Privacy policy
1. PREMISE
This Privacy Notice or Privacy Policy (the Policy), provided pursuant to Articles 12 et seq. of Regulation (EU) 2016/679 (GDPR), informs users who browse and utilize the services offered by this website (the Site) about the processing of their personal data (the User or Users).
The Policy outlines the types of personal data collected through the Site, the purposes and legal bases for processing, and the rights granted to Users. No automated decision-making processes are involved.
This Policy applies solely to the Site and does not cover other websites that Users may access via links provided on the Site.
2. DATA CONTROLLER
The data controller is Mr. Filippo di Sambuy, born in Rome on 14/09/1956, residing in Monaco (FR), Tax Code BLBFPP56P14H501I (hereinafter, the Controller). In accordance with Article 27 of the GDPR, the Controller has appointed Ms. Marianna Papone, Tax Code PPNMNN94S57E290F, residing in Italy, as his representative in the European Union.
For any inquiries related to the processing of personal data by the Controller, and in particular to exercise their rights (briefly outlined in paragraph 7 below), Users can send their requests via email to archiviofds@gmail.com.
The Controller collects data and information in an accurate, transparent, relevant, and adequate manner, solely for the purpose for which it is collected, without requesting unnecessary information.
3. CATEGORIES OF DATA PROCESSED
3.1 Browsing Data
The computer systems and software procedures used to operate the Site acquire, during normal operation, some personal data whose transmission is implicit in the use of internet communication protocols. This information is not collected to be associated with identified individuals, but due to its nature, it could allow Users to be identified.
This category of data includes:
(i) the IP addresses or domain names of the computers used by Users who connect to the Site; (ii) the URI (Uniform Resource Identifier) addresses of the requested resources; (iii) the time of the request; (iv) the method used to submit the request to the server; (v) the size of the file obtained in response; (vi) the numeric code indicating the status of the response given by the server (successful, error); and (vii) other parameters related to the operating system and the User's IT environment.
3.2 Cookies
The Site also uses tracking tools such as cookies. For more information, please refer to the relevant section available on the Site, which is an integral part of this Policy.
3.3 Data Possibly Provided by the User
Finally, the User can contact the Controller via the "Contacts" section of the Site, for the purposes outlined in the following paragraph, providing their identification and contact data (e.g., name, surname, email address) and/or other personal information.
4. PURPOSE AND LEGAL BASIS OF THE PROCESSING
The Data Controller processes the personal data of Users through the Site, in particular, for the following purposes:
(a) Allow the Data Controller to carry out activities related to the verification of authenticity and digital archiving of artworks, upon request from Users via the “Authentication Request” section on the Site (e.g., collecting preliminary information for verification, using the information to perform the verification, archiving the information in the Filippo di Sambuy Archive, and potentially publishing the information in the Filippo di Sambuy Archive, which will be made available to the public on the Site). The legal basis for this processing is the execution of pre-contractual measures and/or the execution of a contract to which the User is a party, pursuant to Article 6, paragraph 1, letter b) of the GDPR.
(b) Allow Users to contact the Data Controller to receive information about the services offered. The legal basis for this processing is the execution of pre-contractual measures and/or the execution of a contract to which the User is a party, pursuant to Article 6, paragraph 1, letter b) of the GDPR.
(c) Manage and maintain the security of the Site and registered accounts. The legal basis for processing in these cases is the legitimate interest of the Data Controller, pursuant to Article 6, paragraph 1, letter f) of the GDPR.
(d) Assert or defend a right in or out of court. The legal basis for processing is the legitimate interest of the Data Controller, pursuant to Article 6, paragraph 1, letter f) of the GDPR.
(e) Comply with legal obligations and/or requests from authorities. The legal basis for processing is the fulfillment of legal obligations, pursuant to Article 6, paragraph 1, letter c) of the GDPR.
(f) Send the Data Controller’s newsletter to Users. The legal basis for processing is the User's consent, pursuant to Article 6, paragraph 1, letter a) of the GDPR.
5. RECIPIENTS OF PERSONAL DATA
The personal data of Users may be communicated, for the purposes outlined above, to the following categories of recipients, by way of example:
● Collaborators of the Data Controller, as well as external companies and professionals engaged by the Data Controller to carry out activities related to the verification of authenticity and archiving of artworks;
● Auction houses, both national and international;
● Other Users of the Site;
● The Data Controller's IT service providers (e.g., IT service providers, cloud services, etc.); ● Authorities and, in general, public or private entities with public functions, where the communication of data is required by specific regulatory provisions.
These entities will process the data as independent data controllers, data processors pursuant to Article 28 of the GDPR, or authorized subjects to process data pursuant to Article 29 of the GDPR. A list of the data processors can be requested from the Data Controller at the address specified in paragraph 2.2
6. DATA STORAGE
The Data Controller retains the personal data of the Data Subjects for the period necessary to achieve the purposes outlined in this Policy and, in any case, for the standard statute of limitations.
With regard to the consent provided for the purpose referred to in paragraph 4(f), the Data Controller retains the personal data of Users for no longer than 2 years from collection. This is without prejudice to the Users' right to revoke consent at any time, and the data processing carried out before the revocation will remain valid, without affecting the provisions in paragraph 4(d).
7. USER RIGHTS
Data Subjects may exercise all the rights indicated in Articles 15-22 of the GDPR by contacting the Data Controller at the addresses provided in paragraph 2. Specifically, Users have the right to:
● Obtain confirmation of whether or not their personal data is being processed, even if not yet registered, and to receive such data in an intelligible form;
● Obtain, among other things, the following information:
(i) the origin of the personal data;
(ii) the purposes and methods of processing;
(iii) the identity of the Data Controller;
(iv) the recipients or categories of recipients to whom the personal data may be communicated or who may become aware of them, including as data controllers;
(v) the categories of personal data in question;
(vi) where possible, the expected retention period or the criteria used to determine it; (vii) the existence of the right to request rectification, erasure, or restriction of processing of personal data;
(viii) the existence of the right to object to processing;
(ix) the right to lodge a complaint with a supervisory authority;
(x) the existence of automated decision-making, including profiling;
● Obtain:
(i) the rectification or completion of personal data;
(ii) the limitation of processing, where possible;
(iii) the portability of personal data, where applicable;
(iv) certification that the operations referred to in (i) and (ii) above, as well as the erasure referred to in the following point, have been communicated to those to whom the personal data have been disclosed or transmitted, except where this proves impossible or involves disproportionate means; ● Obtain the erasure of personal data in cases provided by law;
● Revoke consent to the processing of personal data (opt-out), without affecting the lawfulness of processing carried out prior to the revocation;
● Object, in whole or in part:
(i) for legitimate reasons, to the processing of personal data, even if relevant to the purpose of collection;
(ii) to the processing of personal data for the purpose of sending communications;
● Lodge a complaint with the Data Protection Authority.
8. TRANSFER OF DATA ABROAD
Users' personal data may be transferred to third countries outside the European Economic Area (EEA). Some of these jurisdictions may not provide the same level of data protection as the country in which the User resides. In such cases, the Data Controller commits to ensuring that the data is processed with the highest level of confidentiality by adopting appropriate measures for the protection of personal data, including, in the absence of adequacy decisions, entering into agreements that ensure an adequate level of protection and/or incorporating standard contractual clauses provided by the European Commission.
9. CHANGES TO THE PRIVACY POLICY
The Data Controller is continually enhancing the services offered and reserves the right to update this Policy at any time, where necessary, in accordance with current regulations on the protection of personal data. Any changes will be published directly on the Site. Users are therefore encouraged to review the Policy periodically to stay informed about any updates.
Collection of Personal Data (Notice at Collection)
On our website, we only collect technical cookies necessary for the proper functioning of the site. We do not collect analytical or personal cookies. The cookies used are strictly necessary for navigation and to ensure the proper functioning of the website. If you would like more information on how we manage cookies and privacy, please refer to our [Privacy Policy] and [Cookie Policy]( https://www.archiviofilippodisambuy.com/en/cookie-policy ).
Last update date: [11/02/2025].