PRIVACY NOTICE

PRIVACY NOTICE IN ACCORDANCE TO ARTICLE 13 OF REGULATION (EU) 2016/679

In compliance with the provisions of Article 13 of the EU Regulation 2016/679 (hereinafter ‘EU Regulation’) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, this information is provided to website users of www.fondazionecariplo.it (hereinafter, the ‘Website’).

Note. During browsing, specific privacy notices may be made available whenever you are asked to provide personal data.

Definitions:

• By ‘personal data’ (art. 4, no. 1, of EU Regulation) we mean any information relating to an identified or identifiable natural person (‘data subject’) with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factor specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
• By ‘processing’ (Art. 4, no. 2, of EU Regulation) we mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Identity of the Data Controller and Data Protection Officer
Pursuant to article 4, no. 7, of the EU Regulation, Cariplo Foundation, based in Milan, via Daniele Manin 23, is the Data Controller (hereinafter also just ‘Foundation’).

Fondazione Cariplo has appointed a Data Protection Officer (‘DPO’), that can be contacted at privacy@fondazionecariplo.it.

Data processed
In pursuit of the purposes set forth below, the Foundation, as appropriate and when necessary, will process personal data belonging to the following categories:

• Navigation data (‘common’ personal data).
  Data belonging to this category are collected via cookies. For detailed information on the cookies used, please refer to the specific cookie policy available via the cookie banner, the ‘Cookie Policy’ link in the footer of the Website or through the ‘cookie settings’ button available at the bottom of the page.

Purpose of processing and retention period
The purposes of processing are as follows:

1. Purpose related to the acquisition of consent
   • Carrying out traffic measurement and navigation analysis activities to improve the services offered by the Foundation;
   • Performance of promotional campaigns.

The data processed for the above purposes will be stored in accordance with the cookie policy, available via the cookie banner, the ‘Cookie Policy’ link in the footer of the Website or through the ‘cookie settings’ button available at the bottom of the page.

2. Purposes for the protection of a legitimate interest
   • Ensure the proper functioning of the Website;
   • If necessary, to protect contractual and pre-contractual rights or otherwise arising from existing relationships.

The data processed for the above purposes will be stored in accordance with the cookie policy, available via the cookie banner, the ‘Cookie Policy’ link in the footer of the Website or through the ‘cookie settings’ button available at the bottom of the page.

Note. Should it be necessary to establish, exercise or defend the rights of the Foundation in court, the retention period may be extended until the end of the litigation.

Legal basis for processing
The processing of the above-mentioned personal data is based on the following legal bases:

• Consent of the data subject (Art. 6(1)(a) of the EU Regulation);
• Legitimate interest of the Foundation (Art. 6(1)(f) of the EU Regulation).

Sharing of data outside the Foundation

The data acquired by the Foundation, for the purposes mentioned earlier may be shared for various reasons: the data may be made available to subjects carrying out activities for the management of the Foundation's IT system, consultants, consultancy firms, professional firms, as well as to other subjects who collaborate - for whatever reason - with the Foundation for the achievement of the purposes mentioned above.
The complete and updated list of the autonomous data controllers, the data processors appointed by the Foundation and the recipients of the data in any capacity (pursuant to article 4, no. 9, of the EU Regulation) may be requested at the offices of the Foundation.

Extra-EU personal data transfer
The Foundation may transfer personal data to third parties as autonomous data controllers or to data processors to enable the performance of the activities listed in this privacy notice. In the event that such transfer takes place to countries that do not provide the same level of protection as provided by the GDPR or applicable legislation, or in any case an adequate level of personal data protection, the Foundation will ensure that each such recipient assumes specific contractual obligations in accordance with applicable data protection regulations (including the signing of the Standard Contractual Clauses approved by the European Commission), unless the Foundation may refer to any other legal basis for the transfer of such information.

In any case, the data subject may always request more information regarding the transfer of his or her personal information by writing to the e-mail address privacy@fondazionecariplo.it

Personal data will not be disseminated, and therefore will not be made available to unspecified parties.

Right of the data subject
The data subject, in relation to the personal data provided, is entitled to exercise at any time and in accordance with the provisions of the applicable legislation the rights set out therein and listed below:

• Right to withdraw consent [art. 7(3) of EU Regulation] (right to withdraw the consent given. Note. withdrawal of consent does not affect the lawfulness of the processing based on the consent given before the withdrawal);
• Data subject's right of access [Art. 15 of the EU Regulation] (the right to obtain confirmation as to whether or not personal data concerning the data subject exist and, if so, access to such data and further information, such as the purposes and categories of data processed, the recipients of communications and/or data transfers, including a copy in an intelligible form);
• Right to rectification [art. 16 of the EU Regulation] (right to rectify without undue delay inaccurate personal data concerning the data subject and to supplement incomplete personal data, including by providing a supplementary explanation);
• Right to erasure (‘right to be forgotten’) [art. 17 of the EU Regulation] (right to obtain the erasure of personal data regarding the data subject);
• Right to restriction [art. 18 of the EU Regulation] (right to obtain a restriction on processing, e.g. if the accuracy of the data is disputed or if the processing is unlawful);
• Right to data portability [art. 20 of the EU Regulation] (the right to receive the personal data provided to the Foundation in a structured, commonly used and machine-readable format and the right to have such data communicated to another controller without hindrance by the Foundation, where the processing is carried out on the basis of consent or by contract and is automated);
• Right not to be subjected to automated decision-making [art. 22 of the EU Regulation] (right not to be subject to a decision based solely on automated processing which produces legal effects or significantly affects the data subject in a similar way).

The above rights can be exercised in writing by sending an e-mail to privacy@fondazionecariplo.it. In the same manner, more information regarding the processing of personal data may be requested at any time. It is also specified that the exercise of one's rights will not prejudice and/or infringe on the rights and freedoms of others.

Note. Consents given for cookies other than the necessary ones can be changed / withdrawn via the “Cookie Settings” button constantly available while browsing this Website at the bottom of the user interface or at the bottom of this page.
The Foundation undertakes to respond to requests within a period of one month, except in the case of particularly complex requests, for which it may take up to three months. In any case, the Foundation will explain the reason for the wait within one month of the request.
The outcome of the request will be provided in writing (at the request of the data subject) or in electronic format (and, in this case, free of charge). The Foundation specifies that the data subject may be asked to contribute if his or her requests are manifestly unfounded, excessive or repetitive: in this regard, the Foundation will keep track of the requests.
The Foundation, in compliance with Article 19 of the EU Regulation, undertakes to report to the recipients to whom the data subject's personal data have been disclosed any rectification, deletion or restriction of processing requested by the data subject, where possible.

Further information regarding rights and how to exercise them is provided on the Foundation's website at the following link (page available in Italian only).

Right to object (art. 21 of the EU Regulation)
The data subject also has the right to object to the processing on grounds of legitimate interest (art. 6(1)(f) of the EU Regulation) by contacting the Foundation at the contact details indicated in the previous paragraph.

Right to lodge a complaint (art. 77 of the EU Regulation)
If the data subject considers that their rights have been compromised or infringed, or that the processing of their data is contrary to the legislation in force, they have the right to lodge a complaint with the Italian Data Protection Authority in accordance with the procedures indicated by it at the following link (page available in Italian only).

Nature of provision of data
Please note that, with regard to the above processing purposes, the provision of data by the data subject is optional. If the data are not provided, it will still be possible to navigate on the Website, without any further activities being carried out.

Note. The above does not apply to the use of necessary cookies It should be noted that if the functionality of these cookies has been restricted through the settings of the browser used, it may be difficult or impossible to navigate properly, depending on different situations.

Data processing and communication methods
Personal data will be processed in paper and digital form and will be included in the relevant company databases that can be accessed, and therefore come to the knowledge of, employees and collaborators of the Foundation specifically appointed for this purpose. These subjects will be able to carry out consultation, use, processing, comparison and any other appropriate operation, even automated, in compliance with the applicable provisions of the law necessary to ensure, among other things, the confidentiality and security of the data as well as its accuracy, updating and relevance to the stated purposes.

Changes and updates
The Foundation may also make changes and/or additions to this privacy notice as a consequence of any subsequent regulatory changes and/or additions. In such cases, the new version of this privacy notice will be communicated as soon as possible in such a way as to reach all the data subjects as quickly as possible.

Read more: 

NEWSLETTER PRIVACY NOTICE