Privacy Policy

Information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 [“GDPR”] and Legislative Decree 30.6.2003 n. 196 [“Privacy Code”]

This privacy information is intended to provide maximum transparency on how the personal data of those registering for event or training services, online donations, job applications, volunteer activities, requests for information on institutional activities, and purchases of solidarity products [“The Services”] are processed.

Data Controller

The Data Controller is the Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione (tax code: 94092660540), based in Rome, Via Nazionale 230; email [fondazione@fondazionepatriziopaoletti.org](mailto:fondazione@fondazionepatriziopaoletti.org); certified email [fondazionepatriziopaoletti@pec.it](mailto:fondazionepatriziopaoletti@pec.it); phone 06 8082599 [“The Controller”].

The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR, Dr. Ilaria Sterpa. You can contact the DPO at any time and send any questions or requests regarding your personal data and privacy by writing to [privacy@fondazionepatriziopaoletti.org](mailto:privacy@fondazionepatriziopaoletti.org).

Personal Data Processed

At the time of registration for the Services, we will ask you to provide your contact information, including first name, last name, email address, phone number, and optionally, social contact.

Purposes of data processing, legal basis, and retention periods

1. Use of the Services and Controller obligations

Where processing is necessary for:

1. your use of the Services, the legal basis is the necessity for the performance of the contract to which the Data Subject is a party (Art. 6, para. 1, lit. b) – GDPR;
2. analyzing the quality of the Services and your satisfaction, also for the purpose of improving the Services, the legal basis is the legitimate interest of the Controller (Art. 6, para. 1, lit. f) – GDPR;
3. the Controller’s legal obligations, the legal basis is compliance with a legal obligation of the Controller (Art. 6, para. 1, lit. c) – GDPR;
4. the protection of a right of the Controller, the legal basis is the legitimate interest of the Controller (Art. 6, para. 1, lit. f) – GDPR.

Retention period: once the need for use of the Services and analysis of their quality and user satisfaction ceases, personal data provided will be used and retained for the time necessary to comply with legal obligations and to ensure the protection of the Controller’s rights within the statute of limitations.

2. Sending communications regarding the Controller’s initiatives

The Controller may use your email to send informative messages, including via automated tools, regarding initiatives similar to the Services: in this case, the legal basis is Art. 130, para. 4 of the Privacy Code. You are always free to opt out of future communications.

The Controller may use your email, phone number, and social contact to send informational and promotional messages regarding its initiatives, including those different from the Services, such as newsletters and market surveys, via automated tools (email, SMS, fax, MMS, social media messages, WhatsApp, Messenger, instant messaging apps) or non-automated (postal mail, telephone with operator). In this case, the legal basis of processing is always your consent, which you are asked to freely provide at the time of registration.

Retention period: for these purposes, the data provided, unless consent is revoked, will be retained for a maximum of 36 months, determined by the Controller considering that projects and initiatives are implemented over periods not shorter than this.

3. Sharing of personal data

If you wish, the Controller may share your personal data, including email, phone number, and social contact, with its Partners carrying out related activities, even in different fields, with which a partnership agreement exists to develop synergies and optimize achievement of social goals.

Sharing will allow these Partners, as independent data controllers, to send you informational and promotional messages about their initiatives, including newsletters and market surveys, via automated and non-automated tools. Again, the legal basis is your consent, freely given at the time of registration.

Retention period: for these purposes, the data provided, unless consent is revoked, will be retained for a maximum of 36 months, determined by the Controller considering that projects with Partners run over periods not shorter than this.

4. Social Network Profiles and Pages

Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione manages its own pages on major Social Networks (e.g., Facebook, Instagram, YouTube) to promote its activities, posting informational and promotional messages on initiatives, services, and fundraising campaigns.

Users following these profiles express their willingness to receive information, including promotional messages. Sending messages through these channels is lawful if it is clear from the context and user behavior that consent to receive messages has been implicitly given.

Retention period: data will be used until the user decides to unfollow the pages, at which point consent to receive messages is revoked.

Consequences of refusal to provide data or consent

• Failure to provide data required for use of the Services and Controller obligations will prevent registration.
• Refusal to give CONSENT for promotional communications or sharing with Partners will not have any negative consequence, and you can revoke consent at any time without affecting the lawfulness of processing based on prior consent.

Processing methods and Security measures

Personal data will be processed mainly via IT, telematic, and manual tools, adopting security measures to minimize the risk of unauthorized or accidental disclosure, modification, loss, or destruction.

Disclosure and categories of recipients

Personal data will never be publicly disclosed. They will be processed by authorized personnel and Data Processors bound by agreement with the Controller. Except for sharing with Partners with your consent, data may be communicated to Third Parties (Public Authorities, Police, or other public/private entities) only to fulfill contractual, legal, or regulatory obligations.

Transfer to Third Countries

Data are processed within the European Union. Transfers outside the EU will only occur to countries deemed to provide adequate protection, as recognized by the European Commission, or with adequate safeguards (e.g., standard contractual clauses), ensuring enforceable rights and effective remedies.

Rights of Data Subjects

You may exercise your rights under Articles 15–21 GDPR, requesting access, rectification, deletion, or limitation of processing. You may also object to processing for legitimate reasons and request data portability. Requests can be made to the Controller using any appropriate means.

You also have the right to file a complaint with a supervisory authority in your country of residence, work, or where the alleged violation occurred, or take legal action (Art. 79 GDPR).

In Italy, the Supervisory Authority is the Italian Data Protection Authority, Piazza Venezia n. 11 – 00187, Rome (RM) – email: [garante@gpdp.it](mailto:garante@gpdp.it), certified email: [protocollo@pec.gpdp.it](mailto:protocollo@pec.gpdp.it) – website: [www.garanteprivacy.it](http://www.garanteprivacy.it).

Last update: 23.02.2022

FONDAZIONE PATRIZIO PAOLETTI PER LO SVILUPPO E LA COMUNICAZIONE