Privacy Policy

Information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 [“GDPR”] and Legislative Decree 30 June 2003 no. 196 [“Privacy Code”]

This privacy notice is intended to provide maximum transparency regarding how personal data is processed for individuals who request registration for event or training program subscriptions, online donations, applications for job positions, volunteering activities, requests for information about institutional activities, and purchases of solidarity products [“the Services”].

The Data Controller

The Data Controller is the Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione (tax code: 94092660540), with registered office in Rome, Via Nazionale 230; email fondazione@fondazionepatriziopaoletti.org; certified email (PEC) fondazionepatriziopaoletti@pec.it; telephone +39 06 8082599 [“the Controller”].

The Data Controller has appointed a Data Protection Officer (DPO) pursuant to Article 37 of the GDPR, Dr. Ilaria Sterpa. You may at any time contact the DPO and submit any questions or requests regarding your personal data and privacy by writing to privacy@fondazionepatriziopaoletti.org.

Personal data processed

At the time of registration to the Services, you will be asked to provide your contact details, such as name, surname, email address, phone number, and optionally social media contact.

Purposes of processing, legal basis and retention periods

1. Provision of the Services and compliance by the Controller

Where processing is necessary for:

1. the provision of the Services to you, the legal basis is the necessity for the performance of a contract to which the data subject is party (Art. 6(1)(b) GDPR);
2. analysis of service quality and user satisfaction, with a view to improving the Services, the legal basis is the legitimate interest of the Controller (Art. 6(1)(f) GDPR);
3. compliance with legal obligations, the legal basis is compliance with a legal obligation (Art. 6(1)(c) GDPR);
4. the protection of a legal claim of the Controller, the legal basis is the legitimate interest of the Controller (Art. 6(1)(f) GDPR).

Retention period: once the need related to the provision of the Services and analysis of their quality and user satisfaction has ceased, the personal data provided will be processed and stored for the time necessary to comply with legal obligations and to ensure the protection of the Controller’s rights within the limitation period.

2. Sending communications regarding the Controller’s initiatives

The Controller may use your email address to send informational messages, including through automated tools, about its own initiatives similar to those of the Services: in this case, the legal basis is Article 130(4) of the Privacy Code. You are always free to request not to receive such communications in the future.

The Controller may use your email address, phone number, and social contact to send informational and promotional messages about its initiatives, including those different from the Services, such as newsletters and market research, through automated tools (email, SMS, fax, MMS, social media messages, WhatsApp, Messenger, instant messaging applications) and non-automated tools (postal mail, telephone with operator): in this case, the legal basis is your consent, freely given at the time of registration.

Retention period: for these purposes, data will be stored for a maximum period of 36 months, unless consent is withdrawn.

3. Sharing of personal data

If you wish, the Controller may share your personal data, including email, phone number, and social contact, with its Partners operating in related fields, with whom cooperation agreements exist to develop synergies and optimize the achievement of respective social goals.

Data sharing is intended to allow these Partners, who will become independent data controllers, to send you informational and promotional messages about their own initiatives, including newsletters and market research, through automated and non-automated means.

In this case as well, the legal basis is your consent, freely given at the time of registration.

Retention period: data will be stored for a maximum of 36 months, unless consent is withdrawn.

4. Social network profiles and pages

Fondazione Patrizio Paoletti per lo Sviluppo e la Comunicazione maintains official pages on major social networks (e.g., Facebook, Instagram, YouTube) through which it promotes its activities by publishing informational and promotional messages about initiatives, services, and fundraising campaigns.

Users who access and follow these social media profiles and pages express their willingness to receive updates, including promotional messages. In this case, sending messages through these channels is considered lawful when, from the context and the user’s actions, it is clear that consent has been implicitly given.

Retention period: data will be used until the user stops following the social media pages.

Consequences of refusal to provide data and consent

• Failure to provide data required for the provision of Services and compliance obligations will make it impossible for the Controller to process the registration request.
• Failure to provide consent for promotional communications and data sharing with Partners will have no consequences, and consent may be withdrawn at any time without affecting the lawfulness of prior processing.

Processing methods and security measures

Personal data will be processed for the purposes for which it was collected, mainly using electronic, telematic, and manual tools, adopting security measures to minimize risks of unauthorized access, disclosure, alteration, loss, or destruction.

Disclosure and categories of recipients

Personal data will never be disclosed.

Data will be processed by authorized personnel and by data processors bound by specific agreements with the Controller.

Except where data is shared with Partners based on consent, the Controller may disclose data to third parties (public authorities, law enforcement, or other public/private entities) only to comply with legal or contractual obligations.

Transfer to third countries

Data is processed within the European Union. If transferred outside the EU, it will only be transferred to countries deemed to provide adequate protection or subject to appropriate safeguards (e.g., standard contractual clauses), ensuring enforceable rights and legal remedies.

Rights of the data subject

As a data subject, you may exercise rights under Articles 15–21 of the GDPR, including access, rectification, erasure, restriction of processing, objection, and data portability.

You also have the right to lodge a complaint with a supervisory authority or take legal action under Article 79 GDPR.

In Italy, the supervisory authority is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11 – 00187 Rome – email: garante@gpdp.it – certified email: protocollo@pec.gpdp.it – website: www.garanteprivacy.it.

Last update of this notice:

23.02.2022

FONDAZIONE PATRIZIO PAOLETTI PER LO SVILUPPO E LA COMUNICAZIONE