Privacy Policy
Information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 [“GDPR”] and Legislative Decree 30.6.2003 No. 196 [“Privacy Code”]
This privacy notice aims to provide maximum transparency on how the personal data of those who register for event or training services, online donations, job applications, volunteer activities, requests for information on institutional activities, or purchases of solidarity products [“The Services”] are processed.
Data Controller
The Data Controller is the Patrizio Paoletti Foundation for Development and Communication (tax ID: 94092660540), based in Rome, Via Nazionale 230; email: [fondazione@fondazionepatriziopaoletti.org](mailto:fondazione@fondazionepatriziopaoletti.org); certified email: [fondazionepatriziopaoletti@pec.it](mailto:fondazionepatriziopaoletti@pec.it); phone: 06 8082599 [“The Controller”].
The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Article 37 of the GDPR, Dr. Ilaria Sterpa. You can contact the DPO at any time with any questions or requests regarding your personal data and privacy by writing to [privacy@fondazionepatriziopaoletti.org](mailto:privacy@fondazionepatriziopaoletti.org).
Personal Data Processed
When registering for the Services, we will ask you to provide your contact information, including first and last name, email address, phone number, and optionally, social media contacts.
Purposes of data processing, legal basis, and retention periods
- Use of the Services and the Controller’s obligations
If processing is necessary for:
- your use of the Services, the legal basis is the necessity for the performance of the contract to which the data subject is a party (Art. 6, para. 1, lett. b) – GDPR);
- analysis of the quality of the Services and your satisfaction, also for the purpose of improving the Services, the legal basis is the legitimate interest of the Controller (Art. 6, para. 1, lett. f) – GDPR);
- legal obligations of the Controller, the legal basis is the fulfillment of a legal obligation of the Controller (Art. 6, para. 1, lett. c) – GDPR);
- protection of a right of the Controller, the legal basis is the legitimate interest of the Controller (Art. 6, para. 1, lett. f) – GDPR).
Retention periods: once the needs related to the use of the Services and analysis of their quality and user satisfaction have ceased, the personal data provided will be used and retained for the time necessary to fulfill the legal obligations of the Controller and to ensure the protection of its rights within the statute of limitations.
- Sending communications regarding the Controller’s initiatives
The Controller may use your email address to send informational messages, including via automated tools, about initiatives similar to those of the Services: in this case, the legal basis is Article 130, paragraph 4, of the Privacy Code. You are always free to inform us if you do not wish to receive further communications of this nature in the future.
The Controller may use your email, phone number, and social contacts to send informational and promotional messages about its own initiatives, even if different from the Services, including newsletters and market research, through automated tools (email, SMS, fax, MMS, social network messages, WhatsApp, Messenger, online instant messaging apps) and non-automated tools (postal mail, operator phone calls); in this case, the legal basis is your consent, which you are asked to provide freely when registering for the Services.
Retention periods: for these purposes, the data provided, unless consent is revoked, will be retained for a maximum of 36 months, determined by the Controller considering that its project planning and implementation refer to periods not shorter than this.
- Sharing of personal data
If you wish, the Controller may share your personal data, including email, phone number, and social contacts, with its Partners carrying out related activities, even in different areas, with whom it has partnership agreements to develop significant synergies and optimizations to achieve respective social goals.
Data sharing will allow these Partners, who will become independent data controllers, to send you informational and promotional messages about their initiatives, including newsletters and market research, through automated (email, SMS, fax, MMS, social media messages, WhatsApp, Messenger, online messaging apps) and non-automated (postal mail, operator calls) tools.
In this case too, the legal basis is always your consent, freely provided at registration.
Retention periods: for these purposes, data provided, unless consent is revoked, will be retained for a maximum of 36 months, considering that projects and initiatives carried out in partnership with the Partners are planned for periods not shorter than this.
- Social network profiles and pages
The Patrizio Paoletti Foundation for Development and Communication manages its own pages on major social networks (e.g., Facebook, Instagram, YouTube) through which it promotes its activities, publishing informational and promotional messages about initiatives, services, and fundraising campaigns to achieve institutional goals.
Those who access and follow the Foundation’s social network profiles and pages indicate their willingness to follow activities and receive information, including promotional messages, via these channels. In this case, sending messages through these channels is considered lawful if, from the context and operation of the social network and information voluntarily provided by the user, it is clear that the user has implicitly consented to receive informational and promotional messages about initiatives, services, and fundraising campaigns.
Retention periods: for these purposes, data will be used as long as the user chooses to follow the social media pages; unsubscribing will indicate revocation of consent.
Consequences of refusing to provide data and of withholding consent
- Failure to provide data required for the use of the Services and Controller obligations will make it impossible for the Controller to process your registration request.
- Failure to provide CONSENT for the processing of personal data for promotional communications and sharing with Partners will have no consequences, and you may revoke consent at any time without affecting the lawfulness of processing based on prior consent.
Processing methods and security measures
Personal data will be processed for the purposes for which they were collected, mainly using IT, telematic, and manual tools, adopting security measures to minimize the risk of unauthorized or accidental access, disclosure, alteration, loss, or destruction, even temporarily.
Disclosure and categories of recipients
Personal data will never be disclosed.
Personal data will be processed by authorized persons and by Processors bound to the Controller by specific agreements.
Except for sharing data with Partners based on your consent, which is always revocable, the Controller may share personal data with third parties (Public Authorities, Police, or other Public or Private Entities) only to fulfill contractual, legal, or regulatory obligations.
Transfer to third countries
Data are processed in countries within the European Union. In case of transfer to countries outside the EU, data will only be transferred to countries deemed capable of providing adequate protection, as determined by the European Commission, or with adequate safeguards (e.g., “standard clauses”) and provided that data subjects have enforceable rights and effective remedies, as required by law.
Rights of Data Subjects
As a Data Subject, you may exercise rights under Articles 15–21 of EU Regulation 679/2016, requesting access, correction, deletion, or limitation of your data from the Controller.
You also have the right to object to processing for legitimate reasons, as well as the right to data portability.
To exercise these rights and revoke consent, you may contact the Controller by any suitable means, and in any case, using the contact details above.
Finally, as a Data Subject, you have the right to file a complaint with a supervisory authority in your member state of residence or work, or where a suspected violation occurred, or take appropriate legal action (Art. 79 GDPR).
For Italy: the supervisory authority is the Italian Data Protection Authority, Piazza Venezia n. 11 – 00187, Rome (RM) – email: [garante@gpdp.it](mailto:garante@gpdp.it) – certified email: [protocollo@pec.gpdp.it](mailto:protocollo@pec.gpdp.it) – website: [www.garanteprivacy.it](http://www.garanteprivacy.it).
Last updated: 23.02.2022
PATRIZIO PAOLETTI FOUNDATION FOR DEVELOPMENT AND COMMUNICATION