This privacy policy is intended to provide all the information on the processing of personal data carried out by the BuonoLopera Foundation when users browse its website or whenever an interested party comes into contact with the Foundation.

The “BuonoLopera Foundation – Third Sector Organization” (hereinafter the “Foundation”), headquartered in Via Galliano, 27 – 10129 Turin, Italy (VAT number IT11934330017, fiscal code 97875430015), e-mail: info@buonolopera.foundation (hereinafter, the “Data Controller”), owner of the website https://www.buonolopera.foundation (hereinafter, the “Site”), as data controller responsible for the processing of personal data belonging to users who browse the Site (hereinafter, “Users”) and to individuals interested in interacting with the Foundation, whether Users or non-Users, (hereinafter, “Data Subjects”), provides the privacy policy below pursuant to article 13 of EU Regulation 2016/679 of 27 April 2016 (hereinafter, “Regulation”, or “Applicable Law”).

The Data Controller takes into utmost account Users’ and Data Subjects’ right to privacy and the protection of their personal data. For any information relating to this privacy policy, Users and all other Data Subjects can contact the Data Controller at any time:

• By sending a registered letter with return receipt to the registered office in Via Galliano, 27 – 10129 Turin, Italy;
• By sending an e-mail to the following address, which is always at their disposal: info@buonolopera.foundation.

The Data Controller has not identified a Data Protection Officer (DPO), as it is not subject to the designation obligation set forth in article 37 of the Regulation.

By browsing the Site or entering into contact with the Foundation, Data Subjects can always stay up to date on news concerning the Foundation, and its ongoing or planned projects, initiatives or events. As regards the activities that can be carried out through the Site or other opportunities for contact, the Data Controller collects personal data relating to Users or other Data Subjects.

The personal data belonging to Users or other Data Subjects will be processed lawfully by the Data Controller for the following purposes:

• To answer requests for information from the Foundation, received through the Site or other channels: in order to follow up on a request for information or contact (received via e-mail or telephone) the Data Controller needs to process some Personal Data, as requested in the form on the Site and/or as spontaneously offered by the Data Subject in contacting the Foundation.

Legal basis and lawfulness of the processing: pre-contractual purpose pursuant to article 6 letter b) of the Regulation – the Processing of Personal Data will be carried out by the Data Controller to provide feedback to a request for information or contact, and will be legally based on the pre-contractual or contractual relationship that will form between the Foundation and the Data Subject;

• To provide the Site navigation service: i.e. to allow Users to browse the Site. User data collected by the Data Controller for this purpose include all personal data whose transmission is implicit in the use of Internet communication protocols, which the IT systems and software procedures supporting the Site’s functioning acquire during their normal operation: the IP addresses or domain names of the computers used by the Users, the addresses in URI (Uniform Resource Identifier) notation for the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters relating to the User’s operating system and IT environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the Site and to allow its correct operation. Without prejudice to the provisions elsewhere in this privacy policy, in no case will the Data Controller make the Users’ personal data accessible to other Users and/or to third parties.

Legal basis and lawfulness of the processing: contractual purpose pursuant to article 6 letter b) of the Regulation – the Processing of Personal Data will be conducted by the Data Controller to allow the execution of a contract in which the User is a party, and will be legally based on the contractual relationship that will form with the latter;

• To complete all phases connected to donations and/or participation in specific projects or appeals promoted by the Foundation, including instrumental activities, such as sending informative communications on the progress of fundraising initiatives in which a donor has taken part. Donations are managed, on behalf of the Foundation, by Donorbox.org and for any further details we refer here to their privacy policy: https://donorbox.org/privacy.

Legal basis and lawfulness of the processing: legitimate interest and/or contractual purpose pursuant to article 6 letters f) and b) of the Regulation – the Processing of Personal Data will be conducted by the Data Controller in accordance with its legitimate interest to pursue the purposes of the BuonoLopera Foundation or to allow the execution of a contract in which the User or other Data Subject is a party and will be legally based, in the latter case, on the contractual relationship that will form with them;

• To participate in events: the Data Controller, in order to allow Data Subjects to participate in one of the events it organizes, may need to collect some Personal Data, as requested in the event registration form.

Legal basis and lawfulness of the processing: contractual purpose/legal obligations pursuant to article 6 letters b) and c) of the Regulation – the Processing of Personal Data will be carried out by the Data Controller to register the Data Subject for the event and guarantee their participation, and therefore will be legally based on the contractual relationship which will form with them;

• To access the headquarters of the Foundation: the Data Controller, in order to allow Data Subjects to access the headquarters of the Foundation, needs to collect some Personal Data, as requested by the staff in charge of identifying visitors.

Legal basis and lawfulness of the processing: legitimate interest and/or legal obligations pursuant to article 6 letters f) and c) of the Regulation – the Processing of Personal Data will be carried out by the Data Controller and will be legally based on its legitimate interest in the safeguard and protection of its headquarters and its employees and collaborators, as well as in the application of any applicable legal obligations;

• For administrative-accounting purposes, or to carry out activities of an organizational, administrative, financial and accounting nature, such as internal organizational activities and functional activities for the fulfillment of contractual and pre-contractual obligations.

Legal basis and lawfulness of the processing: legitimate interest and/or contractual purpose pursuant to article 6 letter b) of the Regulation – the Processing of Personal Data will be carried out by the Data Controller in accordance with its legitimate interest or to carry out or allow the execution of a contract of which the User or other Data Subject is a party and will be legally based on the contractual relationship that will form with them;

• To fulfill legal obligations: the Data Controller, in order to fulfill legal obligations, needs to collect and process some Personal Data as required, from time to time, by specific legal provisions;

Legal basis and lawfulness of the processing: legal obligations pursuant to article 6 letter c) of the Regulation – the Processing of Personal Data will be carried out by the Data Controller to fulfill legal obligations and will be legally based on the applicable laws;

• To select personnel: in order to initiate personnel selection processes and correctly evaluate applications – both for specific research activities and volunteer positions – the Data Controller needs to process the personal data of the candidates contained in their curriculum vitae and/or others that may be requested or spontaneously provided.

Legal basis and lawfulness of the processing: pre-contractual purpose pursuant to article 6 letter b) of the Regulation – the Processing of Personal Data will be carried out by the Data Controller to evaluate the applications from Data Subjects, and will be legally based on the pre-contractual relationship that will form with them.

• To establish and manage employment, collaboration or volunteering agreements: in order to establish and manage employment, collaboration or volunteering agreements, the Data Controller needs to collect some personal data, as requested within the employment or collaboration contract or provided for by the provisions that concern third-sector bodies. The processing of personal data will be carried out by the Data Controller and will be legally based on the contractual employment or collaboration relationship that will form with the Data Subjects.

Legal basis and lawfulness of the processing: contractual purpose/legal obligations pursuant to article 6 letters b) and c) of the Regulation – the Processing of Personal Data will be carried out by the Data Controller to follow up on the establishment and management of employment agreements or collaborations with them, and will be legally based on the contractual employment or collaboration relationship that will form between the worker and the Data Controller. Further details will be provided in specific policy documents to employees and para-subordinate workers;

• To conduct promotional or sales or direct marketing activities, such as sending informative and/or promotional material and/or material related to fundraising via e-mail (newsletter).

Legal basis and lawfulness of the processing: consent of the Data Subject or legitimate interest of the Data Controller. The purpose is to send, to those who have requested it by implicitly expressing consent, the information contained in the newsletter, i.e. the purpose referred to in article 6 letters d) and f) of the Regulation (“processing is necessary for the purposes of the legitimate interests pursued by the controller…”). For example, data processing will take place to inform Data Subjects about the Foundation’s initiatives.

With free and optional consent from the User or other Data Subject, some personal data belonging to the User or other Data Subject may be processed by the Data Controller also for marketing purposes other than those described above, i.e. so that the Data Controller is able to contact the User via SMS and/or WhatsApp text, to propose services to the User or other Data Subject or to invite them to projects or to follow specific initiatives offered by the Data Controller, and/or by third-party organizations, or also, for example, to gain permission to use their image on social networks after they took part in one of the Foundation’s initiatives. The legal basis will be represented in this case by article 6 letter a) of the Regulation, i.e. the Data Subject has given consent for a specific purpose.

Providing personal data for the processing purposes indicated above is optional but necessary, as failure to do so will make it impossible for the User to access the Site and use the service.

The Data Controller will process personal data belonging to Users and other Data Subjects using manual and IT tools, according to logics strictly related to the purposes and, in any case, in such a way as to guarantee the security and confidentiality of the data.

The personal data belonging to Users and other Data Subjects will be kept for the time strictly necessary to carry out the primary purposes (as described in paragraph 3 above), or in any case according to what is necessary to protect the interests of the Data Controller and Users under civil procedure.

The personal data belonging to Users and other Data Subjects may be transferred outside the European Union and, in this case, the Data Controller will ensure that the transfer takes place in compliance with the Applicable Law and, in particular, in compliance with articles 45 (Transfers on the basis of an adequacy decision) and 46 (Transfers subject to appropriate safeguards) of the Regulation.

Collaborators of the Data Controller in charge of managing the Site or of carrying out other activities described above may become aware of the personal data belonging to Users and other Data Subjects; they will have been instructed to do so by the Data Controller pursuant to article 29 of the Regulation, and will process the data belonging to Users exclusively for the purposes indicated in this policy and in compliance with the provisions set forth by the Applicable Laws.

The personal data belonging to Users and other Data Subjects may also become known to third parties who may process personal data on behalf of the Data Controller as Data Processors, pursuant to article 28 of the Regulation, such as, by way of example, suppliers of IT and logistics services required for the operation of the Data Controller’s Site, as well as providers of outsourced or cloud computing services, professionals and consultants.

Users and other Data Subjects have the right to obtain a list of any Data Processors appointed by the Data Controller, by submitting a request to the Data Controller following the instructions in paragraph 2 above.

Users and other Data Subjects may exercise the rights guaranteed by the Applicable Law at any time, by contacting the Data Controller following the instructions in paragraph 2 above.

Pursuant to the Applicable Law, Users and other Data Subjects have:

a) The right to revoke their consent at any time, if the processing is based on the latter;

b) The right to access their personal data;

c) (If applicable) the right to data portability (the right to receive all personal data concerning them in a format that is structured, commonly used and readable by an automatic device), the right to limit the processing of their personal data, the right to rectification and the right to removal (“right to oblivion”);

d) The right to object:

i) In whole or in part, for legitimate reasons, to the processing of personal data concerning them, even when the processing is pertinent to the purpose of the collection;

ii) In whole or in part, to the processing of personal data concerning them for the purpose of sending advertising material, promoting direct sales or carrying out market research or commercial communication;

iii) If the personal data are processed for direct marketing purposes, at any time, to the processing of data carried out for this purpose, including profiling to the extent that it is connected to such direct marketing.

e) If the User or any other Data Subject believes that the processing concerning them infringes the Regulation, the right to submit a complaint with the Data Protection Authority (in the Member State where they usually reside, where they work or where the alleged violation occurred). The Italian Data Protection Authority is the Garante per la protezione dei dati personali, headquartered in Piazza Venezia, 11 – 00187 Rome, Italy (https://www.garanteprivacy.it/ English version).

_____________

The Data Controller is not responsible for updating all the links included in the present policy. Therefore, whenever a link is not working and/or not updated, Users or other Data Subjects acknowledge and accept that they must always refer to the documents and/or sections of the websites referred to by such link.

Thank you for your kind attention,

BUONOLOPERA FOUNDATION