In accordance with article 13 of Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”) and in accordance with Legislative Decree no. 196/2003 (“Privacy Code” as amended by Legislative Decree no. 101/2018), which adapts Italian legislation to the requirements of the GDPR, Fondazione Francesca Rava N.P.H. Italia Onlus, with registered office in Milan, Viale Premuda 38/A (hereinafter referred to as the “Foundation“), as Data Controller, undertakes to protect the privacy and the Data Subject rights. The processing of personal data provided will be based on the principles of fairness, lawfulness and transparency. The Foundation is required to provide the Data Subject with information about methods and purposes of the processing of personal data.

1. Source and categories of data processed. Personal data are collected by the Foundation directly from the Data Subject, when he/she registers on the “ninna ho” site in order to access the “ninna ho responds” section or the “Contact us” form. The data processed are, for example, identity details (name and surname, e-mail, telephone number, etc.). All personal data are processed in compliance with current legislation on the protection of personal data.

2. Purpose of the processing. The processing of personal data by the Foundation is necessary to allow the management of requests for information relating to the services offered by the Foundation and to answer the questions forwarded by the Data Subject.

The processing of personal data for the purposes referred is necessary to respond to requests and questions posed by the Data Subject who contacts the Foundation; the processing of personal data requires the Data Subject prior consent, which constitutes the legal basis of the processing.

If the Foundation intends to use personal data collected for any other purpose incompatible with the purposes for which the data were originally collected, the Foundation will inform the Data Subject in advance.

3. Processing methods. Personal data are processed by the Data Controller both using manual tools (paper documents), and with IT methods and procedures (electronic, telephone, telematic or automated means), according to the purposes and ensuring the data security and the data confidentiality.

In compliance with the GDPR, the Foundation undertakes to configure the information systems and computer programs by minimizing the use of personal data, so as to exclude their processing if the purposes can be achieved through anonymous data or appropriate methods that allow to identify the Data Subject only in case of need.

Even when personal data are disclosed to certain subjects (point 4 of the Privacy Notice) for these purposes, the same methods and procedures are used. These subjects must process this personal data for the same purposes indicated in this Privacy Notice and with the methods and procedures compliant with the legislation.

4. Transfer and dissemination of personal data. Personal data collected for the purposes referred to in point 2 of this Privacy Notice will not be disseminated and will not be disclosed to indeterminate subjects, in any form, including availability or consultation.

In accordance with legal obligations, personal data may be known, exclusively for the purpose of point 2, as well as by the Data Controller, also by:

• employees and collaborators of the Data Controller, as subjects authorized to process the data;
• subjects who process the data on behalf of the Data Controller, designated as Data Processors in accordance with art. 28 GDPR (e.g. KPMG);
• other subjects who support the Data Controller in the management and organization of the charity initiative as Autonomous Controller.

Personal data referred to a Data Subject will not be disclosed to other subjects without his consent and they will be kept in accordance with the confidentiality and security criteria.

5. Transfers of personal data outside the European Union. Personal data will be stored and processed within the European Union. Any processing outside the European Union will take place only after the adoption of appropriate safeguards, as required by law.

6. Data retention policy. The Foundation keeps personal information in its systems in a form that allows the identification of the Data Subjects for the period necessary to pursue the purposes referred to in point 2 of this Privacy Notice and, subsequently, for a period of time in compliance with the legislation or in any case not exceeding 10 years (ordinary limitation period).

7. Data Subject Rights. The Data Subject is entitled to assert their rights, which are recognized by articles 15-22 of the GDPR, such as:

• the right to access: the right to obtain from the Data Controller information on the origin, purpose, category of data processed, transfer and dissemination of the data, etc. and the right to obtain a copy of personal data, provided that this does not affect the rights and freedoms of other people;
• the right to rectification: the right to obtain from the Data Controller the rectification of inaccurate personal data without undue delay, as well as the integration of incomplete personal data;
• the right to erasure (“The right to be forgotten”): the right to obtain from the Data Controller the cancellation of personal data without undue delay if:

1. 1. Personal data are no longer necessary with respect to the purposes of the processing;
   2. Consent on which the processing is based is revoked and there is no other legal basis for the processing;
   3. Personal data have been unlawfully processed;
   4. Personal data must be deleted to fulfil a legal obligation;

• the right to object to processing: the right to object at any time to the processing of personal data which has a legitimate interest of the Data Controller as its legal basis;
• the right to restrict processing: the right to obtain from the Data Controller the restriction of the processing, under certain conditions: if the accuracy of personal data is contested, or if the processing is unlawful, or the Data Subject has opposed the processing;
• the right to data portability: the right to receive personal data in a structured format, commonly used and readable by an automatic device and the right to transfer such data to another Data Controller, only for cases in which the processing is based on consent and for data only processed by electronic means;
• the right not to be subjected to automated decisions: the right to obtain from the Data Controller not to be subjected to decisions based solely on automated processing, including profiling, which produce legal effects concerning the Data Subject, unless such decisions are necessary for the conclusion or execution of a contract or such decisions are based on the consent given by the Data Subject;
• the right to lodge a complaint with a supervisory authority: if the Data Subject believes that the processing of personal data (concerning him/her) violates the GDPR, he/she has the right to lodge a complaint with the Member State supervisory authority in which he/she lives and works, that is the state in which the alleged violation occurred.

Furthermore, the Data Subject has the right to revoke his/her consent given for one or more of the purposes listed above (point 2 of the Privacy Notice) at any time, without prejudice to the lawfulness of the processing carried out by the Data Controller until revocation.

8. Contacts. In order to exercise the rights under the GDPR, the Data Subject may contact the Foundation at the following e-mail address: info@nph-italia.org.