Privacy and Cookie Policy

written in compliance with articles 13 and 14 of GDPR (General Data Protection Regulation) – EU Regulation 2016/679
In compliance with European Regulation 2016/679 (also known as GDPR), ISTITUTO OIKOS Onlus (“Oikos”) would like to inform you that the personal information you provide or that we acquire as part of our activities, required to execute the services we offer you, will be processed in compliance with the privacy legislation and the principles of correctness, lawfulness, transparency and protection of your privacy and rights.

Please read the following information carefully to understand how we collect, use and store your personal information. We may update this policy from time to time without notice to you, so please check it regularly, particularly if you are sending personal information to us. ‘Personal information’ is information, or a combination of pieces of information, that could reasonably allow you to be identified.

1. DATA CONTROLLER

ISTITUTO OIKOS ONLUS, with legal office in Varese, Italy, n.2 via Magatti and headquarters in Milan, Italy, n.1 Via Crescenzago. This organisation is the Data Controller (Controller). The Data Processor is the legal representative of Istituto Oikos Onlus, Rossella Rossi.

2. OUR LEGAL BASIS FOR PROCESSING DATA: WHAT INFORMATION WE COLLECT, HOW WE COLLECT IT AND WHAT WE USE IT FOR

2.1. The computer systems and software needed to run this website collect certain personal information implicitly deriving from the use of the information protocols on the Internet (i.e. domain name and IP address). Such data do not come with additional personal information and are used to produce anonymous statistics on the website usage, in order to check how it is being used and to verify potential responsibilities in case of cybercrimes. The legal basis that supports the processing of data is the need to enable the usability of the features of the corporate website following the User’s access.

2.2. The data voluntarily provided by the User are those needed by the data Controller to provide the services available and are lawfully processed according to correctness; they are also collected and registered for specific, clear and legitimate aims, stated below, and are used in processing activities not incompatible with other aims.
Personal information (data that identify the person, such as: name, surname, business name, tax code and VAT number, phone number / fax, email, bank and payment details) is collected and processed:

a) for internal administrative, fiscal and accounting purposes linked to the relationship between donor and organisation, and in compliance with the duties of the Controller provided by laws or regulations, by Community law, by requests from the legal authority or to exercise the rights of the Controller;

b) when the User provides specific consent, for the following marketing aims: sending (via email, post, sms or telephone) newsletters, updates about the Controller’s activities, advertising material or sales information – even customised according to the User’s consumption habits (profiling) – on products and services offered by the Controller which the User may consider interesting, and to evaluate the degree of satisfaction on the services quality, including requests of participation to market research and analysis.

c) when the User provides specific consent, for the following marketing aims: sending (via email, post, sms or telephone) newsletters, updates on the Controller’s activities, advertising material or sales information – even customised according to the User’s consumption habits (profiling) – on products and services offered by third parties.

d) in the case of submission of a CV, exclusively for recruitment purposes and creation of a working relationship.

The legal ground for the data processing described in point “a” (administrative, accounting or fiscal purposes) is the execution of a contract of service supply of which the User is part, or the implementation of a pre-contract activity requested by the User.

2.3. According to GDPR articles 9 and 10, the User can share with the Controller data qualified as “particular categories of personal information” (meaning the data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs or union membership, general data, biometric data aimed at one specific natural person, data concerning health or sexual life or sexual orientation of that person). Such data categories could be processed by the Controller only with the consent of the User, shown in written form by signing this policy, for contract requirements and related legal and fiscal obligations and for recruitment requirements.

3. DATA PROCESSING METHODS
Personal information processing is carried out through the following operations: collection, recording, management, storage, consultation, processing, modification, selection, extraction, comparison, usage, interconnection, blocking, communication, erasure and destruction of data.
The User’s personal data are collected following direct transmission to the Controller by filling in forms or documents made for such purpose, or put in contracts, or collected by phone by an operator during pre-contract activities. Information is treated both through manual elaboration in paper format as well as through electronic or automated tools, digital or telecommunication based. The information collected is then saved and stored by the Controller in paper and digital archives, guarded and kept under control in order to reduce to the minimum the risk of data loss or destruction, even accidental, unauthorised access or processing which is not allowed or does not comply with the aim of collection.
Data are processed by the Controller or collaborators of the Controller, duly trained to do so.

4. NATURE OF DATA TRANSMISSION

Providing personal data for processing is optional. However, failure to provide the data, be it partial or total, can mean that we may not be able to process your data any longer or provide you with certain information or services.

The transfer of data for marketing purposes is also optional. The User can decide not to provide any information or later withdraw consent to process data already provided (see point 9 below: THE RIGHTS OF THE USER: HOW TO MAKE CHANGES OR REQUESTS); in that case he or she will no longer be able to receive newsletters, sales and advertising material in general concerning the services offered by the Controller.

5. ADDRESSEES OR POTENTIAL CATEGORIES OF ADDRESSEES OF PERSONAL DATA

The processing of User’s data is carried out by the Controller’s internal human resources (employees, collaborators, system administrators), defined and authorised according to the instructions provided in compliance with the privacy and data protection regulation.

If necessary in order to fulfil the purposes listed in article 2, the User’s personal data can be processed by third parties defined as Entity Responsible of the process (according to article 28 of GDPR) or “autonomous” controllers, and more specifically:

1. by Istituto Oikos S.r.l. for the purposes mentioned in article 2.2, letter “c”;

2. by professionals, companies, associations or professional practices that may provide assistance or consultancy to the Controller for administrative purposes, such as legal assistance or recruitment;

3. by public bodies defined by the law and more in general by all the entities defined in the current taxation and accountancy regulation as addressees of mandatory communications;

4. by financial institutions for income and payments and by professionals – as individuals, associations or as a company – for analysis and market research services, for payment management through credit cards or electronic payment tools more generally, couriers, for potential credit recovery or the activities related to the Controller’s balance report.

The updated list of Responsible Entities and those in charge of the processing is kept in the legal office of the Controller. In any case, the personal information of the User is not subject to distribution.

6. DATA TRANSFER TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATIONS

Within the management of contracts and voluntary work relationships, it is possible that the User’s data are transferred to international organisations linked to Oikos in countries outside the EU.

7. PERSONAL DATA STORAGE: DURATION AND CRITERIA USED TO DETERMINE DURATION

For the purposes outlined in letter “a” (administration, tax and accounting fulfilments) of article 2.2, the User’s personal information will be processed and stored by the Controller for the whole duration of the contract between the User and the Controller. Once the contract has ended for any reason, such data will be stored for the period of time established, for each data category, by the current accounting, tax, civil law and procedural regulation.

For the purposes outlined in letter “b” (profiling and marketing) and “c” (marketing and profiling by third parties) the personal information of the User will be processed and stored by the Controller until consent shall be revoked by the User or he/she exercises the right to withdraw consent for the treatment of personal data or request deletion.

For the purposes outlined in letter “d” (curricula vitae) personal information could be processed and stored by the Controller for a maximum period of 120 months after the date the information was received.

8. USER’S RIGHTS

The User has the rights described in articles 7, from 15 to 21 and 77 of the GDPR and, in particular:

Right of access – article 15 GDPR: the User shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and a copy of them.

Right of correction – article 16 GDPR: the User shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her and /or to have incomplete personal data completed.

Right to deletion (‘right to be forgotten’) – article 17 GDPR: the User shall have the right to obtain from the Controller the deletion of personal data concerning him or her without undue delay.

Right to restriction of processing – article 18 GDPR: The User shall have the right to obtain from the Controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the User, for a period enabling the Controller to verify the accuracy of the personal data; the processing is unlawful and the User opposes the erasure of the personal data and requests the restriction of their use instead; personal data are required by the User for the establishment, exercise or defence of legal claims; the User has objected to processing pursuant to Article 21 GDPR pending the verification whether the legitimate grounds of the Controller override those of the User.

Right to data transferability – article 20 GDPR: The User shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly-used and machine-readable format and have the right to transmit that data to another Controller without hindrance from the Controller to whom the personal data have been provided. Moreover, the User shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.

Right to object – article 21 GDPR: the User shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on either the lawfulness of legitimate interest or the performance of a task of public interest or the performance of public duties, including profiling. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the User shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right of withdrawal of consent – article 7 GDPR: the User shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint – article 77 GDPR: every User shall have the right to lodge a complaint with a supervisory authority, Piazza di Montecitorio 121, 00186, Roma (RM), Italy.

9. THE RIGHTS OF THE USER: HOW TO MAKE CHANGES OR REQUESTS

The User shall have the right to exercise his or her right to make changes or requests at any time by sending a communication through registered letter to: Istituto Oikos – n.2, via Margatti – 21100 Varese, Italy, or a communication via certified e-mail to istituto.oikos.onlus@pec.it

In order to exercise the rights mentioned in the current policy and receive any information related to them, the User shall contact the Controller who, also through the nominated facilities, shall take responsibility for the request and provide the User with information regarding the action undertaken regarding his or her request without undue delay or within a month from receiving the request. The exercise of the rights by the User is granted under article 12 of GDPR. However, in the case of unfounded or excessive or repetitive requests, the Controller is entitled to charge the User a reasonable amount, in the light of the administrative costs of managing the request, or deny the request.

10. CHANGES TO THIS POLICY

This policy was last updated in May 2018 to provide you with information about how we collect, use and store your personal data according to the laws set out in the GDPR and to give you more clarity on how we use your data, and your rights in relation to it. We may amend or update this policy at any time to take account of any changes to data protection law or other legislation. When further updates to the policy are made they will be posted on this page, so please check back here regularly.

11. CONTACT US

If you have any questions, please contact us using the details below:
Data Protection Officer: Rossella Rossi (rosella.rossi@istituto-oikos.org). Please specify Privacy Policy in the subject line.

Istituto Oikos’ Cookie Policy

Cookies are small amounts of information stored in files within your computer’s browser, which assist the website owner in the service supply according to the purposes mentioned. Some of the purposes of installing cookies could require the User’s consent. When Cookies installation takes place after consent, such consent can be withdrawn at any given moment following the instructions in this document.

You can find out more about cookies at www.allaboutcookies.org.

TECHNICAL AND AGGREGATE STATISTICS COOKIES

Activities strictly necessary to the website functioning
Like most websites, www.medforval.org uses Cookies to save the User’s last session and to run operations strictly necessary to the functioning of www.medforval.org, such as those related to website traffic.

Saving preferences, optimisation and statistics
www.medforval.org uses Cookies to save navigation preferences and improve the User’s experience. Among these Cookies are for instance those used for language set up and statistics management run by the website owner.

OTHER TYPES OF COOKIES AND THE TOOLS THAT COULD INSTALL THEM

Some of the services mentioned below collect aggregate and anonymous data and might not require the User’s consent or might be directly managed by the Controller—depending on what is described—without involving any third party. If third party services are among the tools listed below, those could run User tracking activities, in addition to those specified above, and without the User’s knowledge.

Interaction with external platforms and social media
This type of services enables interaction with social networks, or other external platforms, directly from www.medforval.org. Interaction and information acquired by www.medforval.org are subject to privacy settings chosen by the User for each social network. If there is a social network interaction service installed, the service, even when not used, could collect traffic data about the pages on which it is installed.

Like button and Facebook social widgets (Facebook, Inc.)
Like button and Facebook social widgets are interaction services with social media Facebook, provided by Facebook, Inc.
Personal data collected: Cookies and usage data.
Data handling location: United States – Privacy Policy.

LinkedIn button and social widget (LinkedIn Corporation)
LinkedIn button and social widgets are interaction services with social media LinkedIn, provided by LinkedIn Corporation.
Personal data collected: Cookies and usage data.
Data handling location: United States – Privacy Policy.

Tweet button and Twitter social widgets (Twitter, Inc.)
Tweet button and Twitter social widgets are interaction services with social media Twitter, provided by Twitter, Inc.
Personal data collected: Cookies and usage data.
Data handling location: United States – Privacy Policy.

Instagram button and social widget
Instagram button and social widgets are interaction services with social media Instagram, provided by Instagram Corporation.
Personal data collected: Cookies and usage data.
Data handling location: United States – Privacy Policy.

YouTube button and social widget (Google Inc.)
YouTube button and social widget are interaction services with social media YouTube, provided by Google Inc.
Personal data collected: Cookies and usage data.
Data handling location: United States – Privacy Policy.

Statistics
The services mentioned in this section allow the Controller to monitor and analyse traffic data and are used to track the User’s behaviour.

Google Analytics (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google uses Personal Data to track and analyse the use of www.medforval.org, compile reports and share them with other services developed by Google.
Google could use Personal Data to put in context and customize ads belonging to its advertising network.
Personal data collected: Cookies and usage data.
Data handling location: United States – Privacy Policy – Opt Out.

Google Analytics with anonymous IP (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google uses Personal Data to track and analyse the use of www.istituto-oikos.org, compile reports and share them with other services developed by Google.
Google could use Personal Data to put in context and customize ads belonging to its advertising network.
This integration of Google Analytics makes your IP address anonymous. It works by shortening the IP address of Users, within the borders of the European Union member countries or in other countries within the European Economic Area. Only in exceptional cases, the IP will be sent to Google servers and shortened within the United States.
Personal data collected: Cookies and usage data.
Data handling location: United States – Privacy Policy – Opt Out.

HOW CAN I GIVE MY CONSENT TO COOKIES INSTALLATION?

In addition to the information above, the User can manage the relevant Cookie preferences directly from their browser and avoid, for instance, installation by third parties. Through browser preferences it is also possible to delete Cookies installed in the past, including Cookies where it is possible to store the consent to install Cookies by this website. The User can find information on how to manage Cookies through the most widespread browsers such as: Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Internet Explorer.

With reference to cookies installed by third parties, the User can also manage their own settings and withdraw their consent by visiting the relevant opt out link (when available) using the tools described in the third party privacy policy or by directly getting in touch with them.

In addition, the User can take advantage of the information provided by EDAA (EU), Network Advertising Initiative (USA) and Digital Advertising Alliance (USA), DAAC (Canada), DDAI (Japan) or other similar services. Through such services you can manage preferences regarding the tracking of most advertising tools. Therefore, the Controller suggests using such resources in addition to the information provided here.

THE DATA CONTROLLER AND DATA PROCESSOR

Istituto Oikos is the owner and the entity processing personal information, with legal base in Varese, n. 2 Via Magatti, and operational headquarters in Milan, n. 1 Via Crescenzago, and represented by the pro tempore legal representative based in the office of Istituto Oikos at the above-mentioned address: privacy@istituto-oikos.org

Since the installation of cookies and other tracking systems operated by third parties through the services used by www.medforval.org cannot be controlled by the Controller, every specific reference to Cookies and tracking systems installed by third parties should be considered as approximate. Given the objective complexity to identify technologies based on Cookies, the User is invited to contact the Controller whenever requiring any additional information about the use of Cookies through www.medforval.org.

DEFINITIONS AND LEGAL REFERENCES

Personal Information (or Data)
‘Personal information’ is information, or a combination of pieces of information, that could reasonably allow you to be identified.

Usage data
The information automatically collected through www.medforval.org (also through third-party applications implemented within www.medforval.org), including: IP addresses or domain names of computers used by the User to connect to www.medforval.org, the time of request, the method used to forward the request to the server, the size of the file received in reply, the code number showing the server reply status (success, error, etc.), the country of origin, the features of the browser and operating system used by the visitor, the different timing information (such as the amount of time spent on every website page) and the details of the browsing itinerary of the visit within the application, with specific reference to the sequence of pages visited, the operating system parameters and the IT environment of the User.

The User
The person using www.medforval.org

Person involved
Physical person to whom the personal information refers.

The Data Processor (or Processor)
The natural person, legal entity, public administration or any other body that processes data on behalf of the Controller, according to what is stated in the current privacy policy.

The Data Controller (or Controller)
The natural person, legal entity, public authority, the service or other body that, singularly or together with others, defines the aim, means and tools of the data processing, including the security measures used for the use and functioning of www.istituto-oikos.org. The Data Controller, unless stated otherwise, is the legal representative of Istituto Oikos.

www.medforval.org (or this application)
The software and hardware by which Users’ data are collected and managed.

Service
The service provided by www.medforval.org, as defined by the relevant terms (if present) in this website/application.

European Union (or EU)
Unless stated otherwise, every reference to the European Union contained in this document refers to all the current member states of the European Union and European Economic Area.

Cookie
Small portion of data saved within the User’s device.

Legal Reference
The current privacy policy is drafted according to different legal systems, including articles 13 and 14 of the Regulation (EU) 2016/679.