12.1 Privacy policy AI-powered museum guide

PERSONAL DATA PROCESSING PRIVACY POLICY

pursuant to Article 13 of Regulation EU 2016/679

AI-powered museum guide (Additional service for visitors to the museum)

Introduction

Dear user, the ‘European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data’, requires the protection of natural persons and other entities in relation to the processing of personal data.

This notice only concerns the additional service known as ‘UranIA – Esplora, chatta, scopri‘ (‘UranIA – Explore, chat, discover’). For information on how we process data relating to the purchase of a museum ticket and other related activities, please refer to the relevant privacy notices.

MUSE – MUSEO DELLE SCIENZE (‘MUSE – Trento Science Museum’, ‘MUSE’), in its capacity as the ‘Data Controller’, informs you of the purposes and methods of collection and processing of your personal data. More specifically, the following information is provided.

1. Identity and contact details of the data controller

The Data Controller is MUSE – MUSEO DELLE SCIENZE located in Corso del Lavoro e della Scienza, 3 – 38122 Trento, Italy. You can contact the data controller using the following contact details:

Phone: +39 0461.270311
E-Mail: amministrazione@muse.it
Certified e-mail (locally known as PEC): museodellescienze@pec.it

2. Identity and contact details of the Data Protection Officer

The Data Protection Officer of MUSE – MUSEO DELLE SCIENZE is QSA S.r.l. – ENGINEERING CONSULTING TRAINING, with headquarters in Via alla Marcialonga No. 3, 38030 Ziano di Fiemme (TN), Italy. Below are the contact details where the Data Protection Officer may be reached:

E-mail: privacy@qsa.it
Certified e-mail (locally known as PEC): privacy.qsasrl@pec.it

3. Purpose and legal basis of the processing

The MUSE – Trento Science Museum has created an interactive museum tour guide in collaboration with Erlang Solutions Limited. The guide uses artificial intelligence (AI) to access a scientific database specifically developed by the museum, and to interact with users. Users interact with the guide via the Whatsapp messaging platform, using their own device and account, after entering the code provided by the museum. This enables visitors to use the interactive guide via text and/or voice messages for the duration of their visit. The providers of the AI systems used by the museum declare that they comply with the standards set out in the GDPR (General Data Protection Regulation) and are signatories to the ‘General-Purpose AI Code of Practice’. However, please note that we advise you not to provide the chatbot with any personal information.

Use of chatbot
Any data you provide during conversations with the AI system will be processed by museum staff for the purpose of organising the service.

The lawful basis for processing your data for these purposes is the performance of a task carried out in the public interest (Articles 6(1)(e) and 9(2)(g) of the GDPR), specifically to inform, engage in dialogue with, and inspire discussion among visitors on themes relating to nature, science, and a sustainable future. The Museum is responsible for this purpose pursuant to Article 2 of the Provincial President’s Decree No. 4 – 62/Leg of 11 March 2011.

4. Method of processing

The processing of personal data is carried out for the stated purposes using manual, computer and telematic tools, applying logic strictly related to the purposes themselves and in ways ensuring the security and confidentiality of the data in accordance with the aforementioned law.

5. Categories of third parties to whom the data may be communicated

MUSE – MUSEO DELLE SCIENZE may disclose your personal data to the following entities:

Firms and companies in the context of professional assistance and consultancy relations;
Public authorities, subject to the necessary prerequisites;
Insurance and legal institutions;
Technicians to maintain and manage the IT infrastructure system;
Contractors involved in the management of services offered by the Museum;

The entities mentioned above operate, in some cases, entirely on their own as separate Data Controllers; in other cases, they act as Data Processors and are, as such, specifically appointed by the Data Controller in accordance with Article 28 of the GDPR. You may request a list of the Data Processors using the contact details of the Data Controller provided under 1 above.

6. Duration of processing and storage

Your data will only be processed for as long as is necessary to achieve the above purposes and, in any case, only until the activation activities (training and quality checking of the AI’s responses) are complete. As a rule, data is anonymised before being stored.

7. Transfer of data outside the European

As a rule, the data collected is not transferred to non-European countries. However, in certain specific cases, collected data may be transferred to non-European countries, but only to entities that have subscribed to a set of rules certified by the European Commission as ensuring an adequate level of protection (e.g. the Data Privacy Framework).

8. Rights as the data subject

In your capacity as a data subject, you may assert the rights set forth in Articles 15 and following of the GDPR, and in particular:
Rights of access, rectification, amendment and erasure of data, portability, limitation of processing and withdrawal of consent given.

(a) According to Regulation EU 2016/679, you have the right at any time to obtain from the Data Controller access to your data, as well as the rectification, amendment or cancellation of such data. Within 30 days of submitting your request, including by electronic means, you will be provided with a written response.

(b) You also have the right to object to or request the restriction of the processing, for legitimate reasons and in the cases set out in Articles 18 and 21 of EU Reg. 2016/679.

(c) You may revoke at any time any previous consent to data processing given for the purposes determined in this notice.

(d) You may also exercise the right to data portability, by requesting that the Data Controller transmit the data to another data controller.

To exercise the above rights, please use the contact details of the Data Controller indicated in point 1.

Right to lodge a complaint with the supervisory authority
If you believe that your data have been processed unlawfully or in breach of applicable law provisions, you will be entitled to lodge a complaint with the Supervisory Authority.