Information pursuant to articles 13 et seq. of the EU Regulation 679/2016 for the processing of personal data and consent to data processing
Pursuant to articles 13 et seq. of the EU Regulation 679/2016 (hereinafter GDPR) regarding the protection of personal data, CIES Onlus, based in Rome, Via Merulana 198 (hereinafter the “Owner”), as data controller, informs you that your data will be processed in the manner described below.
Subject, method of processing and legal basis
The Data Controller processes personal identification data (for example but not limited to, name, surname, tax code, address, telephone number, e-mail address, bank and payment details, VAT number, images, photographs and videos) provided by you when stipulating and performing a service contract or for work relationships stipulated with the Data Controller itself.
‘Personal data’ shall mean any information relating to an identified or identifiable natural person (“interested party”); an identifiable natural person is an individual who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identification number or one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity.
‘Personal Data Processing’ shall mean any operation or set of operations performed with or without the aid of automated processes and applied to personal data or sets of personal data, even if not recorded in a database, such as the collection, registration, organization, structuring, retention, processing, selection, block, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction.
The legal basis for the processing is contractual, based on consent.
Purposes of data processing
The data will be processed for the following purposes, manually and/or with the aid of computer or telematic means, however suitable for guaranteeing the security and confidentiality of the data.
A – Your personal data may be processed in compliance with Article 6 letter b), e) GDPR without your express consent for the following service purposes: to stipulate contracts for services and performances provided by the Data Controller; fulfil the pre-contractual, contractual and fiscal obligations deriving from any existing relationship with you; fulfil the obligations established by the law, by a regulation, by Community legislation, by an order of the Authority or by any action having force or value of law; exercise the rights of the Data Controller, for example the right of defence in court, for purposes related to the management and administration of your working relationship with the Data Controller.
B – Your data is processed in compliance with the art. 7 GDPR only with your specific consent, expressed through a separate authorization for the following purposes: to send you via e-mail, mail, SMS and/or telephone contacts, newsletters, information on the Organization’s activities, communications and/or advertising material on services and performances offered or events organized by the Data Controller and the degree of satisfaction with the quality of the services, performances and events themselves; to send you via e-mail, mail, SMS and/or telephone contacts, newsletters, communications and/or promotional materials of third parties (i.e. “Altrove Srl” – www.altroveristorante.it); to send you via e-mail, mail, SMS and/or telephone contacts communications relating to fundraising.
These actions could be designed in a personalized manner based on the characteristics of behaviour (e.g. donated amount, donation frequency, area of residence), interests and preferences with respect to our actions, with the consequence of identifying the interested party as a potential interested party to our initiatives with certain characteristics (e.g. projects, participation in events, testamentary legacies, etc.) and to direct them only to content in line with their needs (so-called “profiling”).
In any case, information regarding age, sex, health status, participation in trade unions or associations or ethnic, cultural or religious origins will be used exclusively for the purpose of enabling the Data Controller to verify compliance with the law and its best application in terms of equal opportunities, non-discrimination and correct management of human resources (for example for sickness, maternity, accident, belonging to protected categories, suitability for performing duties, health surveillance certificates in accordance with the rules that protect health at work, leaves, allocation of sums to institutions or associations, etc.).
Please note that if you are already our supporter, donor or subscriber to our newsletter, we may send you communications and/or information relating to the services, performance and events of the Data Controller similar to those that you have already received, unless you indicate that you do not wish to receive such communications.
The Data Controller will process your personal data for the time necessary to fulfil the aforementioned purposes and for a period not exceeding 10 years from the termination of the relationship for service purposes or for the relationship itself and not exceeding 2 years from the collection of data for the purposes as referred to in point 2B.
Access to data
Your data may be made accessible, for the purposes specified above in this information, to the following subjects:
to employees and collaborators of the Data Controller or its subsidiaries in Italy, in their capacity as persons in charge and/or internal processing managers and/or system administrators;
to third-party companies or other entities (e.g. credit institutes, professional firms, experts, insurance companies, etc.) which perform outsourcing activities on behalf of the Data Controller, in their capacity as external data processing managers.
Provision of the data
Without the need for an express consent (pursuant to art. 6 lett. b) and c) GDPR), the Data Controller may communicate your data for the purposes described in this information to Supervisory and public bodies (such as IVASS, INPS, INAIL), Judicial Authorities, insurance companies for the provision of insurance services, as well as those subjects to whom the communication is mandatory by law for the fulfilment of said purposes.
These subjects will process the data in their capacity as independent Data Controllers.
Your data will not be disclosed.
Personal data is located and stored on our servers, which are physically located within the European Union. In any case, it shall be understood that if necessary, the Controller reserves the right to relocate the servers, including outside the EU. In this case, the Data Controller guarantees from this moment that the transfer of the data outside the European Union will take place in accordance with the applicable legal provisions by stipulating, if necessary, agreements which guarantee an adequate level of protection and/or by adopting the standard contractual clauses provided by the European Commission.
Nature of data provision and consequences of refusal
The provision of data for the purposes referred to in point 2A) is mandatory. In their absence and in the absence of such transfer, the Data Controller will not be able to guarantee the services mentioned in point 2A) of this information.
However, the provision of Data for the purposes referred to in Article 2B is optional. You can, therefore, decide not to provide any data or to subsequently deny the possibility of processing data provided earlier: in this case, you will not be able to receive newsletters, commercial communications about the Organisation’s activities, fundraising communications and/or advertising material concerning the services offered by the Data Controller or events organised by it. However, you will still be entitled to the services referred to in art. 2A) as above.
Rights of the data subject
In your capacity as data subject, you have the rights set forth in art. 15 GDPR and precisely the right to:
obtain confirmation of the existence or not of personal data concerning you, even if not yet recorded, and their communication in intelligible form;
be informed: a) of the origin of the personal data; b) of the purposes and methods of processing; c) of the criteria applied in case of processing carried out with the aid of electronic means; d) of the identification of the controller, the processors and the representative appointed pursuant to article 3, paragraph 1, GDPR; e) of the subjects or categories of subjects to whom the personal data may be disclosed or who may become aware of it as appointed representative in the territory of the Italian State, Data Processors or persons in charge of processing;
obtain: a) updating, rectification or, when interested, integration of data; b) the deletion, transformation into anonymous form or blocking of data processed breaching the law, including data which does not need to be kept for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also with regard to their content, of those to whom the data have been communicated or disseminated, except in the event that such fulfilment proves to be impossible or involves a manifestly disproportionate use of resources with respect to the protected right;
object, in whole or in part: a) for legitimate reasons to the processing of personal data concerning you, even if pertinent to the purpose of collection; b) to the processing of personal data concerning you for the purpose of sending information material on the activities of the Organization or for carrying out research aimed at fundraising activities or the promotion of events, through the use of automated systems, through e-mail and/or through traditional promotional methods, by telephone and/or mail.
Please note that, with regard to promotional purposes through automated methods, the data subject’s right to object, as set out in point b) above, also extends to traditional methods and that, in any event, the subject of the data retains the right to object, even in part. Therefore, the data subject may choose to receive only communications by traditional methods or only automated communications or neither of the above.
Where applicable, you also have the rights referred to in the Arts. 16-21 GDPR (right of rectification, right to be forgotten, right to restrict processing, right to data portability, right to object), as well as the right to lodge a complaint with the Supervisory Authority.
How to exercise your rights
You may exercise your rights at any time by sending a registered letter to CIES Onlus, based in Rome, Via Merulana 198.
Data controller, data manager and data processors
The Data Controller is CIES Onlus, based in Rome, Via Merulana 198 as expressly stated at the beginning of this document.
The updated list of Data Processors and those responsible for processing is kept at the Data Controller’s registered office.
Changes to this Policy
This Policy may be subject to changes. We therefore recommend that you regularly check this Policy and refer to the latest version.