The processing concerns individuals who, for various reasons, have been included on the Data Controller’s mailing lists and may receive communications via e-mail (newsletters). The data included in the processing are, or may be:
• first and last name
• e-mail address
• outcome of the mailing
The e-mail address is strictly necessary for sending the newsletter and for receiving or sending communications.
The first and last name permit the Data Controller to identify the recipient.
The datum regarding the outcome of the mailing (newsletter not received, received, opened, links clicked) is necessary in order to evaluate the effectiveness of the communication.
The purpose of the processing is to permit sending the newsletter to the data subjects.
Most of the data were collected by Fondazione Valter Baldaccini via a specific expression of consent.
The data are not subject to further processing by third parties.
The Fondazione Valter Baldaccini informs its stakeholders about its activities and communicates with them through the mailing lists. The data processed on these mailing lists are first names, last names, and e-mail addresses. These mailing lists make it possible to send communications to specific groups of recipients or to all recipients. Specifically, the Data Controller breaks down the data subjects into several mailing lists, which it continually updates.
To manage the newsletters, NUR s.r.l. has designed and runs the Jeenius platform. The platform makes it possible to enter the necessary data or obtain them from external lists, and to send messages to subgroups or entire mailing lists.
Considering the fact that:
• the personal data were collected during the registration process and after the signing of a consent in accordance with the laws in effect at the time;
• the receipt/sending/storage of the messages is a premise or foreseeable consequence of every e-mail communication;
• receiving periodic communications from the Fondazione Valter Baldaccini is a foreseeable consequence of the acts that led the data subjects to receive them (donation, manifestation of interest, being employees of UMBRAGROUP);
• each mailing contained, and contains, a quick and easy procedure for cancelling the registration;
the Data Controller does not consider it strictly necessary to request further consent from the data subjects, or render the processing conditional on an explicit consent. It will notify all data subjects:
• that it has several categories of personal data regarding them;
• of the purposes of this processing and its legitimacy;
• of the possibility for data subjects to know these data, modify them, or request their deletion.
The Jeenius platform provides for a GDPR-compliant consent form that will be presented to all new members through a “double opt-in” procedure. A selective deletion will thus be possible: the data subject may request not to receive the newsletter, and/or the deletion of his or her data.
The data are physically stored and processed by the servers of NUR s.r.l., which are located within the European Union.
The Data Controller agrees to accept immediately, or within 5 days at most, the requests for access, rectification, or erasure of personal data or objection to further processing if such requests come from the data subject, and it has prepared a form for the purpose that is available at its headquarters. In any case it will also accept requests – provided they are in writing and signed – that may arrive in any other way.
In the event of destruction of the mailing list, the damage to the privacy of the data subject would be extremely limited. In the event of wrongful access or dissemination of the information, the damage would in any case be small.
The mailing list and e-mail messages are accessible by the Data Controller only by means of a secure password that is frequently changed and known only to two persons at the Foundation.
The Processor has guaranteed:
• that it has set up procedures that comply with the GDPR;
• that adequate hardware and software security measures have been implemented to protect the data stored on the servers, in particular against the risk of wrongful access to the data.
In the case where the Data Controller suffers a theft of the data and has reason to believe that sensitive personal data have been divulged (data breach), it will make – if deemed necessary – a report to the Personal Data Protection Authority and will inform all data subjects concerned of the breach.
The risk to the customer’s privacy entailed in this processing is improbable and very small. However, considering the fact that:
• the Data Controller has a legitimate interest in carrying on this activity, which coincides with the interest of the stakeholders;
• the data subjects receive information of interest to them free of charge;
• the data processed are very few in number and necessary for the performance of the services requested;
• the data subjects have been notified of the existence of a processing of their personal data;
• it is possible to exercise the right to access, modification, and erasure of the data at any time;
the Data Controller deems the data processing in question legitimate and in compliance with the spirit and wording of the European General Data Protection Regulation 679/2016, and that the legal basis to continue it exists.
The Data Controller is Fondazione Valter Baldaccini, Via V. Baldaccini, 1 – 06034 Foligno (Perugia, Italy), Tel. +39 0742 348 428, e-mail: email@example.com.
A Processor is Kudu Srl Società Benefit, Via Cavour, 2 – 22074 Lomazzo (CO), Tel. +39 0236714480, e-mail: firstname.lastname@example.org.
The Data Controller, considering the nature and scale of the data processed, deems it unnecessary to appoint a Data Protection Officer (DPO).