Privacy

Introduction

The Bracco Foundation (“Foundation”) attaches the maximum importance to the protection of the personal data of the users of its website and undertakes to ensure such protection in accordance with the applicable laws (specifically EU Regulation 2016/679 General Data Protection Regulation – hereinafter “Regulation” or “GDPR”).

This document (“Privacy Policy”) provides information about the processing of personal data collected by the Foundation through the website www.fondazionebracco.com (“Site”) and is therefore to be considered as a disclosure for interested parties pursuant to arts. 13 and 14 of the GDPR.

This Privacy Policy supplements the privacy disclosure usually published in the sections of the Site where users’ personal data is collected for specific purposes.

The disclosure is provided for the Foundation Site only and not for other websites the user may visit through links on the Site.

Data Controller

The Data Controller is the Bracco Foundation, headquartered in Via Cino del Duca 8, 20122 Milan (Italy). The Data Protection Officer may be contacted at the email address dpo@bracco.com

Types of Data Processed and Purposes of Processing

Browsing data

Processing of personal data of users who visit the Site without sending communications or using any of the available services/functions is limited to browsing data, that is, data whose transmission to the Site is necessary for the correct functioning of the IT systems that manage the Site and the Internet communication protocols. This category includes, for example, the IP addresses or the domain of the computer used to visit the Site and other parameters relating to the operating system employed by the user to connect to the Site. The Foundation collects these and other technical data (for example, the number of visits) solely for statistical purposes and anonymously, in order to ascertain the operation of the Site and improve its functionalities. Although this information is not collected in order to be associated with other information on users and to identify users, by its very nature it may enable users to be identified through processing and association with data held by third parties. Browsing data is normally erased after anonymous processing, but may be stored and used by the Foundation to ascertain and identify the authors of possible computer crimes committed against or through the Site. Excepting this possibility and the indications set out in the Cookie Policy section [http://www.fondazionebracco.com/en/utility/cookie-policy], browsing data as described above are stored only on a temporary basis as required by law.

Cookies

To ensure the correct functioning of the Site and improve the service provided, cookies are used on the Site. Cookies are small text files sent by the sites visited by the user to the user's computer (usually to the browser), where they are stored and then transmitted back to the same sites the next time the user visits them. The Foundation uses temporary session cookies, which are automatically erased every time the user leaves the Site, and persistent cookies, which remain on the user's hard disk until they are erased. The purpose of these cookies is to ensure that the Site is functioning correctly and to improve the user browsing experience, by collecting anonymous information about the way the user uses the Site. This information enables us to update the Site on a continuous basis in order to improve the user experience. The Site also uses tracking cookies whose purpose is to detect the interests of users browsing the Site. This information enables us to communicate with users more effectively. All information about these processes can be consulted in the Cookie Policy section [http://www.fondazionebracco.com/en/utility/cookie-policy] of the Bracco Foundation.

Data provided by the user on a voluntary basis

The optional and voluntary transmission of emails by the user/sender to the addresses shown on this Site, and the registration of the user in the private area of the Site, generate subsequent acquisition of the user/sender email address, to enable us to respond to requests, and of any other personal data included in the email and all the data inserted in the private area registration form.

The Foundation may process the user's personal data for the following purposes:a) to manage requests and observations received through the Site (special forms) or through emails sent by the user on a voluntary basis to the Foundation's email addresses published on the Site, also with regard to candidacies for Foundation projects;b) to manage registration in the private area of the Site and subsequent registration for initiatives such as competitions, events, programs, scholarships and so on, directly through the private area;c) to send institutional notices and/or promotional material of the Foundation or its Partners via email or the traditional postal service;d) to identify, through profiling, information of significance for the user, in order to suggest events deemed to be interest, and to conduct statistical analyses, in order to improve the content and functioning of the Foundation's communication services. In this case, in addition to the data supplied voluntarily by the user (e.g., areas of interest indicated on the registration form for access to the Private Area), the Data Controller may also process data relating to the user’s interaction with notices sent by the Foundation (e.g., delivery of emails to the user's electronic mailbox, the opening of emails, etc.);e) to comply with legal requirements, regulations, community laws.

With regard to the purposes indicated in heads a) and b), data processing may take place without the user’s consent, as envisaged by art. 6.1 (b) of the GDPR, since processing is necessary for execution of pre-contractual measures (information requests, reports) at the user’s specific request; should the mandatory personal data marked with an asterisk (*) not be provided, it will not be possible to proceed with the user’s request/observation.

With regard to the purposes indicated in heads c) e d), no consent is required, since processing is based on the Data Controller's legitimate interest in efficient communication of the events it organises to achieve its mission: to support the creation and dissemination of culture, art and science in order to improve the quality of life and social cohesion, as envisaged by art. 6.1 (f) of the GDPR.

With regard to the purpose indicated in head e), the legal basis for processing is set out in art. 6.1 (c) of the Regulation.

All user data is also processed with paper-based and automated tools that guarantee security and confidentiality.

The personal data of people accompanying the user – which may be provided by the user on the event registration form – will be processed solely for the purpose of managing the event registration request.

All data provided by users on a voluntary basis is processed solely for the purposes indicated above for which the data are provided. Specific summaries are gradually set out or shown on the Site pages relating to particular services and/or initiatives.

Links to other sites

The Site may contain links to other sites (so-called third-party sites). The Foundation does not access or run checks on cookies, web beacons and other user tracking technologies used by the third-party sites the user may access from the Site. The Foundation does not run any checks on content and material published by or obtained through third-party sites nor on the methods employed by third-party sites to process users’ personal data, and expressly declines all liability relating to such eventualities. The user should check the privacy policy of the third-party sites they access via the Site and obtain information on the conditions that apply to processing of their personal data. This Privacy Policy applies only to the Site as defined above.

Conferment of data

Conferment of Personal Data is optional. If, however, the user wishes to register on the Site and/or take part in Foundation initiatives and/or receive information about Foundation activities, all the fields marked as mandatory on the relevant forms must be filled in, and, where requested, consent must be given to the processing of data. Refusal to give consent will not produce any effects other than that it will not be possible to register the user on the Site and for Foundation initiatives and inform the user about programs/initiatives that might be of interest and/or send the user any other information about the Foundation and its Partners. At any time the user may amend or revoke their consent or oppose processing, by writing to the address of the Data Controller.

Processing methods

Data will be processed by the Foundation with appropriate electronic or otherwise automated information technology and communication tools, or by means of manual and paper-based processing methods, strictly for the purposes set out above for which the data were provided and in any case in a manner that ensures the security and confidentiality of the data. Data will be processed by internal Foundation staff specifically authorised to process data in connection with the performance of the duties assigned to them, and eventually, to the extent necessary and/or useful for the execution of the purposes indicated above, by third parties acting on behalf of the Foundation in the capacity, as the case may be, of independent Data Controllers, Co-Data Controllers or Data Processors designated pursuant to art. 28 of the GDPR (e.g., Partners of Foundation initiatives, service providers, engineers responsible for maintenance of IT services, other providers whom the Foundation may use in connection with the above purposes, Bracco Group companies).

All data recipients shall receive only the data they require to perform their functions and they shall undertake to use the data only for the purposes indicated above and to process them in compliance with applicable laws. Except as indicated above, data are not shared with third-party natural or legal persons who do not perform any functions of a commercial, professional and/or technical nature for the Data Controller, and shall not be circulated.

As regards the possible transfer of data to other countries, including countries that might not guarantee the same level of protection as that envisaged by the data protection Regulation (i.e., non-EU countries), the Data Controller declares that processing will in any case be performed in compliance with one or more of the methods allowed under the Regulation, as the case may be, for example, the explicit consent of the user, the adoption of Standard Contractual Clauses approved by the European Commission, the selection of parties adhering to international programs for the free circulation of data or who operate in countries deemed secure by the European Commission.

The list of data recipients is available upon request from the Data Controller through the contacts indicated in this policy.

Data storage period

In compliance with art. 5.1 (c) of the Regulation, the information systems and computer programs used by the Foundation are configured to minimise use of personal and identifying data. Data are processed only to the extent necessary to achieve the purposes indicated in this disclosure. Data will be stored for the length of time strictly necessary to achieve the purposes actually pursued and, in any case, the criterion used to determine the storage period is based on compliance with the terms allowed by law, by the principles of minimisation of processing, limitation of storage and rational management of the archives, and also by the provisions of the Data Protection Authority with reference to specific data or processing.

Rights of interested parties

At any time, the user may exercise the rights recognised under arts. 15-22 of the Regulation, including the right to obtain confirmation of the existence or otherwise of their personal data, to check its content, origin, accuracy, location (also with reference to any third-party countries), to request a copy, to request amendments and, in the cases envisaged by current laws, limitation of processing and erasure. The user has the right to object at any time, and in the cases envisaged by current laws, to processing procedures by the Foundation, for example, direct contact activities, promotional activities (also when limited to specific means of communication) or profiling activities. Similarly, the user may at any time revoke consent, when provided, and/or report observations on specific use of the data with regard to particular personal situations deemed not to be correct or justified by the existing relationship or request a complaint by a controlling authority to the Data Protection Authority.

For all queries regarding processing of personal data by the Foundation, to exercise the rights recognised under the applicable laws and to receive an updated list of the parties who may access the data, the user may contact the Data Controller by sending an email message to segreteria@fondazionebracco.com or through the normal postal service to the following address: Fondazione Bracco, via Cino del Duca 8, 20122 Milano, Italy.