Privacy Policy

Information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 [“GDPR”] and Legislative Decree 30.6.2003 n. 196 [“Privacy Code”]

This privacy notice aims to provide full transparency on how personal data are processed for those requesting registration to event or training services, online donations, job applications, volunteering activities, inquiries about institutional activities, or purchases of solidarity products [“The Services”].

Data Controller

The Data Controller is the Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione (VAT: 94092660540), headquartered in Rome, Via Nazionale 230; email: [fondazione@fondazionepatriziopaoletti.org](mailto:fondazione@fondazionepatriziopaoletti.org); certified email: [fondazionepatriziopaoletti@pec.it](mailto:fondazionepatriziopaoletti@pec.it); phone: 06 8082599 [“The Controller”].

The Controller has appointed a Data Protection Officer (DPO) pursuant to Article 37 of the GDPR, Dr. Ilaria Sterpa. You can contact the DPO at any time with questions or requests regarding your personal data and privacy by writing to [privacy@fondazionepatriziopaoletti.org](mailto:privacy@fondazionepatriziopaoletti.org).

Personal Data Processed

When registering for the Services, we will ask you to provide contact details such as your first name, last name, email address, phone number, and optionally your social media contact.

Purposes of Data Processing, Legal Basis, and Retention Periods

1. Use of the Services and Controller’s obligations

Where processing is necessary for:

1. your use of the Services, the legal basis is the necessity for the performance of a contract in which the Data Subject is a party (Art. 6(1)(b) GDPR);
2. analysis of the quality of the Services and your satisfaction, including to improve the Services, the legal basis is the legitimate interest of the Controller (Art. 6(1)(f) GDPR);
3. fulfilling legal obligations of the Controller, the legal basis is compliance with a legal obligation (Art. 6(1)(c) GDPR);
4. protection of a right of the Controller, the legal basis is the legitimate interest of the Controller (Art. 6(1)(f) GDPR).

Retention Period: once the need to use the Services and analyze their quality and user satisfaction ceases, personal data will be used and stored only as long as necessary to comply with legal obligations of the Controller and protect its rights within the statute of limitations.

2. Sending communications about the Controller’s initiatives

The Controller may use your email address to send informational messages, including automated tools, about initiatives similar to the Services; the legal basis is Article 130(4) of the Privacy Code. You can always choose not to receive such communications in the future.

The Controller may use your email, phone number, and social contacts to send informational and promotional messages about other initiatives, including newsletters and market research, through automated (email, SMS, fax, MMS, social networks, WhatsApp, Messenger, online messaging apps) or non-automated means (postal mail, phone with operator). In this case, the legal basis is always your consent, freely given when registering for the Services.

Retention Period: for these purposes, data will be stored for a maximum of 36 months, unless consent is revoked, considering that project planning and implementation typically spans extended periods.

3. Sharing of personal data

If you wish, the Controller may share your personal data, including email, phone number, and social contacts, with partners with similar activities, within agreed collaborations for mutual social goals.

Shared data allows these partners, who become independent data controllers, to send you informational and promotional messages about their initiatives, including newsletters and market research, via automated or non-automated means. The legal basis is always your consent, freely given during registration.

Retention Period: for these purposes, data will be stored for a maximum of 36 months unless consent is revoked, considering that partner initiatives also span extended periods.

4. Social Media Profiles and Pages

The Fondazione Patrizio Paoletti manages pages on major social networks (e.g., Facebook, Instagram, YouTube) to promote its activities, posting informational and promotional messages about initiatives, services, and fundraising campaigns.

Users who access and follow these social media pages indicate their willingness to receive information, including promotional messages. Messaging through these channels is considered lawful if the context and platform functionality, as well as voluntarily provided user information, clearly indicate consent to receive informational and promotional messages regarding initiatives, services, and fundraising campaigns.

Retention Period: data will be used as long as the user follows the social media pages; unsubscribing indicates revocation of consent.

Consequences of refusing to provide data and consent

• Failure to provide data required for using the Services and Controller obligations will prevent registration.
• Refusing to give CONSENT for promotional communications and sharing with partners has no consequences, and you may revoke consent at any time without affecting the lawfulness of processing based on prior consent.

Processing Methods and Security Measures

Personal data will be processed using IT, telematic, and manual tools, with security measures to minimize unauthorized or accidental access, disclosure, alteration, loss, or destruction.

Disclosure and Categories of Recipients

Personal data will never be publicly disclosed.

Data will be processed by authorized personnel and data processors under specific agreements. Except for partner sharing with your consent, the Controller may only communicate data to third parties (public authorities, police, or other public/private entities) to comply with contractual, legal, or regulatory obligations.

Transfer to Third Countries

Data are processed in EU countries. Transfers outside the EU occur only to countries deemed to provide adequate protection by the European Commission, or under adequate safeguards (e.g., “standard clauses”) ensuring enforceable rights and effective remedies.

Data Subject Rights

You can exercise the rights under Articles 15–21 of GDPR, including access, correction, deletion, restriction, objection, and data portability.

Requests can be made to the Controller by any suitable means. You also have the right to lodge a complaint with a supervisory authority in your member state of residence, work, or where a violation occurred (Art. 79 GDPR).

For Italy: the supervisory authority is the Garante per la Protezione dei dati personali, Piazza Venezia 11 – 00187, Rome (RM), email: [garante@gpdp.it](mailto:garante@gpdp.it), certified email: [protocollo@pec.gpdp.it](mailto:protocollo@pec.gpdp.it), website: [www.garanteprivacy.it](http://www.garanteprivacy.it).

Last update: 23.02.2022

FONDAZIONE PATRIZIO PAOLETTI PER LO SVILUPPO E LA COMUNICAZIONE