DATA PROTECTION POLICY
This Data Protection Policy is provided pursuant to and in compliance with Article 13 of the Regulation (EU) 2016/679 (hereinafter ‘GDPR’) on the protection of natural persons regarding the processing of personal data. It aims to explain in a transparent manner how and why we collect, store and use your personal data and how you can exercise your rights concerning such processing.
1. Who is the Data Controller, and how can I contact them?
The Data Controller is the Wellness Foundation (VAT no.: 03340690407) with registered office at Via Uberti 48, Cesena (hereinafter the ‘Foundation’ or the ‘Data Controller’). You can contact the Foundation at the above address or by email at: email@example.com. To learn about your rights, please consult section 9 of this document.
2. When does this policy apply? What are the purposes for which your data is processed?
This Data Protection Policy applies to data collected on the website or during initiatives and events organised by the Foundation or by others in which the Foundation participates as a sponsor or guest. This data will be processed in compliance with the privacy legislation referred to above and the principles of correctness, lawfulness and transparency for the following purposes:
- the promotion of Wellness culture, understood as a lifestyle combining regular physical activity, healthy eating and a positive mental approach; in such instances, we will use the data voluntarily provided by the data subject when participating in a wellness promotion event organized by the Foundation, through the completion of an online or paper form; the legal basis for processing in this case will be the data subject’s request to participate in the initiative pursuant to Article 6, paragraph 1(b) of the GDPR;
- research activities on topics relating to wellness, such as the investigations on lifestyles through voluntary questionnaires (e.g. Wellness Index); also in such instances, data is collected and processed only upon the data subject’s voluntary participation in the questionnaire or survey, following which the subject typically receives feedback useful for their wellness experience, pursuant to Article 6, paragraph 1(b) of the GDPR;
- training and dissemination activities in which the data subject voluntarily participates, pursuant to Article 6, paragraph 1(b) of the GDPR;
- communication campaigns promoting the wellness lifestyle, directed at those who have declared their willingness to receive the Foundation’s newsletters.
The Foundation does NOT pursue marketing purposes.
3. What personal data are collected?
The Foundation processes, by way of example and without limitation, the following categories of personal data:
- Personal and contact data such as: name, surname, place of residence or domicile, telephone number, email address; in the context of events organized by the Foundation or in which the Foundation participates, photos and portraits of the data subject may also be collected;
- Other personal data such as: date of birth, gender, weight, height, organization affiliation, job title, profession;
- Qualitative and quantitative data on lifestyles in anonymous and aggregate form only, collected through voluntary questionnaires or interviews. In this context, where an email is requested at the end of a questionnaire (e.g., the Wellness Index), this identifying data will be used exclusively to communicate the questionnaire outcome to the data subject and will not be retained by the Foundation, which therefore will not have access to any identifying data of the data subject who has completed and responded to an exploratory survey.
4. Personal data of minors?
We do not process the data of individuals under the age of 13 except in relation to specific initiatives involving the activation of information society services (e.g., Wellness Week). Where we process the data of individuals under the age of 13, we will ensure that we obtain parental consent or consent from those exercising parental responsibility over minors.
5. How data are processed
Data is collected and processed mainly in electronic and digital format. Sometimes, it may be collected in paper format, for example, when filling out paper forms during in-person events. The Foundation applies privacy-by-design and privacy-by-default criteria to all processing of personal data, adopting appropriate security measures according to identified risks.
6. Who can have access to your personal data?
The data collected for the purposes outlined in paragraph 3 may be accessed by: employees of the Foundation, who act as data processors, or third parties to whom the Foundation has entrusted the performance of specific processing activities as external data processors. All of these parties access the data exclusively for the purposes outlined above and in compliance with the data processing agreement (or “DPA”) signed with the Foundation. Authorized parties may also access the data based on legal provisions, regulations, or EU legislation, or pursuant to orders from the Judicial Authority. The list of individuals or legal entities who may have had access to your personal data on behalf of the Foundation can be requested by writing to firstname.lastname@example.org.
7. What about international transfers?
Personal data collected for the purposes outlined in paragraph 3 is hosted on servers located in the EU territory and is processed by operators subject to EU provisions. If a transfer to non-EU countries is required, the Foundation will verify the existence of adequacy decisions and, if the destination countries are not guaranteed by adequacy decisions, the transfer will only take place after suitable guarantees are adopted in accordance with the GDPR, including the execution of Standard Contractual Clauses.
8. How long do we keep personal data?
Personal data will be processed only for the time necessary to achieve the purposes for which they were collected and will be deleted from our databases and archives or rendered irreversibly anonymous within 5 years from the last active interaction with the data subject.
9. What are the Data Subject’s rights concerning personal data processing, and how can they be exercised?
The GDPR guarantees the Data Subject a series of rights that can be exercised by notifying the Foundation at the address given in paragraph 1.
A brief description of the Data Subject’s rights concerning the processing of personal data follows.
- The right of access allows the Data Subject to obtain confirmation of whether or not the Foundation is processing their personal data and, if necessary, to obtain access to such data and related information;
- The right of rectification enables the Data Subject to have inaccurate personal data amended without undue delay and, taking into account the purposes of the processing, to have incomplete data supplemented;
- The right to erasure allows the Data Subject to have the data erased without undue delay (e.g. when the personal data are no longer necessary for the purpose for which they were collected), without prejudice to exceptions provided for in applicable legislation (e.g. when the retention of data is necessary to fulfil the Data Controller’s legal obligations). This right does not extend to the lawfulness of data processing based on consent given before its revocation.
- The right to data portability allows the Data Subject, in certain circumstances provided for by applicable legislation, to receive in a structured, commonly used and machine-readable format the personal data concerning them as provided to the Foundation.
- The right to restriction of processing allows the Data Subject to limit the processing of their personal data. In such cases, the Foundation may continue to process the Data Subject’s data, but only under certain circumstances (e.g. to exercise its right of defence and to protect the rights of other natural persons or legal entities);
- The right to object to processing allows the Data Subject, in certain circumstances pursuant to applicable legislation, to object to the processing of personal data concerning them, unless there are freedoms, rights or overriding legitimate reasons for the Foundation to continue such processing.
The Data Subject may complain to the Data Protection Authority if they feel they have not received a satisfactory response from the Data Controller regarding their rights or think those rights have been violated. The Italian Data Protection Authority’s contact details are available at this link: https://www.garanteprivacy.it/.
We may occasionally make changes to this Policy. Should they be of material significance, we will provide the Data Subject with a clearly visible notice, depending on the circumstances, e.g. on the Foundation’s Website or by email.