Privacy Policy
PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA
(pursuant to Article 13 of Regulation (EU) 2016/679)
This privacy notice describes the methods of processing personal data of users (hereinafter, "Users") who interact with the web services of the website shop.fondazioneluigirovati.org (hereinafter, "Website"). The processing is carried out by Fondazione Luigi Rovati ETS in accordance with Regulation (EU) 2016/679 ("GDPR").
1. DATA CONTROLLER
The Data Controller is Fondazione Luigi Rovati ETS, with registered office in Corso Venezia 52, 20121 Milan (MI), Tax Code 94634860152 (hereinafter, "Controller").
Contacts:
- Email: rpd-fondazioneluigirovati@fidimholding.com
- Address: Corso Venezia 52, 20121 Milan (MI)
2. DATA PROTECTION OFFICER (DPO)
The Data Protection Officer is Avv. Maria Rocca, with office in Via Fiasella 1/18, 16121 Genoa (GE).
Contacts:
- Email: studiolegale@avvrocca.it
- Certified email (PEC): maria.rocca@ordineavvgenova.it
3. PURPOSE AND LEGAL BASIS OF PROCESSING
Users' personal data are processed for the following purposes and corresponding legal bases:
| Purpose of Processing | Legal Basis | Retention Period |
|---|---|---|
| A) Website navigation: Enable browsing and access to content. | Performance of pre-contractual and contractual measures. | For the duration of the session and in any case no longer than 24 months. |
| B) Contact requests: Respond to user inquiries. | Legitimate interest of the Controller to maintain user relations. | Up to 10 years from the last interaction. |
| C) Ticketing management: Manage registration, purchases, delivery, and refunds. | Performance of pre-contractual and contractual measures. | Up to 10 years from account deletion. |
| D) Fiscal obligations: Manage fiscal documentation related to purchases. | Legal obligation (accounting and tax). | 10 years from purchase date. |
| E) Statistics and improvement: Analyze use of the website to improve functionality. | User’s consent or, in limited cases, legitimate interest of the Controller. | Until user ID expires or deletion/anonymization request. |
| F) Newsletter: Subscription and sending of informational and promotional communications. | User’s consent. | Until consent is withdrawn (unsubscribe). |
| G) Profiling: Analyze preferences and consumption habits for personalized offers. | User’s consent. | Up to 24 months from consent acquisition, unless extended or withdrawn. |
4. CATEGORIES OF DATA PROCESSED
The Controller processes the following categories of data:
- Browsing data: Online identifiers (e.g., IP addresses), device information.
- Identification and contact data: Name, surname, email address.
- Payment data: Information required to manage transactions.
- Voluntarily provided data: Content made available through social media accounts.
5. NATURE OF PROVISION AND CONSEQUENCES OF REFUSAL
Providing data for contractual (A, C) and legal (D) purposes is necessary. Failure to provide such data will prevent completion of purchases and use of services. Provision of data for marketing purposes (F, G) is optional and does not affect contractual relationships, but will prevent the receipt of newsletters and personalized offers. Consent can be withdrawn at any time.
6. DATA DISCLOSURE SCOPE
Data may be disclosed to:
- Personnel and collaborators of the Controller, authorized to process data.
- Third parties appointed as Data Processors (e.g., technical service providers, hosting providers).
- Judicial, administrative, and public security authorities, where required by law.
The updated list of recipients is available upon request from the Controller.
7. TRANSFER OF DATA OUTSIDE THE EU
Any transfers of personal data outside the European Economic Area will occur solely for technical needs, to countries deemed “adequate” by the European Commission or based on Standard Contractual Clauses.
8. DATA SUBJECT RIGHTS
Users may exercise their rights under Articles 15 et seq. of the GDPR at any time, including:
- Access: Obtain confirmation of processing and access their data.
- Rectification and erasure: Request correction of inaccurate data or erasure ("right to be forgotten").
- Restriction and objection: Request restriction of processing or object to it for legitimate reasons.
- Portability: Receive data in a structured format and transmit them to another controller.
- Withdrawal of consent: Withdraw previously given consent.
- Complaint: Lodge a complaint with the Data Protection Authority (www.gpdp.it).
Requests can be sent to the Controller’s contact addresses.
9. INFORMATION SECURITY AND ALIGNMENT WITH NIS 2 DIRECTIVE
Although the Foundation does not fall within the subjective scope of Directive (EU) 2022/2555 (the “NIS 2 Directive”), it recognizes the strategic importance of the principles it contains for a high common level of cybersecurity.
The NIS 2 Directive identifies categories of “essential entities” and “important entities” subject to specific cybersecurity requirements. As a Third Sector Entity, the Foundation is not classified as such under the national transposition legislation.
Nevertheless, with a view to maximum protection and resilience, and in line with the European legislator’s aspiration for entities outside the scope to also achieve a high level of cybersecurity, the Foundation voluntarily adopts a risk management approach inspired by the best practices promoted by the Directive.
This approach includes the adoption of adequate and proportionate technical, operational, and organizational measures, in line with Article 21 of the NIS 2 Directive, such as:
- Risk analysis and IT security policies;
- Security incident management procedures;
- Business continuity measures, including backup management and disaster recovery;
- Supply chain security assessments, with particular focus on digital service providers;
- Adoption of cybersecurity hygiene practices and training programs for staff;
- Use of encryption where appropriate.
This commitment to cybersecurity complements and integrates with the obligations arising from Regulation (EU) 2016/679 (GDPR), to ensure holistic protection of personal data and information systems managed by the Foundation.
Last updated: July 31, 2025