Privacy cookie policy

in compliance with Art. 14 of Regulation (EU) 2016/679 governing the protection of personal data.

The Data Controller – as defined in Articles 4 and 24 of Regulation (EU) 2016/679 – is the Opera di Santa Croce, whose registered office is situated in Piazza Santa Croce, 16, Florence (FI), Italy – VAT Reg. No. 05489970482.
The Controller may be reached at the following e-mail address:
The Controller has also appointed a Data Protection Officer (DPO) – the lawyer Avv. Domenico Vispo – who may be contacted in connection with matters regarding the processing of the user’s personal data at the following e-mail address:

The Controller will process the following personal data:
– personal and contact details;
– data concerning educational qualifications and profession;
– data collected passively, in other words via the website (e.g. IP address, position, type of browser and so forth);
– cookies and other tracking systems, as illustrated in the cookie notice (see relevant information notice for more in-depth information).

The communication of personal data is a contractual obligation, or at any rate a necessary prerequisite, for completing the contract for the sale of tickets providing access to the monumental complex, and the prospective purchaser is obliged to supply his or her personal data inasmuch as without it the Controller is unable to process the purchaser’s application. Despatch of the newsletter is enabled only when consent is granted by the user. Data for the website’s security and for the prevention of misuse and spam, as well as data for analysing website traffic (statistics) in aggregate form, is processed on the basis of the Controller’s legitimate interest in protecting both the website and its users.

Personal data is processed by the Controller in order to enable the user to surf the website and to use the services it provides; for the on-line sale of tickets providing access to the monumental complex of Santa Croce; and, in the event the user grants his or her specific consent, for the despatch of the Controller’s newsletter. In addition to the relevant instrumental and necessary purposes associated with provision of the service, processing of the data collected from the website is required for the following purposes:
– Statistics (analysis): the collection of data and information, solely in an aggregate and anonymous fashion, in order to verify the website’s proper functioning. None of this information is linked to the website’s physical user, nor does it permit the user’s identification in any form whatsoever. Prior consent is not required;
– Security: the collection of data and information for the purpose of protecting the website’s security (anti-spam filters, firewalls, virus detection) and users’ security, and to prevent or to detect fraud or misuse detrimental to the website. The data is recorded automatically and may also include personal data (IP address) which may be used, in accordance with the relevant law in force at the time, to thwart attempts to damage the website or to harm other users, or in any case for harmful or criminal activities. This data is never used on any account to identify or to profile users, and it is periodically erased. Prior consent is not required.

Data collected may be forwarded to end users, as listed in Article 28 of Regulation (EU) 2016/679, who process the data in their capacity as external professional figures and/or bodies acting as independent controllers. Specifically, the data may be forwarded: – to the Controller’s staff and collaborators, including external collaborators, and to figures who provide services instrumental to the purposes described above. These figures will act in their capacity as supervisors or appointees tasked with processing. Personal data may also be forwarded to other public or private figures but solely in compliance with a legal measure or regulation requiring such a move.
Data collected on the website is not generally forwarded to third parties, other than in the following specific instances:
– a legitimate request from the judicial authorities and in legally specified cases;
– if required for the provision of a specific service requested by the user;
– for the performance of website security and optimisation controls.

Data collected will not be transferred to third countries outside the European Union. Users should be aware, however, that the use of cloud services may entail the transfer of data onto servers situated abroad (whether in the EU or elsewhere) but always in compliance with the relevant legal measures and in every instance in compliance with maximum security standards.

Data collected during the functioning of the website is stored only for as long as is strictly necessary to perform the activities specified. On expiry, the data will be erased or anonymised unless there are further reasons for storing it. Data (IP address) used for website security purposes (thwarting attempts to harm the website) is stored for 30 days. Data used for analytical purposes (statistics) is stored only in aggregate form. Data processed in connection with the sale of tickets providing access to the monumental complex of Santa Croce will be stored for 10 years; and in connection with the despatch of newsletters, it will be stored for the time required to provide the service. The data is not subject to automatic processing.

The user may exercise his or her rights as laid down in Section III (articles 15-22) of Regulation (EU) 2016/679 by addressing an e-mail to the Data Controller at, by registered post with reply – c/o the address of the organisation’s registered office – or by submitting a hardcopy request.
The rights which the user enjoys under Regulation (EU) 2016/679 are the following:
– access;
– rectification;
– erasure;
– withdrawal of consent;
– restriction of processing;
– opposition to processing;
– portability.
The above rights are guaranteed at no expense to the user and require no particular formalities for their exercise, which is essentially free of charge.
Without impairment or prejudice to the user’s right to undertake legal action, he or she may also submit a complaint to the supervisory authority (ombudsman) as stipulated both in Regulation (EU) 2016/679 and in the Italian Privacy Code as modified by Decree Law 101/2018.

Personal data granted will be recorded, processed, managed and stored in hardcopy format and/or with the assistance of electronic instruments, and in every circumstance in such a way as to ensure its security and confidentiality. Processing will be performed by expressly authorised in-house staff and can be performed at any time.

Personal data collected will never be disseminated under any circumstances whatsoever to third parties not authorised by the Data Controller and may be shown only on demand to the legal, financial and ombudsman authorities and to any other figures with whom we are legally bound to share that data for the achievement of the aforesaid purposes.

Cookie policy


In respect of the Measure formulated by the Ombudsman for the Protection of Personal Data, entitled “Identification of simplified modalities for information regarding, and the acquisition of prior consent to, the use of cookies – 8 May 2014” (Published in the Official Gazette no. 126 dated 3 June 2014) as amended by the guidelines governing cookies and other tracking tools dated 10 June 2021 (Published in the Official Gazette no. 163 dated 9 July 2021), the user should be aware that the OPERA DI SANTA CROCE processes only cookies of a technical and/or analytical nature, and on no account uses profiling cookies. The user’s prior consent is not required for the installation of technical and/or analytical cookies, but we are nevertheless bound to provide notice thereof in accordance with Article 16 of Regulation (EU) 2016/679 governing the protection of personal data.

OPERA DI SANTA CROCE, in its capacity as controller, hereby informs the user releasing his or her IP data through consulting the website, regarding the purposes and modalities of the processing of the personal data collected, the circumstances governing its communication and dissemination, and the nature of its granting.

Data collected from the user is exclusively IP-related, in other words it is data that can be defined as coming from public records, thus prior consent for processing purposes is not required.

The data subject to processing is processed and used directly in order to fulfil purposes instrumental to the website (for example, controls to prevent cyberattacks, statistics) in full compliance with the principle of legal propriety and with the legal measures currently in force.

Where the modalities are concerned, the data is processed by electronic means operated by the controller. The user’s data is not communicated to, sold to or exchanged with any third party, nor is it subject to dissemination, other than where mandatorily required by law.

The user may avail him or herself of his or her rights as laid down in Articles 15-22 of the Regulation (EU) 2016/679 by addressing a request to the processing controller. In particular, the user can obtain confirmation of the existence – or otherwise – of personal data concerning him or her, even if such data has yet to be registered, and insist on communication of said data in legible form. Users have the right to obtain information regarding:
a) the origin of the personal data;
b) the purpose and modality of its processing;
c) the rationale applied in the event of processing performed with the aid of electronic instruments;
d) the identification details of the controller, managers and appointed representatives as defined in Article 5, Paragraph 2;
e) the end users and categories of end users to whom that personal data may be communicated or who may become acquainted with it in their capacity as appointed representatives on national soil, as managers or as appointees.

The user has the right to obtain:
a) the updating, rectification or, when to his or her benefit, the completion of the data;
b) the erasure, the transformation into anonymous format or the blocking of data processed in breach of the law, including data whose storage is not required for the purposes for which the data was collected or subsequently processed;
c) certification that the operations described in letters a) and b) above have been communicated, including with regard to their content, to all those to whom the data may have been released or disseminated, other than where such communication proves to be impossible or entails the use of resources manifestly disproportionate to the right safeguarded.

The user has the right to oppose, in whole or in part:
a) for legitimate reasons, the processing of personal data concerning him or her, even if that data is relevant to the purpose for which it was collected;
b) for legitimate reasons, the processing of personal data concerning him or her for purposes related to the despatch of publicity or direct sales material or for conducting market research surveys or commercial communication.

The user may exercise his or her rights by sending an e-mail to one of the following addresses: and, or by fax or letter addressed to the addressees on the printed paper.

The data is stored in electronic archives and minimum legal security measures are guaranteed.

The controller reserves the right to block access for those IPs whose visits appear to produce anomalies. Users who cannot see website pages or the website itself may write to one of the following e-mail addresses: and

What are cookies?
“Cookies” are small text files which a server can save on a computer’s hard disk and which can memorise certain information regarding the user. Cookies allow the website to record the user’s activity and to memorise his or her preferences. Cookies help to analyse interaction between the user and the website and to allow smoother and more customised surfing.

What types of cookies are there?
A cookie can be classified as a “session” cookie or a “permanent” cookie according to its duration. “Session” cookies are temporary and disappear from a computer when the user leaves the website visited or closes his or her browser. They are usually memorised in the computer’s cache. “Permanent” cookies remain in the user’s computer even after the browser has been closed, either until their expiry or until the user eliminates them. Their expiry date is determined by the website which installs them. They are often used to track the user’s habits so that when the user returns to the website, the cookie reads the information memorised and adapts it to his or her preferences.
A cookie can be classified as “technical” or “profiling” according to its function.
“Technical” cookies relate to activities strictly necessary for the proper functioning of the website and for provision of the service required. In most cases they are session cookies. No technical cookies require the user’s prior consent because they are not used for purposes other than ensuring that the website can function properly. “Profiling” cookies may be used to track the user’s habits and surfing preferences in order to deliver advertising and services which reflect his or her interests. This kind of cookie is installed or activated only with the user’s prior consent granted on the first occasion on which he or she visits the website. Consent can be expressed by interacting with the short information banner on the website’s homepage according to the modalities specified (by closing the banner, by explicitly agreeing, by browsing the page or by clicking on any element on the page).

What cookies does OPERA DI SANTA CROCE use?
In its website OPERA DI SANTA CROCE uses technical cookies generated and used for its own website and on no account by third parties. Visiting this website can generate the following kinds of cookie: – internal cookies and – technical session cookies: these are used to improve the user’s surfing experience and interaction with the website.

How to disable cookies using the browser: It is possible to configure the browser used for surfing in order to eliminate cookies and/or to prevent their installation. The user can control what cookies are installed and what their duration is, and/or eliminate them. The steps required to perform these operations differ from browser to browser. These are the guidelines for the most commonly used browsers.

Instructions on how to disable cookies may be found in the following web pages:
Mozilla Firefox – Microsoft Internet Explorer – Microsoft Edge – Google Chrome – Opera – Apple Safari

Disabling certain cookies may hinder access to the website and/or impair the proper functioning of the e-mail pages.