Skip to main content

In compliance with Reg. EU 2016/679, Italian Legislative Decree 196/2003 and the related rules, in order to manage the contractual relationship correctly, the Data Controller Fondazione Arnaldo Pomodoro may process the personal data of the other Party (if the other Party is a legal person, this will also include data relating to the natural persons who are employed by or have roles within the other Party) for the purposes and by the methods indicated below.

This privacy policy replaces in full any previous ones concerning the same processing.

a) stipulation and performance of the contractual and pre-contractual relationship, and related administrative-accounting purposes contractual performance, in the absence of the data the contract cannot be stipulated and performed up to three months after the termination of the contractual relationship or requests prior to entering into a contract
b) compliance with laws or regulations, also for administrative-accounting purposes relating to the contractual performance regulatory compliance, in the absence of the data the sanctions envisaged by the applicable rules will be applied, meaning there can be no contractual relationship up to the duration envisaged by the applicable regulations
c) establishment, exercise or defence of legal claims legitimate interest of the Controller, considered compelling in accordance with Art. 21 GDPR maximum of 10 years pursuant to Art. 2946 of the Italian Civil Code and up to the maximum limitation period of the rights
d) technical management of email, messaging and cloud for archiving documents and files legitimate interest of the Controller, considered compelling for the correct performance of the contractual relationship maximum of 6 months for logs, other data for the maximum limitation period
e) protection of cyber security and networks legitimate interest of the Controller, considered compelling in accordance with Recital 49 GDPR maximum of 6 months subject to any further use for the protection of rights

A) Processing methods: in general, the data will be processed using paper, IT and electronic tools along with other telecommunications systems, so as to guarantee the security and confidentiality of the data, as well as to comply in full with the regulations.

Categories of data processed: common data (special categories of data or judicial data are excluded; in cases where this is necessary - due to the public interest, a legal obligation or another processing basis - you will be informed in advance).

Sources of data processed: performance of the contractual relationship, the other contractual Party.

Any privacy aspects subject to separate compliance requirements (e.g. the relationship between the Controller and the processor) will be regulated in separate documents.

B) Data recipients: The data will not be disseminated; they may be disclosed to external processors or autonomous controllers or joint controllers, particularly those included in the following categories:

a) banks whose services are used for payment transactions, as well as persons operating within them, for the sole purposes of administrative and accounting management of the contract/relationship and for checks concerning the execution of payments;
b) companies and professionals used by the Controller for consulting or assistance in carrying out its association activities, in particular, lawyers, tax and employment advisors, auditors, shipping agents, IT and security consultants, providers of IT and application services (including cloud and email as well as remote communication);
c) any contractors and subcontractors used to perform the contractual activity, as well as work providers who collaborate with the Controller for contractual fulfilments (as well as its own employees, appointed as processing officers);
d) public institutions or legal authorities if imposed by the applicable regulations or following a request from the authority itself.

Unless otherwise indicated, the data will not be transferred or processed outside the European Community or in another location not considered adequate in line with Community legislation in that regard. If the Controller users suppliers of products or services based in the USA or outside the EU in countries considered inadequate, the respective transfer of data will occur based upon the standard contractual clauses of the European Commission (or another measure which safeguards the transfer in accordance with Chapter V of the GDPR) with the application of supplementary measures, if not otherwise specified.

C) Third party data: if the other Party is a natural person, these provisions apply to the processing of his or her personal data. If it is a legal person, the processing of its data does not have to comply with the GDPR except for any marketing aspects; however, its employees/collaborators who are natural persons may (in the name and on behalf of the other Party) provide their personal data during the performance of the relationship. In that case, the other Party guarantees that those natural persons have been made aware of this privacy policy, delivering it to them on a durable medium and obtaining the respective consent (if required); the other Party therefore expressly indemnifies the Controller against any liability or claim by third parties in that regard.

D) Rights pursuant to Articles 15-22 GDPR: the Counterparty has the following rights, which may be exercised at any time:

a) the right to request from the Controller access to the personal data, requesting confirmation or otherwise of their existence as well as the rectification or erasure of the same or restriction (temporary block) of processing relating to him/her;


c) if consent is provided for one or more specific purposes, the right to withdraw that consent at any time;

d) the right to portability of the personal data (for processing whose legal basis is a contractual performance or consent) by making a request to the Controller, by means of a communication of a file in CSV format, or similar open interoperable format or in the format used by you originally, depending on the type of data requested;

e) the right to lodge a complaint with the following Supervisory Authority: Garante per la protezione dei dati personali (; however, you may alternatively lodge a complaint with the supervisory authority having jurisdiction in the Member State where you habitually reside or work or the place where the alleged breach occurred.

The processing occurs by way of automated means which do not involve the profiling of the data subjects.

E) Controller: the Controller is Fondazione Arnaldo Pomodoro, Tax Code 97163270156, VAT No. 1277562015, with registered office in Vicolo Lavandai 2/A – 20144 Milan, email:, also for the exercise of the rights listed below and for any request for clarification.


For a correct understanding of the following terms, consult the Information Pages of the Garante per la Privacy: To read the text of Regulation 2016/679, consult the following website: To read the Italian Legislative Decree 196/2003 (Privacy Code) in its latest version, consult the following website:

Supervisory authority

The supervisory authority (in Italy, the Garante per la protezione dei dati personali) is an independent public authority established by the privacy regulations. The Authority examines complaints by the data subjects and oversees compliance with the rules protecting private lives. It decides on complaints lodged and prohibits, even ex officio, illegal or incorrect processing. It carries out inspections, applies administrative penalties, and issues opinions in the cases envisaged by the regulations.

Processing officer

The employee or collaborator who, on behalf of the Controller, processes or physically uses the personal data based upon instructions received from the Controller itself.


The act of making the personal data known to one or more specific persons (who are not the data subject, the controller or the processing officer), in any form, also through their provision or consultation (see also dissemination).


The freely given indication of the data subject’s wishes by which he or she expressly accepts a certain processing activity in relation to his or her personal data, of which he or she has been informed in advance by the person having decision-making powers over the processing.

Personal data

Any information relating to an identified natural person or one who can be identified by reference to other information, for example a number or identification code.

Personal data include, for example: name and surname or company name, tax code, but also an image, the recording of a person’s voice, his or her fingerprint, health data, bank details, etc.

Sensitive data

Personal data which, by their nature, require particular precautions: sensitive data include those that may reveal racial and ethnic origin, religious or other beliefs, political opinions, membership of political parties, trade unions or associations, state of health and sex life of the persons.


The disclosure of personal data to the public or, in any case, to an indeterminate number of persons (for example, the publication of personal data in a newspaper or on a web page).

Privacy policy

Information that the data controller must provide to each data subject, verbally or in writing when the data are collected from the data subject him or herself, or from third parties. The privacy policy must specify in brief and in comprehensible language the purposes and methods of processing; whether or not the data subject is obliged to provide the data; any consequences of not providing the data; the entities to whom the data may be disclosed or disseminated; the rights granted to the data subject; the identity of the controller, any joint controllers and their contact details (address, telephone, fax, etc.).

Data subject

The natural person to whom the personal data refer.

Security measures

All technical and organisational measures, electronic devices or computer programmes used to ensure that the data are not destroyed or lost, even accidentally, that only authorised persons have access to the data, and that no processing contrary to the rules or laws or different from the purpose for which the data were collected is carried out.


The natural or legal person, public authority, agency or other body, etc. which actually processes the data or is responsible for making fundamental decisions on the purposes and methods of processing (including the security measures).

In cases where the processing is carried out by a company or by a public administration, controller means the entity as a whole and not the individual or body that administers or represents it (chairman, chief executive officer, auditor, minister, general manager, etc.). Circumstances in which the processing can be attributed to an individual relate to freelancers or sole proprietorships.

Processing (of personal data)

An operation or set of operations concerning personal data. The definition includes the collection, recording, organisation, storage, adaptation, selection, extraction, use, block, disclosure, dissemination, erasure and destruction of data. Each of these operations is a form of data processing.


  • Cookies are computer records of information sent by a web server to the user’s computer for the future identification of that computer upon repeated visits to the same website. Cookies contribute to facilitating the analysis of traffic on the internet and allow web applications to send information to individual users.

With exclusive reference to the users of this Website, the following is noted:
a) the Website uses technical cookies, strictly necessary for browsing and use of the Website functions, and performance analysis cookies (e.g. Google Analytics) used to compile aggregate anonymous statistics. Cookies of this type do not allow for the personal identification data of the user to be acquired, as specific anonymisation procedures have been adopted;

  1. b) this website does not use profiling cookies directly: cookies are not used to transmit information of personal nature and no persistent cookies of any type or systems for tracking users are used;
  2. c) on this Website, however, objects may be incorporated (images, maps, music files, links to specific web pages of other domains) that download third-party cookies which are often able to collect information on the activities performed by users on this Website and/or on advertisements they have clicked on; however, those third-party cookies are used by applying settings capable of anonymising the user who is not, therefore, identifiable. These cookies include, inter alia, social media networks and social media plug-ins (YouTube, Facebook, Twitter, Instagram, Pinterest, Google+, etc.). To disable or reject third-party cookies, the user must refer to the internet websites of the same.
Name Provider Type Duration
Name Provider Third-party tracking cookies (Google Analytics) used to analyse visits. 2 years
_ga Google Third-party tracking cookies (Google Analytics) used to analyse visits. 2 years
_gid Google Third-party tracking cookies (Google Analytics) used to save the number of visits to different pages. 2 years
__qca QuantCast Third-party tracking cookies used to analyse choices regarding the acceptance of cookies. 1 year
_fbp Facebook Third-party tracking cookies used to analyse visits for marketing purposes. 1 year
__utma Google Third-party tracking cookies (Google Analytics). Set to memorise the calculation of the day and time of purchase. 1 year
__utma Google Third-party tracking cookies (Google Analytics). Set to memorise the time of a particular visit. User session
__utmc Google Third-party tracking cookies (Google Analytics). Set to memorise the time of a particular visit. 30 minutes
__utmc Google Third-party tracking cookies (Google Analytics). Set to memorise keywords used in search systems. 6 month
__utmc Google Third-party tracking cookies (Google Analytics). Set to memorise keywords used in search systems. 6 month