Privacy policy and personal data processing

With this privacy policy, we wish to inform you about the methods of processing personal data of users (hereinafter referred to as “Personal Data”) who browse the website www.basilicasanpietro.va (hereinafter referred to as the “Portal”), according to the Decree No. DCLVII issued by the Pontifical Commission for the Vatican City State (hereinafter referred to as the “Decree”).

Below, you will find information on how we collect, use, and transfer the User’s Personal Data (hereinafter referred to as “User”), which includes all information that can be used to identify or contact the User.

1. DATA CONTROLLER

The Data Controller is the Fabbrica di San Pietro (hereinafter “FSP”), Palazzo della Canonica, 00120 Vatican City, privacy@fsp.va, through its Data Protection Officer (DPO).

2. PERSONAL DATA SUBJECT TO PROCESSING

The Personal Data subject to processing will consist of data suitable for making the User identified or identifiable within the Portal. In particular, the Personal Data processed through the Portal are the following:

a. Browsing data

The computer systems and software procedures used to operate the Portal acquire, during their normal operation, certain Personal Data whose transmission is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers used by Users connecting to the Portal, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the User’s operating system and IT environment. These data are used solely to obtain anonymous statistical information on the use of the Portal and to check its proper functioning, as well as to identify anomalies and/or abuse. The data may be used to ascertain liability in the event of hypothetical computer crimes against the Portal or third parties.

b. Data provided voluntarily by the User

When using certain services, the User may be asked to provide additional Personal Data, which the User will provide voluntarily if they wish to use such services.

3. LAWFULNESS OF THE PROCESSING OF THE USER’S PERSONAL DATA

The information we collect comes mostly directly from the User: it has been provided to us voluntarily or has proved necessary for the provision of our services.

The provision of Personal Data, which is used exclusively for the purposes listed in point 2.b., is optional and subject to the rights set out in Articles 15-24 of the Decree.

4. PURPOSES AND METHODS OF PROCESSING

The processing of the User’s Personal Data, based on specific consent where necessary, has the following purposes:

a. to allow browsing and consultation of the Portal and its related content;

b. to allow the provision of the requested services;

c. to ensure the preservation, security and safekeeping of data;

d. to fulfil legal obligations;

e. to ensure security and prevent fraudulent conduct.

f. to assess users’ level of satisfaction and improve the quality of the services offered by sending automated communications containing questionnaires, surveys or requests for feedback relating to the visit experience and the services used.

FSP will not process the information provided by the User for purposes other than those expressly indicated above.

Furthermore, FSP will not make automated decisions on the basis of the information provided and will not disclose Personal Data to third parties for purposes unrelated to the provision of the requested services.

All Personal Data collected are processed using automated and manual tools for the time strictly necessary to achieve exclusively the purposes indicated above and in such a way as to ensure their integrity, confidentiality and security.

5. DATA RECIPIENTS

Personal Data may be disclosed by FSP to other public and private entities solely pursuant to laws, regulations and/or a relevant order of the Judicial Authority, as defined in Article 12 of the Decree.

The Personal Data collected are processed by expressly authorized personnel (FSP employees or third parties appointed to provide maintenance and development services for the systems used for the computerized management of Personal Data, as well as third parties that manage network traffic) exclusively for purposes connected with the performance of their duties. They act on the basis of specific instructions provided regarding the purposes and methods of the processing, in compliance with the confidentiality and security of the Personal Data themselves and in relation to the services to which they are assigned.

Some of the User’s Personal Data may be shared and/or transferred, always for the processing purposes referred to in the preceding point 4, to recipients located outside Vatican City State. In any case, FSP will introduce all appropriate safeguards and rules of conduct useful for preserving the integrity and confidentiality of the data in accordance with the applicable regulations.

Where there are third-party service providers, they will have access only to the Personal Data necessary for carrying out their activities and may not process the data of which they become aware for further purposes. Furthermore, such third parties are required to process the Personal Data of which they become aware in accordance with this Privacy Policy and the applicable regulations on personal data protection.

6. COOKIES AND OTHER TRACKING SYSTEMS

FSP uses its own session technical cookies (non-persistent) strictly limited to what is necessary for safe and efficient navigation of the Portal. FSP also uses third-party cookies for data analysis. Further information is available on the relevant terms of service page at the following LINK.

For detailed information on the type of cookies used, please refer to the specific Cookie Policy page.

7. DATA RETENTION, SECURITY AND SAFEKEEPING

FSP retains the Personal Data collected accurately, completely and up to date for as long as they are necessary for the provision of the services to which the Personal Data themselves are linked.

Browsing data alone will be retained for a period of 12 months in order to ascertain liability in the event of hypothetical computer crimes against the Portal or third parties, if requested by the competent Police Authorities.

Data collected through satisfaction questionnaires and customer satisfaction activities will be retained for the time necessary to process the statistical analyses and, in any case, for no longer than 12 months, unless further organizational needs are adequately justified.

We can assure you that all necessary steps have been taken to guarantee the User the security of Personal Data once collected, through the use of computer systems with limited access and secure storage solutions in accordance with the security standards provided for the security measures indicated by best practices and as provided for in Article 14 of the Decree.

FSP adopts specific security measures to prevent data loss, unlawful or improper use and unauthorized access.

8. RIGHTS OF DATA SUBJECTS

Users to whom the Personal Data refer, in their capacity as data subjects and in accordance with Articles 15-24 of the Decree, may exercise the following rights at any time:

- the right of access or to obtain a copy of the Personal Data, allowing them to know the type of the User’s Personal Data processed by FSP and the characteristics of the processing carried out;

- the right to request rectification of the Personal Data in the event of omissions or errors;

- erasure or restriction of processing;

- the right to object to processing.

The data subject also has the right to withdraw/revoke their consent at any time, without prejudice to the lawfulness of processing based on the consent given before the revocation/withdrawal.

The data subject may also, at any time, object to receiving communications aimed at measuring satisfaction with the service using the methods indicated in the communication received.

9. METHODS FOR EXERCISING THE DATA SUBJECT’S RIGHTS AND UNSUBSCRIBING FROM OPTIONAL SERVICES

To exercise the rights referred to in point 8, or to lodge a complaint in accordance with Article 25 of the Decree, the data subject may contact FSP by sending an email to privacy@FSP.va with the subject “PERSONAL DATA”; this will be handled by FSP’s DPO, who will respond in accordance with Article 27 of the Decree.

10. CHANGES

This Privacy Policy will automatically incorporate any regulatory changes that may occur in this area. FSP reserves the right to modify this Privacy Policy to update its content; it is the User’s responsibility to check periodically for any changes. If this policy is subject to acceptance, in the event of a change it will be submitted to the User for renewed acceptance.

Browsing the Portal implies acceptance of this Privacy Policy.