Privacy Notice

  • Home
  • Privacy Policy

PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA – PLATFORM

Let's Donation S.r.l., with registered office at Via Indipendenza, n. 22, 40121, Bologna (BO), Italy, and VAT No. 03188581205 (hereinafter, the "Data Controller"), in its capacity as Data controller, hereby informs you, pursuant to Regulation (EU) 2016/679 (the "GDPR") and the applicable data protection legislation, that your personal data, in connection with the "LET'S DONATION" platform (hereinafter, the "Platform"), will be processed in the manner and for the purposes set out below.

For the avoidance of doubt, any processing of personal data carried out for purposes other than those specified herein shall be governed by the privacy notices applicable to the relevant services from time to time.

1. RECITALS AND DEFINITIONS

  • "Processing of personal data" means any operation or set of operations which is performed on information relating to a natural person who is identified or identifiable.
  • "Personal data" means any data that Let's Donation has collected and/or collects in relation to you as an individual.
  • Let's Donation is defined under applicable data protection law as the "data controller" because it determines the purposes for which personal data relating to natural persons, referred to as "data subjects", are processed and how such processing is carried out. Data subjects are entitled to receive information about who we are, which personal data we process and for what reasons, as well as how and for how long we process them.
  • "Community" means a digital space that brings together a network of Users who can connect with each other and view each other's profiles according to the visibility settings selected during registration. If the User chooses to join the Community, they may determine the visibility level of their profile during the registration process. In particular, the User may decide whether to display their first name and surname to the Community or to appear as an anonymous donor by using only a nickname. In the latter case, the User is advised to carefully select a nickname if they do not wish to be identifiable. The User may also choose whether to be visible within the Community and/or the rankings. This option entails the simultaneous visibility of the organisations supported through donations.
  • "Third Sector Entities" means non-profit entities, organisations and associations which receive donations from Users via the Let's Donation platform. The personal data of donors that are necessary to complete and manage the donation are shared with such Third Sector Entities, which process those data for purposes related to their institutional activities and for any further purposes determined by them. In relation to these processing activities, the Third Sector Entities act as a data controller. Users are therefore invited to consult the privacy notices made available by each Third Sector Entity that receives the donation.

2. CATEGORIES OF PERSONAL DATA PROCESSED

In the context of the use of the Platform, the Data Controller processes only common personal data of the User, and in particular, by way of example: name and surname, contact details, browsing data, professional role/position, payment data, image and any other data necessary to create the User's profile, as well as information on the type of organisation supported.

3. PURPOSES AND LEGAL BASES OF PROCESSING

Personal data are processed for the purposes and on the legal bases described below:

  • performance of contractual and pre-contractual obligations (Article 6(1)(b) GDPR), in particular in order to:
    • create and manage the User's account on the Data Controller's Platform;
    • manage donations made via the Platform, including those processed through the Zucchetti portal in the case of payroll giving;
    • manage participation in contests and the issuance of gift cards;
    • handle requests for demos or information received via the relevant contact form;
  • subject to the User's consent (Article 6(1)(a) GDPR) the User's personal data may be processed in order to:
    • share the User's personal data with other Users in the Community, as further specified in the "Recitals and Definitions" section of this notice;
    • send, by newsletter, communications containing commercial and promotional information relating to the Controller and its services and/or products;
    • disclose personal data to third parties, in particular to the Third Sector Entities receiving the donation, for promotional purposes. Where the User provides the relevant consent, such entities may send promotional, informational or update communications concerning their initiatives. For this purpose, the beneficiary entity or association acts as a data controller. The User is therefore invited to consult the Privacy Notice of the relevant entity in order to understand in detail how their personal data are processed by such entity;
  • compliance by the Data Controller with legal obligations, arising from laws, regulations or EU or national legislation or imposed by competent authorities, such as the obligation to report donor data to the relevant body/entity; (Article 6(1)(c) GDPR);
  • pursuit of the Data Controller's legitimate interests (Article 6(1)(f) GDPR), such as:
    • establishment, exercise or defence of legal claims before a court or an authority;
    • management of the Platform and its operational functions, including monitoring its proper functioning, improving the quality of the services provided and optimising the Platform's features;
    • prevention and detection of fraudulent activities or abuses harmful to the Platform: the Data Controller's interest derives from a real and current legitimate interest in avoiding damage resulting from unlawful conduct of others;
    • sending, by e-mail, of commercial communications relating to the Data Controller's services and products similar to those already used by the data subject ("soft spam").

4. METHODS OF PROCESSING

Your personal data are processed, both in paper and electronic form, in such a way as to minimise the risk of destruction, loss (including accidental loss), unauthorised access/use or use that is incompatible with the purposes for which the data were initially collected. This is achieved through the technical and organisational security measures implemented by the Data Controller.

5. DATA RETENTION

The Data Controller processes personal data for as long as is necessary to achieve the purposes for which they are collected and, in any event, not beyond the time periods indicated below. It is understood that, upon expiry of such periods, the Data Controller may nonetheless retain personal data, in whole or in part, for specific purposes, where expressly required by law or for the establishment, exercise or defence of legal claims.

In the context of the use of the Platform, the Data Controller processes personal data for the time necessary to fulfil the purposes set out in Section 3 (Purposes and legal bases of processing) and, by way of example:

  • for 10 years from collection for the performance of contractual and pre-contractual obligations;
  • for the period required by applicable legal provisions in relation to the Data Controller's legal obligations;
  • for 24 months for marketing purposes.

6. PROVISION OF DATA

In the context of the use of the Platform, the provision of personal data:

  • for the purposes related to the performance of contractual and pre-contractual obligations connected with the use of the Site is mandatory. Such data are necessary for the relationship with the Data Controller and for the use of the services. The User may decide not to provide personal data; however, in the absence of such data it will not be possible to use the Controller's services;
  • for the purposes that are based on your consent is optional. Failure to provide data for these purposes does not prevent the use of the Data Controller's services.

7. DISCLOSURE OF DATA

For the purposes outlined above, the Data Controller may disclose your personal data to:

  • collaborators of the Data Controller who have been duly instructed and authorised to process personal data pursuant to Article 29 GDPR and Section 2-quaterdecies of Italian Legislative Decree no. 196/2003;
  • third parties necessary for the performance of activities connected with and instrumental to the execution of the contract (e.g. Third Sector Entities, companies participating in the "payroll giving" scheme, providers of IT, banking, insurance, accounting, tax, legal and other services), acting either as processors or data controllers;
  • only subject to your explicit consent, members of the Community to which you belong.

You may request from the Data Controller, at any time, the updated list of data processors.

8. TRANSFERS OF DATA

For the purposes set out above, the Data Controller may transfer personal data outside the European Economic Area. Such transfers will take place exclusively on the basis of an adequacy decision pursuant to Article 45 GDPR or, in any event, in compliance with the safeguards set out in Chapter V of the GDPR.

9. DATA SUBJECT RIGHTS

The Data Controller informs you that, as a data subject and where the statutory conditions are met and no legal limitations apply, you have the right to:

  • obtain confirmation as to whether or not personal data concerning you are being processed, even if not yet recorded, and to have such data made available to you in an intelligible form;
  • obtain indication of, and, where applicable, a copy of: a) the source and the categories of personal data; b) the logic applied in the case of processing carried out with the aid of electronic tools; c) the purposes and methods of the processing; d) the identity and contact details of the Data Controller and of any processors; e) the recipients or categories of recipients to whom the personal data may be disclosed or who may become aware of them, in particular if recipients in third countries or international organisations; f) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period; g) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; h) the existence of appropriate safeguards in the event of transfers of data to a non-EU country or an international organisation;
  • obtain, without undue delay, the updating and rectification of inaccurate data or, where you have an interest, the completion of incomplete data;
  • withdraw, at any time and easily, without hindrance, any consent given, using, where possible, the same channels used to provide such consent;
  • obtain the erasure, anonymisation or blocking of data: a) that have been processed unlawfully; b) that are no longer necessary in relation to the purposes for which they were collected or subsequently processed; c) where consent on which the processing is based is withdrawn and there is no other legal ground for the processing; d) where you have objected to the processing and there are no overriding legitimate grounds for the processing; e) where erasure is required for compliance with a legal obligation; f) where the data relate to minors. The Data Controller may refuse erasure only where necessary: a) for exercising the right to freedom of expression and information; b) for compliance with a legal obligation, the performance of a task carried out in the public interest or the exercise of official authority; c) for reasons of public interest in the area of public health; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; e) for the establishment, exercise or defence of legal claims;
  • obtain restriction of processing where: a) the accuracy of the personal data is contested by you; b) the processing is unlawful and you oppose the erasure of the data; c) the data are required by you for the establishment, exercise or defence of legal claims; d) verification is pending as to whether the legitimate grounds of the Controller override those of the data subject;
  • receive, where processing is carried out by automated means, the personal data concerning you in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance, or – where technically feasible – to have the personal data transmitted directly from one controller to another;
  • object, in whole or in part, on grounds relating to your particular situation, to the processing of personal data concerning you;
  • lodge a complaint with the Data Protection Authority or with the competent supervisory authority.

In the cases referred to above, where necessary, the Data Controller will inform third parties to whom your personal data have been disclosed of any exercise of rights by you, except in specific cases (for example, where this proves impossible or involves a manifestly disproportionate effort compared with the right to be protected). If you consider that your rights have been infringed, you also have the right to lodge a complaint.

For further information, you are invited to consult the website of the relevant Data Protection Authority where you will find a section dedicated to these rights.

10. EXERCISING YOUR RIGHTS

You may exercise your rights at any time by:

  • sending a registered letter with return receipt to the Data Controller's registered office;
  • sending an e-mail to: privacy@letsdonation.com
back to top