Privacy & cookie policy

Information pursuant to Article 13 of Regulation (EU) No. 2016/679 ("GDPR")

Last update 19.05.20

mfCLassrooms protects the confidentiality of your personal data and guarantees it the necessary protection from any risk of violation.

Unlike other online services, mfClassrooms does not sell music lessons, does not advertise any particular school, method or teacher and above all does not come into direct contact with students in any way. Furthermore, mfClassrooms is particularly attentive to the privacy of Teachers and Students and will never sell, give or transfer their data to third parties for commercial, marketing or profiling purposes.

As provided for by the European Union Regulation no. 2016/679 ("GDPR"), and in particular Article 13, below we provide the user (or, according to the terminology of the GDPR, the data subject) with information relating to the processing of their personal data.


Who we are and what data we process (Article 13, paragraph 1, letter a, Article 15, letter b GDPR)

The Data Controller is Associazione Mendelssohn, in the person of its legal representative pro tempore Roberto Prosseda, with registered office in Via Abamonti 1, 20129 Milan, VAT number IT06585780965, and can be contacted at The Controller collects and/or receives information regarding the user, such as:

Personal data (e.g. name, surname, physical address, date of birth, nationality, province and municipality of residence, fixed and/or mobile phone, fax, tax code, e-mail address(es))

Bank data (e.g. IBAN and bank/postal data (except credit card number)

Telematic traffic data (e.g. Log, source IP address)

mfClassrooms does not require the data subject to provide so-called "special category" data, i.e., in accordance with the provisions of the GDPR (art. 9), personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data aimed at uniquely identifying a natural person, data concerning the health or sexual life or sexual orientation of the person.

For any information or request the data subject may contact


For which purposes we need personal data (art. 13, 1st paragraph GDPR)

The data are used by the Controller to follow up the registration request and the supply contract of the Platform, to provide assistance, to fulfil the legal and regulatory obligations to which the Controller is bound in relation to the activity carried out.

In no case mfClassrooms resells your personal data to third parties or uses them for undeclared purposes.

In particular, the data of the data subject will be processed for:

(a) the request for information material (pre-contractual phase)

The processing of the personal data of the interested party takes place in order to carry out the preliminary activities and subsequent to the request for information and / or sending information material, as well as for the fulfillment of any other obligations arising, during the phase prior to the establishment of a contractual relationship.

The legal basis of these treatments is the fulfilment of the services inherent to the request for information and/or the sending of information material and the respect of legal obligations.


(b) user registration and management of the contractual relationship

The processing of the user's personal data is carried out in order to carry out the activities prior to and consequent to the purchase of the service, the management of the relative order, the provision of the service itself, the relative invoicing and payment management, the handling of complaints and/or requests for support and/or reports to the assistance service and the provision of the assistance itself, as well as the fulfilment of any other obligation deriving from the contract.

The legal basis for these treatments is the fulfilment of the services inherent to the contractual relationship and the respect of legal obligations.

(c) promotional activities on Services/Products similar to those purchased by the person concerned (Recital 47 GDPR)

The Controller will not be able to use the contact data communicated by the subject, for the purposes of direct sales of its Services/Products.


(d) computer security

The Data Controller, in line with the provisions of Recital 49 of GDPR, processes, also through its suppliers (third parties and/or recipients), the personal traffic data of the data subject to the extent strictly necessary and proportionate to ensure network and information security.

The Data Controller will promptly inform the parties concerned if there is a particular risk of violation of their data, without prejudice to the obligation set forth in art. 33 of the GDPR regarding notifications of personal data violation.

The legal basis of these treatments is the respect of legal obligations and the legitimate interest of the Controller to carry out treatments inherent to purposes of protection of the company's assets and security of its systems.


Communication to third parties and categories of recipients (Article 13, paragraph 1 GDPR)

The communication of the user's personal data mainly takes place towards third parties and/or recipients whose activity is necessary to carry out the activities inherent to the relationship established and to respond to certain legal obligations, such as:

Categories of recipients


Third-party suppliers of the Mendelssohn Association

Administrative, accounting and contractual performance-related tasks

Provision of services (support, maintenance, provision of additional services, providers of electronic communications networks and services) related to the provision requested

Credit and digital payment institutions, Bank/Postal Institutions

Management of receipts, payments, refunds related to the contractual service

External professionals/consultants and consulting firms

Fulfilment of legal obligations, exercise of rights, protection of contractual rights, debt recovery

Financial administration, Public bodies, Authorities

Judicial, Supervisory and Control Authority

Fulfillment of legal obligations, defence of rights; lists and registers kept by public authorities or similar bodies under specific legislation, in relation to the contractual performance



The Data Controller imposes on its Third Party suppliers and the Data Processors the respect of security measures equal to those adopted in relation to the data subject, restricting the scope of action of the Data Processor to the processing connected to the requested service.

The Controller does not transfer personal data to countries where the GDPR is not applied (non-EU countries).

The legal basis for these treatments is the fulfilment of the services inherent to the established relationship, the respect of legal obligations and the legitimate interest of Associazione Mendelssohn to carry out treatments necessary for these purposes.


What happens if the user does not provide his identified data as necessary for the performance of the requested service? (Art. 13, 2nd paragraph, letter e GDPR)

The collection and processing of personal data is necessary to provide the Service. If the interested party does not provide the personal data expressly provided for as necessary at the time of registration, the Controller will not be able to follow up the processing related to the management of the contract or the consequent fulfilments.


How we process the data of the interested party (art. 32 GDPR)

The Controller provides for the use of appropriate security measures in order to preserve the confidentiality, integrity and availability of personal data of the data subject and imposes similar security measures on third party suppliers and Managers.


Where we process user data

The personal data of the data subject are stored in paper, computer and telematic archives located in countries where the GDPR is applied (EU countries).


How long are the data of the Data Subject stored for? (art. 13, 2nd paragraph, letter a GDPR)

Unless you explicitly express your wish to remove them, your personal data will be kept for as long as it is necessary for the legitimate purposes for which it was collected.

In particular, they will be kept for the duration of its registration and in any case no longer than a maximum period of twelve months of its inactivity.

It should also be added that, in the event that a user submits unsolicited or unnecessary personal data to the Data Controller for the purpose of performing the requested service, the latter will not be considered the Controller of such data, and will delete them as soon as possible.

In any case, personal data will be kept for the fulfilment of the obligations (e.g. fiscal and accounting obligations) that remain even after the termination of the contract (art. 2220 Civil Code); for these purposes, the Controller will keep only the data necessary for the relative pursuit.

This is without prejudice to cases in which the rights deriving from the contract and/or registration are asserted in court, in which case the user's personal data, exclusively those necessary for such purposes, will be processed for the time necessary to pursue them.


What is the source of personal data processed (with reference to non-private teacher and student users)

The personal data of (non-private) teachers and students come from the institutions of reference and are entered into our systems at the time of registration and updated when necessary. The Data Controller is not responsible for the processing of these data carried out by the Institution and assumes that the communication of such data by the Institutions is in compliance with the regulations on the protection of personal data.

Which is the source of the personal data processed (with reference to the users Private teacher and his Student)

The personal data of private lecturers and their students comes from each private lecturer and is entered into our systems at the time of registration and updated when necessary. The Data Controller is not responsible for the processing of these data carried out by the Private Teacher and assumes that the communication of such data by the Teacher is in compliance with the regulations on the protection of personal data.


What are the user's rights? (Articles 15 - 20 GDPR)

The rights of the data subject are set out in Articles 15 - 20 of the GDPR.

According to art. 15 (Right of access by the data subject), the data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning him/her are being processed and, if so, to obtain access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organisations;

(d) where possible, the intended period of retention of personal data or, if that is not possible, the criteria used to determine that period;

  1. e) the existence of the right of the data subject to ask the data controller to rectify or delete personal data or to limit the processing of personal data concerning him/her or to object to its processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the data are not collected from the data subject, all available information on their origin.

The data controller provides a copy of the personal data being processed. In case of further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the data subject submits the request by electronic means, and unless otherwise indicated by the data subject, the information shall be provided in an electronic format in common use. The right to obtain a copy shall not adversely affect the rights and freedoms of others.


According to Article 16 (Right of rectification) the data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning him/her without undue delay. Having regard to the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.


According to Article 17 (Right to erasure, so-called "right to be forgotten") the data subject has the right to obtain from the data controller the erasure of personal data concerning him/her without undue delay and the data controller is obliged to erase personal data without undue delay, if one of the following reasons exists:

  1. a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

(b) the person concerned revokes the consent given;

(c) the data subject opposes the processing;

(d) personal data have been processed unlawfully;

(e) personal data must be erased in order to comply with a legal obligation under Union law or the law of the Member State to which the controller is subject;

If the data controller has disclosed personal data to the public and is obliged to delete them, taking into account available technology and implementation costs, it shall take reasonable measures, including technical measures, to inform the data controller who is processing the personal data of the data subject's request to delete any link, copy or reproduction of his personal data.

The right is excluded in some cases expressly provided for in Article 17 of the GDPR.

Finally, the data subject has the right to obtain from the data controller the limitation of processing when one of the cases expressly provided for in Article 18 (Right to restriction of processing) and the right to data portability (Article 20), or the right, in the cases provided for by the rule, to receive in a structured format, in common use and readable by automatic device the personal data concerning him/her provided to a data controller and has the right to transmit such data to another data controller without hindrance by the data controller to whom it has provided them.


How and when can the data subject object to the processing of his/her personal data? (Art. 21 GDPR)

For reasons relating to the particular situation of the data subject, the data subject may object at any time to the processing of his/her personal data if it is based on a legitimate interest or if it is carried out for commercial promotion activities.

The interested party has the right to the deletion of his/her personal data if there is no legitimate reason prevailing over that which gave rise to the request, and in any case if the interested party has opposed the processing for commercial promotion activities.


To whom can the user complain? (Art. 15 GDPR)

Without prejudice to any other action in administrative or judicial proceedings, the data subject may submit a complaint to the supervisory authority competent on Italian territory (the Italian Data Protection Authority) or to the authority which carries out its duties and exercises its powers in the Member State where the breach of the GDPR occurred.


Cookie policy

Cookies are small text files that the web server deposits on the device with which the user navigates, without identifying him/her. A cookie cannot read personal data saved on the hard disk or cookie files created by other sites, as the only information it can contain is that provided by the user himself.

The mfClassrooms Platform uses cookies as described below:

technical cookies: mfClassrooms uses technical cookies, which are not permanently stored on the user's computer and are necessary to enable the safe and efficient exploration of the site. This use is limited to session cookies and in general to domain cookies, such as user preference cookies and tracking cookies. The use of such cookies does not allow the acquisition of personal identification data of the user and is necessary in order to avoid the use of other computer techniques potentially prejudicial to the confidentiality of users' browsing.

cookie analytics: the Service uses Google Analytics, a web analytics service provided by Google, which adheres to the privacy principles established by the U.S. government (US Safe Harbor Privacy Principles), whose Privacy Policy please refer to. Google Analytics uses cookies for statistical purposes and collects information in aggregated form only, without associating the user's browsing IP address with any other data held by Google itself. We have adopted tools that reduce the identification power of cookies by masking significant portions of the IP. In addition, Google Analytics settings have been activated so that Google does not cross-reference the data collected with other information it already has.

third party profiling cookies: The Platform does not use third party cookies.

By browsing the site and using mfClassrooms, you accept the functionality related to cookies, which may be disabled using the specific options available in different browsers.


Any update of this information will be communicated promptly by updating this page and in any case through the website

compatibility and ease of use: 

mfClassrooms does not require you to download any software or app, and works both from PCs, Android tablets and iPads, and from Android and iPhone smartphones..
“It is very easy to use, even for those who are not familiar with computers.”

Copyright © 2024