Dear Mr / Mrs, Miss
Data subject
pursuant to the legislation on the protection of personal data Legislative Decree 30 June 2003, n. 196 (hereinafter “Privacy Code”) and subsequent amendments and art. 13 and 14 of EU Regulation 2016/679 (GDPR) we inform you that the personal data you communicate or collect will be processed in the manner and for the purposes specified below.

Identification details and contact details of the Data Controller.
Lega Italiana Anti Fumo
Via Siena n. 24 – 95128 CATANIA
Tel. +39 339 379 5767
E-mail: info@liaf-onlus.org

Type of data processed
The data processed that relate to you are common data such as: name, surname, age, gender, tax code, address of residence or domicile and contact details – telephone, e-mail address, bank and payment references.

Purpose and legal basis of the processing:
a) completion of all phases related to the donation, including instrumental activities (e.g. communications on payments, summaries of donation and reporting) and compliance with internal administrative procedures. The legal basis for the provision and processing of the aforementioned data is the execution of the contract to which the data subject is a party (art. 6, par. 1, letter b) of EU Reg. 679/2016).
b) fulfillment of legal obligations or regulations in force in Italy (e.g. communication to the Revenue Agency – for the preparation of the pre-filled tax returns – of personal data and data relating to the donations made, pursuant to the Minister of Economy and Finance 30.01.2018). The legal basis for the provision and processing of the aforementioned data is the fulfillment of legal obligations.
c) ascertaining, exercising or defending the rights of the Data Controller in court. The legal basis for the provision and processing of the aforementioned data is to guarantee the legitimate interest of the Data Controller pursuant to Article 6, paragraph 1, letter f) of the GDPR.

Mandatory or non-mandatory nature of the provision of data
The provision of data for the purposes referred to in letter a) is necessary to guarantee the execution of contractual relations and compliance with internal administrative procedures respectively. Refusal, even partial, to the conferment or communication will make it impossible to accept and manage your donation.
The provision of data for the purposes referred to in letter b) is mandatory. Refusal, even only partial, to the conferment or communication will make it impossible to accept and manage your donation and to fulfill all the formalities required by law, including those of a fiscal nature.
The provision of data for the purposes referred to in letter c) is necessary to guarantee the legitimate interest of the Data Controller. Refusal, even only partial, to the conferment or communication will make it impossible to accept and manage your donation. The Data subject can exercise, among other things, the rights referred to in Article 21 of the GDPR.

Methods of treatment:
The data indicated above will be subject to manual and/or computerized processing, carried out on individual personal data or sets of personal data and may include: collection, recording, organization, structuring, conservation, storage, adaptation or modification, extraction, consultation, use, communication by transmission or any other form available, comparison, cancellation or destruction, in the following ways: a) processing of data directly at the data subject; b) treatment on paper; c) treatment on magnetic or IT support. The treatment will be carried out in compliance with the principles of necessity, relevance and with the use of suitable technical and organizational measures, aimed at guaranteeing the security and confidentiality of the data.
For the purposes set out above, if necessary, the data may be transferred to countries of the European Union and to third countries with respect to the European Union for which there is an adequacy ruling by the Commission or in the presence of one of the additional conditions legitimizing the transfer.

Data retention
The Data Controller will retain personal data for the time strictly necessary to guarantee the correct management of the donation and, in any case, for a period not exceeding 10 years from the termination of the contract, unless personal data must be kept under legal regulations or to assert a right in court.

Access to data
Your data may be made accessible:

  • to personnel specifically in charge of data processing operations;
  • to third-party companies or other subjects (for example, professional firms; legal, administrative, tax and/or IT consultancy firms; hosting provider, etc.) who carry out, as external data processors, data elaboration and/or data processing on behalf of the Data Controller.
    The updated list of data processors and persons in charge may be requested from the Data Controller.

    Categories of specific subjects to whom the data can be communicated
    Your data may be communicated, exclusively for the purposes specified above and in compliance with the principle of relevance, to the categories of subjects indicated below, who will carry out the processing as Autonomous Data Controllers, as subjects unrelated to our organization, namely:
  • subjects to whom communication is mandatory by law or by virtue of secondary or community legislation;
  • banks, credit card issuers or PayPal to allow the transactions necessary for the donation and which will process the data for the purposes related to the management of the means of payment;
  • Revenue Agency for the preparation of pre-filled tax returns;
  • Judicial authorities for the protection of rights.

    Rights of the data subject
    The data subject, at any time, may exercise the rights provided for in articles 15 to 22 of the New Regulation 2016/679 (GDPR) and this also pursuant to Legislative Decree no. 196 of 30 June 2003, as amended by Legislative Decree no. 101/2018, towards the Data Controller and more precisely:
    Right of access to personal data, pursuant to art 15 of the GDPR: the data subject has the right to obtain from the data controller the confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and to be informed about the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; if the data have not been collected from the data subject, the right to receive all the information available on their origin; right to receive information on the existence of an automated decision-making process, including profiling and significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject.
    Right to rectification and integration of personal data, pursuant to art 16 of the GDPR: the data subject has the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, also by providing a supplementary statement.
    Right to obtain the erasure of personal data in the cases provided for by art 17 of the GDPR: the data subject has the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay: (a) if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) if the data subject revokes the consent on which the treatment is based and there is no other legal basis for the treatment; (c) the data subject objects to the processing pursuant to Article 21, paragraph 1, of the GDPR and there are no overriding legitimate grounds for the processing, or pursuant to Article 21, paragraph 2 of the GDPR, the data subject objects to the processing of data that are processed for marketing or profiling purposes; (d) if the personal data have been unlawfully processed; (e) or the personal data must be erased to fulfill a legal obligation under Union or Member State law to which the Data Controller is subject; (f) or concern information collected from minors, in violation of art. 8 of the Regulations. The right to obtain the erasure cannot be exercised if there are the reasons indicated in art. 17 paragraph 3 of the Regulation.
    Right to restriction of processing of personal data in the cases provided for by Article 18 of the GDPR: the data subject has the right to obtain from the controller restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; (d) the data subject has objected to processing pursuant to Article 21, paragraph 1 pending the verification whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted, such personal data, with the exception of storage, are processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject who has obtained restriction of processing of personal data is informed by the controller before the restriction of processing is lifted.
    Right to the notification of the recipients of the personal data being processed, pursuant to Article 19 of the GDPR: The controller communicates any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17, paragraph 1 and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller informs the data subject about those recipients if the data subject requests it.
    Right to data portability of personal data, in the terms and conditions referred to in Article 20 of the GDPR: The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on consent or on a contract; and b) the processing is carried out by automated means. In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right to data portability shall be without prejudice to the right to cancellation referred to in article 17 of the GDPR. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others.
    Right to object to the processing of personal data, pursuant to art 21 of the GDPR: The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her pursuant to Article 6, paragraph 1, letters e) and f) (respectively for the execution of a task of public interest or connected to the exercise of public powers with which the data controller is invested or carried out for the pursuit of the legitimate interest of the data controller or third parties), including profiling. Where personal data are processed for direct marketing purposes or for profiling purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such purposes.
    Right not to be subject to automated decisions, including profiling, pursuant to art 22 of the GDPR: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except in cases where the automated decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent.
    The data subject also has the:
    Right to obtain the contact details of the Data Protection Officer, if appointed, to whom he or she can send his or her requests.
    Right to revoke any consent given to the processing of data, at any time and without this prejudicing the lawfulness of the processing carried out before the revocation.
    The rights are exercised with a request addressed, without formalities and free of charge, to the Data Controller, also through a designated person. The request can be transmitted using the contact details indicated in the epigraph.
    It should be noted that only in the event of a request for further copies of the data by the data subject, the Data Controller may charge a reasonable expense contribution based on administrative costs. It is understood that, where the request is submitted by electronic means and unless otherwise indicated by the data subject, the information will be provided in a commonly used electronic format, upon identification of the data subject.
    RIGHT TO LODGE A COMPLAINT
    Pursuant to art. 77 GDPR 2016/679, the data subject also has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement; for Italy, the competent Data Protection Authority is the Guarantor for the protection of personal data. Pursuant to art. 2-undecies of Legislative Decree n. 196 of 30 June 2003, as amended by Legislative Decree 101/2018, the data subject is informed of the following:
    “1. The rights referred to in Articles 15 to 22 of the Regulation cannot be exercised with a request to the Data Controller or with a complaint pursuant to Article 77 of the Regulation if from the exercise of these rights can derive an actual and concrete prejudice to:
    a) the interests protected under the provisions on money laundering;
    b) the interests protected under the provisions on support for victims of extortion requests;
    c) the activity of parliamentary committees of inquiry established pursuant to article 82 of the Constitution;
    d) the activities carried out by a public entity, other than economic public bodies, based on the express provision of the law, for exclusive purposes relating to monetary and currency policy, the payment system, the control of intermediaries and credit and financial markets, as well as the protection of their stability;
    e) to carry out defensive investigations or to exercise a right in court;
    f) the confidentiality of the employee’s identity who reports pursuant to law 30 November 2017, no. 179, the offense of which he or she became aware because of his office.
    2. In the cases referred to in paragraph 1, letter c), the provisions of the parliamentary regulations or the law or the founding rules of the Commission of inquiry apply.
    3. In the cases referred to in paragraph 1, letters a), b), d), e) and f) the rights referred to in the same paragraph are exercised in accordance with the provisions of law or regulation governing the sector, which must at least bear direct measures to regulate the areas referred to in Article 23 (2) of the Regulation. The exercise of the same rights can, in any case, be delayed, limited or excluded with reasoned communication and made without delay to the data subject, unless the communication may compromise the purpose of the limitation, for the time and within the limits in which this constitutes a necessary and proportionate measure, taking into account the fundamental rights and the legitimate interests of the data subject, in order to safeguard the interests referred to in paragraph 1, letters a), b), d), e) and f). In such cases, the rights of the data subject can also be exercised through the Guarantor in the manner referred to in Article 160. In this case, the Guarantor informs the data subject that all the necessary checks have been performed or that a review has been carried out, as well as the right of the data subject to bring a judicial appeal. The Data Controller informs the data subject of the faculties referred to in this paragraph”.

    Privacy policy changes
    The Data Controller reserves the right to make changes to this privacy policy at any time by publishing them on the institutional web page.
    Lega Italiana Anti Fumo