Disclosure pursuant to arts. 13 and 14 of Regulation (EU) no. 2016/679 General Data Protection Regulation (“GDPR”)


The Bracco Foundation (“Foundation”) hereby informs you that processing of your personal data (“Data”) on the website www.fondazionebracco.com (“Site”) or collected through the registration/online contact form (“Form”) available on the Site is compliant with the applicable personal data protection laws (EU Regulation 2016/679 “General Data Protection Regulation” – hereinafter referred to as “Regulation” or “GDPR”) and with the Site’s Privacy Policy [http://www.fondazionebracco.com/en/utility/privacy].

Data Controller

The Data Controller is the Bracco Foundation, headquartered in Via Cino del Duca 8 - 20122 Milan, to whom you may apply for any information about the processing of your data. The Data Protection Officer may be contacted at the email address This email address is being protected from spambots. You need JavaScript enabled to view it..

Processed data

The Foundation processes the personal data provided by you when filling out the registration/online contact Form (“Form”). Specifically, the data includes your name, surname, email address and any other data you provide to the Data Controller (“Data”).

To enable us to process your event registration request, you are required to provide at least the mandatory information marked with an asterisk (*) on the Form. If the mandatory information is not provided, we shall be unable to proceed. The information in the fields not marked with an asterisk is voluntary: there will be no consequences if you decide not to provide it.

The personal Data of the people accompanying you – which may be provided by you on the registration form – will be held by the Data Controller solely for the purpose of managing the event registration request.

The Data Controller will also process data relating to images, video and recordings that may show you at the event, for the purpose of internal communication by any means in the Foundation and/or the Bracco Group, and also externally, through public circulation in print, advertising and social networks in the pages in which the Foundation is present. The processing of the above data is necessary for participation at the event. Should you refuse it will not be possible for the Foundation to complete your registration for the event.

Furthermore, in the performance of its activities, the Data Controller will automatically collect data relating to your interaction with the Foundation (such as data relating to the delivery of emails to your electronic mailbox, the opening of emails, etc.). This data will enable the Foundation to identify the content of greatest interest to you and will be processed in accordance with the purposes indicated in points 2) and 3) of the following section.


Purposes of and legal basis for processing

Your Data are processed for the following purposes:


  • to manage your event registration request, including transmission of information about the event [and management of related images and video]. No consent is required for this purpose, since your data is managed in order to satisfy your request to take part in the event, as envisaged by art. 6.1 (b) of the GDPR;
  • to send you promotional and communication material (e.g., newsletters, information about events, workshops or seminars) from the Foundation and its Partners. No consent is required for this purpose, since processing is based on the Data Controller's legitimate interest in efficient communication of the events it organises to achieve its mission: to support the creation and dissemination of culture, art and science in order to improve the quality of life and social cohesion, as envisaged by art. 6.1 (f) of the GDPR;
  • to identify, through profiling, information of relevance to you, for example events of greatest interest to you, in order to indicate other events believed to be of interest to you and to perform statistical analyses in order to improve the content and operation of the Foundation's communication services. No consent is required for this purpose, since processing is based on the Data Controller's legitimate interest in efficient communication of the events it organises to achieve its mission: to support the creation and dissemination of culture, art and science in order to improve the quality of life and social cohesion, as envisaged by art. 6.1 (f) of the GDPR.

In any case, even without your prior consent, the Data Controller may process your Data in order to comply with legal, regulatory and EU obligations, to exercise its rights in legal proceedings and for all cases envisaged by the Regulation, where applicable.


Processing methods

Your Data will be processed by the Foundation with appropriate electronic or otherwise automated information technology and communication tools, or by means of manual and paper-based processing methods, strictly for the purposes set out above for which the Data were provided and in any case in a manner that ensures the security and confidentiality of the Data. Your Data will be processed by internal Foundation staff specifically authorised to process data in connection with the performance of the duties assigned to them, and eventually, to the extent necessary and/or useful for the execution of the purposes indicated above, by third parties acting on behalf of the Foundation in the capacity, as the case may be, of independent Data Controllers, Co-Data Controllers or Data Processors designated pursuant to art. 28 of the GDPR (e.g., Partners of Foundation initiatives, service providers, engineers responsible for maintenance of IT services, other providers whom the Foundation may use in connection with the above purposes, Bracco Group companies).

All Data recipients shall receive only the data they require to perform their functions and they shall undertake to use the data only for the purposes indicated above and to process them in compliance with applicable laws. Except as indicated above, Data are not shared with third-party natural or legal persons who do not perform any functions of a commercial, professional and/or technical nature for the Data Controller, and shall not be circulated.

As regards the possible transfer of data to other countries, including countries that might not guarantee the same level of protection as that envisaged by the data protection Regulation (i.e., non-EU countries), the Data Controller informs you that in any case processing will be performed in compliance with one or more of the methods allowed under the Regulation, as the case may be, for example, the explicit consent of the user, the adoption of Standard Contractual Clauses approved by the European Commission, the selection of parties adhering to international programs for the free circulation of data or who operate in countries deemed secure by the European Commission.

The list of Data recipients is available upon request from the Data Controller through the contacts indicated in this policy.

Data storage period

In compliance with art. 5.1 (c) of the Regulation, the information systems and computer programs used by the Foundation are configured to minimise use of personal and identifying data; such data are processed only to the extent necessary to achieve the purposes indicated in this disclosure; the data will be stored for the length of time strictly necessary to achieve the purposes actually pursued and, in any case, the criterion used to determine the storage period is based on compliance with the terms allowed by law, by the principles of minimisation of processing, limitation of storage and rational management of the archives, and also by the provisions of the Data Protection Authority with reference to specific data or processing.

Rights of interested parties

You may exercise the rights recognised under arts. 15-22 of the Regulation, including the right to obtain confirmation of the existence or otherwise of your personal data, to check its content, origin, accuracy, location (also with reference to any third-party countries), to request a copy, to request amendments and, in the cases envisaged by current laws, limitation of processing and erasure. You have the right to object at any time, and in the cases envisaged by current laws, to processing procedures by the Foundation, for example, direct contact activities, promotional activities (also when limited to specific means of communication) or profiling activities. Similarly, you may at any time revoke your consent, when provided, and/or report observations on specific use of the data with regard to particular personal situations deemed not to be correct or justified by the existing relationship or request a complaint by a controlling authority to the Data Protection Authority. For all queries regarding processing of personal data by the Foundation, to exercise the rights recognised under the applicable law and to receive an updated list of the parties who may access the data, you may contact the Data Controller by sending an email message to This email address is being protected from spambots. You need JavaScript enabled to view it. or through the normal postal service to the following address: Fondazione Bracco, via Cino del Duca 8, 20122 Milano, Italy.


Follow Fondazione Bracco
on Instagram