This policy provides a framework for ensuring that Fondazione Europelago (EP) meets its obligations under the General Data Protection Regulation (GDPR) and associated legislation.
It applies to all processing of personal data carried out for an EP purpose, irrespective of whether the data is processed directly or by third parties.
‘Personal data’ means any information relating to an identifiable living individual who can be identified from that data or from that data and other data. ‘Processing’ means anything that is done with personal data, including collection, storage, use, disclosure and deletion.
More stringent conditions apply to the processing of special category personal data (sensitive data under Italian legislation 196/2003).
‘Special category’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
This policy does not cover the use of personal data by staff of Fondazione Europelago when acting in a private or non-EP capacity.
The processing of personal data must comply with data privacy legislation and, in particular, the six data privacy principles of GDPR.
In summary, they require that personal data is:
- processed fairly, lawfully and in a transparent manner;
- used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, up-to-date;
- not kept for longer than necessary; and
- kept safe and secure.
In addition, a new accountability principle requires EP to be able to evidence compliance with these principles.
Aims and commitments
EP handles a considerable amount of personal data and takes seriously its responsibilities under data privacy legislation. It recognizes that the mishandling of an individual’s personal data may cause them distress or put them at risk of identity fraud. As a result, it is committed to:
- complying fully with data privacy legislation;
- adhering to good practice, as issued by the Italian Data Protection Authority and any other appropriate bodies;
- handling an individual’s personal data in a careful and considerate manner that recognizes the importance of such information to their privacy and welfare.
EP seeks to achieve these aims by:
- ensuring that staff who process data for EP purposes are made aware of their individual responsibilities under data privacy legislation and how these apply to their areas of work;
- providing suitable training, guidance and advice;
- incorporating data privacy requirements into administrative procedures where these involve the processing of personal data, particularly in relation to major information systems (the principle of ‘privacy by design’);
- operating a centrally coordinated procedure (in order to ensure consistency) for processing rights-based requests made by individuals (e.g. the right of erasure);
- investigating promptly any suspected breach of data privacy legislation; reporting it, where necessary, to the Italian Data Protection Authority; and seeking to learn any lessons from the incident in order to reduce the risk of reoccurrence;
- including data privacy risks and responsibilities in the EP Organizational, Management and Control Model, pursuant to Legislative Decree no. 231 of June 8, 2001, which sets out the rules for the administrative liability of Bodies, Companies and Associations and which was signed by the EP President Directors on April 26, 2014;
- applying the EP Code of Ethics, also signed on April 26, 2014, which is an integral and complementary part of the 231/2001 Model and includes principles of business ethics and rules of conduct that EP recognizes as its own and that its corporate bodies and employees must observe.
Roles and responsibilities
The President has executive responsibility for ensuring that EP complies with data privacy legislation.
The Information Compliance Team is responsible for:
- establishing and maintaining policies and procedures at a central level to facilitate the EP’s compliance with data privacy legislation;
- establishing and maintaining guidance and training materials on data privacy legislation and specific compliance issues;
- supporting privacy by design and privacy impact assessments;
- responding to requests for advice from departments;
- coordinating a register to track the full range of processing that is carried out;
- complying with rights-based requests made by individuals;
- investigating and responding to complaints regarding data protection (including requests to cease the processing of personal data); and
- keeping records of personal data breaches, notifying the Data Protection Authority of any significant breaches and responding to any requests that it may make for further information.
Executive Directors of Programs are responsible for ensuring that the processing of personal data in their department conforms to the requirements of data privacy legislation and this policy. In particular, they must ensure that:
- new and existing staff, visitors or third parties associated with the Department who are likely to process personal data are aware of their responsibilities under data privacy legislation. This includes drawing the attention of staff to the requirements of this policy, ensuring that staff who have responsibility for handling personal data are provided with adequate training and, where appropriate, ensuring that job descriptions for members of staff or agreements with relevant third parties reference data privacy responsibilities;
- adequate records of processing activities are kept (for example, by undertaking register exercises);
- data protection requirements are embedded into systems and processes by adopting a ‘privacy by design’ approach and undertaking privacy impact assessments where appropriate;
- privacy notices are provided where data is collected directly from individuals or where data is used in non-standard ways;
- data sharing is conducted in accordance with EP guidance;
- requests from the Information Compliance Team for information are complied with promptly.
Anyone who processes personal data for an EP purpose is individually responsible for complying with data privacy legislation, this policy and any other policy, guidance, procedures, and/or training introduced by EP to comply with data privacy legislation. In summary, they must ensure that they:
- only use personal data in ways people would expect and for the purposes for which it was collected;
- use a minimum amount of personal data and only hold it for as long as is strictly necessary;
- keep personal data up-to-date;
- keep personal data secure, in accordance with the EP’s Information Technology Security Measures;
- do not disclose personal data to unauthorized persons, whether inside or outside EP;
- complete relevant training as required;
- report promptly any suspected breaches of data privacy legislation, in accordance with the procedure in section 6 below, and following any recommended next steps;
- seek advice from the Information Compliance Team where they are unsure how to comply with data privacy legislation; and
- promptly respond to any requests from the Information Compliance Team in connection with subject access and other rights-based requests and complaints (and forward any such requests that are received directly to the Information Compliance Team promptly).
Breaches of data privacy legislation
EP will investigate incidents involving a possible breach of data privacy legislation in order to ensure that, where necessary, appropriate action is taken to mitigate the consequences and prevent a repetition of similar incidents in future. Depending on the nature and severity of the incident, it may also be necessary to notify the individuals affected and/or the Data Protection Agency. A breach will occur where, for example, personal data is disclosed or made available to unauthorized persons or personal data is used in a way that the individual does not expect.
Incidents involving failures of IT systems or processes must be reported to the Information Security Team as soon as they are discovered (firstname.lastname@example.org).
All other incidents must be reported directly to the Information Compliance Team at the earliest possible opportunity (email@example.com).
EP regards any breach of data privacy legislation, this policy or any other policy and/or training introduced by EP from time to time to comply with data privacy legislation as a serious matter, which may result in disciplinary action. Depending on the nature of the breach, an individual may also find that they are personally liable (for example, it can be a criminal offence for a member of EP to disclose personal information unlawfully).
Questions about this policy and data privacy matters in general should be directed to the Information Compliance Team at: firstname.lastname@example.org
Questions about information security should be directed to the Information Security Team at: email@example.com
Review and development
This policy, and supporting guidance, will apply with effect from 25 May 2018. Any revisions or updates will be published on the EP website.