The Bracco Foundation (“Foundation”) attaches the maximum importance to the protection of the personal data of the users of its website and undertakes to ensure such protection in accordance with the applicable laws (specifically EU Regulation 2016/679 General Data Protection Regulation – hereinafter “Regulation” or “GDPR”).
The disclosure is provided for the Foundation Site only and not for other websites the user may visit through links on the Site.
The Data Controller is the Bracco Foundation, headquartered in Via Cino del Duca 8, 20122 Milan (Italy). The Data Protection Officer may be contacted at the email address firstname.lastname@example.org
Types of Data Processed and Purposes of Processing
Data provided by the user on a voluntary basis
The optional and voluntary transmission of emails by the user/sender to the addresses shown on this Site, and the registration of the user in the private area of the Site, generate subsequent acquisition of the user/sender email address, to enable us to respond to requests, and of any other personal data included in the email and all the data inserted in the private area registration form.
The Foundation may process the user's personal data for the following purposes: a) to manage requests and observations received through the Site (special forms) or through emails sent by the user on a voluntary basis to the Foundation's email addresses published on the Site, also with regard to candidacies for Foundation projects; b) to manage registration in the private area of the Site and subsequent registration for initiatives such as competitions, events, programs, scholarships and so on, directly through the private area; c) to send institutional notices and/or promotional material of the Foundation or its Partners via email or the traditional postal service; d) to identify, through profiling, information of significance for the user, in order to suggest events deemed to be interest, and to conduct statistical analyses, in order to improve the content and functioning of the Foundation's communication services. In this case, in addition to the data supplied voluntarily by the user (e.g., areas of interest indicated on the registration form for access to the Private Area), the Data Controller may also process data relating to the user’s interaction with notices sent by the Foundation (e.g., delivery of emails to the user's electronic mailbox, the opening of emails, etc.); e) to comply with legal requirements, regulations, community laws.
With regard to the purposes indicated in heads a) and b), data processing may take place without the user’s consent, as envisaged by art. 6.1 (b) of the GDPR, since processing is necessary for execution of pre-contractual measures (information requests, reports) at the user’s specific request; should the mandatory personal data marked with an asterisk (*) not be provided, it will not be possible to proceed with the user’s request/observation.
With regard to the purposes indicated in heads c) e d), no consent is required, since processing is based on the Data Controller's legitimate interest in efficient communication of the events it organises to achieve its mission: to support the creation and dissemination of culture, art and science in order to improve the quality of life and social cohesion, as envisaged by art. 6.1 (f) of the GDPR.
With regard to the purpose indicated in head e), the legal basis for processing is set out in art. 6.1 (c) of the Regulation.
All user data is also processed with paper-based and automated tools that guarantee security and confidentiality.
The personal data of people accompanying the user – which may be provided by the user on the event registration form – will be processed solely for the purpose of managing the event registration request.
All data provided by users on a voluntary basis is processed solely for the purposes indicated above for which the data are provided. Specific summaries are gradually set out or shown on the Site pages relating to particular services and/or initiatives.
Links to other sites
Conferment of data
Conferment of Personal Data is optional. If, however, the user wishes to register on the Site and/or take part in Foundation initiatives and/or receive information about Foundation activities, all the fields marked as mandatory on the relevant forms must be filled in, and, where requested, consent must be given to the processing of data. Refusal to give consent will not produce any effects other than that it will not be possible to register the user on the Site and for Foundation initiatives and inform the user about programs/initiatives that might be of interest and/or send the user any other information about the Foundation and its Partners. At any time the user may amend or revoke their consent or oppose processing, by writing to the address of the Data Controller.
Data will be processed by the Foundation with appropriate electronic or otherwise automated information technology and communication tools, or by means of manual and paper-based processing methods, strictly for the purposes set out above for which the data were provided and in any case in a manner that ensures the security and confidentiality of the data. Data will be processed by internal Foundation staff specifically authorised to process data in connection with the performance of the duties assigned to them, and eventually, to the extent necessary and/or useful for the execution of the purposes indicated above, by third parties acting on behalf of the Foundation in the capacity, as the case may be, of independent Data Controllers, Co-Data Controllers or Data Processors designated pursuant to art. 28 of the GDPR (e.g., Partners of Foundation initiatives, service providers, engineers responsible for maintenance of IT services, other providers whom the Foundation may use in connection with the above purposes, Bracco Group companies).
All data recipients shall receive only the data they require to perform their functions and they shall undertake to use the data only for the purposes indicated above and to process them in compliance with applicable laws. Except as indicated above, data are not shared with third-party natural or legal persons who do not perform any functions of a commercial, professional and/or technical nature for the Data Controller, and shall not be circulated.
As regards the possible transfer of data to other countries, including countries that might not guarantee the same level of protection as that envisaged by the data protection Regulation (i.e., non-EU countries), the Data Controller declares that processing will in any case be performed in compliance with one or more of the methods allowed under the Regulation, as the case may be, for example, the explicit consent of the user, the adoption of Standard Contractual Clauses approved by the European Commission, the selection of parties adhering to international programs for the free circulation of data or who operate in countries deemed secure by the European Commission.
The list of data recipients is available upon request from the Data Controller through the contacts indicated in this policy.
Data storage period
In compliance with art. 5.1 (c) of the Regulation, the information systems and computer programs used by the Foundation are configured to minimise use of personal and identifying data. Data are processed only to the extent necessary to achieve the purposes indicated in this disclosure. Data will be stored for the length of time strictly necessary to achieve the purposes actually pursued and, in any case, the criterion used to determine the storage period is based on compliance with the terms allowed by law, by the principles of minimisation of processing, limitation of storage and rational management of the archives, and also by the provisions of the Data Protection Authority with reference to specific data or processing.
Rights of interested parties
At any time, the user may exercise the rights recognised under arts. 15-22 of the Regulation, including the right to obtain confirmation of the existence or otherwise of their personal data, to check its content, origin, accuracy, location (also with reference to any third-party countries), to request a copy, to request amendments and, in the cases envisaged by current laws, limitation of processing and erasure. The user has the right to object at any time, and in the cases envisaged by current laws, to processing procedures by the Foundation, for example, direct contact activities, promotional activities (also when limited to specific means of communication) or profiling activities. Similarly, the user may at any time revoke consent, when provided, and/or report observations on specific use of the data with regard to particular personal situations deemed not to be correct or justified by the existing relationship or request a complaint by a controlling authority to the Data Protection Authority.
For all queries regarding processing of personal data by the Foundation, to exercise the rights recognised under the applicable laws and to receive an updated list of the parties who may access the data, the user may contact the Data Controller by sending an email message to email@example.com or through the normal postal service to the following address: Fondazione Bracco, via Cino del Duca 8, 20122 Milano, Italy.