The International Centre for the Study of the Preservation and Restoration of Cultural Property (hereafter, ICCROM) is an intergovernmental organization working in service to its Member States to promote the conservation of all forms of cultural heritage, in every region of the world. It operates in the spirit of the 2001 UNESCO Universal Declaration on Cultural Diversity, which states that “respect for the diversity of cultures, tolerance, dialogue and cooperation, in a climate of mutual trust and understanding are among the best guarantees of international peace and security.”

ICCROM, in adherence to its mission and institutional values, undertakes to protect personal data of natural persons regardless of their nationality or residence, respecting every human being’s identity, dignity and fundamental freedoms in accordance with standards adopted regarding the processing and circulation of personal data.

Who we are – Whom to contact

The Data Controller (Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; in this case ICCROM) is ICCROM, based in Rome, via di San Michele n. 13, Tel.: (+39) 06 585531; Fax: (+39) 06 58553349. The Data Controller is also available at the following e-mail address: data-protection@iccrom.org.

Our policy concerning personal data protection

Personal data protection is based on compliance with data protection principles that ICCROM undertakes to implement, adhere to and require of its staff members or third parties with whom it collaborates in its activity and mission. Specifically, ICCROM undertakes to:

  • Make public its policy concerning personal data protection;
  • Have due regard and consideration for all parties whose personal data may be processed (staff members, website users, donors, beneficiaries, suppliers) and to respect and respond promptly to their requests regarding processing of their personal data;
  • Process personal data in a lawful, fair and transparent manner, and only for the time strictly necessary for the purposes declared in its statements;
  • Limit the collection of personal data to those necessary to perform its activities (pertinent and limited personal data);
  • Adopt procedures to upgrade and amend personal data processed, in order to ensure that personal data are, as far as possible, correct and up to date;
  • Protect personal data stored in its possession, which may involve drawing up specific agreements with suppliers, and provide appropriate guarantees that data shall be safeguarded and the rights of Data Subjects protected;
  • Implement appropriate procedures to ensure that the measures in place to protect personal information are updated regularly. The Data Controller shall be responsible for ensuring that adequate technical and organizational measures and appropriate procedures are always in place and for demonstrating that data processing is carried out with due regard to ethical standards, employing state-of-the-art procedures, with all respect for the nature of the personal information being held and the risks to which it is exposed;
  • Provide staff training and raise staff awareness, according to the processing tasks being performed, concerning the principles of lawfulness and fairness, as well as security measures, detailed in this Data Protection Manual and with which all data processing procedures comply;
  • Ensure that all staff who handle personal data are aware of their responsibilities under this Policy and promote awareness of accountability throughout the Organization;
  • Prevent and minimize, as far as available institutional funds allow, the impact of potential breaches or unlawful and/or malicious personal data processing;
  • Actively promote the inclusion of data protection principles in the ongoing improvement plan implemented by the Organization across its management systems.

This Data Protection Manual will be brought to the attention of all internal staff (both at the Headquarters and Regional Office), as well as to collaborators and partners, through specific awareness-raising meetings and other means.

Scope of this policy and to whom it is addressed

This policy is addressed to Users of the www.iccrom.org website (“Website”) and to all individuals concerned about the processing of their personal data by the Data Controller, within its activity and mission (“Concerned person/s” or “User/s”).
Access to some sections of the Website and/or requests for information or services from Users requires the disclosure of personal data; the processing of these data will comply with Organization’s privacy policy.

This policy concerns only the ICCROM Website and not other websites Users may access through links on the ICCROM Website.

Data categories and processing – Browsing data

Computer systems and software procedures that ensure the proper function and running of the portal acquire, during normal activity and only for the time of the connection, some personal data implicitly shared during the use of Internet communication protocols. Such data are not collected for the purpose of matching them with the concerned identified Users, but these data, by their nature, could, through processing and matching with data detained by third parties, allow identification of Users (e.g. IP protocols), the domain name of utilized computer terminal, Users’ URI strings (Uniform Resource Identifiers), time of requests, and so on. Such data, once processed, are utilized for the sole purpose of gaining anonymous statistical information concerning Website use and for checking that it is functioning properly.

For more information, refer to Cookies Policy. 

Data provided by User

Users may voluntarily supply personal data such as contact details, e-mail address, etc., for example when requesting information through e-mail communications. These data are processed in order to fulfil and respond to Users’ requests or perform related activities.

Data processing will be carried out either manually or through electronic media, in compliance with the Organization’s privacy policies and the principles of correctness, lawfulness, transparency, relevance, completeness and process limitation, data minimization and accuracy. The organization and processing of the data and the reason for the processing will follow logic strictly related to the pursued objectives and be performed in a manner suitable to grant security, integrity and confidentiality of processed data. Such measures shall be upgraded and increased from time to time in accordance with technological advancement, in order to assure confidentiality, availability and integrity of processed data.

Scope of User data processing

  • User browsing data are utilized solely for gaining statistical information concerning Website usage. When a User accesses the Website, some information, such as Internet protocol (IP) addresses, pages browsed, utilized browser and time spent on the Website, as well as other similar information, is recorded in our servers. The purpose of such data collection is a better understanding of the Website’s visitors’ preferences and the improvement of their experience on our pages. Such information is never matched with personal data that Users provide if registering on the Website.
  • Users are requested to provide their e-mail address in order to receive via e-mail alerts or newsletters from ICCROM. In such cases, ICCROM will record the data in a safe way and will not disclose them with other organizations not in direct partnership with ICCROM. (Please refer to the “Newsletters” section below).
  • Personal data processing is performed for managing employment requests. Personal data requested will be processed only for staff recruitment and in order to formalize the application, for possible selection and beginning of a professional relationship. Data requested for aforementioned aims are required to process and respond to applications. (Please refer to the “Join us (Working with ICCROM” section below).
  • Personal data processing is performed for managing applications for courses, internships and fellowships organized by ICCROM and or in collaboration with its partners and for the unique aim of candidates’ selection and required to process and respond to applications. (Please refer to the “Applying for courses, internships and fellowships” section below).
  • Personal data processing is performed for managing donations received by the Data Controller; under no circumstances will personal data be transferred to third parties, nor will sensitive or financial information be disclosed. (Please refer to the “Donate” section below).
  • Personal data processing is performed for invitation to seminars or webinars organized by ICCROM, also in collaboration with partners. Data requested for these aims are compulsory and may be communicated to the co-organizers of the webinars, partners and sponsoring bodies, who may use the data to send information material related to the same event or provide services related only to the event itself. At any time, Users can request to be removed from the mailing list in order to no longer receive invitations or other communications. (Please refer to the “Participating in seminars and webinars” section below).
  • Personal data processing is carried out for compiling questionnaires, also in non-anonymous form, aimed at collecting opinions or information for statistical purposes or for studies or surveys. The data acquired will be stored in accordance with the Organization’s records retention and disposal schedule, for the performance of institutional tasks, including statistical analysis, archiving and historical research.  (Please refer to the “Questionnaires” section below).
  • Personal data processing is carried out for managing information, reference or document reproduction requests addressed to the ICCROM library. The data collected will be used to perform ICCROM’s institutional tasks, including statistical analysis, archiving, historical research, studies and surveys to promote initiatives and new library activities. (Please refer to the “Library Contact Form” section below).

Personal data disclosure

Personal data may be disclosed to appropriate third parties deemed as Recipients or to persons authorized to process personal data under Data Controller’s authority. In order to correctly perform all processing activities necessary for the scopes indicated in this policy, the following Recipients might process personal data:

  • Third parties who perform part of processing or activities connected and instrumental to the same on behalf of Data Controller, such as people, companies, associations or professional studies in charge of performing the services, assistance or advice activities. Aforementioned third parties are included in the following categories: (a) subjects having a partnership agreement with the Data Controller; (b) subjects operating in the field; (c) credit institutions involved in the provision of services; (d) advisors;
  • Employees and/or partners of the Data Controller, and working on its behalf, who have received appropriate training concerning security and proper use of personal data;
  • Public or legal authorities, if personal data are requested in order to prevent or suppress criminal activities.

It is understood that processed data, including those data processed through third parties, will be limited to solely those necessary for achieving stated purposes. Personal data will not be disseminated.

Rights of Data Subjects

Right of access Data Subjects have the right to obtain from the Data Controller confirmation as to whether or not  personal data concerning them are being processed, to access such personal data and to obtain the following information: a) the purposes of the processing operation; b) the personal data categories concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular those in third countries or international organizations; d) the expected period of personal data storage or applicable criteria for determining such period; e) the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning or to object to such processing; f) data source, if personal data are not being provided by Data Subjects themselves; g) existence of automated decision making process, including profiling and, in such cases, relevant information concerning applied logic, as well as importance and consequences for Data Subjects arising from the processing.
Right to rectificationData Subjects have the right to amend inaccurate Personal Data. Taking into account the purposes of the processing, Data Subjects are entitled to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasureData Subjects have the right to request erasure of personal data to be obtained without unjustified delay and the Data Controller will be bound to erase Personal Data for any of the following reasons: a) Personal Data are no longer necessary to the purposes for which they were collected or processed; b) consent on which Data Processing is based has been withdrawn and there is no other legal basis for Processing; c) Data Subject has denied the right of Processing and there is no other prevailing legitimate reason for Personal Data Processing; d) Personal Data have been unlawfully processed. In some cases, the Data Controller will have the right not to erase Personal Data should the Processing be mandatory to fulfil legal obligations, for public interest reasons, for filing purposes in the public interest or for statistical use or establishment, exercise or defence of legal claims.
Right to limit processingData Subjects have the right to restrict processing in the following cases: a) the Data Subject contests the accuracy of the personal data (restriction will last for the time necessary for the Data Controller to assess accuracy of the data); b) the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the Data Controller no longer needs the personal data for processing but they are required by the Data Subject for establishment, exercise or defence of legal claims; d) the Data Subject objects to the data processing and is awaiting  verification whether the Data Controller’s legitimate grounds override those of the Data Subject. Should a processing restriction apply, personal data will only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
Right to data portabilityData Subjects have the right to request and obtain any personal data they have provided to the Data Controller in a structured, commonly used and legible format or to ask for the data to be transmitted to another Data Controller, where technically feasible. In such case, the Data Subject shall be bound to give specific authorization in written form regarding the new Data Controller to whom the personal data is to be transferred.
Right to objectData Subjects have the right to object, in any situation, for reasons related to their personal situations, to the processing of personal data related to them, included profiling. The Data Controller will refrain from further processing operations on the data in question, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedom of the data subject, or for the establishment, exercise or defence of a legal claim.

Data retention period

Personal data will be processed by ICCROM only to fulfil specific purposes listed in this policy. Data may be kept for longer periods, or permanently, solely for archiving purposes in accordance with ICCROM’s records retention and disposal schedule.

Newsletter

Users who wish to receive our newsletter must provide an e-mail address. Such data are necessary to fulfil the User’s request and to forward information notices. Data provided for the aforementioned purposes shall be processed until the User’s cancellation request. If the User is no longer interested in receiving e-mail messages from the Data Controller, it will be sufficient to click on the unsubscribe link at the end of any e-mail to avoid any further communication, even via other contact means for which permission was obtained.

Join us (Work at ICCROM)

For expressions of interest concerning job applications, it will be necessary to follow instructions on the Website. Personal and specific data (if voluntarily disclosed by the candidate) will be processed only for review of the application for possible selection and establishment of an employment relationship. Users can, at any time, request the erasure of their data from Data Controller’s records.

Applying for courses, internships and fellowships

Users applying for courses, internships and fellowships organized by ICCROM, and/or in collaboration with its partners, shall fill in specific web forms for each programme. Personal data collected will be processed only for candidate selection purposes, including the sharing of profiles with partners and for reviewing and evaluating. ICCROM will store applications data in its database and, upon the User’s consent, data shall be processed to promote new courses, internships, fellowships, programmes, initiatives, projects, events, round tables or other institutional activities or reports of ICCROM and/or its partners.  Users can, at any time, request the erasure of their data from Data Controller’s records. 

Donate

Users willing to financially contribute to ICCROM shall provide contact information, identity and financial information (e.g. credit card number, expiry date, etc.). Such information is necessary to complete the transaction and to help donor management. Should any difficulty arise from the processing of the donation, such information is used to contact the User. In this case, ICCROM will store the information in an appropriate way and shall not disclose it with any other organization not being ICCROM’s partner. Under no circumstances will personal data be shared or sensitive financial information disclosed. ICCROM shall ensure the utmost confidentiality and security.

Participate in webinars and seminars

Users who wish to participate in webinars and seminars organized by ICCROM and partners must provide their contact details in order to be able to take part. The data collected will be used for the performance of institutional tasks, including statistical analysis, archiving and historical research. as well as to invite Users to other possible seminars or webinars.
Webinars will be broadcast on ICCROM’s website and its social channels. Users are not visible during webinars. Data processing will be carried out manually or by electronic means, in compliance with the limits and conditions set by ICCROM’s Privacy Policy. The data acquired will be kept in accordance with the ICCROM records retention and disposal schedule.

Users’ contact details may be communicated to the co-organizers of the webinars, to the partners, and to the sponsoring bodies, who may use the data to send information related to the same event or may provide services related only to the event itself.

The data provided for the above purposes will be processed until the User requests to be removed from the mailing list in order not to receive invitations to or communication about other events.

Questionnaires

ICCROM and its partners use online questionnaires in order to collect opinions or information for statistical purposes or for selected studies or surveys. Users who wish to freely fill in questionnaires, even in a non-anonymous form, must provide the data requested in order to participate.

The data collected will be used for the performance of ICCROM’s institutional tasks, including statistical analysis, archiving and historical research, as well as to inform Users about other questionnaires and invite them to respond. Data processing will be carried out both manually and with the help of electronic means, in compliance with the limits and conditions set by the Data Protection Manual.

Data acquired will be stored in accordance with the Organization’s records retention schedule. These data will be processed exclusively by ICCROM staff and collaborators and will not be disclosed or communicated to third parties. The data provided for the above purposes will be processed until the User requests to be removed from the mailing list in order not to receive invitations to participate in the Organization’s surveys.

Library Contact Form

Users wishing to receive information, reference or request documents from the ICCROM library must provide their contact details and send a message with the material to be reproduced.

Personal data is processed for managing reference or document delivery requests by ICCROM library staff. The data collected will be used to perform ICCROM's institutional tasks including statistical analysis, archiving, historical research, studies and surveys to promote initiatives and new library activities. The data collected will be stored according to the Organization's retention and disposal schedule. This data will be processed exclusively by ICCROM staff and collaborators and will not be disseminated or communicated to third parties. Users can, at any time, request the erasure of their data from Data Controller’s records.

Privileges and immunities

Anything set forth in this Web Privacy Policy or referring to the Website shall ever be deemed a waiver of any privilege and immunity accruing to ICCROM.

Contacts

Any request or need shall be addressed by the User to: ICCROM, via di San Michele 13 - Rome, Italy; Tel.: (+39) 06 585531; Fax: (+39) 06 58553349; E-mail: data-protection@iccrom.org.

Users also may consult the Privacy section of the website to find information concerning the Personal Data Policy applied by Data Controller, usage and processing of personal data, updated information concerning contacts and ways to communicate with the Data Controller.