PRIVACY POLICY – JOIN ASSOCIATION ASSO DPO

Information notice pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)

1. WHO IS THE DATA CONTROLLER? HOW TO CONTACT THEM?

The data controller, pursuant to Articles 4 and 24 of EU Regulation 2016/679, is the Association Data Protection Officer (ASSO DPO), headquartered at Viale Monza, 44- 20127 - Milan, VAT number 08258580961, Tax code 97656960156, represented by its President and legal representative pro-tempore, Dr. Matteo Colombo.
To contact the data controller: email info@assodpo.it or toll-free number 800561720.

2. PURPOSE OF PROCESSING, LEGAL BASIS, DATA RETENTION PERIOD, NATURE OF PROVISION

Purpose A)
Disclosure – with prior consent – of identifying data, through their publication in the "Members Register" (applicable only to the categories of "Educational Members", as defined within the Bylaws).

  • LEGAL BASIS: The legal basis varies depending on the type of member: consent (Art. 6, para. 1, lett. a) GDPR) is only requested where types of members other than "Effective Members", such as "Educational Members", wish to appear in the list ("Members Register").
  • DATA RETENTION PERIOD: The data subject is always free to revoke the given consent.
  • NATURE OF PROVISION: Providing data is optional. Failure to provide data for this purpose will not affect membership in the Association.

Purpose B)
Disclosure of additional personal information in the "Members Register": all categories of members, upon registration, may also freely choose to provide, with consent, further identifying information to be included in such a list (such as, for example, name, surname, and province of residence).
If individuals do not consent to such processing, their identifier in the "Members Register" will be reported with the "membership number" linked to pseudonymized personal data (instead of full name and surname, only initials followed by an asterisk will be reported).

  • LEGAL BASIS: Consent (Art. 6 para. 1 lett. a) GDPR): The data subject has given consent to the processing of their personal data.
  • DATA RETENTION PERIOD: The data subject is always free to revoke the given consent.
  • NATURE OF PROVISION: Providing data is optional. Failure to provide data for this purpose will not affect membership in the Association.

Purpose C)
Disclosure of personal data, including images (photos/videos/audio), for promotional and educational activities aimed at advertising the activities and services of the Association.
Personal data may be collected during events organized by ASSO DPO (e.g., conferences, seminars, training, etc.), also through webinars or remote events via event registration. The dissemination will occur through the publication of personal data (including images) through various communication tools and channels such as magazines, brochures, presentations, websites, and social networks.

  • LEGAL BASIS: Consent (Art. 6 para. 1 lett. a) GDPR): The data subject has given consent to the processing of their personal data.
  • DATA RETENTION PERIOD: The potential use of printed promotional material will occur until exhaustion of the produced material stocks. Upon subsequent production of promotional material, personal data and images will no longer be reproduced. The data subject is always free to revoke the given consent.
  • NATURE OF PROVISION: Providing data is optional. Failure to provide data for this purpose will not affect membership in the Association.

Purpose D)
Transfer of data to third parties (partners and sponsors of the Controller) for marketing purposes, namely to receive promotional material and commercial/informational communications from third-party entities, which operate, for example, in the following sectors: insurance companies for Data Protection Officer professional liability policies, certification bodies, consulting and training companies, universities, software houses, and in general, third parties affiliated with ASSO DPO.
The list of the aforementioned third parties and active agreements is available at the following link: https://www.assodpo.it/convenzioni/.

  • LEGAL BASIS: consent (Art. 6 para. 1 lett. a) GDPR), the data subject has given consent to the processing of their personal data.
  • DATA RETENTION PERIOD: the data subject is always free to revoke the given consent.
  • NATURE OF PROVISION: providing data is optional. Failure to provide data for this purpose will not affect membership in the Association.

Purpose E)
Registration for membership in the Association Data Protection Officer and pursuit of all purposes related to membership and the achievement of the Association's objectives, including, in particular:

  • organizing meetings and moments of discussion, also through online tools, in order to promote "discussion and exchange of information among members" (see Article 4 para. 1 lett. a) of the Bylaws), also for "developing shared solutions to the practical problems posed by privacy regulations" (see Article 4 para. 1 lett. d) of the Bylaws).
  • organizing "cultural activities, conferences, seminars, debates, assemblies, meetings, training courses, qualification and specialization courses, scholarships, various activities in the cultural and recreational sector, related to the social purpose" (see Article 4 para. 1 lett. g) of the Bylaws).
  • organizing examination sessions for the certification of the Data Protection Officer (see Article 4 para. 1 lett. i) of the Bylaws).

  • LEGAL BASIS: the legal basis is constituted by the fulfillment of contractual obligations (Article 6, paragraph 1 letter b) GDPR).
  • DATA RETENTION PERIOD: duration of enrollment and, after termination of the relationship, 10 years.
  • NATURE OF THE PROVISION: data provision is necessary for joining the Association. Failure to provide data marked with the symbol* or labeled (required) will result in the inability to register. Provision of data without * is optional and will not prevent completion of registration.

Purpose F)
Release of professional certificates upon request by the Members and subject to verification of the presence of all necessary requirements as provided by law.

  • LEGAL BASIS: the legal basis is constituted by a legal obligation (Art. 6, para. 1 lett. c) GDPR and Law of January 14, 2013, no. 4, article 7) paragraph 1, which provides that 'In order to protect consumers and ensure transparency in the market for professional services, professional associations may issue to their members, subject to necessary checks, under the responsibility of their legal representative, a certificate [...].'
  • DATA RETENTION PERIOD: duration of enrollment and, after termination of the relationship, 10 years.
  • NATURE OF THE PROVISION: providing the required data through the appropriate form is mandatory to allow the Association to carry out the verifications required by law and issue the certificate. In case of non-provision, the Association will not be able to issue the requested certificate.

Purpose G)
Dissemination of identifying data through the publication of the 'Members Registry'.

  • LEGAL BASIS: the legal basis is constituted by a legal obligation (Art. 6, para. 1 lett. c) GDPR and Law of January 14, 2013, no. 4, art. 4 para. 1 and art. 5 para. 2 letter b)) which requires the Association to prepare and publish the list of registered 'Effective Members - Natural Persons' updated annually (the 'Members Registry').
  • DATA RETENTION PERIOD: duration of enrollment.
  • NATURE OF THE PROVISION: providing data is mandatory for joining the Association.

Purpose H)
Newsletter service. In pursuing the fundamental purposes provided by the Bylaws, including 'promoting research and dissemination of knowledge' and 'promoting the enhancement of the DPO role and fostering their professional growth', the Association offers a newsletter service.
This activity is conducted through the email addresses provided directly by the data subject during the association's registration phase. The data subject will receive, through this channel, institutional communications, news about the association, and more generally, notifications regarding events such as the Congress, new webinars, new articles published on the website, and on the Association's official channels.
The Data Controller, to compare and potentially improve communication results, uses newsletter delivery systems with reports. Through these reports, the Data Controller will be able to know, for example: the number of readers, openings, unique "clickers", and clicks; the devices and operating systems used to read the communication; the details of emails sent, delivered and undelivered. All of this data is used for the purpose of comparing and, if necessary, improving communication results.

  • LEGAL BASIS: the processing is necessary for the pursuit of the legitimate interests of the data controller or third parties, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail. The legitimate interest of the controller is to pursue the institutional information purposes pursued by the Association (Art. 6, para. 1 lett. f) GDPR, and considering recital 47). As provided for in Opinion 6/2014 of the Article 29 Working Party - WP29 - on the concept of legitimate interest, the Controller has conducted a Legitimate Interests Assessment (LIA), balancing the interests of the parties and the rights at stake. The data subject may object to the legitimate interest of the data controller both at the time of joining the Association and subsequently.
  • DATA RETENTION PERIOD: The data subject can easily and free of charge object to the processing (by using the automated cancellation systems provided for email only; each communication will contain a link to exercise the opt-out).
  • NATURE OF THE PROVISION: The provision of data is optional, and in the absence of it, the data of the data subject will not be processed for the purpose. Refusal to provide data will not affect the usability of other services of the Association.

3. TO WHOM WILL THE PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS

The personal data will be disclosed to entities who will process the data as independent data controllers, or data processors (art. 28 GDPR) and processed by individuals (art. 29 GDPR) acting under the authority of the Controller and Data Processors on the basis of specific instructions provided regarding the purposes and methods of processing. The data will be disclosed to recipients belonging to the following categories:

  • to other Members, upon request;
  • users of the website / visitors who freely choose to consult the members list (the data included therein depend on whether the data subjects have given consent to purpose b), to which reference is made);
  • companies, based in Italy, contractually bound to the Association Data Protection Officer;
  • entities, based in Italy, providing services for the management of the information system used by the Association Data Protection Officer and telecommunication networks;
  • entities, based in Italy, providing services for the website and communication networks, including email, hosting, and management of the newsletter service;
  • providers of platforms used for organizing meetings in person and online (distribution of invitations, collection of registrations and participation), for the management and delivery of 'cultural activities, conferences, seminars, debates, assemblies, meetings, training courses, qualification and specialization, scholarships, various activities in the cultural and recreational sector, related to the social purpose', also based in non-EEA countries (see para. 4 below);
  • Freelancers, firms, or companies in the context of assistance and consultancy relationships, based in Italy;
  • Only with prior consent, entities, based in Italy, providing services for the management of activities related to purpose c) - image dissemination - such as photography and videography, communication, brochure printing, flyer creation, publication of photos and videos on websites and Association's social media channels, etc.;
  • only with prior consent to purpose c) - image dissemination - providers of social media platforms and related service providers (for example, for uploading videos made during events), also based in non-EEA countries (see para. 4 below);
  • only with prior consent, commercial partners / sponsors, based in Italy, for purpose d) - transfer of data to third parties;
  • Competent Authorities for compliance with legal obligations and/or provisions of public bodies.

The list of Data processors is constantly updated and available by writing to info@assodpo.it or at the Data Controller's registered office.

4. DOES ASSO DPO TRANSFER THE DATA TO COUNTRIES OUTSIDE THE EEA?

Personal data will also be transferred to countries located outside the European Economic Area (EEA), if the data subjects consent to dissemination for promotional and informational activities conducted by the Association, also through the use of social media platforms. Such transfer will then be managed as established in the terms and conditions and privacy policies of those platforms. In particular, reference is made to the following policies:

In addition, the transfer of personal data outside the European Economic Area (EEA) will also occur in the context of the organization and management of meetings and other online initiatives, through tools such as: In cases where it is necessary to transfer personal data of data subjects to countries located outside the EEA, this will be done in compliance with the limits and conditions set forth in Articles 44 and following of Regulation (EU) 2016/679.
In particular:

The data subject will be able to obtain information concerning guarantees for the transfer of data by writing to info@assodpo.it or at the Data Controller’s registered office.

5. IS THERE AN AUTOMATED PROCESS?

Personal data will be subject to traditional manual, electronic, and automated processing. It is specified that no fully automated decision-making processes are carried out.

6. WHAT ARE THE RIGHTS OF DATA SUBJECTS? HOW TO EXERCISE THEM?

The data subjects may enforce their rights as expressed in articles 15 and following of the GDPR by contacting the Data Controller at the email address: info@assodpo.it, or by writing to the above-mentioned contacts. The data controller ensures data subjects the possibility to request, at any time, access to their personal data (art. 15), rectification (art. 16), erasure of the same (art. 17), and restriction of processing (art. 18). The data controller communicates (art. 19) to each recipient to whom the personal data have been disclosed any rectifications, erasures, or restrictions of processing carried out. The data controller informs the data subjects who request it about such recipients.

The data controller ensures the right to data portability (art. 20) and, in the event of requests under art. 20, will provide data subjects with the data in a structured, commonly used and machine-readable format.

Data subjects have the right to object (art. 21), at any time, to the processing of data based on legitimate interest, by writing to the contacts listed above with the subject 'objection'. Where the right to object to processing based on legitimate interest is exercised, the controller gives data subjects the possibility of obtaining, upon request, information about the balancing test performed.
To unsubscribe from the newsletter service (email), data subjects are invited to write an email to the address info@assodpo.it with the subject 'unsubscribe from automated' or to use our automatic unsubscribe systems within the communication emails.

In cases provided for, data subjects have the right to withdraw consent without affecting the lawfulness of processing based on consent before its withdrawal.

If data subjects believe that the processing of personal data carried out by the Data Controller violates the provisions of Regulation (EU) 2016/679, they are free to lodge a complaint with the national supervisory authority, particularly in the Member State where they habitually reside or work, or where the alleged violation of the Regulation occurred (Italian Data Protection Authority - https://www.garanteprivacy.it/), or to seek judicial remedies.

7. AMENDMENTS TO THE PRIVACY POLICY

The Data Controller may change, modify, add, or remove any part of this Privacy Policy. In order to facilitate the verification of any changes, the policy will include the indication of the update date.

Date of review: 02/04/2024