Dr. Francesco Raggi is aware of the importance of safeguarding people’s privacy and rights and since the Internet is a potentially strong tool for the circulation of your personal data, he wanted to seriously commit himself to respecting rules of conduct – in line with European Regulation 679 / 2016 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as to the free movement of such data (hereinafter “GDPR”) – which guarantee a secure, controlled and confidential surfing the net.
This policy to protect the confidentiality of information may change over time, also depending on the additions and legislative and regulatory changes in the matter or for our institutional decisions, therefore, we invite you to periodically consult this section of our site.
Thank you, therefore, for viewing the rules that our organization has imposed itself in collecting and processing personal data and in always providing a satisfactory service to users of its sites.
perform the treatment (art. 4, paragraph 2, GDPR: “any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, l organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction “) of personal data (art. 4, paragraph 1, GDPR:” any information concerning an identified or identifiable natural person (“interested”); the natural person who can be directly identified is considered identifiable or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements i of his physical, physiological, genetic, psychic, economic, cultural or social identity “) exclusively for the purposes and according to the methods illustrated in the information to be provided that is presented to the user from time to time who accesses a section of the site in the which is the provision, direct or indirect, of personal data;
use the data that was spontaneously released by the user;
use technical cookies to facilitate navigation on the site and analytical cookies for statistical purposes;
use profiling cookies only if the user has consented to such use;
transmit data to third parties (data processors – art. 4, paragraph 8, GDPR: “art. 4, paragraph 8, GDPR:” the natural or legal person, public authority, service or other body that processes data personal data on behalf of the data controller “) exclusively for purposes instrumental to what is expressly requested and carefully selected by us;
communicate data to third parties for activities related to what is of interest or if this is required by law, regulation or community legislation;
if applicable and subject to explicit consent (art. 4, paragraph 11, GDPR: “any manifestation of free, specific, informed and unequivocal will of the interested party, with which the same expresses its consent, through unequivocal declaration or positive action, that the personal data concerning him are processed “), communicate the data to third parties for their independent processing;
respond to requests for access to personal data, rectification or cancellation of the same, to exercise the right to be forgotten, to limit the processing or the right to object to their treatment. Ensure the exercise of the right to data portability as well as, object to the processing of data for the purpose of informative communications on our projects and requests for financial contributions in support of our institutional activities, surveys and research, make known the possibility of making a complaint to the supervisory authority;
ensure correct and lawful processing of your data, safeguarding your confidentiality, as well as apply appropriate security measures to protect the confidentiality, integrity and availability of the data.
Purpose of data processing and methods of treatment – legal basis of treatment – data collection criteria
Purpose of data processing
As better explained in the sections that allow you to join – by releasing your personal data – to the services reserved for users of our site, the requested data are used to respond to requests expressly made by the user. In particular, all data collection – and subsequent processing – activities are aimed at pursuing the institutional purposes of ImpresioneOK and, in particular for:
registration on the site to use the services provided by the same;
regular and one-off donations, performed in various ways (credit card, bank domiciliation, PayPal or other);
request for collaboration with ImpresioneOK (through volunteering or as an employee for open positions);
know how to donate the 5xmille in favor of ImpresioneOK in the context of your tax return and to take advantage of the related tax deductions and request to receive a reminder on our tax code;
request for information on various topics related to our mission and of interest to the user;
direct the user to our social channels;
send comments and request information to the expert via blog;
comply with laws, regulations and community legislation;
send promotional and advertising material on our mission and on medical-scientific dissemination and awareness actions, carry out surveys and research;
make personalized contacts proposing adherence to actions or soliciting donations in line with the characteristics of behavior, interest and preference, only if the person has expressed a desire for such contact personalization.
As reported in the list above, personal data may be processed for purposes other than those for which the user has released them. In particular, they may be processed for marketing purposes (point 9), that is, for the purpose of promotional contacts on events, initiatives, awareness and scientific dissemination projects, solicitation of donations, surveys and research, based on the condition of the “legitimate interest. “(Art. 6, paragraph 1, letter f, GDPR, recital C47 and Opinion 6/2014 of the Working Party 29) of ImpresioneOK. This legitimate interest lies in keeping the relationship established with the data subject constant, in order to keep him / her informed on the awareness actions that it is considered useful to make known in order to demonstrate one’s constant commitment in carrying out one’s mission of collective and social interest in the medical field. This legitimate interest is admitted pursuant to art. 6, paragraph 1, letter f), GDPR and from recital C47, GDPR and from the Opinion n. 6/2014 Article 29 Data Protection Working Party, par. III.3.1., As an alternative mechanism to the explicit consent of the interested party. This legitimate interest is acquired by ImpresioneOK (and counterbalanced by the interest of the person) to the extent that – through its actions on the site (e.g. participation in the project, donation) – the user has shown that he is interested in and share the principles of ImpresioneOK. For these direct marketing activities, the data will be kept in our archives for the period of time necessary to provide these information services. Obviously, this retention period is extended as long as the person’s interest in staying in touch with ImpresioneOK lasts: if it is no longer of interest, it is sufficient to be communicated through the methods explained below and the appropriate technical and organizational measures will be adopted to not disturb plus the person.
As per point 10 of the above list, these promotional contacts may also involve a “profiling” process (art. 4, paragraph 4, GDPR – “any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of said natural person “) and will be carried out only if the interested party has expressly desired – and therefore, unequivocally consented – to be subjected to such treatment. In this case, as it is not lawful to apply the condition of legitimate interest, the legal basis of the processing will be the consent expressed by the person (art.6, paragraph 1, letter a, GDPR). This process will involve the selection of the archived information with respect to the interested party, crossed to determine a profile that reflects the characteristics and behaviors of the person, so that he receives communications of his interest and in line with his preferences, actions and personal characteristics (e.g. amount donated, frequency of donation, adherence to initiatives, type of advanced requests) and, therefore, are of specific interest and not disturbing. The data will be kept as long as it is believed that the person maintains this profile and, therefore, the personalized contacts created with profiling are actually to his liking. Again, this retention will cease if there is opposition at any time to the processing of personal data concerning him carried out for profiling to the extent that it is connected to direct marketing.
In any case, ImpresioneOK will not use the data provided for purposes other than those connected to the service to which the user has subscribed, and, in any case, only within the limits indicated from time to time in the information to be provided pursuant to art. 13, GDPR.
Methods of data processing
All the treatments carried out within this site will be carried out with both paper and electronic or telematic tools, with logic related to the purposes for which the data were collected and in compliance with the current security standards, for the purposes specified from time to time. time in the information to be provided pursuant to art. 13, GDPR.
Criteria for data collection
The forms to be completed – online or to be downloaded – provide both data that are strictly necessary to comply with what is of interest and whose failure to indicate does not allow the request to be processed, as well as optional conferment data. Therefore, the user is free to provide personal data contained in the request forms or otherwise indicated in contacts with ImpresioneOK to request information or for the other purposes listed above. In these cases of mandatory data provision, their absence can make it impossible to obtain what is requested. The need to request data as mandatory for adherence to individual projects or individual initiatives or to make requests has been considered in compliance with the provisions of art. 25, GDPR (“Data protection by design and protection by default” – “Data Protection by design and by default”), which require to evaluate in advance the appropriate technical and organizational measures, such as “pseudonymisation” (art. 4 , paragraph 5, GDPR: “the processing of personal data in such a way that personal data can no longer be attributed to a specific interested party without the use of additional information, provided that such additional information is stored separately and subject to technical measures and organizational measures intended to ensure that such personal data are not attributed to an identified or identifiable natural person “), aimed at effectively implementing data protection principles, such as minimization, and integrating the necessary guarantees in the treatment in order to satisfy GDPR requirements and protect the rights of data subjects. In addition, ImpresioneOK has implemented adequate technical and organizational measures to ensure that only the personal data necessary for the specific purpose of the processing deriving from the project to which the interested party has voluntarily adhered is processed by default.
Criteria used to define the limit of data retention
The data will be kept in our archives (art. 4, paragraph 6, GDPR: “any structured set of personal data accessible according to specific criteria, regardless of whether this set is centralized, decentralized or distributed functionally or geographically”) according to criteria variables according to the category of the data, the nature of the treatment and the purposes of the treatment itself. The criteria or the precise retention limit are described in the information to be provided pursuant to art. 13, GDPR at the time of providing personal data.
In principle, the following assessments of ImpresioneOK apply to establish the data retention criterion:
all the data with respect to the various forms of donation are kept as long as the relationship remains active and for a number of years equal to what laws, regulations, including EU regulations, impose for administrative and accounting purposes. In addition, they will be kept for the time strictly necessary for the pursuit of the legitimate interest of ImpresioneOK in the case of asserting or defending a right in court or otherwise ordered by law enforcement, judiciary and control bodies for their institutional activities. For administrative and accounting purposes, the data will be mandatory for n. 10 (ten) years.
all the data of the donors or interested in our activity processed for marketing purposes are kept for the period of time necessary to provide the information services reserved to said people. This right and interest of information is acquired upon joining any initiative that demonstrates the user’s sharing of the principles of ImpresioneOK, whether this involves donation or is an action of interest and participation in the institutional philosophy of ImpresioneOK. This period is also justified by the legitimate interest of ImpresioneOK to keep the relationship established with the person constant in order to keep it informed on what projects could be financed with the contribution of donors or on the awareness actions that it is considered useful to make known to demonstrate the its constant commitment to the realization of its scientific projects in the field of research. This legitimate interest is admitted pursuant to art. 6, paragraph 1, letter f), GDPR as an alternative mechanism to the explicit consent of the interested party. Obviously, this retention period is extended as long as the person’s interest in staying in contact with ImpresioneOK lasts: if he no longer has interest, it is sufficient to communicate it through the methods referred to in the paragraph “Rights of the interested parties with respect to the data concerning them “And ImpresioneOK will take the appropriate technical and organizational measures to not disturb the person anymore. In the event that the “legitimate interest” mechanism is not applicable and the consent of the interested party has been requested, also through forms of similar content that unequivocally demonstrate the user’s desire, the retention criteria will, however, be those illustrated in this point
all the data used for marketing activities with profiling, the treatment of which is supported by a positive action of the person to such treatment, explicitly declaring that he wants it, are kept as long as the profile of the interested party is in line with the personalized communications created through the intersection of the information available to us and, therefore, as long as ImpresioneOK continues its institutional research objectives with projects, initiatives, actions and activities that require economic contributions or that encourage awareness (e.g. solicitation of adhesion to initiatives and events , requests for opinions and surveys) which are of interest to the person who has expressed a desire to receive information of this content and which reflect the characteristics and behavior of the same and are, therefore, of his specific interest and not of disturbance. Even in this case, this retention will cease if there is opposition at any time to the processing of personal data concerning him carried out for these purposes, including profiling to the extent that it is connected to such direct marketing.
Once the above periods have elapsed, the identification data are transformed into anonymous form and used only for statistical reports that do not allow to trace the identity of the person but which are useful for adapting the projects, initiatives and actions for the realization and achievement of the statutory and institutional objectives of ImpresioneOK. The personal data (identification of the person) will therefore be destroyed.
Place of data processing
The treatments connected to the web services of this site take place at the aforementioned ImpresioneOK headquarters and are handled by technical personnel authorized to process. In case of need, the connected data can be processed by the staff of third-party companies that take care of the maintenance of the technological part of the site (responsible for processing pursuant to art. 28, GDPR), at its offices.
Holder of the treatment
ImpresioneOK – is the data controller (art. 4, paragraph 7, GDPR: “the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data of personal data “), pursuant to and for the purposes of the GDPR, since it decides in what way and for what reasons, communicated in the information to be provided to the interested parties, collect and use the personal data provided by the user, as well as with what tools treat them and what security procedures to activate to guarantee their integrity, confidentiality and availability, subjecting themselves to the obligations and responsibilities provided for by art. 24, GDPR.
Data Protection Officer
The Data Protection Officer is the person who ImpresioneOK involves in many matters concerning the protection of personal data and who supports her in controlling, where required, how to process and protect data. It is also the contact point for data subjects who want to know details on the processing of their data. The Data Protection Officer can be contacted at the email firstname.lastname@example.org.
Data processors and persons authorized to process
Your personal data can be processed, both manually and electronically or electronically, either directly by ImpresioneOK or by third parties who, with experience, technical skills, professionalism and reliability, carry out processing operations on our behalf, in compliance with safety and security. confidentiality of information and constantly monitored by us in their work. The controller is “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller” (art. 4, paragraph 8, GDPR) and is contractually bound by ImpresioneOK, with definition of the operating limits on the data, the data that can be processed and the categories of data subjects to which they refer, the nature and purpose of the processing, the data retention limits, the obligations and rights that ImpresioneOK has towards the manager , and with the prohibition to use it differently from the assignment entrusted. If authorized, formally, in a general or specific way, by ImpresioneOK, it can make use of other managers, who are contractually bound by the initial manager directly appointed by ImpresioneOK: the violations committed by these other managers fall under the responsibility of the initial manager and not of ImpresioneOK.
The complete and updated list of data processors (and, if applicable, of the managers appointed by the initial manager, subject to our authorization) can be requested at the address email@example.com alternatively, by writing to ImpresioneOK.
The personal data collected will be made available to people authorized by ImpresioneOK pursuant to art. 29, GDPR that carry out processing activities essential for the pursuit of the aforementioned purposes; the categories of persons authorized to process are, from time to time, specified in the information to be provided pursuant to art. 13, GDPR. Generally speaking, these are the persons responsible for the provision of specific services, the administration, the management of information services, relations with actual and potential donors, the organizers of information campaigns on our projects and institutional activities to support our initiatives social and collective interests.
Third parties to whom your data are disclosed
For purposes related to the provision of the service to which the user has adhered, the data may be made available to third parties, who will act as independent data controllers, and who provide instrumental services to meet the user’s request (for example, issuers of credit cards or Paypal for transactions relating to donations) or to whom the communication of data is necessary to comply with the law or regulations.
Your data may also be made available to supervisory bodies, police forces and the judiciary by virtue of laws and regulations that provide for their communication and for carrying out their institutional activities.
In addition, the data may be communicated to third-party non-profit organizations, project partner companies, entities, for independent uses (as autonomous data controllers) for their institutional purposes: this “communication” will only take place if the interested party has expressed your explicit consent. The dissemination of data, subject to the explicit consent of the user, could be consequent to the type of service or initiative to which the user has joined.
Other third parties who collaborated with ImpresioneOK
ImpresioneOK, in the context of its awareness-raising activities and presentation of its institutional activity, as well as to improve the services rendered to people who have relationships with ImpresioneOK or in any case interested and close to our institutional principles, can contact third-party services that collaborate with and who receive from ImpresioneOK information and data held in their archives.
Here it is clarified that these transmissions of information and data always take place anonymously or with “pseudonymisation” techniques (art. 4, paragraph 5, GDPR (“the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures aimed at ensuring that such personal data is not attributed to an identified or identifiable natural person “). anonymized data are processed, by way of example and not limited to:
Rights of the interested parties with respect to the data concerning them
Right of access (article 15, GDPR)
The person has the right to request whether personal data is being processed and, therefore, has the right to access information concerning him and to have information on:
purpose of the treatment (e.g. management of a donation);
categories of personal data; (e.g., personal data, behavioral data)
recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients from third countries or international organizations;
when possible, the expected retention period of personal data or, if not possible, the criteria used to determine this period;
existence of the right to request the correction or cancellation of personal data or the limitation of the processing of personal data or to oppose their treatment;
right to lodge a complaint with a supervisory authority;
if the data are not collected directly by the person, all available information on their origin;
existence of an automated decision-making process, including profiling and significant information on the logic used, as well as the importance and expected consequences of such treatment for the person. (e.g. if the person has associated a donation habits profile by crossing the donation amount with frequency and campaign).
Right of rectification (article 16, GDPR)
The person has the right to obtain the correction of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the person has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.
Right to cancellation (“right to be forgotten” – “right to be forgotten”) (article 17, GDPR)
The person has the right to obtain the deletion of personal data concerning him; he has the obligation to delete personal data without undue delay, for one of the following reasons:
personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
the consent on which it is based is revoked