Privacy

Privacy

INFORMATION ON THE PROCESSING OF PERSONAL DATA pursuant to Article 13 of EU Regulation 2016/679,
General Data Protection Regulation ('GDPR'), and Legislative Decree No. 196/2003, Code on the Protection of Personal Data ('Privacy Code').
Version – January 9, 2022

1. Scope, Data Controller, and Definitions

1.A. Scope of this Privacy Policy
This privacy policy is provided for the website "https://tickets.frasassi.com/" owned and operated by Grotte di Frasassi Srl, headquartered at Largo Leone XII no. 1 – 60040 GENGA (hereinafter referred to as "Grotte di Frasassi"), as the Data Controller. It does not apply to other third-party websites that may be accessed by the user via links.
The website "https://tickets.frasassi.com" and mobile applications will hereafter be referred to individually as the "Site." Other websites are not covered by this privacy information and provide their specific data protection information.
This privacy policy is provided pursuant to Article 13 of the GDPR and the Privacy Code, limited to provisions applicable in line with the GDPR, and in accordance with Recommendation No. 2/2001 adopted by the European Data Protection Authorities gathered in the Group established by Article 29 of Directive No. 95/46/EC on May 17, 2001, to determine some minimum requirements for collecting personal data online, and subsequent amendments and additions.
Any future additions or changes to this list will be promptly brought to your attention.
This policy is intended for all subjects interacting with the web pages of the Site, both those using the Site without registration and those who, after a specific procedure, register on the Site and use the online services provided through it.
1.B. Data Controller
Unless otherwise indicated in this privacy policy, the data controller of your personal data is Grotte di Frasassi Srl, headquartered at Largo Leone XII no. 1, 60040 GENGA, email: privacy@frasassi.com.
1.C. Definitions
This privacy policy is based on the definitions provided in Article 4 of the European Data Protection Regulation (GDPR), which are summarized below to facilitate the understanding of this policy:
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC.
Recipient: a natural or legal person, public authority, agency, or other body to which personal data are disclosed, whether or not they are a third party. However, public authorities that may receive personal data in the context of a specific investigative mandate under Union or Member State law are not considered recipients; the processing of such data by these authorities is conducted in accordance with the applicable data protection rules according to the purposes of the processing. Depending on the payment method chosen for purchasing tickets, the recipients of your personal data may include banks or postal service providers through which we send you the ticket by mail.
Personal Data: information relating to an identified or identifiable natural person, i.e., the data subject. An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data may include, for example, your name, contact details, user behavior, or banking information.
Data Controller: a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processing of Personal Data: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing may include, for example, the collection and use of your order data for ticket sales.

2. Types of Data Processing Conducted by Grotte di Frasassi and Involved Data Categories

The processing of your personal data may be carried out by Grotte di Frasassi for the reasons listed below.
2.A. Processing of Personal Data During Visits to the Website and as Part of Marketing Measures on Third-Party Websites and Social Networks
We inform you that when you access the Website (whether registering or not with a customer account or signing up for other services offered by the Website), to obtain information about our products and use the services provided by the Website, we will process your data in the manner detailed in this policy.

Furthermore, your data may be processed by us as part of marketing measures on third-party websites and social networks for the purposes detailed below and based on the legal grounds listed:
Data Processing for Ensuring the Website's IT Security
We process your personal data where technically necessary to make the Website available for your use and to ensure its stability and security during your visit. This processing includes the following data:
- IP Address
- Browser Fingerprints
- Browser IUser Agents
- Cookies
To identify and defend against threats (protection against bots and DDoS attacks) and to deliver and accelerate online applications, we use the services of Akamai Technologies (GmbH, Parkring 20-22, 85748 Garching, Germany) on the Website. Akamai processes, in particular, the IP address of your device and uses this information on behalf of TicketOne to prevent technical threats and ensure high availability of our Website. The IP address is generally transmitted to Akamai servers in the USA and processed there. This data transfer is based on the EU's standard contractual clauses, ensuring adequate protection of your personal data under Article 46 of the GDPR.
On the Website, we also use Google reCaptcha v2, a service provided by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), which helps prevent abusive automatic entries in web forms and thus protects the host's technical systems.
When one of the Website's pages containing reCaptcha is accessed, a connection is established with Google's servers, and a reCaptcha cookie is set. Additionally, your IP address is transmitted to Google.
Google reCaptcha also collects the following data through "fingerprinting":
- used browser plugins
- cookies set by Google in the last 6 months
- the number of mouse clicks and touches you have made on the screen
- CSS information for the page you are currently viewing
- Javascript objects
- browser date and language
In tal caso, la raccolta e l'analisi dei dati ha come base giuridica l'art. 6 par. 1 lett. c ed f del GDPR.
In this case, the legal basis for data collection and analysis is Article 6 para. 1 (c) and (f) of the GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automatic spying and spam. Moreover, to comply with Italian law on secondary ticketing (see Section 2.C of this policy), TicketOne is required to take all necessary measures to prevent the bulk purchase of tickets by so-called bots.
Please note that to the extent personal data is transferred to Google in the USA, this is done based on the EU's standard contractual clauses, ensuring adequate protection of your personal data under Article 46 of the GDPR.
You can refuse the use of cookies and fingerprinting by selecting the appropriate settings on your browser; however, please note that this may prevent you from using all the Website's functionalities.
To enhance the attractiveness, content, and functionality of the Website, we may use Google Optimize. This allows us to offer new features and content to a percentage of our users, statistically evaluate changes in Website usage, and consequently improve our offering regularly.
Cookies linked to a pseudonymous ID may be used for these activities. Google may use this information to evaluate your use of the Website and create reports on optimization tests and related activities.
Google's privacy policy and terms of use are available at:
https://www.google.com/policies/privacy/ and here: https://policies.google.com/terms
Data Processing for Analytical Purposes
We inform you that we may analyze and document how you use the Website. Specifically, we may analyze the number of visitors to the Website, your browsing behavior on the Website, the events and areas of the Website you are interested in, the origin of the Website visitors, and if you purchase a ticket from us, your order and shopping cart data. For these purposes, we process the following personal data:
- IP address (shortened)
- Cookies
In this case, we process the aforementioned data based on your consent as defined in Article 6(1)(a) of the GDPR. If you wish to object to the processing of data for analytical purposes, please adjust your preferences in the Cookie Preferences Center.
To carry out this processing, we use Google Analytics 360 (GA360), a web analytics service provided by Google LLC ("Google"). GA360 uses cookies that enable analysis of the Website's use. The information generated by the cookie may be transmitted to a Google server in the United States and stored there. Since IP anonymization is activated on the Website, Google will shorten the IP address of the Website visitor beforehand in member states of the European Union or other states party to the Agreement on the European Economic Area. Only in exceptional cases may the full IP address be transmitted to a Google server in the United States. On behalf of TicketOne, Google will use this information to evaluate the use of the Website, compile reports on Website activity, and provide TicketOne with additional services related to the use of the Website and the Internet.
The IP address transmitted by the user's browser within the framework of GA360 is not combined with other data from Google.
You may refuse the use of such cookies by selecting the appropriate settings on your browser.
Our websites use GA360 with the "_anonymizelp()" extension. As a result, IP addresses are further processed in anonymized form; personal reference can thus be excluded.
Further information on the terms of use and data protection is available at the following links:
- https://policies.google.com/terms?hl=en.
- https://policies.google.com/privacy?hl=en.
For an explanation of how Google uses data from third parties, see:
- https://policies.google.com/technologies/partner-sites?hl=en.
Please note that in connection with the use of GA360, if your personal data is transferred to the United States, this data transfer is based on the EU's standard contractual clauses, which ensure adequate protection of your personal data under Article 46 of the GDPR.
Data Processing for Personalized Recommendations on the Website (Product Recommendations)
When you visit the Website, we may analyze your usage behavior to display personalized recommendations on the Website based on this data. For this purpose, the processing involves the following data:
- IP address (shortened)
- Cookies
In this case, we process the data based on your consent as outlined in Article 6(1)(a) GDPR. If you wish to object to the processing of your data for this purpose, please adjust your preferences in the Cookie Preferences Center.
We inform you that we use a function on the Website to anonymize your IP address. This means that IP addresses are processed in a shortened form, excluding direct personal reference.
Data Processing for Advertising and Retargeting Purposes on Third-Party Websites and Social Networks
When you visit the Website, we may process your personal data for remarketing and display advertising activities, including through the use of social media advertising plug-ins.
In display advertising, we may run marketing campaigns using tags (pixels) and cookies from our retargeting providers.
When you visit the Website, these tags and cookies are set and associated with the products you have viewed or purchased. This allows you to see personalized product offers based on your preferences.
Furthermore, we may display banner ads to Facebook users who have a profile similar to that of our current customers and Website visitors. For this purpose, we may process the following data:
- The type of webpage accessed
- The product number viewed
- In the case of ticket purchase: the product number ordered, the sale value and the order number, as well as preferences and cookie IDs
For this purpose, we process your personal data based on your consent as per Article 6(1)(a) GDPR.
If you do not wish for your data to be processed for these retargeting activities, please adjust your preferences in the Cookie Preferences Center.
Regarding the use of Google and Facebook tags and cookies, your personal data is transferred to the United States. This data transfer is based on the EU Standard Contractual Clauses, ensuring adequate protection of your personal data as per Article 46 GDPR.
For further details on data processing by retargeting providers, please refer to their respective data protection information:
- Google Privacy Policy: https://policies.google.com/privacy?hl=en;
- SExplanation of Third-Party Data Use by Google:
https://policies.google.com/technologies/partner-sites
- Facebook Privacy Policy: https://www.facebook.com/privacy/explanation
If you have purchased a ticket from Grotte di Frasassi, a Google AdWords cookie is set on the Website. If, after purchasing, you enter corresponding search terms on Internet search engines, this cookie may allow you to see individualized suggestions for products and services from Grotte di Frasassi based on your purchase (search engine marketing). We process your data based on your consent as per Article 6(1)(a) GDPR. If you wish to object to data processing by Google AdWords, please adjust your preferences in the Cookie Preferences Center.
Regarding the use of Google AdWords, your personal data is transferred to the United States. This data transfer is based on the EU Standard Contractual Clauses, ensuring adequate protection of your personal data as per Article 46 GDPR.
For further details on the processing of your data by Google AdWords, please refer to the respective data protection information:
• Google AdWords Privacy Policy: https://policies.google.com/privacy?gl=GB&hl=en
• Explanation of Third-Party Data Use by Google:
https://policies.google.com/technologies/partner-sites
Additionally, we place ads (so-called social media ads) on social networks such as Facebook, Instagram, and Twitter. If you have an account on these social networks and agree through your account settings to view advertising and announcements related to our products and services, these ads are displayed based on your interests (e.g., "likes" clicked on artist pages) stored in your public profile on Facebook, Instagram, or Twitter. Consequently, the ads displayed are personalized based on your interests.
For this purpose, we inform you that we process your public social profile data.
In particular, to measure the effectiveness of the campaigns carried out, we process the following data based on your consent as per Article 6(1)(a) GDPR:
- Your IP address
- Your cookie ID
- Page and feed activity
- Internet speed
- Purchase activities and social connections
To perform the above activities, your data is transferred to the United States and thus processed outside the EU/EEA. This data transfer is based on the EU Standard Contractual Clauses, ensuring adequate protection of your personal data as per Article 46 GDPR.
For more details on this type of data processing, please refer to the privacy policies of the social networks Facebook, Instagram, and Twitter:
• Facebook: https://www.facebook.com/privacy/explanation
• Instagram: https://help.instagram.com/155833707900388
• Twitter: https://twitter.com/it/privacy
Cookies
When you use the Site, cookies are stored on your device.
Cookies are small text files that are assigned and stored on your device by the browser you use, and they enable certain information to be transferred to the entity setting the cookie.
These may also contain personal data, allowing us to make the Site easier to use and more effective.
Please note that cookies cannot transmit viruses to your device.
If you consent to the use of some or all cookies on your computer, a corresponding consent ID is generated and stored. You can modify your preferences at any time by accessing the "Cookie Preferences Center," located at the bottom left of every page on the Site and accessible by clicking on the cookie-shaped button.
This processing is carried out to fulfill contractual obligations as defined under Article 6, paragraph 1, letter c) of the GDPR.
2.B. Registration and Creation of a Customer Account on the Site
When you visit the Site, you can also register, thereby creating a customer account through which you can purchase tickets and enjoy other related benefits.
Registration and use of the customer account require you to provide Grotte di Frasassi with your personal data, some of which are mandatory (i.e., those marked in the input form).
In this case, we process your personal data to:
(i) Allow you to create and use your customer account and purchase tickets.
(ii) Verify the user in case of changes to personal data in the customer account.
(iii) Send you communications related to events for which you have purchased tickets.
This processing is carried out based on Article 6, paragraph 1, letters b) and f) of the GDPR, respecting our legitimate interest as well as for the performance of the ticket purchase contract.
2.C Ticket Purchase through Authorized Channels of Grotte di Frasassi
When you purchase a ticket on the Site or at our authorized sales points, we process the personal data you provide at the time of purchase.
In this case, data processing is carried out for the purpose of executing the ticket purchase contract under Article 6, paragraph 1, letter b) of the GDPR.
If you purchase a ticket for a third party, we process the personal data of the third party (name and, if applicable, contact details) provided by you for the personalization of the ticket and, if applicable, for sending the ticket to the third party. This data is also processed for the purpose of executing the purchase contract under Article 6, paragraph 1, letter b) of the GDPR.
If you provide third-party data at the time of ticket purchase, please ensure that they are sufficiently informed by you about the data processing carried out by Grotte di Frasassi and that you are authorized to provide us with this data.
Additionally, please note that if you fail to meet your payment obligations, we will initiate a collection procedure. For the execution of this procedure, we transfer your personal data to collection service providers who carry out the procedure on our behalf. In this case, we process your personal data for the execution and handling of the contract with you under Article 6, paragraph 1, letter b) of the GDPR and for our legitimate interest in enforcing our legal rights, including collection, under Article 6, paragraph 1, letter f) of the GDPR.
It should be noted that, for the purpose of executing and managing the contract under Article 6, paragraph 1, letter b) of the GDPR, your data necessary for the 3D-Secure 2.0 procedure is also processed. This procedure applies when you make payments on the Site with a credit card, to ensure the security of these payments and protect against the potential fraudulent use of credit card data. This is a global standard for card networks (e.g., VISA, VISA ELECTRON, MASTERCARD, AMERICAN EXPRESS, JCB, DINERS, DISCOVER, and POSTEPAY) that confirms that the person initiating a digital transaction is also authorized to use the respective payment card, or is intended to prevent misuse of your credit card. For more information on the procedure, see the Terms and Conditions of Purchase.
Depending on the circumstances, the credit institution may require the credit card holder to authenticate the payment transaction, for example, through a transaction authentication number or via an app. This procedure was introduced by European Directive 2366/2015 (PSD2).
Also, to ensure the security of payments made on the Site and prevent potential fraud, Grotte di Frasassi reserves the right to ask you, via email, to send a front-and-back copy of your identity card and, if the order holder is different from the cardholder, the identity card of the latter. The document must be valid. The email request will specify the deadline by which the document must be sent to Grotte di Frasassi. This deadline will not, in any case, exceed 5 working days from the receipt of the request by the user.
Please note that some events may require nominative tickets, which, when applicable, make the issuance of nominative tickets mandatory to comply with the following regulatory provisions:
- Reform to combat secondary ticketing: art. 1, paragraph 1100, law 30 December 2018 n. 145;
In the case of events subject to nominative tickets, we process your personal data (name, surname, and, in the cases of nominative tickets required under Ministerial Decree 6 June 2005, also place and date of birth) to comply with a legal obligation under Article 6, paragraph 1, letter c) of the GDPR.
2.D. Communications Regarding "Abandoned Cart"
If you have started a purchase process on the Site but did not complete it, by adding some items to the cart without completing the order, we will send you a reminder via App Push Notification or email to the email address indicated in your customer account related to the purchase process you started.
Please note that from this communication, you can directly access the Site to complete your purchase.
We collect and store your personal data to identify unfinished shopping carts. For this activity, the collection of your personal data is based on consent (Article 6, paragraph 1, letter a) of the GDPR).
Additionally, as part of marketing measures, we process your data to remind you of purchase processes you have not yet completed, based on your consent (Article 6, paragraph 1, letter a) of the GDPR).
2.G. Informational Emails, Newsletters, and App Notifications
If you wish to be informed about major upcoming events, access exclusive pre-sales, or receive promotions and special discounts, you can subscribe to the Newsletter Service, even without necessarily registering on the Site. Please note that for users not registered on the Site, requesting the activation of the Newsletter Service does not equate to registering on the Site. If you want to be informed about key dates for artists/events you are interested in, you can also subscribe to our Ticket Alert Service.
For users not registered on the Site, requesting activation of the Ticket Alert Service does not equate to registering on the Site.
We inform you that through the Newsletter, we may also provide you with personalized information about products and services, subject to your consent for profiling activities.
In all these cases, we process your personal data solely based on your consent as defined in Article 6, paragraph 1, letter a) of the GDPR.
If you have purchased a ticket from us (Section 2.C), we may send you informational emails to inform you, for example, about directions to the event location, parking details, organizer specifics (such as bag size allowed at the event), and other event-related information.
In this case, we process your personal data for the execution of the contract based on Article 6, paragraph 1, letter b) of the GDPR.
From the moment you subscribe to our Newsletter and/or Ticket Alert service, we analyze and document whether you open the Newsletter and/or Ticket Alert and how you use them. In this case, we process your personal data based on Article 6, paragraph 1, letter f) of the GDPR to pursue our legitimate interest in structuring the Newsletter/Ticket Alert service according to your needs and improving the offering of our marketing campaigns.
2.H. Customer Service
If you have any questions about events, ticket purchases, your customer account, or other products and services offered by Grotte di Frasassi, or if you wish to exercise your rights under this data protection policy or file a complaint, you can contact us directly using the contact information found in Section 9 of this policy.
Depending on the nature of your request, we may use the personal data stored in our systems that you have provided during other data processing activities (e.g., the data provided when purchasing tickets) to respond to your inquiries. In this case, your data is processed for the purpose of executing the contract as per Article 6, paragraph 1, letter b) of the GDPR.
If and to the extent necessary to respond to your request, we also collect data from external sources (for example, in the case of a request to the shipping service provider as part of a shipment tracking or an investigation request by the competent authorities).
If the processing is carried out to enable you to exercise your rights or to respond to requests from the competent authorities, your data will be processed to fulfill legal obligations pursuant to Article 6, paragraph 1, letter c) of the GDPR.
If you wish to inquire about our products and services or file a complaint, we will process your personal data for our legitimate interests in responding to your request based on Article 6, paragraph 1, letter f) of the GDPR.
2.I. Transaction Reversals on Orders
If necessary, we will reverse the transaction you made on the Site. In such cases, your data is processed based on Article 6, paragraph 1, letter b) of the GDPR.
If you did not purchase your ticket directly from us but received it as a gift from the purchaser and wish to request a refund due to the event's cancellation or postponement, we will process the data you, as a requester different from the purchaser, provide to us informally or via our refund platform.
In this case, we process your personal data to return your ticket and refund your order based on Article 6, paragraph 1, letter b) of the GDPR.
2.L. Soft spamming
We may use the email address you provided during a purchase on the Site and/or push notifications via the FrasassiExperiences App for direct marketing purposes, even without your consent, based on Article 130, paragraph 4 of the Privacy Code, provided it is for a service similar to those previously sold (so-called soft spamming). You may, however, refuse this processing at any time by communicating your objection to Grotte di Frasassi in the manner indicated in Section 8 of this policy. In this case, the processing is based on the legitimate interest of Grotte di Frasassi to offer you products or services similar to those of previous purchases, limited to the email address provided by you during the purchase.
2.M. Other
Internal Audit and Compliance
We implement compliance programs and measures in accordance with sector regulations, such as adhering to Consumer Code requirements and identifying and correcting any improper conduct. In this case, we may process your data accordingly. This is done to fulfill our legal obligations under Article 6, paragraph 1, letter c) of the GDPR.
Furthermore, for these purposes, we may process your personal data within the Eventim Group in Germany and abroad as part of internal group audits, in accordance with our legitimate interest in verifying the processes and efficiency of the group of companies, correcting any improper conduct, and preventing fraud, and, if necessary, asserting and/or defending our rights, based on Article 6, paragraph 1, letters c) and f) of the GDPR.
Preparation of Analyses
We may conduct analyses on the data we process under Section 2 of this policy. These analyses serve as a basis for making and modifying business decisions aimed at improving our products and services and adapting them to our customers' needs.
In such cases, due to our legitimate interest in improving our offering, we process your personal data based on Article 6, paragraph 1, letter f) of the GDPR.
Please note that the processing to conduct these analyses does not include any personal references, meaning that it is no longer possible to draw conclusions about your person through this processing.

3. Provision of Data and Consequences of Non-Provision

The provision of data for the fulfillment of contractual obligations, compliance with legal obligations, and in relation to the legitimate interest of Grotte di Frasassi is purely optional. However, since such processing is necessary to allow registration on the Site and the provision of services offered by Grotte di Frasassi through the Site, including ticketing services and the Newsletter and Ticket Alert services, failure to provide, partial or inaccurate provision of the requested data will result, depending on the case, in the inability to register on the Site and to use the online services provided by Grotte di Frasassi through the Site, and generally to carry out the contractual relationship established or to fulfill the obligations provided for by the contract or applicable law, or to process your specific requests. It also prevents the Company from sending you general information about products or services similar to those of a previous purchase, conducting market research aimed at assessing user satisfaction and improving services, or pursuing its legitimate interests (such as defending a legal right).
Please note that, with your consent, Grotte di Frasassi may process the personal data you provide to send you advertising material related to its or third-party products and/or services (data provision for marketing purposes). Additionally, personal data provided by you during a purchase on the Site may be processed by Grotte di Frasassi, with your consent, for profiling purposes, i.e., analyzing your consumption choices through the detection of the type and frequency of purchases made by you, in order to send you advertising material from Grotte di Frasassi or third parties of specific interest to you (data provision for profiling purposes).
With respect to the processing of your data for marketing and profiling purposes, please note that providing your data is purely optional, and the related processing is based on your consent, which is optional and revocable at any time. Non-provision will not affect your ability to register on the Site and use the services provided by Grotte di Frasassi through the Site, including the ability to make purchases, and will solely result in the following consequences:
- lack of consent to data processing for marketing purposes will make it impossible for you to receive advertising material related to products and/or services from Grotte di Frasassi and/or third parties;
- lack of consent to the processing of your personal data for profiling purposes will prevent Grotte di Frasassi from developing your commercial profile by analyzing your purchasing choices and habits on the Site (also to better meet customer needs and continuously improve services offered) and from sending you advertising material related to products and/or services from Grotte di Frasassi and/or third parties of specific interest to you.
Notwithstanding the above, it is understood that if you refuse consent to the processing of your personal data for marketing and profiling purposes, our Company may still use your data solely to fulfill legal obligations and obligations arising from contractual relationships established between you and Grotte di Frasassi and/or for pursuing its legitimate interest.
You may, in any case, revoke any consent given for marketing and profiling purposes at any time through the "Account" section of the Site or via the "Privacy Preferences" box provided during the purchase process.
It is understood that any subsequent revocation of consent does not affect the lawfulness of data processing carried out before such revocation.
Additionally, regarding so-called soft spam, please remember that you can object to the processing of your data by sending an email to the following address: privacy@ticketone.it.

4. Communication and Disclosure of Personal Data

Your data may be disclosed to the following categories of subjects ("recipients"), which will be further detailed in the continuation of this notice:
a) to all entities (including public authorities) that have access to personal data by virtue of regulatory or administrative provisions;
b) to third-party companies whose services are offered or sold through the Grotte di Frasassi Site (specifically, to companies or entities organizing concerts, shows, sports events, or other events whose tickets are sold through the Site), for the execution of all services related to the entry and enjoyment of events;
c) to banking institutions and companies that manage national or international payment circuits through which online payments for products purchased through the Site are made, also potentially for the reversal of transactions you have made on the Site;
d) to companies within the Eventim Group as part of an efficient work-sharing process when we provide, implement, and manage our products and services;
e) To all public and/or private entities, individuals, and/or legal entities (Judicial Offices, Chambers of Commerce, Chambers and Employment Offices, etc.), where the communication is necessary or functional for the proper fulfillment of the contractual obligations undertaken, as well as obligations arising from the law. The data concerning you will not be disseminated, except in anonymous and aggregated form, for statistical or research purposes.
In addition to the above, for the pursuit of the purposes described, personal data may be made accessible to third parties operating on behalf of Grotte di Frasassi, such as, but not limited to:
- companies or third parties responsible for printing, enveloping, shipping, and/or delivering tickets purchased through the Site;
- couriers or shippers responsible for delivering products purchased through the Site;
- companies, consultants, or professionals potentially responsible for the installation, maintenance, updating, and, in general, the management of Grotte di Frasassi's hardware and software or those used by Grotte di Frasassi to provide its services;
- companies or Internet providers responsible for sending documentation and/or informational material;
- companies responsible for processing and/or sending advertising and informational material on behalf of Grotte di Frasassi.
When you make a purchase, your data is also processed by the organizer for the execution of the contract, creating a situation of independent data ownership concerning the customer.
The transfer of data to the event organizer is based on the agreements made by Grotte di Frasassi with them under Article 26 of the GDPR and Article 6(1)(a) and (f) of the GDPR.
Please note that we have the right to make such a transfer even if there is suspicion that you have violated the organizer's terms and conditions, allowing the organizer to take legal action or assert other legal rights against you. This transfer is carried out for the implementation and execution of the contract under Article 6(1)(b) of the GDPR, as well as based on the legitimate interests of the respective organizer to assert their legal rights under Article 6(1)(f) of the GDPR.
In case you select PayPal as the payment option during the purchase, we transfer your personal data to process your payment. In this way, your personal data is transferred to the United States for the execution of the contract under Article 6(1)(b) in conjunction with Article 49(1)(b) and (c) of the GDPR.
Furthermore, your personal data is transferred to IT service providers who provide platforms, databases, and tools to manage our products and services (e.g., our website, ticket sales, sending of Newsletters and other informational emails/communications), create analyses of user behavior on the Site, allow the generation of marketing campaigns, and process your personal data on behalf of Grotte di Frasassi in the context of ticket purchases. In this case, the transfer of your personal data is carried out for the execution of the contract under Article 6(1)(b) of the GDPR, for our legitimate interest in improving and promoting our products, under Article 6(1)(f) of the GDPR, and provided you have given your consent to the processing under Article 6(1)(a) of the GDPR.
Beyond what is stated above, we only transfer your personal data when there is a legal obligation on our part to do so. The transfer occurs under Article 6(1)(c) of the GDPR (e.g., to police authorities in the context of criminal investigations or to data protection supervisory authorities).
In any case, the personal data processed will not be transferred to non-EU countries or outside the European Economic Area, except for the processing carried out in the context of the transfers declared in this notice.
Please note that for a range of services, there is an issue concerning the transfer of data to so-called Insecure Countries. Pending guidance from the Data Protection Authority and further investigation, Grotte di Frasassi limits itself at this stage to highlighting these cases and ensuring that, within the framework of the application of the European standard contractual clauses under Article 46 GDPR, all precautions are taken to protect the personal data of the user.

5. Duration of Data Processing

Please note that your personal data will no longer be processed for marketing and profiling purposes based on the guidelines provided by the data protection authority.
Specifically, we inform you that:
- after 48 months, your personal data will no longer be processed for marketing purposes.
- after 24 months, your personal data will no longer be processed for profiling purposes.
However, if you provide your consent again for one or both of these purposes, the data, including order history, may once again be used for the aforementioned purposes.
Except as indicated above, your data will be processed and retained for the entire duration of the contractual relationship and, subsequently, for the maximum period provided by applicable legal provisions concerning the statute of limitations and/or expiration of rights, and in general, for the exercise/defense of Grotte di Frasassi's rights in disputes initiated by public authorities, public entities, and private individuals.

6. Minors Under 16 Years of Age

Please note that the Site does not contain information, features, or services directly intended for users under 16 years of age. Minors should not provide information or personal data without the consent of their parents or legal guardians.
Grotte di Frasassi, therefore, urges all users under 16 not to provide any personal data under any circumstances without prior authorization from a parent or legal guardian.
If Grotte di Frasassi becomes aware that personal data has been provided by a minor (under 16), Grotte di Frasassi will immediately destroy such data or request the transmission of explicit consent from the parents (or legal guardian), reserving the right to prohibit access to the services available on the Site to any user who has concealed their minor status or who has otherwise communicated personal data without the consent of their parents (or legal guardian).

7. Data Subject Rights

As a data subject, you have the right to request the Controller to exercise the following rights:
Right of Access
You may request confirmation as to whether or not personal data concerning you are being processed and, if so, access to such data and specific information about the processing, such as, for example, the purposes, the categories of data being processed, and the existence of the other rights listed below. You may also request a copy of your data.
Right to Rectification
You have the right to request and obtain the rectification of personal data concerning you and/or the completion of incomplete personal data.
Right to Erasure
You may obtain the erasure of your data without undue delay if:
(i) the data are no longer necessary for the purposes for which they were collected
(ii) you have withdrawn your consent on which the processing is based (unless there is another legal basis for the processing)
(iii) you object to the processing of your data (as detailed below) and there is no overriding legitimate ground for the processing or if you object to the processing of your data for marketing or profiling purposes related to marketing
(iv) your data have been unlawfully processed
(v) your data need to be erased to comply with a legal obligation, or (vi) personal data of a child under 16 have been collected in relation to the offer of information society services. Please note that this right does not apply if the processing is necessary, among other things:
- for compliance with a legal obligation
- for the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing
You have the right to obtain the restriction of processing in the event of:
- disputing the accuracy of the personal data concerning you, for the period necessary for the Controller (Company) to verify the accuracy of such data
- unlawful processing and your request for restriction of use instead of deletion
- your need for the data for the establishment, exercise, or defense of a legal claim
- your objection to the processing, as detailed below, pending verification of the overriding legitimate grounds of the Controller.
Right to Data Portability
You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format and to transmit them to another Controller in cases where the processing is based on consent or concerns special categories of data processed on the basis of your consent, or the processing is based on the performance of a contract and is carried out by automated means.
You also have the right to obtain the direct transmission of the data from one Controller to another, where technically feasible.
This does not affect your right to request the deletion of data as mentioned above.
Right to Object
You have the right to object at any time to processing based on the legitimate interests of the Controller, unless the Controller demonstrates compelling legitimate grounds for the processing that override your interests, rights, and fundamental freedoms, or for the establishment, exercise, or defense of a legal claim..
Additionally, you have the right to lodge a complaint with the Supervisory Authority.
The rights listed above may be exercised by making an informal request to the Controller. The request can be sent to the Controller by mail or email to the following addresses: Largo Leone XII n. 1, 60040 Genga, and/or to: privacy@frasassi.com.

8. Contacts

All requests and inquiries related to the processing of your personal data may be addressed to the Controller at the following addresses:
- Grotte di Frasassi Srl, largo Leone XII n. 1, 60040 Genga
- Email address: privacy@frasassi.com;
Additionally, we inform you that the Grotte di Frasassi has appointed a Data Protection Officer who can be contacted for matters related to the processing of personal data at the above address or via email at: privacy@frasassi.com
This privacy notice will be effective from February 1, 2023.
Lastly, you can view the previous privacy notice at the following link:
www.frasassi.com/privacy