Habibi A.P.S. (hereafter, also “Habibi” or “the Association”) is aware of the importance of safeguarding personal data and attentive to the rights of individuals, and since the Internet is a potentially risky tool for the circulation of your personal data, it wanted to make a serious commitment to abide by rules of conduct – in line with European Regulation 679/2016 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter, “GDPR”) – that ensure safe, controlled and confidential surfing on the web.
- perform processing (Art. 4(2) GDPR: “any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction”) of personal data (Art. 4(1) GDPR: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity”) exclusively for the purposes and in the manner described in the information notices presented to the user each time he or she accesses a section of the site in which the direct or indirect provision of personal data is envisaged;
- Use data that have been voluntarily released by the user;
- use technical cookies to facilitate navigation of the site and analytical cookies for statistical purposes;
- Use profiling cookies only if the user has given consent for such use;
- transmit the data to third parties (data processors – art. 4, para. 8, GDPR: “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller”) exclusively for purposes instrumental to what is expressly requested and carefully selected by us;
- Communicate the data to third parties for activities related to what is of interest or if this is required by law, regulation or EU legislation;
- subject to explicit consent (Art. 4, para. 11, GDPR: “any manifestation of the free, specific, informed and unambiguous will of the data subject, by which the data subject indicates his or her assent, by means of an unambiguous statement or affirmative action, that personal data concerning him or her be subject to processing”), communicate the data to third parties for their autonomous processing;
- respond to requests for access to personal data, rectification or deletion of personal data, exercise of the right to be forgotten, restriction of processing, or the right to object to processing. Ensure the exercise of the right to data portability and to object to the processing of data for purposes of informational communications about our projects and requests for financial contributions in support of our institutional activities;
- Ensure proper and lawful processing of your data, safeguarding your confidentiality, as well as applying appropriate security measures to protect the confidentiality, integrity and availability of your data.
Purpose of processing and legal basis
As better explained in the sections that allow you to join – by releasing your personal data – the services reserved for users of our site, the requested data are used to respond to requests expressly made by the user. Specifically, all data collection – and subsequent processing – activities are aimed at the pursuit of Habibi’s institutional purposes and, in particular for:
- regular and one-time donations made in various ways (credit card, bank transfer or other). The legal basis is Art. 6(1)(b) GDPR since the processing is necessary to fulfill the contractual obligations related to the donation that the data subject intended to activate
- subscription to our newsletter. The legal basis is Art. 6(1)(b) GDPR since the processing is necessary to fulfill the data subject’s request, consisting of the request to receive Habibi’s newsletter
- Request for cooperation with our organization. The legal basis is Art. 6(1)(b), GDPR since the processing is necessary to analyze the request for collaboration and provide feedback with respect to our interest in the submitted profile
- signing petitions, initiatives or specific projects. The legal basis is Art. 6(1)(b) GDPR as the processing is necessary to manage the petition membership in all its stages
- information request. The legal basis is Art. 6(1)(b) GDPR since the processing is necessary to fulfill the data subject’s request for information on the topics of interest that he or she has expressed through his or her contact with Habibi
- purposes of “social advertising” and for direct marketing purposes, through various means of contact. To further clarify, the data will also be processed for the purpose of promotional, informational, and institutional contacts about our projects, fundraising activities and initiatives, surveys, and research reserved for adherents of our actions. This right and interest of information is acquired upon joining the individual Habibi outreach project. The legal basis for processing is the consent referred to in Art. 6(1)(a) GDPR, Recital 47 GDPR, Opinion 6/2014 WP29
- purposes of “social advertising” and direct marketing with “profiling” (Art. 4(4) GDPR – “any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of said natural person”), i.e., based on the interests and preferences demonstrated by browsing the site or filling in the forms presented therein, surveys and research. Specifically, data will be processed for these purposes in a personalized manner based on behavioral characteristics (e.g., actions joined, area of residence, age), interests and preferences with respect to our actions (“profiling,” as defined above). Profiling will involve the selection of stored information with respect to the data subject so that he or she receives communications that are of interest to him or her and in line with his or her preferences, avoiding being disturbed by unwelcome or uninteresting contacts. The legal basis for processing is the consent of the data subject (Art. 6(1)(a), GDPR) given through similar unequivocal formula manifesting acceptance to such processing statistical processing on the consistency of supporters, donors and users of the site.
Methods of data processing and criteria for data collection
- The forms to be filled out – either online or downloadable – include both data that are strictly necessary to adhere to what is of interest, where failure to provide them does not allow the request to be acted upon, and data of optional provision. Therefore, the user is free to provide the personal data contained in the request forms or otherwise indicated in contacts with the Organization to request information or for the other purposes listed above. In cases of mandatory provision of data, their absence may result in the impossibility of obtaining what has been requested. The need to request data as mandatory for joining individual projects or initiatives or making requests was considered in compliance with the requirements of Art. 25, GDPR (“Data Protection by Design and by Default”), which requires appropriate technical and organizational measures, such as “pseudonymization” (Art. 4(5), GDPR: “the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures to ensure that such personal data is not attributed to an identified or identifiable natural person”), designed to effectively implement data protection principles, such as minimization, and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. In addition, Habibi has put in place appropriate technical and organizational measures to ensure that only personal data necessary for the specific purpose of processing arising from the project to which the data subject has voluntarily subscribed are processed by default.
- All processing carried out within the framework of this site will be carried out with both paper and electronic or telematic tools, with logics related to the purposes for which the data were collected and in compliance with current security regulations, for the purposes specified from time to time in the information to be provided ex art. 13, GDPR.
- Habibi will not use the data provided for purposes other than those related to the service to which you have subscribed, and, in any case, only within the limits indicated from time to time in the information to be provided under Art. 13, GDPR. In case of different treatment and for which the information to be provided under Art. 13, GDPR, communication to third parties for their promotional and informational purposes will also be possible with the consent of the person concerned.
Place of data processing
Processing related to the web services of this site takes place at the headquarters of the Organization and is carried out by technical personnel authorized to do so. If necessary, related data may be processed by the staff of third-party companies that maintain the technological part of the site (data processor under Art. 28, GDPR), at their offices.
Habibi A.P.S. – based in Sansepolcro (AR), Via XX Settembre, 127 – is the data controller (art. 4, para. 7, GDPR: “the natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of the processing of personal data”), pursuant to and for the purposes of the GDPR, since it decides how and for what reasons, communicated in the information to be provided to data subjects, to collect and use the personal data conferred by the user, as well as with what tools to process them and what security procedures to activate to ensure their integrity, confidentiality and availability, in compliance with the obligations and responsibilities provided for in Art. 24, GDPR.
Rights of data subjects with respect to data concerning them
The rights are guaranteed to delete, modify or supplement the data already voluntarily provided, as well as to request their blocking, transformation into anonymous form or to oppose their processing for legitimate reasons or if you do not wish to receive “social advertising” including with “profiling,” as well as to restrict processing and exercise the right to data portability. In addition, it is possible to appeal to the supervisory authority. By exercising these rights you will be able to control the use of your data even after it has been provided.
You may exercise, at any time, at firstname.lastname@example.org (alternatively, by writing to Habibi A.P.S. – headquartered in Sansepolcro (AR) – 52037 – Via XX Settembre, 127) your rights under Articles 15-22, GDPR below:
Right of Access (Article 15, GDPR)
A person has the right to request whether any processing of his or her personal data is taking place and, therefore, has the right to access information about him or her and to hear about:
- purpose of processing (e.g., managing a donation);
- categories of personal data (e.g., biographical data, behavioral data);
- Recipients or categories of recipients to whom personal data have been or will be disclosed, particularly if recipients in third countries or international organizations;
- when possible, the intended retention period of personal data or, if not possible, the criteria used to determine this period;
- existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to their processing;
- Right to file a complaint with a supervisory authority;
- if the data are not collected directly from the person, all available information about their origin;
- existence of automated decision-making, including profiling, and meaningful information about the logic used, as well as the importance and expected consequences of such processing for the individual. (e.g., whether the person has associated a profile of giving habits by cross-referencing donation amount with frequency and campaign).
Right of rectification (Article 16, GDPR)
A person has the right to have inaccurate personal data concerning him or her corrected without undue delay. Taking into account the purposes of processing, the person has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.
Right to erasure (“right to be forgotten”) (Article 17, GDPR)
A person has the right to obtain the deletion of personal data concerning him or her, and Habibi is obligated to delete personal data without undue delay, for any of the following reasons:
- personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- consent on which the processing is based is withdrawn and if there is no other legal basis for the processing (e.g., own legitimate interest, regulatory or contractual fulfillment);
- you object to processing for marketing and profiling purposes and there is no overriding legitimate reason for processing;
- personal data have been unlawfully processed;
- personal data must be deleted in order to comply with a legal obligation under Union or member state law to which you are subject.
Right to restriction of processing (Article 18, GDPR)
A person has the right to obtain the restriction of the processing of his or her personal data when one of the following grounds exists:
- the person disputes the accuracy of personal data, for as long as it takes to verify the accuracy of such personal data;
- the processing is unlawful and the person objects to the deletion of personal data and instead requests that their use be restricted (e.g., does not intend for the processing to be carried out for marketing purposes but only for management and administrative purposes)
- although the data are no longer needed for processing purposes, personal data are necessary for the person to establish, exercise, or defend a right in court;
- the person has objected to the processing if the processing is based on his or her own legitimate interests, pending verification as to whether his or her own legitimate interests outweigh those of the controller.
Obligation to notify in case of rectification or erasure of personal data or restriction of processing (Article 19, GDPR)
The individual has the right to request that rectification or erasure of data or restriction of processing be communicated by Habibi to other parties to whom the data may have been disclosed. Habibi may not comply with the request if the means to be employed are disproportionate to the right to privacy invoked by the person.
Right to data portability (“data portability”) (Article 20, GDPR)
This right enables an individual to receive in a structured, commonly used, machine-readable format personal data concerning him or her that is provided to a party that subjects his or her data to processing, and has the right to transmit such data to a party for the latter’s use without hindrance from the party to whom he or she provided it. This right can be exercised in the following cases:
- the processing is based on consent or on a contract or pre-contractual measures requested by the same person and, at the same time
- the processing is carried out by automated means.
The person has the right to have his or her data transferred directly from one entity to another (from the one to which he or she gave it to the one to which he or she wants it transferred), if technically possible.
Right to Oppose (Article 21, GDPR)
The person has the right to object to the processing of his or her data for the pursuit of the legitimate interest of Habibi or third parties. If personal data are processed for marketing purposes, the individual has the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it is related to such marketing activity.
Automated decision-making related to natural persons, including profiling (Article 22, GDPR)
Individuals have the right not to be subjected to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or significantly affects them in a similar way. In particular, he has the right to object to profiling to which he is subjected through automated processes.
This right cannot be exercised if the decision:
- Is necessary for the conclusion or performance of a contract;
- is authorized by the law of the Union or the Member State to which one is subject, which also specifies appropriate measures to protect the person’s rights, freedoms and legitimate interests;
- Is based on explicit consent.
People have the right to express their opinion and challenge Habibi’s decision.
As stipulated in the GDPR, Habibi will respond to the person within one month of the request, unless complex procedures have to be put in place (or the requests are numerous) that do not allow this time to be met. Full acknowledgement is permissible within three months of the request, but we are obliged to notify you, however, within one month of the originally transmitted request (Art. 12(3) GDPR).
Complaint to the Regulatory Authority
Data subjects have the right to apply to the Supervisory Authority to enforce their rights.
For Italy it is the Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Rome (RM) – www.garanteprivacy.it, to which the complaint can be sent to email@example.com, using the form made available by the authority or in free form.
Criteria used to define the limit of data retention
The data will be maintained in our archives (GDPR Art. 4(6): “any structured set of personal data accessible according to specified criteria, regardless of whether that set is centralized, decentralized, or functionally or geographically distributed”) according to criteria that vary according to the category of the data, the nature of the processing, and the purpose of the processing. The exact criteria or limit of retention is described in the information to be provided under Art. 13, GDPR when providing personal data.
In principle, the following Habibi assessments apply to determine the data retention criterion:
- all data with respect to the donation are retained as long as the relationship remains active and for as many years as laws, regulations, including community regulations, require for administrative and accounting purposes
- all data of supporters or interested in our mission used for marketing purposes are retained for the time period necessary to deliver the information services reserved for such persons. This right and interest of information are acquired upon joining the project involving donation. This period is also justified by Habibi’s legitimate interest in maintaining an ongoing relationship with the individual to keep him or her informed about what projects could be funded with the donor’s own contribution or about outreach efforts that Habibi believes would be useful to publicize to demonstrate its ongoing commitment to fulfilling its mission. This legitimate interest is allowed under Art. 6(1)(f) GDPR as an alternative mechanism to explicit consent of the data subject. Obviously, this retention period is extended as long as the person’s interest in remaining in contact with Habibi lasts: if he or she no longer has an interest, it is sufficient to be communicated through the means set forth in the section “Rights of Data Subjects with Respect to Data About Them,” and Habibi will take appropriate technical and organizational measures to stop bothering the person
- all data used for marketing activities with profiling, the processing of which is supported by the person’s explicit consent, are retained as long as the data subject’s profile is in line with the personalized communications created through the cross-referencing of the information available to us and, therefore, as long as Habibi continues its mission with projects, initiatives, actions and activities that require economic contributions or that spur awareness (ex.: petitions, emergency appeals, opinion requests and surveys) that are of interest to the person who has given consent to receive information of this tenor and that reflect the person’s characteristics and behaviors and are, therefore, of his or her specific interest and not disruptive. Again, such retention will cease if the data subject objects at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it is related to such direct marketing.
After the periods stated above have elapsed, identifying data are transformed into anonymous form and used only for statistical reports that do not allow the identity of the person to be traced but are useful for adjusting projects, initiatives and actions for the realization and achievement of Habibi’s statutory and institutional objectives. Personal data will, therefore, be destroyed.
Data processors and authorized persons, autonomous data controllers
- Your personal data may be processed, either manually or electronically or telematically, either directly by Habibi or by third parties who, endowed with experience, technical skills, professionalism and reliability, carry out processing operations on behalf of our association, respecting the security and confidentiality of the information and constantly monitored by us in their work. The data processor is “the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller” (Art. 4, para. 8, GDPR) and is contractually bound by Habibi, with a definition of the limits of operation on the data, with respect to the data it may process and the categories of data subjects to which it relates, and with a prohibition on any use of the data other than the task entrusted. It may, if formally authorized by Habibi, make use of other processors, who are contractually bound by the processor appointed directly by Habibi: violations committed by such other processors fall under the responsibility of the first processor and not Habibi.
The complete and up-to-date list of data processors (and, if applicable, of the data processors appointed by the first person in charge, subject to Habibi’s authorization) may be requested by e-mailing firstname.lastname@example.org (alternatively, by writing to Habibi A.P.S. – headquartered in Sansepolcro (AR) – 52037 – Via XX Settembre, 127).
- Authorized persons, identified in the information provided in the data provision sections, are in charge of individual site services, institutional activities and fundraising, organization of outreach events, communication, information and data security services.
- The data of users of the site may also be processed by autonomous data controllers who provide technical services for its functionality or to ensure telematic connection (e.g.: Internet Provider) or public bodies, judiciary or law enforcement agencies for their institutional purposes or where expressly requested to communicate them by Habibi.
Third parties to whom your data are disclosed and dissemination of data
- In particular, donor data and donation details must, by legal requirement, be passed on to the Internal Revenue Service. The data reported to the Internal Revenue Service will be those for the year prior to the activation of the donation
- In addition, data may be communicated to third nonprofit organizations, project partner companies, entities, for autonomous uses (as autonomous data controllers) for their own institutional purposes: such “communication” will take place only if the data subject has given his or her explicit consent.
- The transfer of personal data to third countries may take place only with the user’s consent: primarily, these are activities related to the user’s adherence of the long-distance adoption project, to enable the creation of a match between beneficiary and supporter. These third parties are members of the international network to which the Organization is a member or has partnership relationships
- They may be communicated to third parties, subject to express and specific informed consent, as first described, for their autonomous uses having primarily promotional contact purposes.
- The possibility that personal data may be disseminated is not ruled out: this may occur if the service to which the user has subscribed contemplates such processing: for example, it may be disseminated through our social channels, including in image format, if the data subject wishes to testify about his or her experience with Habibi or to relate to Habibi through social channels. All such cases of data dissemination will take place with the consent of the data subject.
The data of users who join Habibi’s social media pages (fans of the page or subscribers to a group of followers of a certain promotional initiative or incentive of sales of products or new products in Habibi’s catalog), decide, by this action, to make explicit their intention to want to follow Habibi’s news, comments, developments. Such users, subsequent to their behavior, may lawfully receive promotional messages concerning the topics for which they have manifestly declared, by implication by joining the page, that they are interested. The sending of promotional communications regarding a specific project or initiative or an institutional activity in the broadest sense, carried out by Habibi referred to on the relevant page must be considered to be lawfully conductible if, from the context and mode of operation of the social network, also depending on the information provided spontaneously by the user, it can be inferred that, unequivocally, the user has in some way expressed his or her willingness to receive precisely that type of message, with a behavioral formula that is conclusive of an implicitly declared consent. Therefore, pursuant to the order of the Guarantor issuing guidelines on promotional activities and countering spam dated July 04, 2013, Register of Orders no. 330, Habibi may contact active members of its social pages in order to send messages of an informative and promotional nature about initiatives, services, events and fundraising activities to develop its charitable activities.
The moment the user leaves the group or stops following Habibi’s affairs or exercises the right to object to the processing of data for promotional purposes, then this assumption lapses and, if Habibi intends to continue using the data for such promotional and institutional activities, it will require the user’s consent.
Conversely, the primary user’s contact data will be used by Habibi upon request to the individual contact of an express consent adequately and previously informed, specific to Habibi’s promotional messages and issued in free form.
What cookies are and how they are used by Habibi
Cookies are information stored on your PC’s hard drive that are sent by your browser to a Web server and relate to your network usage. As a result, they allow us to know the services, sites frequented, and options manifested by surfing the Web.
This information is, therefore, not provided spontaneously and directly, but leaves a trace. The data collected through cookies will be used for technical needs to ensure easier, more immediate and faster access to the site and its services and easier navigation for the individual user.
Profiling cookies may also be used, with the user’s consent, to create profiles of the user based on sections of the site or actions taken by the user on this site or by browsing the web.
The use of so-called session cookies (which are not stored persistently on the user’s computer and are automatically deleted when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to enable the safe and efficient exploration of the site. The so-called session cookies that are used on this site avoid the use of other computer techniques potentially prejudicial to the privacy of users’ browsing and do not allow the acquisition of personal data identifying the user. In any case, you can configure your browser so that you are notified when a cookie is received and then decide whether to accept it.
The computer systems and software procedures used to operate this site acquire, in the course of their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected in order to be associated with identified users but which by its very nature could, through processing and association with data held by third parties, allow the users themselves to be identified. This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error or the like) and other parameters related to the user’s operating system and computer environment. This data is used only to obtain anonymous statistical information about the use of the site and to check its proper functioning and is deleted immediately after processing. The data could be used to ascertain liability in case of hypothetical computer crimes against the site.
The security of your personal data
Habibi A.P.S. takes appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness, and availability of your personal data. As stipulated by the regulatory provisions governing the security of personal data, technical, logistical and organizational arrangements are put in place that aim to prevent damage, even accidental loss, alteration, improper and unauthorized use of the data concerning you.
In particular, Habibi has put in place adequate technical and organizational measures to ensure a level of security appropriate to the risk that could affect your rights and freedoms, including the privacy and confidentiality, of individuals. Habibi adopts security criteria that include, among others:
- “pseudonymization” (Art. 4(5) GDPR: “the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures to ensure that such personal data is not attributed to an identified or identifiable natural person”) and data encryption
- Systems that permanently safeguard the confidentiality, integrity, availability and resilience of processing systems and services
- Systems to promptly restore the availability and access of personal data in the event of a physical or technical incident
- Procedures for regularly testing, verifying and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
Similar preventive security measures are taken by third parties (data processors) to whom the Organization has entrusted processing operations of your data on its own behalf.
On the other hand, the Organization is not responsible for untrue information sent directly by the user (example: correctness of e-mail address or postal address or other personal data), or for information about him/her that was provided by a third party, even fraudulently.
Credit card and financial information required for donation
In the case of a donation made through a credit card, Habibi guarantees its confidentiality and security. The financial information of the credit card (number, expiration date, owner’s details) may be known only by the issuing institution. Habibi will only become aware of a code (“token”) that has no way of tracing it back to the cardholder’s identity or credit card details, barring exceptions.
Similarly, the same criteria of confidentiality and privacy will be maintained in the case of a donation made by bank transfer, for which it is only required to include a “reason code” when making the transfer.
If the donation is made through PayPal, you will be redirected to PayPal’s site and, therefore, the confidentiality and security criteria are the sole responsibility of PayPal, excluding any responsibility on Habibi’s part.
Finally, in general, Habibi assumes no responsibility with reference to unauthorized or fraudulent use by third parties of the information pertaining to the instruments used for the donation-related transaction.