1) DATA CONTROLLER
Lipedema World Alliance (Fiscal Code 96537710582), association established in Via delle Costellazioni, 371 – 00144 Roma (Italy) hereinafter also referred to as ‘LWA’ or ‘the Association’ or ‘the Data Controller’,, is obliged to provide information on the use of personal data of persons (“data subjects”) contacting the Association through the channels made available by the Association (e-mail, telephone, website contact area and other electronic means – e.g. messaging services).
2) PURPOSES AND LEGAL BASES OF THE PROCESSING
The purpose of the processing is to follow up the request for contact by the data subject and to respond to specific requests, on the basis of the need to process the request (Art. 6 § 1.b GDPR).
3) CATEGORIES OF PERSONAL DATA
The Data Controller will process personal data such as first name and surname, e-mail addresses. The data subject is requested not to send information on “sensitive” aspects of his/her person (e.g. racial and ethnic origin, religious beliefs, political opinions, data disclosing health, sexual life, etc. and/or judicial data). Where this is indispensable, it is understood that the data subject gives consent to the processing of the data communicated (ex art. 9 § 2.a GDPR).
4) NATURE OF THE PROVISION OF PERSONAL DATA AND CONSEQUENCES OF FAILURE TO PROVIDE THEM
Although the provision of the data subject’s personal data for contact purposes is not mandatory, failure to provide such data will not allow the data subject to receive the information requested. Any refusal to provide personal data will not have any consequence for the User as regards the possibility of obtaining generic information on the Association’s activities. In the event that the documentation (CV and other) sent contains more “sensitive” information than is strictly necessary, the documentation will be destroyed.
5) CATEGORIES OF DATA RECIPIENTS
For the pursuit of the purposes described above, the personal data may be disclosed not only to subjects to whom communication is required by law, but also to subjects involved in the processing and/or storage of data, as well as to providers of e-mail services used by the Association. These subjects act as autonomous data controllers, or, in some cases, have been designated by the Association as data processors.
For some internal document management activities we use IT services provided by companies established outside the European Economic Area (e.g. USA. In this case, the transfer is carried out on the basis of standard contractual clauses and additional measures to ensure data protection). please note that the use of Google services entails the transfer of personal data outside the European Union, which may take place on the basis that this company adheres to the Data Privacy Framework: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
In any case, we ensure that data transfers are only made to countries that guarantee an adequate level of protection, for which there is an adequacy decision by the European Commission, or on the basis of one of the other guarantees provided for in Chapter V of the GDPR. Further information on transfers of personal data outside the European Economic Area is available by writing to the Data Controller.
6) RETENTION PERIOD
The data provided will be stored for the period necessary to respond to each individual request for information and in any case for no longer than two years from the collection of the data. Once the aforementioned period has elapsed or the current requests have been dealt with, your data will be destroyed or rendered anonymous.
7) DATA SUBJECT’S RIGHTS
The data subject has the right to: a) access the data in our possession, and to request a copy of it (except, in the latter case, where the exercise of the right infringes the rights and freedoms of other natural persons); b) request the rectification of any incomplete or inaccurate personal data; c) request the deletion of the data; d) request the restriction of processing, subject to the exclusions set out in Art. 18 § 2 Reg. EU 2016/679; e) lodge a complaint with the Garante per la Protezione dei Dati Personali (in Italy, www.garanteprivacy.it), or of the place where the alleged violation occurred.
Right to object: the data subject may object to the processing of ‘special’ categories of data by not sending them initially or by withdrawing the consent given at any time (by sending an e-mail to firstname.lastname@example.org with the subject ‘WITHDRAWAL OF CONSENT FOR DATA SUBMITTED WITH THE CONTACT FORM’), but the withdrawal will not affect the lawfulness of the data processing carried out in the period prior to such withdrawal.
The exercise of the above rights may also be delayed, limited or excluded in the cases provided for in Article 2-undecies of Legislative Decree 196/2003.
8) CONTACT DETAILS FOR QUESTIONS OR TO EXERCISE RIGHTS
To exercise his/her rights or for any other matter concerning the processing of personal data, the data subject may write, without formalities, to the e-mail address email@example.com.