PRIVACY POLICY PURSUANT TO REGULATION (EU) 2016/679
(Regulation EU 2016/679 and Legislative Decree 196/2003 and 101/2018)
The FONDAZIONE CENTRO DI DOCUMENTAZIONE EBRAICA CONTEMPORANEA CDEC (FOUNDATION Contemporary Jewish Documentation Center), hereinafter “CDEC”, as Data Controller of personal data according to art. 13 and art. 14 of the Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”), to carry out the obligations provided for privacy policy, hereby provides you with the privacy notice regarding the processing of your personal data and the exercise of your rights.
The Data Controller
CDEC, according to art. 24 of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: “Regulation EU”), is the Data Controller of the personal data. As pursuant to art. 13 and art. 14 of the Regulation EU, the Data Controller informs that the collected personal data, also with reference to legal relationships already in place, will be processed in the respect of the above mentioned Regulation.
In relation to the processing of the above mentioned data, the Data Controller informs that:
“personal data” (ex-art. 4 number 1 Regulation EU 2016/679) means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“processing” (ex-art. 4 number 2 Regulation EU 2016/679) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; such processing must be based on fair, lawful, transparent principles to protect your privacy and rights.
The collected personal data refer to:
- General identification data such as name and last name, address, telephone, fax, e-mail, tax code, social security number, photo, video, banking data relating to persons, facts and events;
- “Particular” Data suitable to detect images (facial images, “biometric data”) through internal duly signalized video surveillance system for safety purposes and protection of the assets.
Any personal data, processed for the accomplishment of other services which need an explicit consent, will be defined by specific privacy policies.
CDEC hereby declares that the processed personal data are provided, directly or indirectly, by the data subject by – for example – third parties data controllers, public sources, intermediaries of data and other interest subjects.
Data Controller Contact Info
Name and last name or company name: CDEC ETS
Office: Piazza E. J. Safra n. 1, 20125 Milano (MI)
Telephone: +39 02 316338 / +39 02 316092
Email: privacy@cdec.it
Contacts of DPO
Name and Last name: Dott. Michele Pavesi
Telephone: +39 338 2894584
Mail: dpo_privacy@pec.net
Purposes of Personal Data Processing
The purposes of personal data processing are:
1. Collection and preservation of historical and non historical documents for study, research and statistical purposes
2. Organization of cultural events
3. Fulfillment of obligations determined by laws, rules, community legislation, or provisions issued by Authorities, Supervisory and Police headquarters or in any case connected with the performed activities;
4. Fulfillment of administrative, accounting and fiscal processes;
5. Management of the general administrative processes;
The following table specifies, for each of the above mentioned purposes, the categories of data, of personal data and their storage period:
TABLE 1
| Purposes of Personal Data Processing | Legal grounds of Processing | Categories of processed personal data | Personal data storage period | Recipients’ categories | |||||||
| Purpose n° 1 | legitimate interest | • Identification data
• Personal data · Specific data |
Storage for an undetermined period compatibly with the historical/statistic purpose of the company | * | |||||||
| Purpose n° 2
|
legitimate interest |
• Identification data • Personal data · Specific data |
Data will be stored for a maximum of five years from the day of their last use | * | |||||||
| Purpose n° 3 | Legal obligation | • Identification data
• Personal data · Specific data |
Until contract’s expiry date and for a further period of 10 years | * | |||||||
| Purpose n° 4 | Legal obligation | • Identification data
• Personal data • Financial data |
Until contract’s expiry date and for a further period of 10 year | * | |||||||
| Purpose n° 5 | Legitimate interest | • Identification data
• Personal data
|
Data will be stored for a maximum of five years from the day of their last use | * | |||||||
* Recipients’ categories:
In relation to the mentioned purposes, the main recipient of the processed data is the Data Controller itself. Data can be shared also with companies and/or persons that provide services (also from outside) on behalf of the Data Controller. Among them, for clarity and as an example (though not a complete one),these are some typologies:
• Institutions and organizations (third parties)
- Management accounting Advisors
• Labor consultants and payroll processing;
• Law offices;
• Services Companies IT and software suppliers;
• Control and supervision organizations.
The list of the external recipients / processors with further useful data for identification is available by the Data Controller.
Transfer of Data to Third Countries both UE and extra-UE
Personal data might be transferred to UE and extra-UE countries, but Privacy Compliant.
Storage period
See table n° 1, column 4 (storage period)
Data Subject’s Rights
The data subject, in relation to the personal data subject of this information, shall have the right to exercise the following rights provided for by Regulation EU:
. Right to access by the data subject [art. 15 Regulation EU] (The data subject shall have the possibility to be informed about his/her personal data processing and, where that is the case, possibly obtain a copy of the personal data being processed)
. Right to rectify his/her own personal data [art. 16 Regulation EU] (The data subject shall have the right to obtain from the Controller the rectification of inaccurate personal data concerning him or her);
. Right to promptly erasure his/her own personal data without unjustified delay (also known as right to be forgotten) [art. 17 Regulation EU] (The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her);
. Right to restrict processing their personal data in the cases referred to in art. 18 Regulation EU, for example in case the processing is unlawful or the accuracy of the personal data is contested by the data subject [art. 18 Regulation EU];
. Right to data portability [art. 20 Regulation EU]. The data subject shall have the right to receive the personal data concerning him or her in a structured format and have the right to transmit those data to another controller in the cases referred to in the same article;
. Right to object to the processing of his/her own personal data [art. 21 Regulation EU] (the data subjects shall have the right to object to processing of his/her own personal data);
. Right not to be subject to a decision based on automated processing [art. 22 Regulation EU] (the data subjects shall have the right not to be subject to a decision based solely on automated processing).
It is possible to obtain further information asking the Data Controller to provide the whole Regulation EU regarding the above mentioned articles.
The above mentioned rights can be exercised, as per Regulation EU, while sending an email to the Data Controller (privacy@cdec.it), which, pursuant to art. 19 Regulation EU, will inform the recipients of personal data, of any requested rectifications, cancellations or limitations of the proceeding, when possible.
If the purpose of the data processing processed by the Data Controller and external processors (see above mentioned in “Recipients’ categories”) depends on the consent, the data subject has the faculty to withdraw, in every moment, while sending an email to: privacy@cdec.it.
According to art. 7 Regulation EU, he withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint
In case the data subject claims his/her rights to have been compromised, he/she has the right to lodge a complaint with the Data Protection Supervisor following the instructions given by the Authority itself at www.garanteprivacy.it
Obligatory provision of personal data
If the provision of the proceeding of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, the data subject is obliged to provide the requested personal data. Contrarily, the Data Controller will not be able to respect the purposes of the processing.
Our company doesn’t use any automated decision making, including profiling.
Information about Processing of Personal Data
Personal data will be processed in paper form or by computerized and telematics system. They will be included in database (clients, users, etc.) which will be accessible to employees expressly designated by the Data Controller as personal data processors. They can access, use, elaborate, compare personal data and carry out any other necessary operation, even automated, all in compliance with the provisions of the law that protect confidentiality, security and also accuracy of the data, their updating and the respect of the purpose of their processing.
Changes and updating
CDEC might make changes or integrations to this privacy policy also as consequence of data protection law changes or additions. Changes will be notify and the data subject will be able to view the text of the constantly updated privacy policy on the web site www.cdec.it (see link dedicated to privacy policy).
Ver. 00/24