Processing of personal data

In compliance with the provisions of Regulation (EU) 2016/679 on Personal Data Protection, pursuant to Articles 12, 13 and 14, the purpose of this document is to provide all necessary information relating to the processing of personal data.

Data controller

Pursuant to art. 4, paragraph 7, the Data Controller is:

Fondazione LIA, established in Corso di Porta Romana 108 – 20122 Milano

Purposes of Processing

Personal data will be processed by means of paper records, computers and other informatic or telematic means for the following purposes:

  1. To follow-up contact requests regarding the presentation of our services, to receive, upon request, specific information on a service offered by the Controller, to send an estimate, to acquire information prior to the conclusion of a contract;
  2. To allow subscription to the LIA Foundation Newsletter, if requested by the data subject;
  3. Prior data subject consent, sending updates, proposals for support through donation or destination of the 5×1000, communications about events, courses and other promotional activities through traditional contact and automated methods;
  4. Prior data subject consent, sending updates, informative and commercial communications, advertising of events and other promotional activities promoted, through traditional contact and automated methods, by AIE – Associazione Italiana Editori (Italian Publishers Association), and its service company Ediser S.r.l., in partnership with Fondazione LIA.

Legal basis

For the purposes set out in points 1 and 2 above, pursuant to Art. 6 of the Regulations, the processing is lawful as it is necessary for the correct and complete execution of the contractual or pre-contractual obligations with the data subject, and as such, does not require consent to the processing of the data.

For different and further purposes, referred to in points 3 and 4 above, the processing is based on the explicit consent of the interested party.

Provision of data

The provision of data is necessary for the purposes set out in points 1 and 2 above. If the data is not provided, it will not be possible to process the request submitted by the data subject.

The provision of data for marketing purposes (points 3 and 4) is optional, the refusal does not imply any consequence, except for the impossibility to receive information and promotional material.

Methods of data processing

Processing of personal data means the collection, recording, organization, storage, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure and destruction, or the combination of two or more of these operations, including through automated tools to store, manage and transmit the data, using appropriate tools to ensure security and confidentiality.

With regard to security, we inform you that the database is accessible only by personnel authorized by the Conroller, as well as the related operations described above and that the processing of your data may be carried out by electronic or automated means and by non-automated means (paper records), both provided with adequate security measures, as mandated by the Regulation (EU) 2016/679 on the Protection of Personal Data, to prevent the loss of data, unlawful or incorrect use and unauthorized access.

The data collected will not be used in contexts or for uses and/or purposes other than those indicated above, or which may, in any way, compromise the rights and freedoms of the parties concerned.

Recipients of the Data

Without prejudice to any communications in order to comply with legal obligations, the Data Controller will communicate the personal data of the data subjects with attention only to suppliers and third parties selected for the performance of activities related and auxiliary to the above-mentioned purposes, and appropriately authorized to the processing, such as:

  • Third party companies that provide services of technical or administrative and commercial nature in order to comply with obligations deriving from the Law, Regulations, and EU regulations;
  • Commercial and operational partners, which operate in collaboration with the Controller, for the execution of the above-mentioned purposes.

Transfer of Extra EU Data

The Data Controller does not directly transfer the data outside the European Union.

Please note that the Data Controller benefits from the Microsoft Azure Cloud service, chosen as a guarantee of adequate and appropriate security measures to protect personal data, including:

  • Certification on information security ISO/IEC 27001 and certification of compliance with ISO/IEC 27018 guidelines dedicated to the cloud and privacy sector

With regard to the transfer of data outside the EU, the Controller has requested to keep the data within the territory of the European Union, however, a transfer of data outside the EEA could still be made, for technical and maintenance reasons, by means of the following guarantees, assured by the provider:

  • Transfer of data to countries considered adequate by the EU Commission.
  • Subscription of standard contractual clauses for the transfer of data outside the EU, as defined by the European Commission, in order to ensure a safe and lawful transfer and subsequent processing of data outside the EU.

Data retention

The data will be processed for the time necessary to fulfill the purpose referred to in point 1.

The data will be processed for the purposes set out in points 2, 3 and 4 above and stored until data subject unsubscribes from the Newsletter service, or until the withdrawal of the consent given by the latter for the purposes set out in points 3 and 4 above, without prejudice to any obligations deriving from the law.

Rights of the Data Subjects

According to the European Regulation, data subjects have the right to ask the Data Controller for access to personal data (art. 15), rectification (art. 16), cancellation or oblivion (art. 17), limitation of the processing of personal data concerning him/her (art. 18), right to data portability (art. 20) or to oppose their processing (art. 21), in addition to the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects that affect him or her in the same way significantly (art. 22). If the processing of personal data is based on the express consent provided by the data subject, pursuant to art. 7 paragraph 3 of the Regulations, he/she is recognized the possibility to withdraw the consent at any time from the subscription to the Newsletter service or revoke the consent provided for sending communications and updates for promotional and commercial purposes.

Requests may be made to the Data Controller by writing to the following e-mail address: privacy@fondazionelia.org.

The data subject also has the right to lodge a complaint with the relevant Supervisory Authority (art. 77 of the Regulations) if he considers that the processing carried out by the Data Controller does not comply with the provisions of the law on the protection of personal data.

Last Update: September 2020