PURPOSES AND LEGAL BASIS OF PROCESSING

Providing personal data is necessary in order to respond to your requests submitted through use of the Portal, relating to the purchase of tickets and any guided tours of the Necropolis and St. Peter’s Basilica.

If your data are not provided, we will not be able to carry out what has been requested.

The Processing of the User’s Personal Data, subject to specific consent where necessary, has the following purposes:

a. to allow browsing and consultation of the Portal and its contents;

b. to allow provision of the requested services;

c. to ensure the storage, security and custody of data;

d. to comply with legal obligations;

e. to analyze feedback and results from satisfaction surveys. For this purpose, Personal Data may also be processed in aggregate form (purpose of “Analysis of satisfaction surveys”);

f. to ensure security and prevent fraudulent conduct;

g. to use algorithmic artificial intelligence models to improve the services offered.

FSP will not process the information provided by the User for purposes other than those explicitly indicated above.

In addition, FSP will not make automated decisions based on the information provided and will not disclose Personal Data to Third Parties for purposes unrelated to the provision of the requested services.

All Personal Data collected are processed using automated and manual tools for the time strictly necessary to achieve only the purposes indicated above and in such a way as to ensure their integrity, confidentiality and security.

The stated purposes are based on the need to perform pre-contractual measures requested by you and on the consent you provided when requesting access to the Portal.


5. RECIPIENTS OF PERSONAL DATA

Personal Data may be disclosed by FSP to other public and private entities solely pursuant to laws, regulations and/or the relevant order of the Judicial Authority, in line with the provisions of the Regulation and the Guideline referred to above.

The Personal Data collected are processed by expressly authorized personnel (FSP employees or third parties appointed for maintenance and development services for the systems used for the computerized management of Personal Data, as well as third parties that manage network traffic) exclusively for purposes connected with the performance of their duties. They act on the basis of specific instructions provided regarding the purposes and methods of the Processing, in compliance with the confidentiality and security of the Personal Data and in relation to the services to which they are assigned.

Some of the User’s Personal Data may be shared and/or transferred, always for the indicated Processing purposes, to recipients located outside Vatican City State. In any case, FSP will introduce all appropriate safeguards and rules of conduct useful to preserve the integrity and confidentiality of the data in accordance with current regulations.

The data you provide may be sent to third-party companies that provide hosting, storage or IT infrastructure services, entities that provide customer support activities, third-party companies that manage fraud-control systems, and third-party companies that carry out Marketing activities.

Subjects, entities or authorities to whom it is mandatory and/or necessary to communicate Personal Data for the regular performance of the services (e.g. the SWIFT system to which it is necessary to communicate data in the case of transfers abroad, in foreign currency or with a non-resident beneficiary).

Where there are third-party service providers, they will receive only the Personal Data necessary for the performance of their activities and may not process the data of which they become aware for further purposes. In addition, such third parties are required to process the Personal Data of which they become aware in accordance with this Privacy Notice and the applicable regulations on personal data protection.


6. COOKIES AND OTHER TRACKING SYSTEMS

FSP uses its own technical session cookies (non-persistent) strictly limited to what is necessary for secure and efficient browsing of the Portal. FSP also uses third-party cookies for data analysis. Please refer to the relevant terms of service pages available at the following link.

For detailed information on the type of cookies used, you may consult our dedicated Cookie Policy information page.


7. STORAGE, SECURITY AND CUSTODY OF DATA

FSP stores the Personal Data collected accurately, completely and up to date for as long as they are necessary for the provision of the services to which the Personal Data are connected.

Browsing data only will be stored for a period of 12 months to establish liability in the event of hypothetical computer crimes against the Portal or third parties, or in the event of a request by the competent Police Authorities.

Restricted-access IT systems are used and protected storage solutions are employed in accordance with the security standards provided for the security measures indicated by best practices and in accordance with Article 14 of the Regulation and the Guideline.

FSP adopts specific security measures to prevent data loss, unlawful or improper use and unauthorized access.


8. DATA SUBJECTS’ RIGHTS

Users to whom the Personal Data relate, in their capacity as data subjects and in accordance with Articles 15-24 of the Decree, may exercise the following at any time:

- the right of access or to obtain a copy of the Personal Data, allowing them to know the type of User Personal Data processed by FSP and the characteristics of the Processing carried out;

- the right to request rectification of Personal Data in the event of omissions or errors;

- erasure or restriction of Processing;

- the right to object to Processing

- the data subject has the right to withdraw/revoke his or her consent at any time, without however affecting the lawfulness of Processing based on consent given before withdrawal/revocation.


9. METHODS FOR EXERCISING DATA SUBJECT RIGHTS AND UNSUBSCRIBING FROM OPTIONAL SERVICES

To exercise the rights referred to in point 8, or to submit a complaint in accordance with Article 25 of the Regulation and the Guideline, the data subject may contact FSP by sending an e-mail to privacy@FSP.va with the subject line “PERSONAL DATA”, which will be handled by FSP’s DPO, who will respond as provided for in Article 27 of the Regulation and the Guideline.