INFORMATION ON THE PROCESSING OF PERSONAL DATA CARRIED OUT BY FONDAZIONE AUGUSTO RANCILIO UNDER ARTS. 13-14 OF REGULATION (EU) 2016/679 (HEREINAFTER "REGULATION" OR "GDPR")
Before processing any Personal Data (the "Data"), the Controller must inform you (the "Data Subject") about the why and how of the Data Processing. For that reason, this notice gives you all the information you need so that you can provide your Data in an informed and conscious manner and, at any time, request and obtain clarifications or corrections, as well as exercise your rights.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller is Fondazione Augusto Rancilio, with registered office in Via Fametta - Bollate (MI), Italy, at Villa Arconati, VAT number 97041410156 (the “Controller”). The Data Controller has appointed a Data Protection Officer (DPO) who can be contacted at the following e-mail address: firstname.lastname@example.org.
2. TYPE OF PERSONAL DATA COLLECTED
The website you are visiting acquires various kinds of Personal Data, such as:
- a) Data directly inserted by you by filling in the website's forms, such as name (*), surname (*), company, city, address (*), telephone (*), e-mail (*), fax number and description of the request (*). Data marked with this symbol (*) are mandatory;
- b) Data collected automatically as a result of your navigation on the website, such as IP addresses, time of the request, country of origin, characteristics of your browser and operating system.
The Data Controller will process your Data in compliance with the provisions of the law and the principles applicable to the protection of Personal Data. Processing operations will only take place with regard to the purposes indicated in paragraph 4 below and according to methods and procedures aimed at ensuring the integrity, availability and confidentiality of what you share with us.
3. SOURCE OF DATA PROCESSING
Personal Data are gathered directly from users or from third parties (cookies).
In relation to the Data gathered from users, in order to allow the Controller to keep the Data accurate and up to date, we ask users to communicate any changes to the Data using the contact details given in § 1 of this notice.
4. PURPOSES OF THE PROCESSING
The Data processing is carried out by the Controller for the purposes indicated below:
- i. handle your requests regarding the organisation of an event with the Fondazione, whether we receive them by telephone, by e-mail, in person or through a contact form on the website. The Data processed for the pursuit of this purpose are those listed in the previous paragraph 2, lett. (a);
- ii. manage your browsing and allow the technical functioning of the website, also in order to improve its performance. Data processed for the pursuit of this purpose are those listed in the previous paragraph 2, lett. (b);
- iii. comply with all legal obligations, regulations or other national or Community legal provisions, namely provisions issued by relevant authorities, and/or requests from a supervisory Control Authority. Data processed for the pursuit of this purpose are those listed in the previous paragraph 2, lett. (a) and (b);
- iv. establish, exercise or defend the Controller’s rights out of court, in court or in administrative venues. Data processed for the pursuit of this purpose are those listed in the previous paragraph 2, lett. (a) and (b);
- v. contact you, also via newsletters, to send you, by e-mail, communications related to the seasonal closing of the headquarters or announcements of events in Villa Arconati. The Data processed for the pursuit of this purpose are those listed in the previous paragraph 2, lett. (a) (in particular, e-mail address, first and last name). At the time of collection of the e-mail address and on receipt of every communication, the Data Subject is informed of the possibility of objecting to the processing at any time, easily and free of charge. To unsubscribe from the mailing list, simply use the "unsubscribe" function at the bottom of each e-mail. The Data processed are those referred to in the previous § 2, lett. b), limited to the e-mail address.
5. THE LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
The Controller processes the Data referred to in paragraph 4 point (iii) under the following legal basis:
compliance with a legal obligation pursuant to Art. 6, par. 1, let. c) of the Regulation.
The Controller processes the Data referred to in paragraph 4 point (iv) under the following legal basis:
purposes of the legitimate interest pursued by the Controller pursuant to Art. 6, par. 1, let. f) of the Regulation.
The Controller processes the Data referred to in paragraph 4 point (v) under the following legal basis:
free, informed, specific, unambiguous and always revocable consent pursuant to Art. 6, par. 1, let. a) of the Regulation.
6. NATURE OF DATA PROVISION AND POSSIBLE CONSEQUENCES OF REFUSAL
The provision of personal Data can be:
- a) obligatory according to law, regulation, Community legislation or a contract;
- b) strictly necessary for the conclusion of a contract;
- c) optional.
In this case, for the purposes indicated in points (i), (ii), (iii) and (iv) of the previous paragraph 4, the provision of Data is strictly necessary for the conclusion of the agreement and/or obligatory to comply with legal and contractual obligations. Refusal to provide the Data will make it impossible to establish and/or continue the contract with the Controller. For the purposes referred to in point (v) of the previous paragraph 4, the provision of the Data is optional; however, a partial or total refusal to provide the Data for such purposes will prevent the Controller from sending the aforementioned communications.
7. MODALITIES, PLACES AND TIMES OF THE PROCESSING
The processing of data is carried out under the principles of lawfulness, necessity and relevance with the help of electronic means. The Controller doesn’t adopt any automated decision-making, including profiling.
Processing is carried out directly at the Controller by authorised personnel. In some cases, external parties may also process your Data (for example, professionals bound as such by secrecy, like consultants, accountants, lawyers, etc.; suppliers; agents; service companies, professionals and consultants responsible for managing agreements, storage and sorting operations, and postal and/or freight transport; IT and system security companies; managers of the software infrastructure used by the Controller). The list of all the subjects involved in the Processing can be requested from the Data Controller at any time.
Your Personal Data will be processed by the Data Controller for the time necessary to achieve the purpose referred to in paragraph 4 of this notice, as indicated in Recital 39 of the Regulation, without prejudice to a further period of retention that may be imposed or permitted by law as also provided for in Recital 65 of the Regulation.
The processing carried out to achieve the purposes referred to in point (v) of § 4 will take place until you communicate your intention to withdraw your consent. If consent is revoked, the Foundation will cease processing your personal data for such purposes.
Even without your express consent, the Controller can disseminate your Data, for the purposes referred to in paragraph 4, to the subjects to whom dissemination is mandatory by law. These subjects will process the Data in their capacity as independent controllers.
Data will not be disclosed.
9. RIGHTS OF THE DATA SUBJECT
The Regulation grants you the right to:
- obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and obtain information (right of access - Art. 15 Regulation);
- obtain the rectification of inaccurate personal data and to have incomplete personal data completed (right to rectification - Art. 16 Regulation);
- obtain the erasure of the data processed in the cases referred to in the Regulation, including if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (right to erasure - ‘right to be forgotten’ - Art. 17 Regulation). The request for removal may not be granted in the cases referred to in the Regulation, including when the processing is necessary to fulfil a legal obligation or exercise a legal right;
- obtain the restriction of the processing of data if the accuracy of the personal data is contested, and only for the period necessary for the controller to verify the accuracy of these personal data; or in the case of unlawful processing; or when, even if the personal data are no longer necessary for the purposes of the processing, they are nevertheless necessary to the data subject for the establishment, exercise or defence of a right in court; or in the event that the data subject has exercised the right to object to the processing of personal data, only for the period necessary to verify whether the Controller’s legitimate grounds prevail over those of the data subject (right to restriction of processing - Art. 18 Regulation);
- receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (right to data portability - Art. 20 Regulation);
- object, for reasons related to the particular situation of the data subject, to the processing of personal data necessary for the performance of a task in the public interest or for the pursuit of the legitimate interest of the controller or of third parties. However, the controller may continue to process the data if it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing (right to object - Art. 21 Regulation);
- request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject, except in cases where profiling is necessary for the conclusion of an agreement, is authorised by Union or Member State law to which the Controller is subject, or is based on the explicit consent granted by the data subject (Art. 22 Regulation);
- withdraw the consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, where the processing is based on let. a) of Art. 6 paragraph or let. a) of Art. 9 paragraph 2 of Regulation;
- lodge a complaint with a supervisory authority (Art. 77 Regulation).
All the data subject’s requests can be addressed to the Controller, in writing and with a copy of a valid identification document, using the contact details given in paragraph 1 of this notice. The Controller facilitates the Data Subject’s requests and is committed to providing a response within a month of receiving the communication.
Furthermore, the Controller, pursuant to Art. 19 Regulation, shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Art. 16, Art. 17 paragraph 1 and Art. 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.