Privacy notice pursuant to Article 13 of Regulation (EU) 2016/679
In compliance with the provisions set out in Article 13 of Regulation (EU) 2016/679 (hereinafter the “Regulation” or “GDPR”), concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, this privacy notice is provided to users of the website www.fondazionecariplo.it (hereinafter, the “Website”).
Note. During navigation, specific privacy notices may be made available whenever users are required to provide personal data.
Definitions
“Personal data” (pursuant to Article 4(1) of the Regulation) means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” (pursuant to Article 4(2) of the Regulation) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Identity of the Data Controller and Data Protection Officer
Pursuant to Article 4(7) of the Regulation, Fondazione Cariplo, with registered office in Milan, Via Daniele Manin 23, is the Data Controller of the personal data (hereinafter also the “Foundation”).
Fondazione Cariplo has appointed a Data Protection Officer (DPO), who can be contacted at the following email address: privacy@fondazionecariplo.it.
Categories of Personal Data Processed
For the purposes described below, the Foundation, where applicable and where necessary, processes personal data belonging to the following categories:
- Browsing data (ordinary personal data).
Data falling within this category are collected through cookies.
For detailed information regarding the cookies used, please refer to the specific cookie policy available through the cookie banner, via the “Cookie Policy” link in the footer of each page of the Website, or by selecting the “Cookie settings” button available at the bottom of the page.
Purposes of Processing and Data Retention Period
The purposes of the processing are as follows.
Purposes Based on the Data Subject’s Consent
- carrying out traffic measurement activities and navigation analysis in order to improve the services offered by the Foundation;
- implementation of promotional campaigns.
Personal data processed for the purposes set out above shall be retained in accordance with the provisions set out in the cookie policy, available through the cookie banner, via the “Cookie Policy” link in the footer of each page of the Website, or by selecting the “Cookie settings” button available at the bottom of the page.
Purposes Related to the Protection of a Legitimate Interest
- ensuring the proper functioning of the Website;
- where necessary, protecting contractual and pre contractual rights or, in any event, rights arising from existing relationships.
Personal data processed for the purposes set out above shall be handled and retained in accordance with the provisions set out in the cookie policy, available through the cookie banner, via the “Cookie Policy” link in the footer of each page of the Website, or by selecting the “Cookie settings” button available at the bottom of the page.
Note. Where it is necessary to establish, exercise or defend the rights of the Foundation in judicial proceedings, the data retention period may be extended until the conclusion of the dispute.
Legal Bases for Processing
The processing of the personal data referred to above is based on the following legal bases:
- consent of the data subject (Article 6(1)(a) of the Regulation);
- legitimate interest of the Foundation (Article 6(1)(f) of the Regulation).
Disclosure of Data Outside the Foundation
The data acquired by the Foundation, within the scope of the purposes described above, may be disclosed and/or otherwise made available outside the Foundation for various reasons.
In particular, data may be made available to entities performing IT system management activities for the Foundation, consultants, consulting companies, professional firms, as well as to other parties who, in any capacity, cooperate with the Foundation for the achievement of the aforementioned purposes.
The complete and updated list of independent Data Controllers, Data Processors appointed by the Foundation, and data recipients in any capacity (pursuant to Article 4(9) of the Regulation) may be requested at the Foundation’s offices.
Transfer of Personal Data Outside the EU
The Foundation may transfer personal data to third parties acting as independent Data Controllers or to Data Processors in order to enable the performance of the activities listed in this Privacy Notice.
Where such transfer takes place to countries that do not ensure the same level of protection provided by the GDPR or applicable legislation, or in any case an adequate level of personal data protection, Fondazione Cariplo shall ensure that each recipient undertakes specific contractual obligations in compliance with applicable personal data protection laws, including the execution of the Standard Contractual Clauses approved by the European Commission, unless the Foundation may rely on any other legal basis for the transfer of such information.
In any event, the data subject may always request further information, including the recipient countries of the personal data, by writing to privacy@fondazionecariplo.it.
Personal data shall not be disseminated and shall therefore not be made available to unspecified recipients.
Rights of the Data Subject
With regard to the personal data provided, the data subject has the right to exercise at any time, in accordance with the Regulation, the rights set out therein and listed below:
- Right to withdraw consent [Article 7(3) of the Regulation] (right to withdraw the consent given.
Note: the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal). - Right of access by the data subject [Article 15 of the Regulation] (right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, to obtain access to such data and to further information, such as the purposes of processing, the categories of personal data processed, the recipients of disclosures and/or transfers of personal data – including a copy of the data in an intelligible form).
- Right to rectification [Article 16 of the Regulation] (right to obtain without undue delay the rectification of inaccurate personal data concerning him or her, and to have incomplete personal data completed, including by means of a supplementary statement).
- Right to erasure (“right to be forgotten”) [Article 17 of theRegulation] (right to have personal data erased).
- Right to restriction of processing [Article 18 of the Regulation] (right to obtain restriction of processing, for example, in the event of a contestation of the accuracy of the personal data or in the event of unlawful processing).
- Right to data portability [Article 20 of the Regulation] (right to receive the personal data concerning him or her, provided to the Foundation, in a structured, commonly used and machine readable format, and the right to transmit those data to another data controller without hindrance from the Foundation, where the processing is carried out on the basis of consent or of a contract and is carried out by automated means).
- Right not to be subject to automated decision making [Article 22 of the Regulation] (right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her).
The above rights may be exercised in writing by sending an email to: privacy@fondazionecariplo.it.
Further information regarding the processing of personal data may also be requested at the same contact details at any time. It is also specified that the exercise of these rights must not adversely affect and/or infringe the rights and freedoms of others
Cookie Notice
Note. Consent given for cookies other than strictly necessary cookies may be modified or withdrawn using the “Cookie Settings” button, which is constantly available during navigation on the Website at the bottom of the user interface or at the end of this page.
Timeframes and Response Modalities
Fondazione Cariplo undertakes to respond to requests within one month, except in cases of particularly complex requests, for which a maximum period of three (3) months may be required.
In any case, the Foundation shall explain the reasons for the delay within one month of the request.
The outcome of the request shall be provided in writing (at the data subject’s request) or in electronic form and, in the latter case, free of charge.
The Foundation specifies that a fee may be charged to the data subject where requests are manifestly unfounded, excessive or repetitive; for this purpose, Fondazione Cariplo shall keep track of such requests.
In compliance with Article 19 of the Regulation, Fondazione Cariplo undertakes to inform the recipients to whom the personal data of the data subject have been disclosed of any rectification, erasure or restriction of processing requested by the data subject, where feasible.
Further information on the rights of data subjects and how to exercise them is provided in the document “Exercise of Rights in Personal Data Protection Matters”, which can be downloaded from this page.
Right to Object
The data subject also has the right to object to processing based on legitimate interest (Article 6(1)(f) of the Regulation) by contacting the Foundation using the contact details provided above.
Right to Lodge a Complaint
Where the data subject considers that his or her rights have been infringed or that the processing of his or her personal data is in breach of the applicable legislation, he or she has the right to lodge a complaint with the Italian Data Protection Authority, in accordance with the procedures indicated by the Authority.
Nature of Data Provision
With reference to the purposes of processing described above, the provision of data by the data subject is optional.
In the event that data are not provided, navigation on the Website shall nonetheless remain possible, without any additional processing being carried out.
Note. The above does not apply to the use of strictly necessary cookies.
It is specified that where the functionality of such cookies has been limited through the settings of the browser used, depending on the circumstances, correct navigation of the Website may be difficult or impossible.
Methods of Processing
Personal data shall be processed by electronic and telematic means and shall be stored in relevant databases accessible to employees and collaborators of the Foundation who have been duly authorised.
Such persons may carry out operations of consultation, use, processing, comparison and any other appropriate operation, including automated processing, in compliance with the legal provisions necessary to ensure, inter alia, the confidentiality and security of the data, as well as their accuracy, updating and relevance in relation to the stated purposes.
Amendments and Updates
Fondazione Cariplo may make amendments and/or additions to this privacy notice, also as a consequence of any subsequent legislative or regulatory changes.
In such cases, the updated version of this privacy notice shall be communicated as soon as possible using methods intended to reach data subjects as promptly as possible.