Privacy Policy

Privacy Notice pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 [“GDPR”] and Legislative Decree 30.6.2003 n. 196 [“Privacy Code”]

This privacy notice aims to provide full transparency regarding the processing of personal data of those who register for event or training services, make online donations, apply for job positions, participate in volunteer activities, request information about institutional activities, or purchase solidarity products [“the Services”].

Data Controller

The Data Controller is the Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione (VAT: 94092660540), based in Rome, Via Nazionale 230; email: [fondazione@fondazionepatriziopaoletti.org](mailto:fondazione@fondazionepatriziopaoletti.org); certified email: [fondazionepatriziopaoletti@pec.it](mailto:fondazionepatriziopaoletti@pec.it); phone: 06 8082599 [“the Controller”].

The Controller has appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR, Dr. Ilaria Sterpa. You may contact the DPO at any time with any questions or requests regarding your personal data and privacy at [privacy@fondazionepatriziopaoletti.org](mailto:privacy@fondazionepatriziopaoletti.org).

Personal Data Processed

When registering for the Services, we will ask you to provide contact information such as name, surname, email address, phone number, and optionally social contacts.

Purposes of Data Processing, Legal Basis, and Retention Periods

1. Use of Services and Controller Obligations

Processing is necessary for:

1. your use of the Services – legal basis: necessity for the performance of the contract to which the data subject is a party (Art. 6, para.1, lett. b GDPR);
2. analysis of Service quality and user satisfaction for Service improvement – legal basis: legitimate interest of the Controller (Art. 6, para.1, lett. f GDPR);
3. compliance with legal obligations – legal basis: compliance with a legal obligation of the Controller (Art. 6, para.1, lett. c GDPR);
4. protection of a right of the Controller – legal basis: legitimate interest of the Controller (Art. 6, para.1, lett. f GDPR).

Retention Period: Personal data will be retained as long as necessary to fulfill legal obligations and protect the Controller’s rights within the statute of limitations.

2. Sending Communications about the Controller’s Initiatives

The Controller may use your email to send informational messages, including automated tools, about initiatives similar to the Services: legal basis: Art. 130, para. 4, Privacy Code. You are free to opt out at any time.

For promotional communications via email, phone, social media, or messaging apps, legal basis is your consent, freely given during registration.

Retention Period: Data will be retained for a maximum of 36 months unless consent is revoked.

3. Sharing Personal Data

If you consent, the Controller may share your data with Partners who will become independent data controllers to send promotional communications via automated or non-automated means.

Retention Period: Maximum 36 months unless consent is revoked.

4. Social Network Profiles and Pages

The Foundation owns pages on major social networks (e.g., Facebook, Instagram, YouTube) to promote its activities. Users following these pages implicitly consent to receiving informational and promotional content.

Retention Period: Until the user unfollows the pages, thereby revoking consent.

Consequences of Refusal to Provide Data or Consent

• Failure to provide data necessary for Service use prevents registration.
• Refusal to give consent for promotional communications or Partner sharing has no consequences; you may revoke consent at any time without affecting previous lawful processing.

Processing Methods and Security Measures

Data is processed using IT, telematic, and manual tools with security measures to minimize risks of unauthorized access, alteration, or loss.

Disclosure and Recipients

Personal data will not be publicly disclosed. Authorized personnel and appointed processors will handle the data. Data may be communicated to third parties only to fulfill contractual or legal obligations.

Transfers to Third Countries

Data is processed within the EU. Transfers outside the EU are only to countries deemed to provide adequate protection or with adequate safeguards.

Data Subject Rights

You may exercise rights under Articles 15–21 GDPR, including access, rectification, deletion, restriction, objection, and data portability. Complaints may be filed with your national data protection authority.

For Italy: the authority is the Garante per la Protezione dei Dati Personali, Piazza Venezia n. 11 – 00187, Rome (RM), email: [garante@gpdp.it](mailto:garante@gpdp.it), certified email: [protocollo@pec.gpdp.it](mailto:protocollo@pec.gpdp.it), website: [www.garanteprivacy.it](http://www.garanteprivacy.it).

Last update: 23.02.2022

FONDAZIONE PATRIZIO PAOLETTI PER LO SVILUPPO E LA COMUNICAZIONE