Privacy Policy
Information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 [“GDPR”] and Legislative Decree 30.6.2003 No. 196 [“Privacy Code”]
This information notice on the processing of personal data aims to provide maximum transparency regarding the methods of handling personal data of those who request registration for event or training services, online donations, applications for job positions, volunteer activities, requests for information on institutional activities, purchases of solidarity products [“The Services”].
Data Controller
The Data Controller is the Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione (VAT: 94092660540), located in Rome, Via Nazionale 230; email: [fondazione@fondazionepatriziopaoletti.org](mailto:fondazione@fondazionepatriziopaoletti.org); certified email (PEC): [fondazionepatriziopaoletti@pec.it](mailto:fondazionepatriziopaoletti@pec.it); phone: 06 8082599 [“The Controller”].
The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Art. 37 GDPR, Dr. Ilaria Sterpa. You can contact the DPO at any time for questions or requests regarding your personal data and privacy at [privacy@fondazionepatriziopaoletti.org](mailto:privacy@fondazionepatriziopaoletti.org).
Personal Data Processed
When registering for the Services, we will ask you to provide contact information such as your first and last name, email address, phone number, and optionally social media contacts.
Purposes of Data Processing, Legal Basis, and Retention Periods
- Use of Services and Controller Obligations
When processing is necessary for:
- your use of the Services, the legal basis is the necessity for the execution of a contract to which the data subject is party (Art. 6(1)(b) GDPR);
- analysis of service quality and your satisfaction, including for service improvement purposes, the legal basis is the legitimate interest of the Controller (Art. 6(1)(f) GDPR);
- compliance with legal obligations, the legal basis is compliance with a legal obligation of the Controller (Art. 6(1)(c) GDPR);
- protection of a right of the Controller, the legal basis is the legitimate interest of the Controller (Art. 6(1)(f) GDPR).
Retention Period: once the needs related to the use of the Services and service quality analysis have ceased, personal data provided will be used and stored only as long as necessary to comply with legal obligations and to protect the Controller’s rights within statutory limitation periods.
- Sending Communications about the Controller’s Initiatives
The Controller may use your email address to send informative messages, including through automated tools, regarding initiatives similar to the Services. The legal basis for this processing is Art. 130(4) of the Privacy Code. You may always opt out of receiving such communications in the future.
The Controller may also use your email, phone number, and social contacts to send promotional messages regarding its initiatives, including newsletters and market research, through automated (email, SMS, fax, MMS, social networks, WhatsApp, Messenger, online messaging apps) or non-automated (postal mail, operator-assisted phone) means. The legal basis for this processing is your freely given consent at the time of registration.
Retention Period: for these purposes, data will be retained for a maximum of 36 months unless consent is revoked, considering that project planning and execution extend over multi-year periods.
- Sharing Personal Data
If you wish, the Controller may share your personal data, including email, phone, and social contacts, with its Partners, which perform related but different activities and with which it has partnership agreements to develop synergies and optimize the achievement of their respective social objectives.
Partners will become independent data controllers and may send you promotional messages, including newsletters and market research, via automated or non-automated tools. The legal basis is your freely given consent.
Retention Period: data shared under this purpose will be stored for up to 36 months unless consent is revoked.
- Social Network Profiles and Pages
The Fondazione Patrizio Paoletti manages its own pages on main social networks (e.g., Facebook, Instagram, YouTube) to promote its activities, publishing informative and promotional messages about initiatives, services, and fundraising campaigns.
Those who follow these social profiles indicate their willingness to receive information, including promotional messages. Sending messages through these channels is considered lawful if it is clearly implied that the user has voluntarily expressed their consent to receive them.
Retention Period: data will be retained while the user continues to follow the social profiles; unsubscribing revokes consent.
Consequences of Refusal to Provide Data or Consent
- Failure to provide data necessary for Service use or Controller obligations will prevent the Controller from processing your registration request.
- Failure to give consent for promotional communications or data sharing with Partners will have no consequences; you may revoke consent at any time without affecting prior lawful processing.
Processing Methods and Security Measures
Data will be processed mainly by digital, telematic, and manual tools, adopting measures to minimize risks of unauthorized access, accidental disclosure, modification, or loss.
Disclosure and Recipients
Personal data will not be disclosed. Data will be processed by authorized personnel and Data Processors under agreements with the Controller. Except for sharing with Partners with your consent, data may only be disclosed to third parties (public authorities, police, or others) to fulfill contractual, legal, or regulatory obligations.
Transfer to Third Countries
Data is processed in EU countries. Transfers outside the EU will occur only to countries deemed to provide adequate protection by the European Commission, or under appropriate safeguards (e.g., “standard clauses”) and provided that enforceable rights and remedies are available to data subjects.
Data Subject Rights
You may exercise your rights under Articles 15–21 GDPR, including access, correction, deletion, restriction, objection, and data portability. Requests and consent revocation may be sent to the Controller by any appropriate means.
You also have the right to lodge a complaint with the supervisory authority in your country of residence or work, or where an alleged violation occurred (Art. 79 GDPR).
For Italy: the supervisory authority is the Garante per la Protezione dei Dati Personali, Piazza Venezia 11 – 00187, Rome (RM), email: [garante@gpdp.it](mailto:garante@gpdp.it), PEC: [protocollo@pec.gpdp.it](mailto:protocollo@pec.gpdp.it), website: [www.garanteprivacy.it](http://www.garanteprivacy.it).
Last update: 23.02.2022
FONDAZIONE PATRIZIO PAOLETTI PER LO SVILUPPO E LA COMUNICAZIONE