Privacy statement pursuant to Italian Legislative Decree 196 of 30 June 2003 (Personal Data Protection Law) and the General Data Protection Regulation (EU) 2016/679
Published: 25 May 2018
Website policy - general provisions
We take users’ privacy very seriously and undertake to comply with the applicable legal requirements (Italian Legislative Decree 196 of 30 June 2003, hereinafter the “Law”, and Regulation (EU) 2016/679, hereinafter the “Regulation”).
This page provides information on the processing of the personal data collected by us, in our capacity as Controller, through this website (hereinafter the “Website”) and therefore constitutes a privacy statement for data subjects who use the Website (hereinafter “Users”), under the terms of the aforesaid legislation. This statement does not apply to information collected through channels other than our Website. The aim of this privacy statement is to ensure maximum transparency with regard to the information we collect via the Website and how such information is used.
Identity and contact details of the Controller and of the Data Protection Officer
The Data Controller is Fondazione Telethon, with registered office in Via Varese 16/B, Rome, in the person of its Representative Ms. Francesca Pasinelli, appointed by a resolution of the Board of Directors on 7 February 2013 (hereinafter the “Data Controller” or “Controller”). The DPO is Ms. Michela Maggi, whose contact details are: Piazza del Liberty 8, City: Milan, Postal code: 20121, Province: MI, Telephone: +39 0249450269; Fax: +39 0247977003; website: www.maggilegal.it; E-mail email@example.com; Certified e-mail address: firstname.lastname@example.org.
The kind of data we process
The types of information we might process include:
- Ordinary personal data which you may provide - always of your own free will - when you use Website functions or request the services offered on the Website (to make donations, sign up for the newsletter, request information and register for initiatives, including by submitting contract forms, etc.).
- Sensitive personal data, such as data concerning your health, which belong to special categories of personal data as defined by Article 9 of the Regulation. Where data of this type are processed, this will only be done on the basis of your explicit consent;
- Navigation data.
Purposes of processing and legal basis
For the sake of clarity, we wish to point out that reference should be made to the sections of the Website in which personal data are collected and which therefore include a specific statement.
The current list of such sections is provided below, although this list may change based on the Controller’s specific requirements:
- Info-rare, where the data collected are processed in order to provide an assistance service and respond to questions by those who have been diagnosed with a rare genetic disease or people who would like information about research projects. Read the privacy statement.
- https://malattiesenzadiagnosi.telethon.it/msd/accreditati.html, where the data collected are processed for the purpose of registering with the Telethon Undiagnosed Disease Programme/UDP.
Different types of data are processed in the sections of the Website listed above. For that reason, each of these sections includes the privacy statement referring to the specific kind of processing that is carried out. Each privacy statement provides the identity of the Controller and of the Data Protection Officer, the purposes of processing and the respective legal basis, the recipients or categories of recipients of the data, if any, the period for which personal data will be stored, data subjects’ rights, all in accordance with Article 13 of the EU Regulation.
This page contains specific information about browsing data and the ordinary personal data collected via cookies, since these categories of data processed by the Controller are not included in the privacy statements included in the sections of the Website listed above.
During the course of their normal operation, the IT systems and software procedures used to operate this Website collect some personal data, the transmission of which is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects; it could, however, by virtue of its intrinsic nature, permit the identification of Users through processing and association with data held by third parties. This category of data includes IP addresses or the domain names of the computers used to connect to the Website, the URI (Uniform Resource Identifier) address of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server’s reply (OK, error, etc.) and other parameters related to the User’s operating system or IT environment. These data are only used to obtain statistical information in an anonymous form on how the Website is used. Browsing data could be used to ascertain liability in the event of suspected cybercrime to the detriment of the Website.
Data you provide voluntarily when you use this Website
When you send e-mails to the addresses indicated on this Website, we will acquire your address, in order to respond to your requests, as well as any other personal data included in your message. Specific summary notices will be provided or displayed on the Website pages you visit dedicated to specific services available on request.
Methods of processing and period for which personal data will be stored
Your personal data will be processed by automated means for the time strictly necessary to achieve the purposes for which they were collected. Specific security measures are in place to prevent loss of data, illegal or improper use and unauthorised access. Your data will be stored for the time strictly necessary to achieve the purposes set out in this notice and will be deleted at the end of that period, unless such data must be retained by law or for the enforcement of a legal claim.
Communication of data to third parties
We may make your personal data available to third parties, in their capacity as independent controllers, for purposes related to the supply of the services requested or in compliance with statutory or regulatory requirements regarding the transmission of such data, or to supervisory bodies. Fondazione Telethon reserves the right to:
- transmit data to third parties carefully selected by us (processors - Article 4(8), GDPR: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”) solely for purposes strictly related to the service expressly requested;
- communicate data to third parties for activities related to the service requested or in order to comply with the law or with EU regulations or legislation.
Transfer of data to countries outside the EU
This Website might share some of the data that are collected with agencies located outside the European Union, in particular with Google, Facebook and Microsoft (LinkedIn), through social plugins and Google Analytics. The transfer of data is authorised on the basis of specific decisions of the European Union and of the Data Protection Authority, in particular decision 1250/2016 (Privacy Shield; see the notice published by the Italian Data Protection Authority), and no further consent is required. The above-mentioned agencies provide assurance that they adhere to the Privacy Shield.
Your rights as Data Subject
You may, at any time, exercise your rights under Articles 15-22 of the GDPR, as set forth below, by sending an email to email@example.com (or by writing to the Controller, Fondazione Telethon – Via Varese 16/B, 00185 Rome, Italy). In particular, you have the right to:
- obtain confirmation of the existence or otherwise of personal data concerning you, regardless of whether or not such data have been registered, and communication of such data in intelligible form;
- request from the Data Controller access to your personal data, as well as the right to data portability;
- ask for your data to be updated, rectified or, if necessary, supplemented;
- object, wholly or partially: a) on legitimate grounds, to the processing of personal data concerning you, even if relevant to the purpose for which they were obtained; b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for conducting market research or sending commercial information;
- have any unlawfully processed personal data erased, made anonymous or blocked, including data that do not need to be kept in relation to the purposes for which they were collected or subsequently processed;
- withdraw your consent (only in cases where consent constitutes the legal basis for processing) at any time without affecting the lawfulness of the processing based on consent before the withdrawal;
- lodge a complaint with a supervisory authority;
- obtain confirmation that the actions referred to in points 4 and 6 above, including their content, have been brought to the attention of each recipient to whom the personal data were communicated or disclosed, unless this proves impossible or involves the use of means that are manifestly disproportionate with respect to the protected right.
The security of your personal data
Fondazione Telethon adopts suitable preventive and security measures to safeguard the privacy, integrity, completeness and availability of your personal data. In accordance with the provisions of legislation governing the protection of personal data, we follow technical, logistical and organisational procedures aimed at preventing any damage, loss, including accidental loss, alteration, improper or unauthorised use of data concerning you. Similar preventive security measures are also put in place by the third parties (processors) appointed by us to process your data on our behalf. On the other hand, Fondazione Telethon cannot be held responsible for any untruthful information provided directly by you (e.g. e-mail address, postal address or other personal details), or for information concerning you but provided by third parties, even when the subject of fraudulent action.
*Article 13 - Information to be provided where personal data are collected from the data subject
1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.