• Privacy policy and personal data processing

With this privacy policy, we wish to inform you about the methods of processing personal data of users (hereinafter referred to as “Personal Data”) who browse the website www.basilicasanpietro.va (hereinafter referred to as the “Portal”), according to the Decree No. DCLVII issued by the Pontifical Commission for the Vatican City State (hereinafter referred to as the “Decree”).

Below, you will find information on how we collect, use, and transfer the User’s Personal Data (hereinafter referred to as “User”), which includes all information that can be used to identify or contact the User.

1. DATA CONTROLLER

The Data Controller is Fabbrica di San Pietro (hereinafter referred to as “FSP”), Palazzo della Canonica, 00120 Vatican City, privacy@fsp.va, through its Data Protection Officer (DPO).

2. PERSONAL DATA SUBJECT TO PROCESSING

The Personal Data subject to processing will consist of data suitable to make the User identified or identifiable within the Portal. Specifically, the Personal Data processed through the Portal includes:

a. Browsing Data

The computer systems and software procedures used to operate the Portal acquire, during their normal operation, some Personal Data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers used by the User who connects to the Portal, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.), and other parameters related to the User’s operating system and IT environment. This data is used solely to obtain anonymous statistical information on the use of the Portal and to monitor its correct operation, identify anomalies and/or misuse. Data may also be used to determine responsibility in case of hypothetical cybercrimes against the Portal or third parties.

b. Data Voluntarily Provided by the User

When using certain services, the User may be requested to provide additional Personal Data, which the User voluntarily provides if they wish to use such services.

In particular, for services that involve payments, the User may be requested to provide Personal Data such as name, surname, email address, credit card information (in the case of donations or payments through virtual POS), etc.

User payments for booked and purchased services are processed via the site booking.basilicasanpietro.va, operated by Trueitalian Experience S.r.l., and some of the data will be shared with FSP for the provision of purchased services. Data will be processed in compliance with EU Regulation 2016/675. Further information is available Here.

3. LEGITIMACY OF USER PERSONAL DATA PROCESSING

The information we collect mostly originates directly from the User: it has been voluntarily provided or deemed necessary for the provision of our services.

The provision of Personal Data, which is used exclusively for the purposes listed in section 2.b., is optional and subject to the rights listed in Articles 15-24 of the Decree.

4. PURPOSES AND METHODS OF PROCESSING

The processing of the User’s Personal Data, with the User’s specific consent where required, has the following purposes:

a. to allow navigation and consultation of the Portal and its content;

b. to enable the provision of the requested services;

c. to ensure data retention, security, and protection;

d. to fulfill legal obligations;

e. to ensure security and prevent fraudulent behavior.

FSP will not process the information provided by the User for purposes other than those explicitly indicated above.

Moreover, FSP will not make automated decisions based on the provided information and will not share Personal Data with third parties for purposes unrelated to the provision of requested services.

All collected Personal Data is processed using automated and manual tools for the time strictly necessary to achieve only the previously indicated purposes and in such a way as to ensure data integrity, confidentiality, and security.

5. DATA RECIPIENTS

Personal Data may be disclosed by FSP to other public and private entities only pursuant to laws, regulations, and/or relevant judicial authority orders, as defined in Article 12 of the Decree.

Collected Personal Data is processed by authorized personnel (FSP employees or third parties engaged in maintaining and developing systems used for managing computerized Personal Data, as well as third parties who manage network traffic) exclusively for purposes related to their functions. They act based on specific instructions regarding the purpose and method of processing while respecting confidentiality and security of Personal Data in relation to the services to which they are assigned.

Some of the User’s Personal Data may be shared and/or transferred, always for the processing purposes outlined in section 4, with recipients located outside the Vatican City State. In any case, FSP will introduce all appropriate safeguards and conduct rules necessary to preserve data integrity and confidentiality according to applicable regulations.

If there are third-party service providers, they will only have access to Personal Data necessary for performing their tasks and will not process data for further purposes. These third parties are also required to handle Personal Data in compliance with this Privacy Policy and applicable personal data protection regulations.

6. COOKIES AND OTHER TRACKING SYSTEMS

FSP uses its own session technical cookies (non-persistent) strictly limited to what is necessary for safe and efficient navigation of the Portal. FSP also uses third-party cookies for data analysis. Further information is available on the relevant terms of service page at the following LINK.

For detailed information on the type of cookies used, please refer to the specific Cookie Policy page.

7. DATA RETENTION, SECURITY, AND PROTECTION

FSP retains collected Personal Data accurately, completely, and up-to-date as long as it is necessary for the provision of services to which Personal Data is linked.

Browsing data will be retained for 12 months to determine responsibility in the event of hypothetical cybercrimes against the Portal or third parties, in case of requests from the competent police authorities.

We assure you that all necessary steps have been taken to guarantee the security of Personal Data once collected, by using limited-access IT systems and implementing secure storage solutions in accordance with best practice security standards and Article 14 of the Decree.

FSP adopts specific security measures to prevent data loss, illegal or improper use, and unauthorized access.

8. DATA SUBJECT RIGHTS

Users to whom Personal Data refers, in their capacity as data subjects and according to Articles 15-24 of the Decree, may at any time exercise the following:

• The right of access or to obtain a copy of Personal Data, allowing knowledge of the type of Personal Data processed by FSP and the characteristics of the processing performed;

• The right to request rectification of Personal Data in cases of omissions or errors;

• The right to deletion or restriction of processing;

• The right to object to processing.

The data subject also has the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

9. HOW TO EXERCISE DATA SUBJECT RIGHTS AND UNSUBSCRIBE FROM OPTIONAL SERVICES

To exercise the rights mentioned in section 8 or to file a complaint as specified in Article 25 of the Decree, the data subject may contact FSP by emailing privacy@fsp.va with the subject “PERSONAL DATA.” The request will be handled by FSP’s DPO and responded to according to Article 27 of the Decree.

10. CHANGES

This Privacy Policy will automatically reflect any regulatory changes that may occur in the field. FSP reserves the right to modify this Privacy Policy to update its content; it is the User’s responsibility to periodically check for any changes. If this policy is subject to acceptance, it will be resubmitted for User acceptance in case of modifications.

Browsing the Portal implies acceptance of this Privacy Policy.