We hereby inform you that, pursuant to Articles 13 and 14 of EU Regulation 679/2016 (hereinafter referred to as ‘GDPR’), your data provided to us through the use of the website fondazionesomaschi.it (hereinafter, also just ‘Site’) will be processed as follows, in accordance with the principles of fairness, lawfulness, transparency and protection of your confidentiality and your rights. This information provides the user (Data Subject) with any further information necessary to ensure fair and transparent processing, in relation to the specific context in which personal data are collected and subsequently processed.

This information is provided only for the Site and its related sub-domains and not for third party websites accessible through hypertext links contained in the Site, for which the Data Controller is in no way responsible. For such processing, the respective Data Controllers shall provide independent information.

Purpose of processing

(The purpose of data processing)

• Monitoring the technical operation and performance of the Site, allow technical assistance and maintenance and, in general, the activities instrumental to ensuring the proper functioning of the Site
• Obtaining anonymous statistical information on the use of services (most visited pages, number of visitors per time slot or per day, geographical areas of origin, etc.)
• Evaluating the application by filling in the work with us form and sending a curriculum vitae if necessary
• Responding to requests sent by e-mail or by filling in the online form
• Working with the Foundation as a volunteer
• Allowing subscription to the newsletter for commercial and promotional communications by e-mail.
• Allowing the online purchase of solidarity products
• Fulfilling legal obligations in the field of taxation and accounting

Legal basis of processing and nature of the provision of data

The Data Controller processes your anonymous navigation data in order to monitor the technical operation and performance of the site, to understand how to improve services and make them evolve. This data is necessary to ensure the provision of the site (purposes 1 and 2).

The optional, explicit and voluntary sending of messages to the contact addresses, as well as the filling in and forwarding of the Contact Forms from the Site, imply the acquisition of the sender’s contact data, necessary to reply/manage the requests, as well as all the personal data included in the communications.  The processing for this purpose is based on the relationship established between the Controller and the interested party relating to the sending of the aforementioned information. The provision of all necessary data is compulsory and without it, it will be impossible to manage the requests of the interested party (purposes 4, 6).

Receipt of communications of a commercial and promotional nature to your email inbox is based on consent (purpose 7). Should you decide to subscribe to our newsletter, either through the website or by filling in one of the contact forms on our Marketing channels, we inform you that you may revoke your registration at any time.

The donation and online purchase of solidarity products involves the acquisition of data necessary to fulfil legal and contractual obligations (purposes 5 and 8).

Specific free and informed consent is required for the assessment of the application; if denied, we will not be able to consider it (purpose 3).

Target audience

(Persons to whom data may be disclosed)

In addition to the Data Controller, other subjects involved in the organization (appointed personnel) or external subjects (third party technical service providers, hosting providers, any other external consultants) also appointed, if necessary, as Data Processors by the Data Controller, may have access to the Data. The updated list of Data Processors can be requested at any time from the Data Controller.

Dissemination

In no case will personal data be communicated, disseminated, transferred or otherwise transferred to third parties for unlawful purposes and, in any case, without providing adequate information to the Interested parties and obtaining their consent, where required by law. This is without prejudice to the possible communication of data upon request of judicial authorities or public security, in the manner and in the cases provided for by law.

Processing methods

The processing will be carried out using paper and/or electronic instruments, also by authorized persons, who operate under the direct authority and according to the instructions given by the Data Controller, with logic strictly related to the purposes indicated and, in any case, in such a way as to guarantee the security and confidentiality of the processed data.

Processing operations are carried out in such a way as to guarantee the security of data and systems. Specific security measures are adopted in order to minimize the risks of destruction or loss, including accidental loss, of the data; unauthorized access, unauthorized processing or processing that is not in accordance with the purposes specified in this information notice. In particular, the Website uses the HTTPS protocol for server authentication and communication channel encryption. The security measures adopted, however, do not allow the absolute exclusion of risks of interception or compromise of personal data transmitted by telematics. We therefore recommend that you check that the device you are using is equipped with appropriate software systems to protect the telematics transmission of data, both incoming and outgoing (such as, for example, up-to-date antivirus systems, firewalls and anti-spam filters).

Data transfer abroad

Personal data will not be transferred abroad, to non-EU Countries or International Organizations that do not guarantee an adequate and recognized level of protection pursuant to Article 45 GDPR, based on an adequacy decision by the EU Commission. In the event that, it is necessary for the provision of the Website services the transfer of personal data to non-EU countries or International Organizations, for which the Commission has not adopted an adequacy decision pursuant to Article 45 GDPR, will take place only if there are adequate safeguards provided by the recipient country or Organization, pursuant to Article 46 GDPR and provided that the data subjects have enforceable rights and effective remedies.  In the absence of an adequacy decision by the Commission, pursuant to Article 45 GDPR, or adequate safeguards, pursuant to Article 46 GDPR, including binding corporate rules, the cross-border transfer will only take place if one of the conditions set out in Article 49 GDPR is fulfilled.

Data categories and retention period

The data processed may be:

1. a) Navigation data

Navigation data is collected automatically, exclusively for the purpose of obtaining aggregate and anonymous statistical information relating to the use of the Website (including, by way of example, IP addresses, browsing times, geographical data and other parameters relating to the user’s operating system and computer environment). Such information could however, also through processing and/or association with other data held by the provider or by third parties, make it possible to trace the identity of the user. Navigation data is not, nor will it under any circumstances be used by the Data Controller to carry out user profiling activities, nor will it be disclosed or communicated to third parties;

1. b) Cookies

This site uses cookies or markers, which are technically packets of information sent by a web server (in this case, this site) to the user’s browser and stored on the user’s device (personal computer, tablet, mobile phone, etc.) and automatically sent back to the server each time the site is accessed. To find out the type and purpose of the cookies used, please refer to the Cookie Policy on the site.

1. c) Data provided voluntarily by users/visitors

If, when you connect to this website, you decide, where applicable, to send your personal data (e.g. name, surname, email address) in order to access certain services, or to make requests via email, the Data Controller will process such data in order to respond to your request, in accordance with this policy. The data provided by the user may be acquired and stored by the Data Controller, in electronic form, for purposes related to their collection through the Site and will not be used for profiling or direct marketing activities. In particular, the optional and voluntary sending of e-mail messages to the addresses indicated on the Website entails the acquisition and consequent processing of the sender’s address and any other personal data contained in the message, to the extent necessary to respond to the requests of the interested party.

1. d) Data required for accounting and tax purposes

Data rendered in the event that the data subject decides to become a donor or make a purchase (method of payment)

1. e) Data provided voluntarily by the user by filling in the present form.

These data, subject to consent, will be used to send commercial/promotional communications by e-mail.

The processed data will be kept for a period of time not exceeding the time necessary to achieve the purposes for which they were collected or subsequently processed, for the time necessary to provide the requested service and to handle any complaints, or until consent is revoked where required.

Rights

Data subjects may exercise certain rights with regard to the Data processed by the Controller. In particular, you have the right to:

Access your Data: you have the right to obtain information on the Data processed by the Controller, on certain aspects of the processing and to receive a copy of the Data processed.

Verify and request correction: you may verify the accuracy of your Data and request that they be updated or corrected.

Obtain the deletion or removal of your Personal Data: when certain conditions are met, you may request the deletion of your Data by the Controller.

Revoke consent at any time: you may revoke your consent to the processing of your Personal Data previously given.

Object to the processing of your Data: you may object to the processing of your Data when it is done on a legal basis other than consent.

Obtain restriction of processing: when certain conditions are met, you may request restriction of the processing of your Data.

Obtain data portability: you have the right to receive your Data in a structured, commonly used and machine-readable format and, where technically feasible, to have it transferred without hindrance to another data controller. This provision is applicable when the Data is processed by automated means and the processing is based on consent, on a contract to which you are a party or on contractual measures related thereto.

Lodge a complaint: you may lodge a complaint with the competent data protection supervisory authority or take legal action.

Details of the right to object

When Personal Data is processed in the public interest, in the exercise of official authority vested in the Controller or in pursuit of a legitimate interest of the Controller, you have the right to object to the processing on grounds relating to your particular situation.

Please note that if your data is processed for direct marketing purposes, you may object to the processing without giving any reasons.

How to exercise your rights

In order to exercise your rights, you may address a request to the contact details of the Controller indicated in this document. Requests are filed free of charge, and processed by the Controller as soon as possible, in any event within one month.

In order to exercise their rights, the Data Subject may avail themselves of the assistance of non-profit bodies, organizations or associations, whose statutory objectives are in the public interest and which are active in the field of the protection of the rights and freedoms of the Data Subjects with regard to the protection of personal data, giving them an appropriate mandate for this purpose. A trusted person may also assist the Data Subject.

In order to know your rights, submit a complaint/appeal and keep up-to-date on the legislation on the protection of persons with regard to the processing of personal data, the Data Subject may contact the Guarantor Authority for the protection of personal data by consulting the website at http://www.garanteprivacy.it/.