Privacy Policy

Information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 [“GDPR”] and Legislative Decree 30.6.2003 n. 196 [“Privacy Code”]

This privacy notice aims to provide maximum transparency on the methods of processing personal data of those who request registration for services such as event or training course enrollment, online donations, applications for job positions, volunteering activities, requests for information on institutional activities, or purchases of solidarity products [“The Services”].

Data Controller

The Data Controller is the Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione (VAT: 94092660540), based in Rome, Via Nazionale 230; email: [fondazione@fondazionepatriziopaoletti.org](mailto:fondazione@fondazionepatriziopaoletti.org); certified email: [fondazionepatriziopaoletti@pec.it](mailto:fondazionepatriziopaoletti@pec.it); phone: 06 8082599 [“The Controller”].

The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Art. 37 of the GDPR, Dr. Ilaria Sterpa. You can contact the DPO at any time with any questions or requests regarding your personal data and privacy at [privacy@fondazionepatriziopaoletti.org](mailto:privacy@fondazionepatriziopaoletti.org).

Personal Data Processed

When registering for the Services, we will ask you to provide your contact details, such as first and last name, email address, phone number, and optionally, social media contacts.

Purposes of Data Processing, Legal Basis, and Retention Periods

1. Use of the Services and Controller obligations

Where processing is necessary for:

1. your use of the Services, the legal basis is the necessity for the performance of a contract to which the data subject is party (Art. 6(1)(b) – GDPR);
2. analyzing the quality of the Services and your satisfaction, also for the purpose of improving the Services, the legal basis is the legitimate interest of the Controller (Art. 6(1)(f) – GDPR);
3. compliance with legal obligations of the Controller, the legal basis is the fulfillment of a legal obligation of the Controller (Art. 6(1)(c) – GDPR);
4. protection of a right of the Controller, the legal basis is the legitimate interest of the Controller (Art. 6(1)(f) – GDPR).

Retention periods: once the need for use of the Services and analysis of their quality and user satisfaction has ceased, the personal data provided will be used and stored for the time necessary to comply with the Controller’s legal obligations and to ensure the protection of its rights within the statutory limitation period.

2. Sending communications regarding the Controller’s initiatives

The Controller may use your email address to send informational messages, also through automated tools, about its initiatives similar to those of the Services: in this case, the legal basis for processing is Art. 130, paragraph 4, of the Privacy Code. You are always free to inform us of your decision not to receive such communications in the future.

The Controller may use your email, phone number, and social contacts to send informational and promotional messages about its initiatives, including those different from the Services, such as newsletters and market research, through automated tools (email, SMS, fax, MMS, social network messages, WhatsApp, Messenger, instant messaging apps) and non-automated methods (postal mail, phone with operator). In this case, the legal basis for processing is always your consent, freely provided at the time of registration for the Services.

Retention periods: for these purposes, the data provided, unless consent is withdrawn, will be retained for a maximum of 36 months, determined by the Controller considering that the planning and implementation of its projects and initiatives refer to periods not shorter than this.

3. Sharing of Personal Data

If you wish, the Controller may share your personal data, including email, phone number, and social contacts, with its Partners operating in related, though different, areas, with whom there is a partnership agreement to develop significant synergies and optimizations for achieving respective social purposes.

Data sharing will allow the Partners, who will become independent data controllers, to send you informational and promotional messages about their initiatives, also different from the Services, including newsletters and market research, through automated (email, SMS, fax, MMS, social network messages, WhatsApp, Messenger, instant messaging apps) and non-automated tools (postal mail, phone with operator).

Also in this case, the legal basis for processing is always your consent, freely given at the time of registration for the Services.

Retention periods: for these purposes, the data provided, unless consent is withdrawn, will be retained for a maximum of 36 months, determined by the Controller considering that the planning and implementation of projects and initiatives carried out in synergy with its Partners refer to periods not shorter than this.

4. Social Media Profiles and Pages

The Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione owns pages on major social networks (e.g., Facebook, Instagram, YouTube) through which it promotes its activities, posting informational and promotional messages about initiatives, services, and fundraising campaigns for its institutional purposes.

Those who access and follow the Foundation’s social media profiles and pages express their willingness to receive information, including promotional messages, via these channels. In this case, sending messages through these channels is lawful if it is clear from the context and functioning of the social network, and from the information voluntarily provided by the user, that the individual has given an implicitly declared consent to receive informational and promotional messages about the initiatives, services, and fundraising campaigns for institutional purposes.

Retention periods: for these purposes, data will be used as long as the user decides to follow the social media pages, since unsubscribing indicates the withdrawal of consent to receive messages.

Consequences of refusing to provide data and refusing consent

• Failure to provide the data required for the use of the Services and Controller obligations will make it impossible for the Controller to complete the registration request for the Services.
• Failure to provide consent for the processing of personal data for promotional communications and sharing with Partners will not have any consequence, and you will always have the right to revoke it at any time without affecting the lawfulness of processing based on consent given before revocation.

Methods of processing and Security Measures

Personal data will be processed for the purposes for which they were collected, mainly using IT, telematic, and manual tools, adopting security measures necessary to minimize the risks of unauthorized or accidental disclosure, access by third parties, unauthorized or accidental modification, loss, or destruction, even if temporary.

Disclosure and categories of recipients

Personal data will never be disclosed.

Personal data will be processed by authorized personnel and Data Processors bound to the Controller by a specific agreement.

Except for sharing data with Partners (subject to your consent, always revocable), the Controller may communicate personal data to third parties (public authorities, police, or other public and private entities) only to comply with contractual, legal, or regulatory obligations.

Transfer to Third Countries

Data are processed in countries within the European Union. If transferred to countries outside the EU, data will only be sent to countries deemed capable of providing an adequate level of protection of personal data, as recognized by the European Commission, or with adequate safeguards (e.g., “standard clauses”) and provided that data subjects have enforceable rights and effective remedies, as required by applicable law.

Rights of Data Subjects

As a Data Subject, you can exercise the rights provided under Articles 15 to 21 of Regulation (EU) 679/2016, requesting access, rectification, deletion, or limitation of your personal data.

You also have the right to object to processing for legitimate reasons, as well as the right to data portability.

To exercise these rights and to revoke consent, you may contact the Controller by any means deemed appropriate, and in any case, using the contact details provided above.

Finally, as a Data Subject, you always have the right to file a complaint with a supervisory authority of the EU Member State where you usually reside, work, or where a presumed violation occurred, or to bring appropriate judicial proceedings (Art. 79 GDPR).

For Italy: the supervisory authority is the Garante per la Protezione dei Dati Personali, Piazza Venezia n. 11 – 00187, Rome (RM) – email: [garante@gpdp.it](mailto:garante@gpdp.it) – certified email: [protocollo@pec.gpdp.it](mailto:protocollo@pec.gpdp.it), – website: [www.garanteprivacy.it](http://www.garanteprivacy.it).

Last update of this privacy notice:

23.02.2022

FONDAZIONE PATRIZIO PAOLETTI PER LO SVILUPPO E LA COMUNICAZIONE