Privacy Policy
NOTICE FOR THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 OF EU REGULATION NO. 679 OF APRIL 27, 2016This notice is issued pursuant to Article 13 of EU Regulation No. 679 of April 27, 2016 (or GDPR), concerning the protection of natural persons with regard to the processing of personal data and in compliance with the regulations on the processing of personal data, as well as the free circulation of such data.
DATA PROCESSOR
MOST - National Center for Sustainable Mobility Foundation, located in Milan, at Piazza Leonardo da Vinci No. 32 and with an operational headquarters in Milan, at Via Durando No. 39 Contact point: segreteria@centronazionalemost.it
DATA PROTECTION OFFICER
Contact point: privacy@centronazionalemost.it
PURPOSE OF PROCESSING, LEGAL BASE AND DATA RETENTION PERIOD
Personal data will be used for the following purposes:
Fulfillment of contractual obligations related to the institutional activities of MOST;
Compliance with regulatory obligations;
Promotion and outreach initiatives on sustainable mobility issues.
The legal basis for processing is found:
in Article 6, paragraph 1, letter a) of the GDPR, that is, the consent of the data subject;
in Article 6, paragraph 1, letter b) of the GDPR, that is, the execution of a contract;
in Article 6, paragraph 1, letter c) of the GDPR, that is, a legal obligation of the Controller;
in Article 6, paragraph 1, letter e) of the GDPR, that is, the execution of a task carried out in the public interest.
in Article 6, paragraph 1, letter f) of the GDPR, that is, for legitimate interest.
The personal data subject to processing will be retained for the duration indicated in the various second-level notices, in accordance with the retention obligations provided for by laws or regulations.
See also: second-level notice
TYPE OF DATA SUBJECT TO PROCESSING
The data controller processes the data of the data subjects according to the principle of minimization, that is, to the extent that processing is necessary for the execution of the intended purposes or is required by legal obligations.
PROCESSING METHODS
Personal data may be processed both on paper and in digital form, manually and/or with electronic or, in any case, automated tools.
Data processing is carried out in compliance with the security measures identified pursuant to Article 32 of the GDPR, reducing the risks of destruction, loss, alteration, unauthorized disclosure, or access, in an accidental or unlawful manner, or processing that is not compliant with the purposes of collection.
Moreover, data will be processed exclusively by duly authorized and trained personnel.
CATEGORIES OF RECIPIENTS
In relation to the stated purposes, data may be communicated to public and/or private entities, or may be communicated to companies and/or individuals providing services, even externally, on behalf of the Controller. In particular, collected data may be transmitted to service providers necessary for the fulfillment of the listed purposes, formally appointed by MOST as Data Processors pursuant to Article 28 of the GDPR. Moreover, data will be transferred to the Ministry of Universities and Research (or MUR) for reporting purposes linked to PNRR obligations.
Personal data may also be communicated to public administrations, even in anonymous form, if they need to process them for any proceedings related to their institutional competence, as well as to all those public entities to which, in the presence of the relevant requirements, communication is mandatorily provided by European legislation, laws or regulations, in addition to insurance entities for any accident-related claims.
Processed data may be communicated to:
consultants and accountants or other lawyers providing functional services for the above-mentioned purposes;
entities processing data in execution of specific legal obligations or regulations or internal and/or community legislation, within the limits provided by such regulations;
judicial or administrative authorities, in order to comply with legal obligations;
entities acting as External Data Processors (pursuant to Articles 4.8 and 28 of the GDPR) explicitly appointed by MOST, for ancillary purposes to the activities and services provided.
TRANSFERS TO NON-EU COUNTRIES OR INTERNATIONAL ORGANIZATIONS
Personal data will be processed by the Controller within the territory of the European Union.
If, for technical and/or operational reasons, it becomes necessary to use entities located outside the European Union, or if it is necessary to transfer some of the collected data to technical systems and services managed in the cloud and located outside the area of the European Union, the processing will be governed in accordance with what is established by Chapter V of the EU Regulation and authorized based on specific decisions of the European Union.
Therefore, all necessary precautions will be taken to ensure the utmost protection of personal data, basing the transfer:
a) on adequacy decisions of the third countries recipients expressed by the European Commission;
b) on adequate guarantees expressed by the third country recipient pursuant to Article 46 of the EU Regulation;
c) on the adoption of binding corporate rules, so-called Corporate binding rules.
RIGHTS OF THE DATA SUBJECTS
The data subject has the rights set out in Article 15 of the GDPR and precisely the following rights to:
obtain confirmation of the existence or non-existence of their Personal Data with the Controller, even if not yet recorded;
obtain the indication:
a) of the origin of Personal Data;
b) of the purposes and methods of processing;
c) of the logic applied in the case of processing carried out with the aid of electronic means;
d) of the identifying details of the Controller, the processors, and other authorized persons.
obtain:
a) the update, correction, or integration of the data;
b) the deletion, transformation into anonymous form, or blocking of data processed in violation of the law, including those no longer necessary for the purposes for which they were collected;
c) the confirmation that the operations referred to in letters a) and b) have been communicated, including regarding their content, to those to whom they were disclosed or disseminated, except in cases where such fulfillment proves impossible or involves a manifestly disproportionate effort;
object, in whole or in part and for legitimate reasons, to the processing of their Personal Data even if relevant to the purpose of collection.
The data subject also has the rights set out in Articles 16-21 of the GDPR, namely the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability as well as the right to lodge a complaint with the Data Protection Authority.
The data subject may, at any time, exercise their rights by sending a request to the Controller via the following contact point: privacy@centronazionalemost.it
LIST OF SECOND LEVEL NOTICES
NOTICE FOR THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 OF EU REGULATION NO. 679 OF APRIL 27, 2016This notice is issued pursuant to Article 13 of EU Regulation No. 679 of April 27, 2016 (or GDPR), concerning the protection of natural persons with regard to the processing of personal data and in compliance with the regulations on the processing of personal data, as well as the free circulation of such data.
DATA PROCESSOR
MOST - National Center for Sustainable Mobility Foundation, located in Milan, at Piazza Leonardo da Vinci No. 32 and with an operational headquarters in Milan, at Via Durando No. 39 Contact point: segreteria@centronazionalemost.it
DATA PROTECTION OFFICER
Contact point: privacy@centronazionalemost.it
PURPOSE OF PROCESSING, LEGAL BASE AND DATA RETENTION PERIOD
Personal data will be used for the following purposes:
Fulfillment of contractual obligations related to the institutional activities of MOST;
Compliance with regulatory obligations;
Promotion and outreach initiatives on sustainable mobility issues.
The legal basis for processing is found:
in Article 6, paragraph 1, letter a) of the GDPR, that is, the consent of the data subject;
in Article 6, paragraph 1, letter b) of the GDPR, that is, the execution of a contract;
in Article 6, paragraph 1, letter c) of the GDPR, that is, a legal obligation of the Controller;
in Article 6, paragraph 1, letter e) of the GDPR, that is, the execution of a task carried out in the public interest.
in Article 6, paragraph 1, letter f) of the GDPR, that is, for legitimate interest.
The personal data subject to processing will be retained for the duration indicated in the various second-level notices, in accordance with the retention obligations provided for by laws or regulations.
See also: second-level notice
TYPE OF DATA SUBJECT TO PROCESSING
The data controller processes the data of the data subjects according to the principle of minimization, that is, to the extent that processing is necessary for the execution of the intended purposes or is required by legal obligations.
PROCESSING METHODS
Personal data may be processed both on paper and in digital form, manually and/or with electronic or, in any case, automated tools.
Data processing is carried out in compliance with the security measures identified pursuant to Article 32 of the GDPR, reducing the risks of destruction, loss, alteration, unauthorized disclosure, or access, in an accidental or unlawful manner, or processing that is not compliant with the purposes of collection.
Moreover, data will be processed exclusively by duly authorized and trained personnel.
CATEGORIES OF RECIPIENTS
In relation to the stated purposes, data may be communicated to public and/or private entities, or may be communicated to companies and/or individuals providing services, even externally, on behalf of the Controller. In particular, collected data may be transmitted to service providers necessary for the fulfillment of the listed purposes, formally appointed by MOST as Data Processors pursuant to Article 28 of the GDPR. Moreover, data will be transferred to the Ministry of Universities and Research (or MUR) for reporting purposes linked to PNRR obligations.
Personal data may also be communicated to public administrations, even in anonymous form, if they need to process them for any proceedings related to their institutional competence, as well as to all those public entities to which, in the presence of the relevant requirements, communication is mandatorily provided by European legislation, laws or regulations, in addition to insurance entities for any accident-related claims.
Processed data may be communicated to:
consultants and accountants or other lawyers providing functional services for the above-mentioned purposes;
entities processing data in execution of specific legal obligations or regulations or internal and/or community legislation, within the limits provided by such regulations;
judicial or administrative authorities, in order to comply with legal obligations;
entities acting as External Data Processors (pursuant to Articles 4.8 and 28 of the GDPR) explicitly appointed by MOST, for ancillary purposes to the activities and services provided.
TRANSFERS TO NON-EU COUNTRIES OR INTERNATIONAL ORGANIZATIONS
Personal data will be processed by the Controller within the territory of the European Union.
If, for technical and/or operational reasons, it becomes necessary to use entities located outside the European Union, or if it is necessary to transfer some of the collected data to technical systems and services managed in the cloud and located outside the area of the European Union, the processing will be governed in accordance with what is established by Chapter V of the EU Regulation and authorized based on specific decisions of the European Union.
Therefore, all necessary precautions will be taken to ensure the utmost protection of personal data, basing the transfer:
a) on adequacy decisions of the third countries recipients expressed by the European Commission;
b) on adequate guarantees expressed by the third country recipient pursuant to Article 46 of the EU Regulation;
c) on the adoption of binding corporate rules, so-called Corporate binding rules.
RIGHTS OF THE DATA SUBJECTS
The data subject has the rights set out in Article 15 of the GDPR and precisely the following rights to:
obtain confirmation of the existence or non-existence of their Personal Data with the Controller, even if not yet recorded;
obtain the indication:
a) of the origin of Personal Data;
b) of the purposes and methods of processing;
c) of the logic applied in the case of processing carried out with the aid of electronic means;
d) of the identifying details of the Controller, the processors, and other authorized persons.
obtain:
a) the update, correction, or integration of the data;
b) the deletion, transformation into anonymous form, or blocking of data processed in violation of the law, including those no longer necessary for the purposes for which they were collected;
c) the confirmation that the operations referred to in letters a) and b) have been communicated, including regarding their content, to those to whom they were disclosed or disseminated, except in cases where such fulfillment proves impossible or involves a manifestly disproportionate effort;
object, in whole or in part and for legitimate reasons, to the processing of their Personal Data even if relevant to the purpose of collection.
The data subject also has the rights set out in Articles 16-21 of the GDPR, namely the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability as well as the right to lodge a complaint with the Data Protection Authority.
The data subject may, at any time, exercise their rights by sending a request to the Controller via the following contact point: privacy@centronazionalemost.it
LIST OF SECOND LEVEL NOTICES
Purchasing Information