Privacy policy

Privacy Policy for the Processing of Personal Data Pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)

In accordance with the applicable legislation, including Regulation (EU) 2016/679 “General Data Protection Regulation” (“GDPR“) and Legislative Decree No. 196/2003 (“Privacy Code“), as well as other applicable provisions on the protection of personal data (“Privacy Legislation“), Fondazione Leonardo Del Vecchio, as the data controller, informs you that it will process the data provided by the user or otherwise obtained through the use of the website www.fondazioneldv.org (“Website“) in the manner and for the purposes described below in this notice (“Notice“).

The terms of this Notice apply solely and exclusively to the Website and not to other websites owned by the Data Controller or third-party websites to which the user may access through links contained on the Website. If the user accesses another website, it is recommended to read the information regarding the processing of personal data applicable to that website.

By navigating the Website, the user acknowledges that they have read and understood the content of this Notice.

  1. Contact details of the Data Controller and Data Protection Officer
    The Data Controller is Fondazione Leonardo Del Vecchio (hereinafter also referred to as “Data Controller” or “Foundation“), with its registered office at Piazza San Fedele 2, Milan, 20121. You can contact the Data Controller by email at info@fondazioneldv.org or by regular mail at the above address.
  2. Types of Personal Data Processed through the Website
    The Data Controller processes the following types of personal data of users who browse and interact with the web services of the Website, in particular:
    • Navigation Data
      The IT systems and software procedures responsible for the operation of the Website acquire, during their normal operation, some personal data whose transmission is implicit in the use of internet communication protocols or is used to improve the quality of the service offered. This information is not collected to be associated with identified data subjects, but due to their nature, they could, through processing and associations, allow the identification of users.
      This category of data includes IP addresses or domain names of computers used by users connecting to the Website, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server’s response (successful, error, etc.), and other parameters related to the user’s operating system and computing environment.
      These data are used to obtain anonymous statistical information about the use of the Website and to monitor the correct functioning of IT systems. The data may also be used to investigate responsibility in the case of potential cybercrimes or in the event of damage to the Foundation or third parties.
    • Data Provided Voluntarily by the User
      Users are not required to provide personal data to visit the Website. However, communication between users and the Foundation through the sending of emails, messages, or any type of communication to the addresses provided on the Website will result in the acquisition of personal data, such as, by way of example, name, surname, email address, and any other personal data that the user voluntarily provides while interacting with the Foundation via the Website. Therefore, if the user wishes to avoid the processing of their data by the Foundation, they are advised not to submit any requests or, at the very least, to provide the minimum number of personal data possible.
  3. Purposes and Legal Basis of Processing
    Personal data may be collected and processed for the following purposes:
Purpose of ProcessingLegal Basis of ProcessingNature of Providing Data
a) allow users to use the web services of the Website and the online services available on the Website;Article 6, par. 1, letter b) of the GDPR: performance of a contract to which the data subject is a party or pre-contractual measures taken at the request of the data subject;The provision of personal data is necessary and does not require your consent. Refusing to provide the data may result in the Foundation’s inability to fulfill the requested service, comply with legal obligations, and process and respond to your requests. Providing personal data through the contact forms on the Website is not a legal or contractual requirement; however, providing the data is necessary to respond to your request.
b) manage user information requests;Article 6, par. 1, letter b) of the GDPR: performance of a contract to which the data subject is a party or pre-contractual measures taken at the request of the data subject;
c) prevent the commission of illegal acts through the Website;Article 6, par. 1, letter b) of the GDPR: pursuit of a legitimate interest of the Controller;
d) protect the rights of the Foundation in the event of potential legal disputes;Article 6, par. 1, letter b) of the GDPR: pursuit of a legitimate interest of the Controller;
e) fulfill the legal obligations to which the Foundation is subject;Article 6, par. 1, letter c) of the GDPR: compliance with legal obligations to which the Controller is subject.

For any personal data processing carried out through cookies, please refer to the specific Cookie Policy.

If the Data Controller intends to use the personal data collected for any other purpose incompatible with the purposes for which the data was originally collected or authorized, the Data Controller will inform the user in advance, and the user will also have the right to deny or revoke their consent.

  1. Processing Methods
    Within the organizational structure of the Foundation, personal data will be processed by authorized persons acting under the authority of the Data Controller, adequately trained by the Controller itself, primarily using electronic systems in compliance with the principles applicable to personal data processing as per Article 5 of the GDPR.
  2. Criteria Used to Determine the Retention Period of Personal Data
    Your data will be stored for the period necessary to fulfill legal obligations.
    The retention period of data depends on the purposes for which it is processed and may therefore vary. The criteria used to determine the applicable retention period are as follows: the retention of personal data subject to this Notice will occur for the time necessary to (i) manage the contractual relationship with the user, (ii) manage complaints or specific user requests, (iii) assert rights in judicial proceedings, and (iv) for the time required by applicable legal provisions.
    For the retention periods of any personal data processed via cookies, please refer to the Cookie Policy.
  3. Communication, Dissemination, and Transfer of Personal Data
    Personal data will not be disseminated and may be communicated to the competent authorities or public or private entities for the fulfillment of legal obligations.
    The personal data collected may be processed by third-party service providers, acting as data processors, in relation to services provided on behalf of the Foundation based on specific contractual agreements, possibly for occasional maintenance operations and as necessary to carry out services upon specific requests. The complete list of such parties or categories of parties is available at the Controller’s premises and can be requested by sending a communication to the contact details provided in paragraph 1 of this Notice.

    Your personal data will not be transferred outside the European Union and/or the European Economic Area (“EEA“).
  4. Rights of the Data Subject
    Within the limits provided by Article 2-undecies of the Privacy Code, you have the right to exercise at any time the rights recognized by Articles 15 to 22 and 77 of the GDPR, as briefly summarized below:
    • Right of access: You may request information regarding the processing of your data or confirmation that the Controller is processing your personal data. In this case, you may request us to provide a copy of your data and to verify which data we hold.
    • Right to rectification: You have the right to request the rectification of your personal data if they are incorrect, including the right to request the completion of incomplete personal data.
    • Right to erasure: You have the right to request the deletion of the data (or part of it) that you have provided to us, including data that no longer need to be retained in relation to the purposes for which they were collected or otherwise processed.
    • Right to restriction of processing: You may request us to restrict the processing of your personal data where there are legal grounds for doing so.
    • Right to object: You may object to the processing of your personal data, unless there is a prevailing legitimate reason for continuing such processing.
    • Right to data portability: You may obtain from the Foundation, in a structured, commonly used, and machine-readable format, the personal data you have provided, for the purpose of transmitting them to another entity. This right applies where the Foundation processes such data through automated tools, based on consent or for the provision of services.
    • Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.
    • Right not to be subject to automated decision-making: You may request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right cannot be exercised if: i) the processing is necessary for the conclusion of a contract between you and the Controller; ii) the processing is authorized by law; iii) the processing is based on your consent.
    • Right to lodge a complaint with the Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent Supervisory Authority if you believe that the processing of your personal data violates the applicable data protection laws.

Without prejudice to the procedures established by the Data Protection Authority for lodging a complaint, for all other rights, you may send a request to the Controller via the contact details provided in paragraph 1 of this Notice.