This document describes the management procedures for the website www.change.ong (hereinafter, the “Website”) and the processing of personal data of users who consult it and of the subscribers to the newsletter of the Association Change ETS (hereinafter the “Association”).
This privacy notice is provided pursuant to Article 13 of EU Regulation 2016/679 (GDPR). This Privacy Policy applies solely to the Website and the services offered by the Data Controller, and does not extend to third-party websites accessible via links.
1. The Data Controller
The Data Controller is the Association Change ETS, headquartered at Via Arbe 33, 20125 Milan, Tax ID 974 192 301 52. For any information, please contact: segreteria@change.ong.
2. Purposes of Processing and Legal Basis
Data is collected to process donations according to your instructions and to send informational content, appeals, and updates regarding the activities of the Association Change ETS.The processing of Data necessary for the management and collection of donations is based on the performance of the contractual/pre-contractual relationship established with you and on compliance with legal obligations (Art. 6, para. 1, lett. b) and c), GDPR).
The processing aimed at sending appeals and updates regarding the Association's activities to individuals who have already made a donation is based on the legitimate interest of the Controller, within the limits established by Art. 130, paragraph 4, of the Code regarding the protection of personal data (see the clarification at the end of this paragraph regarding the legal basis of legitimate interest).
If you have subscribed to the newsletter without having made any donation, the processing is based on your consent (Art. 6, para. 1, lett. a), GDPR), which can be freely revoked at any time.Knowing your first and last name allows us to personalize the communications we send you. Knowing your email address allows us to deliver information and appeals without additional costs and with certainty of delivery. Knowing your postal address and tax code, when voluntarily provided by you, allows us to send you the donation receipt (a legal obligation); furthermore, your postal address allows us to send you printed appeals and updates. Knowing your phone or mobile number allows us to notify you via direct communications about specific initiatives, to communicate with you in case of problems with other communication channels, or to verify any inaccuracies detected in the data you originally provided.
If you subscribe to a membership card, your personal data allows us to make entries in the social registers, as required by law. Your bank details are required to activate, upon your request, a recurring donation. Your credit card details are required to collect, upon your request and with your consent, a one-off or recurring donation, according to your instructions. In any case, the processing of your Data based on the legitimate interest of the Controller is carried out, in addition to complying with Art. 6, paragraph 1, letter f of the GDPR, also in conformity with Recital 47 and Opinion No. 6/2014 of the Article 29 Data Protection Working Party, para. III.3.1.The provision of Data necessary to finalize the donation (e.g., name, surname, email address, and payment details) is mandatory: without it, it will not be possible to proceed with your donation request. The provision of additional Data (e.g., phone number, postal address, tax code) is optional; failure to provide them does not prevent the completion of the donation but may limit the Controller's ability to send you certain communications or documents (e.g., paper receipts, phone alerts) (Art. 13, para. 2, lett. e), GDPR).
3. Types of Data Processed
- Navigation Data: (IP, URI, request time) acquired implicitly during navigation. These are not associated with identified persons.
- Data Provided Voluntarily: Name, surname, email (sent by the user to contact the Association or subscribe to the newsletter), residential or domicile address, contact details (phone, email), tax code, bank and/or payment details.
- Data Collected via Cookies and Similar Technologies: For the type of cookies used, purposes, and management of preferences, please refer to the Website's Cookie Policy.
4. Methods of Processing
Your Data is collected and recorded lawfully and fairly for the purposes indicated above and is processed also with the aid of electronic and automated tools, including entry and organization in databases, in compliance with the security measures required by the GDPR, and, in any case, in such a way as to guarantee the security and confidentiality of the Data itself.
5. Recipients or Categories of Recipients
The Data may be made accessible to, disclosed to, or communicated to the following subjects, who will be appointed by the Controller, as the case may be, as processors or authorized persons:Employees and/or collaborators of the Controller in any capacity;Public or private entities, natural or legal persons, whom the Controller uses to carry out activities instrumental to achieving the aforementioned purpose or to whom the Controller is required to communicate the Data due to legal or contractual obligations. In any case, the Data will not be disseminated.
6. Transfer of Data Abroad
For processing instrumental to the management of the donor database, Data may be transferred to third countries (outside the EU). In such cases, the transfer will occur according to the Standard Contractual Clauses adopted with Commission Implementing Decision (EU) 2021/914 of June 4, 2021, following the completion of a Transfer Impact Assessment and the adoption of any necessary supplementary measures, in accordance with the ruling of the Court of Justice of the European Union in the “Schrems II” case (Case C-311/18), and in a manner that provides appropriate and suitable guarantees pursuant to Articles 46, 47, or 49 of the GDPR.
7. Retention Period
Data relating to donations and fiscal/accounting documents will be retained for a period not exceeding 10 years, for administrative and accounting purposes, in accordance with the terms provided by applicable regulations (Art. 2220 of the Italian Civil Code).Data processed for the purposes of sending appeals, updates, and newsletters (e.g., name, surname, email address) will be retained until the revocation of consent or the exercise of the right to object by the data subject and, in any case, for the time strictly necessary to pursue the purposes for which they were collected (Art. 5, para. 1, lett. e), Art. 7, para. 3, and Art. 21 GDPR).
8. Rights of Access, Erasure, Restriction, and Portability
The Controller informs you that you are recognized the rights referred to in Articles 15 to 20 of the GDPR. By way of example, by sending a specific request to the email address comunicazione@change.ong, you may:Obtain confirmation as to whether or not personal data concerning you is being processed;If processing is underway, obtain access to the data and information relating to the processing, as well as request a copy of the data itself;Obtain the rectification of inaccurate data and the integration of incomplete personal data;Obtain, if one of the conditions provided for in Art. 17 of the GDPR exists, the erasure of data concerning you;Obtain, in the cases provided for in Art. 18 of the GDPR, the restriction of processing of data concerning you;Receive the data concerning you in a structured, commonly used, and machine-readable format and request their transmission to another controller, if technically feasible;Revoke consent at any time, without affecting the lawfulness of processing based on consent given before the revocation (Art. 7, para. 3, GDPR).
9. Right to Object
Pursuant to Art. 21 of the GDPR, you also have the right to object at any time to the processing of your Data carried out for the pursuit of the legitimate interest of the Controller by writing to the email address comunicazione@change.ong. In the event of an objection, the Data will no longer be processed, unless there are legitimate grounds for proceeding with the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of a right in legal proceedings.
10. Right to Lodge a Complaint with the Supervisory Authority
The Controller also informs you that you may lodge a complaint with the Data Protection Authority if you believe that the rights you hold under the GDPR or any other applicable legislation have been violated, according to the procedures indicated on the website of the Data Protection Authority accessible at: www.garanteprivacy.it
