The International Centre for the Study of the Preservation and Restoration of Cultural Property (hereafter, ICCROM) is an intergovernmental organization working in service to its Member States to promote the conservation of all forms of cultural heritage, in every region of the world. It operates in the spirit of the 2001 UNESCO Universal Declaration on Cultural Diversity, which states that “respect for the diversity of cultures, tolerance, dialogue and cooperation, in a climate of mutual trust and understanding are among the best guarantees of international peace and security.”
ICCROM, in adherence to its mission and institutional values, undertakes to protect personal data of natural persons regardless of their nationality or residence, respecting every human being’s identity, dignity and fundamental freedoms in accordance with standards adopted regarding the processing and circulation of personal data.
The Data Controller (Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; in this case ICCROM) is ICCROM, based in Rome, via di San Michele n. 13, Tel.: (+39) 06 585531; Fax: (+39) 06 58553349. The Data Controller is also available at the following e-mail address: data-protection@iccrom.org.
Personal data protection is based on compliance with data protection principles that ICCROM undertakes to implement, adhere to and require of its staff members or third parties with whom it collaborates in its activity and mission. Specifically, ICCROM undertakes to:
This Data Protection Manual will be brought to the attention of all internal staff (both at the Headquarters and Regional Office), as well as to collaborators and partners, through specific awareness-raising meetings and other means.
This policy is addressed to Users of the www.iccrom.org website (“Website”) and to all individuals concerned about the processing of their personal data by the Data Controller, within its activity and mission (“Concerned person/s” or “User/s”).
Access to some sections of the Website and/or requests for information or services from Users requires the disclosure of personal data; the processing of these data will comply with Organization’s privacy policy.
This policy concerns only the ICCROM Website and not other websites Users may access through links on the ICCROM Website.
Computer systems and software procedures that ensure the proper function and running of the portal acquire, during normal activity and only for the time of the connection, some personal data implicitly shared during the use of Internet communication protocols. Such data are not collected for the purpose of matching them with the concerned identified Users, but these data, by their nature, could, through processing and matching with data detained by third parties, allow identification of Users (e.g. IP protocols), the domain name of utilized computer terminal, Users’ URI strings (Uniform Resource Identifiers), time of requests, and so on. Such data, once processed, are utilized for the sole purpose of gaining anonymous statistical information concerning Website use and for checking that it is functioning properly.
For more information, refer to Cookies Policy.
Users may voluntarily supply personal data such as contact details, e-mail address, etc., for example when requesting information through e-mail communications. These data are processed in order to fulfil and respond to Users’ requests or perform related activities.
Data processing will be carried out either manually or through electronic media, in compliance with the Organization’s privacy policies and the principles of correctness, lawfulness, transparency, relevance, completeness and process limitation, data minimization and accuracy. The organization and processing of the data and the reason for the processing will follow logics strictly related to the pursued objectives and be performed in a manner suitable to grant security, integrity and confidentiality of processed data. Such measures shall be upgraded and increased from time to time in accordance with technological advancement, in order to assure confidentiality, availability and integrity of processed data.
Personal data may be disclosed to appropriate third parties deemed as Recipients or to persons authorized to process personal data under Data Controller’s authority. In order to correctly perform all processing activities necessary for the scopes indicated in this policy, the following Recipients might process personal data:
It is understood that processed data, including those data processed through third parties, will be limited to solely those necessary for achieving stated purposes. Personal data will not be disseminated.
Right of access | Data Subjects have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them are being processed, to access such personal data and to obtain the following information: a) the purposes of the processing operation; b) the personal data categories concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular those in third countries or international organizations; d) the expected period of personal data storage or applicable criteria for determining such period; e) the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning or to object to such processing; f) data source, if personal data are not being provided by Data Subjects themselves; g) existence of automated decision making process, including profiling and, in such cases, relevant information concerning applied logic, as well as importance and consequences for Data Subjects arising from the processing. |
Right to rectification | Data Subjects have the right to amend inaccurate Personal Data. Taking into account the purposes of the processing, Data Subjects are entitled to have incomplete personal data completed, including by means of providing a supplementary statement. |
Right to erasure | Data Subjects have the right to request erasure of personal data to be obtained without unjustified delay and the Data Controller will be bound to erase Personal Data for any of the following reasons: a) Personal Data are no longer necessary to the purposes for which they were collected or processed; b) consent on which Data Processing is based has been withdrawn and there is no other legal basis for Processing; c) Data Subject has denied the right of Processing and there is no other prevailing legitimate reason for Personal Data Processing; d) Personal Data have been unlawfully processed. In some cases, the Data Controller will have the right not to erase Personal Data should the Processing be mandatory to fulfil legal obligations, for public interest reasons, for filing purposes in the public interest or for statistical use or establishment, exercise or defence of legal claims. |
Right to limit processing | Data Subjects have the right to restrict processing in the following cases: a) the Data Subject contests the accuracy of the personal data (restriction will last for the time necessary for the Data Controller to assess accuracy of the data); b) the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the Data Controller no longer needs the personal data for processing but they are required by the Data Subject for establishment, exercise or defence of legal claims; d) the Data Subject objects to the data processing and is awaiting verification whether the Data Controller’s legitimate grounds override those of the Data Subject. Should a processing restriction apply, personal data will only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. |
Right to data portability | Data Subjects have the right to request and obtain any personal data they have provided to the Data Controller in a structured, commonly used and legible format or to ask for the data to be transmitted to another Data Controller, where technically feasible. In such case, the Data Subject shall be bound to give specific authorization in written form regarding the new Data Controller to whom the personal data is to be transferred. |
Right to object | Data Subjects have the right to object, in any situation, for reasons related to their personal situations, to the processing of personal data related to them, included profiling. The Data Controller will refrain from further processing operations on the data in question, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedom of the data subject, or for the establishment, exercise or defence of a legal claim. |
Personal data will be processed by ICCROM only to fulfil specific purposes listed in this policy. Data may be kept for longer periods, or permanently, solely for archiving purposes in accordance with ICCROM’s records retention and disposal schedule.
Users who wish to receive our newsletter must provide an e-mail address. Such data are necessary to fulfil the User’s request and to forward information notices. Data provided for the aforementioned purposes shall be processed until the User’s cancellation request. If the User is no longer interested in receiving e-mail messages from the Data Controller, it will be sufficient to click on the unsubscribe link at the end of any e-mail to avoid any further communication, even via other contact means for which permission was obtained.
For expressions of interest concerning job applications, it will be necessary to follow instructions on the Website. Personal and specific data (if voluntarily disclosed by the candidate) will be processed only for review of the application for possible selection and establishment of an employment relationship. Users can, at any time, request the erasure of their data from Data Controller’s records.
Users applying for courses, internships and fellowships organized by ICCROM, and/or in collaboration with its partners, shall fill in specific web forms for each programme. Personal data collected will be processed only for candidate selection purposes, including the sharing of profiles with partners and for reviewing and evaluating. ICCROM will store applications data in its database and, upon the User’s consent, data shall be processed to promote new courses, internships, fellowships, programmes, initiatives, projects, events, round tables or other institutional activities or reports of ICCROM and/or its partners. Users can, at any time, request the erasure of their data from Data Controller’s records.
Users willing to financially contribute to ICCROM shall provide contact information, identity and financial information (e.g. credit card number, expiry date, etc.). Such information is necessary to complete the transaction and to help donor management. Should any difficulty arise from the processing of the donation, such information is used to contact the User. In this case, ICCROM will store the information in an appropriate way and shall not disclose it with any other organization not being ICCROM’s partner. Under no circumstances will personal data be shared or sensitive financial information disclosed. ICCROM shall ensure the utmost confidentiality and security.
Users who wish to participate in webinars and seminars organized by ICCROM and partners must provide their contact details in order to be able to take part. The data collected will be used for the performance of institutional tasks, including statistical analysis, archiving and historical research. as well as to invite Users to other possible seminars or webinars.
Webinars will be broadcast on ICCROM’s website and its social channels. Users are not visible during webinars. Data processing will be carried out manually or by electronic means, in compliance with the limits and conditions set by ICCROM’s Privacy Policy. The data acquired will be kept in accordance with the ICCROM records retention and disposal schedule.
Users’ contact details may be communicated to the co-organizers of the webinars, to the partners, and to the sponsoring bodies, who may use the data to send information related to the same event or may provide services related only to the event itself.
The data provided for the above purposes will be processed until the User requests to be removed from the mailing list in order not to receive invitations to or communication about other events.
ICCROM and its partners use online questionnaires in order to collect opinions or information for statistical purposes or for selected studies or surveys. Users who wish to freely fill in questionnaires, even in a non-anonymous form, must provide the data requested in order to participate.
The data collected will be used for the performance of ICCROM’s institutional tasks, including statistical analysis, archiving and historical research, as well as to inform Users about other questionnaires and invite them to respond. Data processing will be carried out both manually and with the help of electronic means, in compliance with the limits and conditions set by the Data Protection Manual.
Data acquired will be stored in accordance with the Organization’s records retention schedule. These data will be processed exclusively by ICCROM staff and collaborators and will not be disclosed or communicated to third parties. The data provided for the above purposes will be processed until the User requests to be removed from the mailing list in order not to receive invitations to participate in the Organization’s surveys.
Anything set forth in this Web Privacy Policy or referring to the Website shall ever be deemed a waiver of any privilege and immunity accruing to ICCROM.
Any request or need shall be addressed by the User to: ICCROM, via di San Michele 13 - Rome, Italy; Tel.: (+39) 06 585531; Fax: (+39) 06 58553349; E-mail: data-protection@iccrom.org.
Users also may consult the Privacy section of the website to find information concerning the Personal Data Policy applied by Data Controller, usage and processing of personal data, updated information concerning contacts and ways to communicate with the Data Controller.