Cittadinanzattiva Onlus, through its branch Active Citizenship Network, is aware of the importance of safeguarding personal data and attentive to people's rights. Since the Internet is a potentially risky tool for the circulation of your personal data, Cittadinanzattiva Onlus is committed to promoting the rights of people and, among them, the right to privacy with the introduction of the European Regulation 679/2016 of the European Parliament and of the European Council of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (hereinafter called "GDPR" ) - guaranteeing a safe, controlled and confidential surfing on the net.
This policy aimed to protect the confidentiality of information may change over time, depending also on the additions and amendments in laws or regulations in this regard or for our institutional decisions, therefore, we invite you to periodically consult this section in our website.
- carry out the processing (article 4, par. 2, GDPR: " means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction") of personal data (Article 4, par. 1, GDPR: " any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person") exclusively for the purposes and according to the methods illustrated in the information to be provided, which from time to time are presented to the data subject who accesses a section of the website to which the provision, directly or indirectly, of personal data is supplied;
- use the data supplied voluntarily by the data subject;
- use technical cookies to help navigation on the website and analytical cookies for statistical purposes;
- use profiling cookies only prior to data subject’s consent;
- transmit the data to third parties (processor - article 4, par. 8, GDPR: "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller") exclusively for purposes instrumental to what is expressly requested and carefully selected by us;
- communicate the data to third parties for activities related to what is of interest or if it is required by law, regulation or community legislation;
- prior to explicit consent (article 4, paragraph 11, GDPR: "the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her") communicate the data to third parties for their autonomous processing;
- answer requests for access to personal data, rectify or delete them, exercise the right to be forgotten, limit the processing or the right to object to their processing. Guarantee the exercise of the right to data portability and the opposition to the processing of data for purposes of information communications regarding our projects and requests for financial contributions to support our institutional activities;
- guarantee correct and lawful processing of data, safeguarding confidentiality, and apply appropriate safety measures to protect the confidentiality, integrity and availability of said data.
Information to be provided pursuant to art. 13, GDPR and the criteria used to determine the limits of data storage
As detailed in the sections which allow you to access - by releasing your personal data - the services reserved for data subjects of our website, the data requested are used to answer requests expressly made by the data subject. In particular, all data collection and subsequent processing activities are aimed at pursuing the institutional aims of Cittadinanzattiva Onlus, in particular for:
- regular and one-off donations (by credit card, bank transfer or other means of payment);
- access or request for information for citizens' rights protection services;
- subscription to our newsletter;
- request to collaborate with our organization;
- signing of petitions, initiatives or specific projects;
- request for information.
The forms to be completed - on-line or to be downloaded - include both data that are strictly necessary to access what is of interest, their non-disclosure not allowing the processing of the request, and optional data. Therefore the data subject is free to supply personal data contained in the request forms or requested in contacts with Cittadinanzattiva for information or for other purposes listed above. In the case of mandatory data supply, their absence may make it impossible to obtain what has been requested. The need to consider the supply of data as mandatory to join individual projects or individual initiatives or to ask for information is in compliance with the provisions of art. 25, GDPR "Data Protection by design and by default", which require prior assessment of appropriate technical and organizational measures, such as "pseudonymisation" (Article 4, par. 5, GDPR: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"), aimed at effectively implementing data protection principles, such as minimization, and to incorporate the necessary guarantees into the processing in order to comply with the requirements of the GDPR and protect the rights of data subjects. Cittadinanzattiva Onlus has implemented appropriate technical and organizational measures to ensure that, by default, it processes only the personal data necessary for the specific purpose of the processing deriving from the project to which the data subject has voluntarily agreed to. All the processing operations carried out on our website will be both on paper and electronic or telematic tools, with methods related to the purposes for which the data were collected and in compliance with the current safety regulations, for the purposes specified from time to time in the information to be provided pursuant to art. 13, GDPR.
Cittadinanzattiva Onlus will not use the data supplied for purposes other than those related to the service to which the data subject has subscribed, and, in any case, only within the limits indicated from time to time in the information to be provided pursuant to art. 13, GDPR.
For purposes regarding the supply of the service requested by the data subject, the data may be made available to third parties, who will act as autonomous data controllers, and who will provide instrumental services apt to satisfy the data subject's request (e.g. credit institutions or credit card issuers for donation payments) or to whom data communication is necessary in order to comply with legal or regulatory provisions.
Personal data may be processed for purposes other than those for which the data subject has given consent only prior explicit assent by the latter. In particular, they may be processed for purposes of "social advertising" and for marketing purposes with or without "profiling" (art. 4, par. 4, GDPR - "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements"), that is, based on the interests and preferences shown by browsing the website or filling in the forms presented therein, as well as surveys and researches. For further clarification, the data will also be processed for purposes of promotional, informative and institutional contacts regarding our projects, fundraising activities and initiatives, surveys and research reserved for participants to our activities. This right and the right to information services are acquired upon joining any single Cittadinanzattiva outreach project. Therefore, the data will be stored in our archives for the period of time necessary to provide such information services. This period will be also justified by the legitimate interest of Cittadinanzattiva Onlus to keep a constant relationship with the party involved and to keep him or her informed about awareness actions which Cittadinanzattiva Onlus considers useful to disseminate their full commitment to the realization of its mission. This legitimate interest is admitted pursuant to art. 6, par. 1, letter f), GDPR as an alternative way in place of the explicit consent by the interested party. Obviously, this storage period will be extended as long as the interest the data subject is interested in staying in contact with Cittadinanzattiva Onlus: when the relationship with our organisation is no longer in the data subject’s interest it will be sufficient to inform Cittadinanzattiva Onlus by using the procedures explained below and Cittadinanzattiva Onlus will adopt all technical and organisational measures to avoid any future contacts. Likewise, if desired, the data will be processed for future contacts which will be entertained for the above mentioned purposes and executed in a personalised manner on the basis of behavioural characteristics (e.g. activities joined, area of residence, age), regarding interests and preferences linked to our operations ("profiling", as defined above). Profiling will involve the selection of the information stored regarding the data subject and communications will be in line with the information at our disposal thus avoiding to propose initiatives which might be of no interest. The data will be stored as long as Cittadinanzattiva Onlus continues its mission with projects, initiatives, actions and activities which may require economic contributions or that intend to raise public awareness (e.g. petitions, participation in civic action projects) that are of interest to the data subject since they reflect his or her characteristics and behaviour and are therefore of his or her interest. Also in this case, such storage will cease if the interested party expresses opposition at any time to the processing of personal data concerning him or her for profiling that is connected to direct marketing.
The storage of data for administrative, accounting and tax purposes is limited to the time period specifically set in the current regulations.
Moreover, the data may be disclosed to third-party non-profit organizations, project partners, institutions, for autonomous use (as independent data controller) for their institutional purposes: such "communication" will occur only if the data subject concerned has expressed his or her explicit consent. The transfer of personal data to other countries can only take place with the data subject’s consent. These are activities mainly related to the data subject's support of the distance adoption project, to allow the creation of a link between beneficiary and contributor. These third parties are members of the international network of which Cittadinanzattiva Onlus is a partner or has a partnership relation.
The data may be supplied to third parties, subject to the data subject’s express and specific informed consent, as described above, for autonomous, use having primary purpose of promotional contact. The dissemination of data, subject to the data subject’s consent, may be connected to the type of service or initiative to which the data subject has subscribed (e.g. list of subscribers of an online petition).
The personal data collected will be made available to persons authorized by Cittadinanzattiva Onlus pursuant to art. 29, GDPR which carry out essential processing activities for the pursuit of the purposes indicated above; the categories of persons authorized for processing are each time specified in the information note. In general terms, these are the persons responsible for providing specific services, for administration, for the management of information services, for relationships with real and potential supporters, for organizers of information campaigns on our projects.
The processing connected to the web services of this website takes place at the aforementioned headquarters of Cittadinanzattiva Onlus and is handled by technical personnel authorized to process it. Should the need arise, the related data can be processed by the staff of third-party companies who are responsible for the maintenance of the technological part of the website (responsible for the processing pursuant to art. 28, GDPR), at their offices.
Cittadinanzattiva Onlus - domiciled in Via Cereate 6, 00183, Rome, is the data controller (art. 4, par. 7, GDPR: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"), pursuant to and for the purposes of the GDPR, as it decides how and for what reasons, indicated in the information to be provided to data subjects, collects and uses personal data supplied by the data subject, as well as with which tools it processes them and which safety procedures are activated to guarantee their integrity, confidentiality and availability, in compliance with the obligations and responsibilities set forth in art. 24, GDPR.
The right to delete, modify or supplement the data already voluntarily supplied are guaranteed, as well as requesting blocking, transformation into an anonymous form or opposing their processing for legitimate reasons or if the data subject does not wish to receive "social advertising" even with "profiling", or limit the processing and exercises the right to data portability. Furthermore, it is also possible to apply to the supervisory authority. Thanks to the exercise of these rights data subjects will be able to control the handling of their data even after their being supplied.
Rights of data subjects
Data subjects can exercise at any time their rights by contacting
Right of access by the data subject (art. 15, GDPR)
Any person has the right to know if his or her personal data are being processed and, therefore, has the right to access to the personal data and the following information:
- 1. the purposes of the processing (e.g. management of a donation, management of a case ...);
- 2. the categories of personal data concerned; (e.g. personal data, behavioural data)
- 3. recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- 4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- 5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- 6. the right to lodge a complaint with a supervisory authority;
- 7. where the personal data are not collected from the data subject, any available information as to their source;
- 8. the existence of automated decision-making, including profiling, as well as the significance and the envisaged consequences of such processing for the data subject (e.g. if the data subject has linked a profile of donation habits by cross-referencing the donation amount with frequency and campaign).
Right to rectification (art. 16, GDPR)
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing an additional statement.
Right to erasure (“right to be forgotten”) (art. 17, GDPR)
The data subject has the right to obtain the deletion of personal data concerning him or her and Cittadinanzattiva Onlus is under the obligation to delete the personal data without undue delay, where one of the following grounds applies:
- 1. personal data are no longer necessary regarding the purposes for which they were collected or otherwise processed;
- 2. the consent on which the processing is based is revoked and if there is no other legal ground for the processing itself (e.g. legitimate interest, regulatory or contractual obligations);
- 3. Opposition to processing for marketing and profiling purposes and there is no legitimate prevailing reason to proceed with the processing;
- 4. personal data have been unlawfully processed;
- 5. personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
Right to restriction of processing (art. 18, GDPR)
The data subject has the right to obtain the restriction of the processing of his or her personal data for one of the following reasons:
- 1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- 2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead (e.g. the processing not be carried out for marketing purposes but only for management and administrative reasons);
- 3. although data for processing purposes are no longer required, personal data are necessary for the data subject to ascertain, exercise or defend his or her right in court;
- 4. the data subject has objected to the processing if the said processing is based on his or her own legitimate interest, pending verification of the possible prevalence of his or her legitimate reasons in respect of those of the owner.
Notification obligation regarding rectification or erasure of personal data or restriction of processing (art. 19, GDPR)
The data subject has the right to request that the correction or erasure of data or the limitation of their processing be communicated by Cittadinanzattiva Onlus to other subjects to whom the said data have been disclosed. Cittadinanzattiva Onlus might not comply with the request, if the means to be used are disproportionate to the right to privacy invoked by the data subject.
Right to data portability ("data portability") (art. 20, GDPR)
This right allows the data subject to receive in a structured, commonly used and automatically readable form his or her personal data supplied to a subject who submits the said data to processing and has the right to transmit them to a subject for use of the latter without impediment by the subject to whom he has provided them. This right can be exercised in the following cases:
- 1. processing is based on consent or on a contract or on pre-contractual measures requested by the same data subject and at the same time
- 2. processing is carried out by automated means.
The data subject has the right to obtain that his or her data be transmitted directly from one subject to another (from the one he or she has given them to another he or she wants them to be transmitted to), if technically possible.
Right to object (art. 21, GDPR)
The data subject has the right to object to the processing of his or her data for the pursuit of the legitimate interest of Cittadinanzattiva Onlus or that of third parties. If personal data are processed for marketing purposes, the data subject has the right to object at any time to said processing of his or her personal data for such purposes, including profiling if connected to such marketing activity.
Automated individual decision-making, including profiling (Article 22, GDPR)
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. In particular, it has the right to oppose to profiling through automated processes.
This right shall not apply if the decision:
- is necessary for entering into, or performance of, a contract;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests;
- is based on the data subject's explicit consent.
The data subject has the right to express his or her opinion and to challenge the decision of Cittadinanzattiva Onlus.
Criteria used to define the data storage time limit
The data will be kept in our archives (art. 4, par. 6, GDPR: "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis") by different criteria according to the data category, the nature of the processing and the purposes of the processing itself. The criteria or precise storage time limits are described in the information to be provided pursuant to art. 13, GDPR at the time of the supply of personal data.
In principle, the following evaluations of Cittadinanzattiva Onlus are valid to establish the criterion for data storage:
- 1. all data relative to donations are kept as long as the relationship remains active and for a number of years equal to that which laws, regulations, also those of the EU, set for administrative and accounting purposes
- 2. all data of contributors or people interested in our mission used for marketing purposes are kept for the period necessary to provide the information services reserved for these individuals. This right and information services are acquired upon joining the project involving the donation. This period is also justified by the legitimate interest of Cittadinanzattiva Onlus to maintain a constant relationship with the contributor to keep him or her informed about the projects which could be funded with the contribution of the donor or on awareness campaigns that Cittadinanzattiva Onlus considers useful to organise in order to show its full commitment to the realization of its mission. This legitimate interest is admitted pursuant to art. 6, par. 1, letter f), GDPR as an alternative approach to explicit consent by the interested party. Obviously, this storage period will be extended as long as the data subject’s interest in interacting with Cittadinanzattiva Onlus lasts: if there is no more interest, it will be sufficient to send a communication in this respect through the procedures referred to in the paragraph "Rights of the data subjects" and Cittadinanzattiva Onlus will adopt the appropriate technical and organizational measures to interrupt the contact
- 3. all data used for marketing activities which include profiling, the processing of which is supported by the explicit consent of the data subject, are kept as long as the profile of the interested party is in line with the personalised communications created through the cross-referencing of the information at our disposal and, therefore, as long as Cittadinanzattiva Onlus continues its mission with projects, initiatives, actions and activities that require economic contributions or that aim at raising public awareness (e.g. petitions, emergency appeals, canvassing and surveys) which are of interest to the data subject who has given consent to receive information of this kind and which reflects the characteristics and behaviour of the said subject and are, therefore, of his or her specific interest and are not irrelevant. Also in this case, such storage would come to an end if the interested party expresses opposition at any time to the processing of his or her personal data for such purposes, including profiling if connected to direct marketing.
Once the periods of time set out above have elapsed, the identification data are transformed into an anonymous form and used only for statistical reports which do not allow to trace the identity of the person, but which are useful for adapting the projects, initiatives and actions for the realization and achievement of the statutory and institutional objectives of Cittadinanzattiva Onlus. Personal data will therefore be destroyed.
Personal data can be processed, either manually or electronically or telematically, directly by Cittadinanzattiva Onlus or by third parties – constantly monitored in their work by the latter - who, with their experience, technical and professional skills and reliability, carry out processing operations on behalf of our association, in compliance with safety and the confidentiality of information regulations. The person responsible for the data processing is "the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller" (art. 4, par. 8, GDPR) and is contractually bound by Cittadinanzattiva Onlus with the definition of operating limits on data, the data it may process and the categories to which they refer and with the prohibition of using in any other way from that to which was entrusted to him or her. The person responsible for the data processing can, if formally authorized by Cittadinanzattiva Onlus, make use of other processors who are contractually bound to those appointed directly by Cittadinanzattiva Onlus, therefore any violation committed by the said other processors fall under the responsibility of the primary processor not of Cittadinanzattiva Onlus.
The complete and updated list of data processors can be requested by e-mail to the following
Third parties to whom data are transmitted.
What are cookies and how they are used by Cittadinanzattiva.
Cookies are pieces of data saved on the hard disk of a PC which are sent from the browser to a web server and keep track of the use of the network. They allow to know the services, the websites visited and the movements of a user within a website.
Therefore this information is not provided voluntarily and directly and leaves a trace. The data collected through cookies is used for technical needs, in order to guarantee easier, immediate and quick access to the website and its services and allows an easier navigation to the users.
User profiling cookies may also be used prior to user’s consent in order to create profiles based on website sections or actions performed by the user either on this website or by browsing the web.
The use of c.d. session cookies (which are not stored permanently on the user's computer and are automatically deleted when the browser is closed) is strictly limited to the transmission of session identification (consisting of random numbers generated by the server) necessary to allow a safe and efficient exploration of the website. The c.d. sessions cookies used in this website avoid the use of other technologies that could compromise the privacy of users' browsing and do not allow the acquisition of personal identification data. In any case, users can set up the browser in order to be notified when a cookie is received and then decide whether to accept it or not.
Computer systems and software procedures employed to operate this website acquire, during their normal operations, some personal data the transmission of which is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified users but by their very nature could, through processing and association with data held by third parties, allow to identify the users. This category of data includes IP addresses or domain names employed by users connecting to the website, the addresses in Uniform Resource Identifier (URI) of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error or similar) and other parameters related to the operating system and the user's computer environment. These data are handled only to obtain anonymous statistical information on the use of the website and to check its correct functioning and are then deleted immediately after processing. The data could be used to ascertain responsibility in the case of hypothetical computer crimes against the website.
Safety of personal data
Cittadinanzattiva Onlus adopts appropriate and preventive safety measures to safeguard the confidentiality, integrity, completeness and availability of personal data. As established by the law provisions governing the safety of personal data, technical, logistical and organizational measures are developed to prevent damage including accidental loss, alterations, improper and unauthorized use of data concerning the user.
In particular, Cittadinanzattiva Onlus has implemented suitable technical and organizational measures to ensure a level of safety appropriate to the risk that could affect your rights and your freedom, including privacy and confidentiality. Cittadinanzattiva Onlus adopts safety criteria which include, among others:
- “pseudonymisation” (art. 4, par 5, GDPR: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”) and data encryption
- systems which permanently safeguard the confidentiality, integrity, availability and resilience of processing systems and services
- systems for promptly restoring the availability of and access to personal data in the event of a physical or technical incident
- procedures for testing, verifying and regularly assessing the effectiveness of technical and organizational measures in order to guarantee the safety of the data processing.
Similar preventive safety measures are adopted by third parties (data processors) to whom Cittadinanzattiva Onlus has entrusted data processing operations on its behalf.
Cittadinanzattiva Onlus is not responsible for any false information sent directly by the user (e.g. correctness of the e-mail address or postal address or other personal data), as well as information concerning him or her which has been provided by a third party, also unlawfully.
Credit card and financial information necessary for donations
In the case of donations made by credit card, Cittadinanzattiva Onlus guarantees maximum confidentiality and safety in operations. The financial information about the credit card (number, expiry date, holder’s particulars) may only be known by the issuing institution. Cittadinanzattiva Onlus will only be notified a code ("token") without the possibility of linking it to the identity of the credit card holder or to the credit card details, unless in exceptional cases.
Finally, as a rule, Cittadinanzattiva Onlus assumes no responsibility concerning unauthorized or fraudulent use by third parties of information pertaining to the means used for the transaction related to the donation.
Elio Rosati - Data Processor,