1. Our Commitment to Your Privacy
Stichting ITECA (ITECA Foundation, Chamber of Commerce KvK 71180737), a non-profit legal entity duly represented by its President (hereinafter “the Foundation”, “ITECA”, or “ITECA Foundation”), attaches the highest importance to the protection of personal data and to compliance with applicable data protection and privacy laws.
The Foundation acts as the Data Controller for personal data processed within the framework of the artistic activities, projects, and archives relating to the works of Paolo Maria Pavan (“MISA”), photographer and visual artist whose oeuvre is managed and curated by the Foundation.
All processing of personal information, including photographic portraits, is carried out in accordance with the General Data Protection Regulation (GDPR) and the Dutch Implementation Act (UAVG).
Personal data are handled with integrity, transparency, and respect for the rights of the data subjects portrayed. Each processing activity is designed to meet the requirements of lawfulness, necessity, and proportionality, ensuring that the data are collected and used only for clearly defined purposes.
Certain processing activities, in particular those relating to the creation, publication, exhibition, and dissemination of artistic works, are also governed by the principle of freedom of expression and information.
This principle, recognised under Article 85 GDPR and implemented by Article 43 of the UAVG, provides a legal framework to reconcile the protection of personal data with the exercise of artistic and editorial freedom.
Accordingly, where processing is undertaken for artistic or cultural expression, specific GDPR provisions may be limited to the extent strictly necessary to preserve the autonomy and integrity of artistic creation.
2. Data Controller and Contact Information
The Data Controller responsible for processing personal data within the framework of this artistic project is Stichting ITECA (ITECA Foundation), Chamber of Commerce KvK 71180737, a non-profit legal entity duly represented by its President.
All questions, data-access requests, or privacy inquiries can be addressed to:
Email: privacy@iteca.nl
Postal address: De Stuwdam 33–35, 3815 KM Amersfoort, The Netherlands
3. Purpose of Processing and Categories of Data
Activity | Category of Personal Data | Purpose | Legal Basis |
Organization and administration of photographic sessions | Identification data (name, contact details), administrative data (emails, correspondence, consent forms) | To organize and manage participation in photographic sessions and related artistic projects | Legitimate interest (Art. 6(1)(f) GDPR) in the exercise of artistic freedom under Art. 85 GDPR / UAVG 43 |
Creation, publication, and exhibition of photographic works | Visual data (photographic portraits, related metadata) | To create, exhibit, and publish works in artistic, editorial, and cultural contexts | Legitimate interest (Art. 6(1)(f) GDPR): artistic expression under Art. 85 GDPR / UAVG 43 |
Archival and documentary preservation | Identification data, visual data, metadata | To preserve the artistic archive as part of MISA’s legacy and ITECA’s cultural patrimony | Legitimate interest (Art. 6(1)(f) GDPR): artistic expression under Art. 85 GDPR / UAVG 43 |
Communication and dissemination of works | Visual data (photographs, metadata), identification data (as relevant for credits) | To communicate and promote artistic works via official catalogues, exhibitions, or online platforms | Legitimate interest (Art. 6(1)(f) GDPR): freedom of expression and information under Art. 85 GDPR / UAVG 43 |
Contact form on website | Name, phone number, email address (fields required by the form) | To respond to inquiries and manage correspondence initiated by website visitors | Legitimate interest (Art. 6(1)(f) GDPR): to respond to user-initiated communication |
Website operation (technical cookies only) | Technical identifiers (session cookies, IP address, device and browser type, timestamp) | To ensure proper functioning, security, and optimisation of the website | Legitimate interest (Art. 6(1)(f) GDPR): operation of a secure, functional website; no tracking or marketing cookies used |
No special categories of personal data within the meaning of Article 9 GDPR are intentionally collected.
According to the Telecommunicatiewet Art. 11.7a, technical cookies are strictly necessary for the technical operation of the site and do not require prior consent.
4. Lawful Basis for Processing
4.1 Artistic/editorial processing (primary basis).
Processing of personal data (including portraits) for the creation, publication, exhibition, and preservation of artistic works is carried out under Article 6(1)(f) GDPR (legitimate interests), with the articulated interest being the exercise of freedom of expression and information. This sits within the framework of Article 85 GDPR as implemented by UAVG Article 43, which provides derogations from certain GDPR provisions where processing is exclusively for artistic or literary expression. We apply necessity and proportionality, secure the material appropriately, and document our balancing.
4.2 Administrative operations.
For ancillary administration strictly necessary to run the project (e.g., scheduling, contact, delivery of selected images), we process minimally under Article 6(1)(f) GDPR (legitimate interests).
4.3 Effect of Article 85/UAVG 43 derogations.
When processing is exclusively for artistic expression, certain GDPR provisions, including Chapter III data-subject rights and some transparency and transfer obligations, may not apply to the extent necessary to protect freedom of expression; core principles and security still guide our processing. Requests are nevertheless considered through our voluntary online takedown/hardship channel described in this statement.
5. Retention, Archiving, and International Dissemination
All personal data and photographic materials collected in the context of MISA’s artistic activity form part of the author’s archive, preserved for artistic, cultural, and documentary purposes within the meaning of Article 85 GDPR and its Dutch implementation, UAVG Article 43.
Retention Period
Data are retained without a predefined time limit, insofar as necessary to preserve the integrity of the artistic record and the continuity of MISA’s work. Indefinite retention is justified because these materials constitute an integral part of artistic expression and cultural heritage, and their ongoing preservation is essential to the exercise of freedom of expression and information.
Outside this artistic and archival framework, personal data are retained only for as long as required to fulfil the specific purpose for which they were collected.
Archival Principles
Archival processing follows the principles of necessity, proportionality, and security. Original and reproduced materials are securely stored under the supervision of the ITECA Foundation, using EU-based storage infrastructure such as NextCloud or equivalent providers located within the European Economic Area. Access is restricted to authorised persons engaged in curatorial, conservation, or research tasks, all of whom are bound by confidentiality obligations.
International Dissemination and Data Transfers
Because artistic expression inherently involves public exhibition and worldwide publication, certain data (including portraits) may be made accessible outside the EEA through online display, catalogues, or social-media channels. Such dissemination constitutes an international transfer of personal data, but it occurs exclusively for artistic and editorial purposes and falls within the derogations permitted under Article 85 GDPR and UAVG Article 43. Where technically feasible, MISA and the ITECA Foundation ensure that hosting, communication, and publication platforms apply adequate safeguards consistent with the GDPR’s data-protection principles.
Outside this specific framework of artistic dissemination, any international transfer of personal data, for example, for administrative coordination, correspondence, or technical maintenance purposes, will only take place in compliance with Chapter V of the GDPR. In such cases, transfers will occur either (i) to countries covered by a valid adequacy decision of the European Commission, or (ii) under Standard Contractual Clauses or equivalent safeguards ensuring that the level of protection of natural persons guaranteed by the GDPR is not undermined.
Deletion or Takedown
As the works are recognised as part of an artistic archive, complete deletion of portraits or personal data is generally not possible once publication, exhibition, or cataloguing has occurred.
Nevertheless, data subjects may request removal from online or social-media publications.
Such requests will be reviewed individually through the procedure described later in this statement, balancing the data subject’s interests with the protection of artistic freedom.
Outside this specific framework, these requests will be treated according to section 7.
6. Security Measures
All personal data and photographic materials are stored within the European Economic Area using cloud infrastructure located in the EU (such as NextCloud or equivalent providers).
Retouching, layout, and any related processing activities are carried out internally or by collaborators within the European Union, each bound by a non-disclosure agreement (NDA) and acting solely within the artistic purpose of the project. No processing or storage takes place outside the EEA, except where publication or online display inherently involves international accessibility as described in Section 5. All service providers and collaborators are periodically reviewed or replaced to maintain full compliance with data-protection and technical-security standards.
7. Data-Subject Rights and Applicable Exceptions
Data subjects have the following rights under the General Data Protection Regulation (GDPR):
Right of access: to obtain confirmation whether personal data are being processed and to receive a copy of such data;
Right to rectification: to request correction of inaccurate or incomplete personal data;
Right to erasure (“right to be forgotten”): to request deletion of personal data under the conditions of Article 17 GDPR;
Right to restriction of processing: to request limitation of processing in specific circumstances;
Right to data portability: to receive personal data in a structured, commonly used, and machine-readable format and to transmit them to another controller;
Right to object: to object, on grounds relating to one’s particular situation, to processing of personal data based on legitimate interest;
Right not to be subject to automated decision-making, including profiling.
Application of the Artistic-Expression Exception
In accordance with Article 85 GDPR and UAVG Article 43, these rights may be restricted where their exercise would seriously impair or prevent the realisation of artistic or editorial expression.
This exception applies only to the extent strictly necessary to protect freedom of expression and information.
Requests for access, rectification, or takedown will always be reviewed individually and answered transparently, balancing the rights of the data subject with the legitimate interest in preserving artistic integrity and cultural heritage.
Where the exception does not apply, data-subject requests will be handled in accordance with Article 12(3) GDPR, and a substantive response will be provided within one month of receipt.
8. Contact and Supervisory Authority
For any questions, concerns, or requests regarding the processing of personal data under this Privacy Statement, please contact:
GDPR Contact:
Email: privacy@iteca.nl
Postal address: De Stuwdam 33–35, 3815 KM Amersfoort, The Netherlands
Requests submitted under the GDPR will be reviewed and handled in accordance with the applicable procedures described in Section 7.
If a data subject believes that their personal data have been processed in violation of the GDPR, they have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): https://autoriteitpersoonsgegevens.nl.
If you reside outside the Netherlands, you may also lodge a complaint with your local supervisory authority.
9. Joint Processing of Personal Data
For certain activities, Stichting ITECA (ITECA Foundation, Chamber of Commerce KvK 71180737), a non-profit legal entity duly represented by its President, and Palazzo Italia B.V., operating under the trademark ALTROVERSO, act as joint controllers within the meaning of Article 26 GDPR. This joint controllership applies specifically to the promotion, communication, exhibition, and worldwide distribution of the photographic works created by Paolo Maria Pavan (“MISA”) and managed or disseminated through ALTROVERSO..
The parties have determined their respective responsibilities for compliance with data-protection obligations:
MISA / ITECA Foundation retains primary responsibility for the creation, storage, and archival integrity of the artistic materials;
Palazzo Italia B.V. (ALTROVERSO) is responsible for the distribution, public communication, and media dissemination of such materials.
The ITECA Foundation serves as the primary contact for data-protection questions concerning joint processing activities, but you may contact either party using the contact details provided in Section 8 of this Privacy Statement. Both entities have agreed to cooperate fully in handling data-subject requests and ensuring that data subjects may effectively exercise their rights under the GDPR.
10. Amendments
This Privacy Statement may be amended or updated from time to time to reflect changes in legal requirements, artistic practice, or data-processing operations. Any material modifications will be published in the most recent version available online or otherwise communicated through the official channels used for the project. The date of the latest revision will always be indicated at the top of the document. Substantive changes that significantly affect participants’ rights or the scope of processing will be communicated in advance whenever feasible.
