POLICY ON DATA PROCESSING PURSUANT TO EU REGULATION 2016/679
Codici Cooperativa Sociale Onlus – with headquarters in viale Sondrio 3, 20124, Milan (hereinafter, for the sake of brevity, “Codici”) – is the Data Controller, responsible for the processing of personal data. Pursuant to and for the purposes of EU Regulation 2016/679 (hereinafter, “Regulation”), in compliance with the law and the rights of the interested parties, it establishes: which personal data provided by the interested parties are collected; in which way and for which reasons they are collected; the purposes and modalities of their use; the tools used for their processing; and the safety measures in place to guarantee their integrity, confidentiality and availability. This policy concerns the majority of data processing connected with the activities of Codici. Different policies are provided for specific types of projects and for interactions between Codici and interested parties. They will be presented in the preliminary stages of such projects and interactions.
Codici has appointed Data Protection Officers (DPOs), who can be contacted by interested parties for any related requests and in order to exercise their rights.
Purposes and legal basis of data processing
The data collection and subsequent processing activities at Codici serve the following purposes:
a) registration on our website;
b) subscription to email newsletters;
c) donations, via several methods (credit card, direct debit or other), aimed at supporting the activities of Codici;
d) requests for publications and other editorial services by Codici;
e) purchases of Codici brand products;
f) generic requests for information;
g) use of Codici’s applications, developed on different platforms (e.g. Facebook, Instagram, Twitter, etc.).
Data processing connected with c), d) and e) is of a contractual nature. For the remaining purposes, data are processed with ancillary purposes (discretionary opt-in by the interested parties) based on consent.
Projects and research
a) processing the personal data of interested parties (participants in activities, interviewees, service beneficiaries…) limited to the purposes of the project itself;
b) managing relations with the contact persons of the project’s client;
c) other processing activities envisaged by the specific project.
The legal basis of these treatments is the contract. Acceptance by the interested parties is therefore of a mandatory nature in order to implement the projects. More specific assessments regarding the envisaged data processing and related obligations are reported in the specific project documentation.
a) communication with the participants in the training activity when there is a direct relationship between them and Codici;
b) processing activities connected with training (registers, reports, certificates…);
c) managing relations with the contact people of the client.
The legal nature of all these processing activities is stipulated in the contract and is of a mandatory nature.
In the event that interested parties maintain regular contact with Codici, their data may be used for activities that fall within the institutional scopes identified in our Memorandum of Association and in our Charter, and for activities which aim to:
Free and optional consent is required from the interested parties before receiving emails, SMS or other automated messages with promotional content, except in the cases provided for by article 130 of Legislative Decree 196/03 and 101/2018.
Interested parties always have the right to object to this use of their personal data by Codici, pursuant to art. 21, para. 1, of the Regulation.
Finally, the processing of data relating to the fulfilment of legal, accounting and tax obligations, to which Codici is subject, is legitimate pursuant to art. 6, para. 1, lit. c) of the Regulation.
Codici will not use the data provided for purposes other than those connected to the services included in the previous list and to which the interested parties have subscribed, or only within the limits indicated in any additional specific policy accompanying the different and specific services requested by the interested party.
The personal data collected in reference to services requested by interested parties are only made available to those third parties who provide instrumental services strictly necessary to satisfy the request (e.g. companies providing the delivery service in order for the client to receive the requested publications), and to the third parties to whom the communication of data is necessary to comply with legal obligations.
Personal data will also be made available to people expressly authorised and appointed by Codici to carry out the processing activities that are strictly essential to satisfy user requests or to comply with legal obligations. The persons authorised and in charge may be involved in: administrative and accounting management of Codici; communication and advocacy activities; technical maintenance of IT systems; relations with current and potential donors; the organisation of informative and awareness-raising campaigns on Codici’s projects and topics of interest.
The updated list of data processors and appointees is available upon a simple request to the Data Controller’s e-mail address: firstname.lastname@example.org.
The personal data collected will not be processed by others, for activities or purposes other than those explicitly stated in this section.
How we process data
The processing can be performed via electronic or telematic tools, but can also be done via paper or manual tools.
The data are processed according to the purposes for which they were collected and in compliance with current safety standards, for the purposes set out in this policy or specified in any additional policy presented to the user.
How we store data and for how long
Codici’s Processing Register provides more specific information on storage times for each specific processing activity. Adopting a data processing policy which respects the dignity of the person is an integral part of Codici’s approach: we minimise storage times where not dictated by legal obligations; and we adopt organisational and technical security measures aimed at preventing usage that are incorrect, extraneous to our needs or which expose data to risk.
Rights of the Interested Party art. 15-22 of the Regulation
Interested parties, in relation to the personal data provided, have the right to exercise the rights as provided for by the Regulation listed below:
Interested parties, if they believe that their rights have been compromised, have the right to lodge a complaint with the Guarantor Authority for the Protection of Personal Data, according to the methods indicated by the same Authority at the following internet address: http://www.garanteprivacy. it/web/guest/home/docweb/-/docweb-display/docweb/4535524.
In order to exercise their rights, interested parties may contact Codici directly by sending a written request to email@example.com
Computer systems and the software used to operate this website collect, during their normal operation, several personal data whose transmission is implicit in the use of Internet communication protocols. These data are not collected to be associated with users. However, by their very nature, they could allow users to be identified through processing and association with data held by third parties.
This category of data includes: IP addresses or domain names of the computers used by users navigating the site; the addresses in URI (Uniform Resource Identifier) notation of the requested resources; the time of the request; the method used to submit the request to the server; the size of the file obtained in response; the numerical code indicating the status of the response given by the server (successful, error, etc.); and other parameters relating to the operating system and the user’s IT environment.
These data are used exclusively to obtain anonymous statistical information on the usage of the site and to check its correct functioning. They are deleted immediately after processing. The data could be used to ascertain responsibility in the event of any computer crimes against the site: except for this eventuality, web contact data will not be stored for more than seven days.
Data provided voluntarily by the user
The personal data normally required for the use of the services of this site are personal, contact and payment details. The optional, explicit and voluntary sending of emails to the addresses indicated on this site or the completion of electronic contact forms entails the subsequent acquisition of the sender’s address, necessary to respond to requests, as well as any other personal data entered. Specific policies will be reported or displayed on the pages of the site set up for particular services on request.
Sensitive data pursuant to former art. 9 of the Regulation are not processed.
The site, or the services offered in it, does not require access using credentials provided by a third party, such as Twitter, Facebook, Linkedin or a similar service (so-called social login).
Personal data processed for the purposes indicated in this policy will be stored only for the time necessary, respecting the principle of minimisation set forth in art. 5, para. 1, let. c) of the Regulation. In any case, since data are processed for the provision of services, Codici will process personal data up to the time allowed by Italian law to protect its interests (Article 2946 of the Italian Civil Code and subsequent amendments).
Further information regarding the data retention period and the criteria used to determine it can be requested by writing to Codici at the email address firstname.lastname@example.org.