DATA CONTROLLER

Company name: Fondazione Compagnia di San Paolo

Fiscal code: 00772450011

Registered office: C.so Vittorio Emanuele II, 75 10128 - Torino

In accordance with Art. 13 of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”), Fondazione Compagnia di San Paolo (hereinafter “Data Controller” or “Fondazione Compagnia di San Paolo”), inform you (hereinafter “User”) that your personal data will be processed for the following purposes and in the following manner:

TYPES OF DATA COLLECTED

The Data Controller processes identification data and usage data of the User (hereinafter referred to as "Personal data" or "Data") collected during the User’s navigation through the Data Controller's website, which can be accessed at

https://www.compagniadisanpaolo.it/

(hereinafter referred to as "Website”). The present Privacy Notice is provided exclusively for the afore-mentioned website and does not apply to other websites that the User may access through links accessible from this Website. Regarding the processing of Data carried out by such external websites, please refer to the respective privacy policies available on those websites.

The Data Controller may furthermore collect and process information pertaining to the User's network usage (e.g., IP address).

PURPOSES AND LAWFULNESS OF PROCESSING

Your Personal data will be processed for the following purposes:

1. allow the User to submit information requests to the Data Controller through a specific contact form on the Website or by sending an email (in the latter case, the Data will not be processed directly through interaction with the website);
2. enable the User to interact with the content on the website (e.g., view project announcements, download institutional documents, etc.);
3. allow the User to view multimedia content on the Website upon accepting the corresponding Cookie Policy. Complete details on the cookies used are provided in the Cookie Policy: https://www.compagniadisanpaolo.it/en/cookie-policy
4. allow the User to share material published on the Website on social networks and/or other external platforms (e.g., Facebook, LinkedIn, WhatsApp, etc.);
5. allow the user to access external platforms through links on the website (e.g., ROL platform, In-Recruiting web portal, Supplier Registry, etc.). The processing of personal data will occur according to the respective privacy notices of these platforms;
6. fulfill legal obligations, regulations, European legislation, or orders from authorities;
7. obtain statistics and metrics aimed at ensuring the proper functioning of the Website;
8. exercise the rights of the Data Controller (e.g., defense of legal claims).



The lawful bases of the processing operations listed above are the following:

• In relation to purposes a), b), c), d) and e) the processing is necessary for the fulfillment of contractual or pre-contractual obligations.
• Regarding purpose f), the processing is necessary to fulfill a legal obligation to which the Data Controller is subject to.
• In relation to purposes g) and h), the lawfulness is based on the legitimate interest of the Data Controller, e.g., monitoring the correct operation of the Website and exercising the rights of the Data Controller (e.g., the defense of legal claims).



The provision of Data for the aforementioned purposes is mandatory. In the event of non-disclosure of the Data, the Data Controller will not be able to allow the User to interact with the Website.

In addition, the User's data may be processed only with the explicit consent of the User for the following marketing and statistical purposes:

9. send communications related to the activities and initiatives of Compagnia di San Paolo;
10. customize the above-mentioned communications based on the recipient's interests: nature of interest (personal or professional), professional sector, geographical area, preferred topics of Compagnia di San Paolo's communications (culture goal, people goal, planet goal, etc.), etc.

The provision of Data for marketing and statistical purposes is optional. Therefore, the User may choose not to provide any Data or subsequently deny the processing of Data already provided. In such a case, the User will not be able to receive communications related to the activities and initiatives of Compagnia di San Paolo. The User may revoke consent to the Data processing at any time without affecting the lawfulness of the processing based on consent before revocation. This can be done by clicking on the link provided in each newsletter or by contacting the Data Controller at: privacy@compagniadisanpaolo.it

The processing of data for marketing and statistical purposes will always be based on principles of decency, lawfulness, transparency and protection of the right to privacy. Specifically, to validate the recipient's genuine interest in receiving the newsletter, a double-opt-in mechanism will be employed. The recipient will receive an email containing a registration confirmation link. The data will not be used to send the newsletter until confirmation has been received by the Data Controller. The recipient will be notified with successive confirmation request notices for the following three days, sent every 24 hours. After this period, if no confirmation is received, the recipient will be removed from the waiting list, and their data will be deleted.

Please be informed that in the event you use the services offered by the Data Controller, we may send you commercial communications regarding services similar to those you have already used unless you exercise the right to opt-out (Art. 130(4) of the Italian Privacy Code). The legal basis for the data processing is the legitimate interest of the Data Controller. We will retain your data until you exercise the right to opt-out and in any case, not beyond 10 years from the provision of the Data.

The User's Data may also be processed through the use of Cookies. For further information about the processing, please consult the Cookie Policy: https://www.compagniadisanpaolo.it/en/cookie-policy

STORAGE PERIOD

Personal data of the Website users will be kept for the time necessary to fulfill the purposes indicated in this Privacy Notice.

The Data Controller will store for 10 (ten) years copies of correspondence of legal and commercial relevance. Furthermore, the User's Data may be kept for the time necessary to ensure the defense in court or to prosecute any abuse in the use of the Website.

Data relating to marketing and statistical consents will be kept for a period not exceeding 10 years from the moment when the consent was given by the User. Once the above-mentioned retention period has elapsed, the data will be deleted, unless there is an exceptional need to retain the data to defend the rights of the Data Controller in relation to ongoing disputes.

DISCLOSURE OF PERSONAL DATA

User’s data will not be disclosed but may be made accessible, where necessary for the provision of services or as required by law, to:

• employees or collaborators of the Data Controller in Italy or abroad, in their capacity of subjects authorized to process Personal data and/ or system administrators.
• third-party companies or other subjects (e.g., IT consultants, etc.) that carry out activities in outsourcing on behalf of the Data Controller, in their capacity of Data Processors.

The Data Controller may communicate your Data for the purposes established by the present Privacy notice to supervisory authorities, legal authorities, public authorities to which it is obligatory to communicate the Data, as well as to those subjects to which the communication is obligatory by law for the fulfillment of the purposes established by this Privacy Notice.

TRANSFER OF PERSONAL DATA

The Data will be stored on servers located within the European Union and managed by third-party companies duly appointed as Processors.

The Data Controller may transfer the User’s Personal data to a third country. The data will be transferred exclusively to countries considered “adequate” and therefore, “safe” by the European Commission or to the companies which ensure appropriate safeguards pursuant to Articles 44-50 of the GDPR.

USERS RIGHTS

You may exercise the rights granted by the GDPR (articles 15-22), including:

a. The right to receive confirmation as to whether the Data Controller is processing the User’s Personal data (access rights);

b. The right to update, modify and/ or correct Personal data (right of rectification);

The right to request the erasure of data or the restriction of the processing. This right can be granted if the process is unlawful or the Data Controller no longer needs the Personal data for the purposes of the processing (right to be forgotten and right to restriction of processing);

d. The right to oppose to the processing (right of opposition);

e. The right to propose a complaint to the Supervisory Authority in case of violation of the regulations regarding the protection of Personal data;

f. The right to receive an electronic copy of the User’s Personal data (in a structured, commonly used and machine-readable format) and right to transmit those Data to another Data Controller without hindrance from the Data Controller to which the Personal Data have been provided (right to Data portability).

DATA CONTROLLER CONTACT INFORMATION

The Data Controller: Fondazione Compagnia di San Paolo

Place of Business: C.so Vittorio Emanuele II, 75 10128 - Torino

You can contact the Data Controller to exercise your rights granted by the GDPR by sending the registered letter to Fondazione Compagnia di San Paolo at C.so Vittorio Emanuele II, 75 10128 - Torino or by sending an e-mail at: privacy@compagniadisanpaolo.it providing the following information: name, surname, a copy of your identity document.

INFORMATION NOT CONTAINED IN THIS POLICY

More details concerning the collection or processing of Personal Data may be requested from the Data Controller at any time. Please see the contact information at the beginning of this document.

CHANGES TO THIS PRIVACY POLICY

The Data Controller reserves the right to make changes to this Privacy notice at any time by notifying its Users within this Website at the following link: https://www.compagniadisanpaolo.it/en/privacy-policy e di riferirsi alla versione più aggiornata.

Privacy Notice updated on: 23/01/2024