The Congregation of the Sisters of Our Lady of Sion has always considered the protection of personal data of its users to be of utmost importance. It ensures that the processing of personal data, carried out both electronically (i.e., through web tools and applications) and manually, is conducted in full compliance with the principles, safeguards, and rights recognised by Regulation (EU) 2016/679 of the European Parliament and Council, dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Regulation”), Legislative Decree No. 196 of 2003 as amended by Legislative Decree No. 101 of August 10, 2018 (“Privacy Code”), and other applicable laws on personal data protection.
Introduction
This document is part of the information provided pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council, dated April 27, 2016, concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Regulation”), Legislative Decree No. 196 of 2003 as amended by Legislative Decree No. 101 of August 10, 2018 (“Privacy Code”), and other applicable laws on personal data protection.
For the purposes of this information, the Data Controller is: The Congregation of the Sisters of Our Lady of Sion, whose headquarters are at Via Ambrogio Traversari 21, 00152 Rome, Italy.
To contact the Data Controller, users can use the following email address: dpocommunication@esafimconsulting.eu
Pursuant to Article 37, paragraph 1(a) of the Regulation, the Congregation has appointed a Data Protection Officer (DPO). You can directly contact our DPO at the following email address: dpondsion@esafimconsulting.eu
The Data Protection Officer (DPO) is a highly specialised and independent professional with monitoring and control powers over the organisation’s compliance status. The DPO informs and advises the Data Controller, the Data Processor, and Authorised Persons on matters concerning the protection of Personal Data and acts as a point of contact between our organisation and the “external world” (including the Supervisory Authority), and is therefore also responsible for addressing your requests.
The Regulation specifies the tasks that the DPO is required to perform. The most relevant ones for you as the Data Subject are:
i. “To inform and advise the Data Controller or the Data Processor as well as the employees who carry out processing operations of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions” (see Article 39, paragraph 1(a) of the Regulation). This ensures that within our organisation, there is an expert with a high level of specialist knowledge who advises the Data Controller, the Data Processors, and Authorised Persons and constantly informs us about the obligations we must comply with concerning the Processing of your Personal Data.
ii. “To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the Data Controller or Data Processor in relation to the protection of Personal Data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations and the related audits” (see Article 39, paragraph 1(b) of the Regulation). This ensures that within our organisation, there is an individual who constantly monitors not only the compliance with the Regulation by the Data Controller, the Data Processor, and Authorised Persons but also the adherence of the processing policies adopted to the Regulation and other applicable laws. These must always comply with legal provisions, and the DPO has, among other things, the function of ensuring that this happens in practice.
iii. “Data Subjects may contact the Data Protection Officer with regard to all issues related to the processing of their Personal Data and to the exercise of their rights under this Regulation” (see Article 38, paragraph 4 of the Regulation). This ensures that there will be a specialised person who will handle your requests and help clarify your doubts and uncertainties or simply provide you with the information you need. The exercise of your rights will also be facilitated, and you will be assured that when your requests are examined, such examination will be conducted by a dedicated expert.
The Congregation processes various types of Personal Data. Generally, this includes:
“Identifying Data”: This category of Personal Data includes information such as your name, surname, email address, etc. To collect such Data, we ask you to fill out our contact form available on our website. The data requested corresponds to the fields present in the respective online form. In these cases, the data marked with the symbol (*) are mandatory, meaning that without providing them, we will not be able to offer you the service you desire. If the symbol (*) is not present, you can choose freely whether to provide the data or not, knowing that this choice will not impact the availability of the service, which will be regularly provided to you.
“Data Automatically Collected During Your Navigation on Our Sites and/or Applications”: This includes information such as IP addresses (both static and dynamic) or domain names of the devices used by those who connect, addresses in URI (Uniform Resource Identifier) notation, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the server’s response (successful, error, etc.), the country of origin, the characteristics of the browser and the operating system used, etc. These Data are not used to trace your identity, but your identification could still be possible through further processing and association of such Data with other information, also held by third parties.
Although we retain this information for the purpose of responding to you, it is never used for analytical or marketing purposes, nor is it shared with third parties.
The term “purpose of Processing” refers to the reason why we process your Data. The Regulation states that anyone processing your Personal Data must have a legitimate reason to do so, and these reasons are known as “legal bases for processing” (see Article 6 of the Regulation).
When there is no other legal basis, we will ask for your consent before starting the Processing and will explain to you, at the time of collecting your consent, why we are asking for it and the consequences that may result from the Processing you have authorised.
Our organisation collects your data:
– For functional purposes: To present the content of our multilingual website in the preferred language, where possible, without requiring manual input.
– To respond to a question you have sent us.
You have the right to request from the Data Controller access to your personal data, and rectification or deletion of the same, or the restriction of Processing that concerns you, and to OBJECT to the Processing itself (Articles 15 and following of the GDPR).
The Congregation of Notre Dame de Sion (hereinafter, for brevity, referred to simply as the Congregation) provides this information on the processing of personal data (hereinafter also referred to as the privacy policy) in compliance with applicable Italian and European personal data protection regulations, and in particular, the provisions of:
1. The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the European Council, dated April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data);
2. The Code concerning the protection of personal data (Legislative Decree June 30, 1993, No. 196, in its currently applicable text, as amended, in particular, by Legislative Decree August 10, 2018, No. 101).
Through this information, we intend to provide users with some guidance on the technologies adopted and how they are used on the Congregation’s website. This information is specifically aimed at enabling the User to best protect their personal data against the use of cookies and similar technologies by the Congregation and third parties (which will be discussed further below).
Cookies are small text strings that:
– Websites visited by the User place in their browser when visiting a site or using a social network with their personal computer, smartphone, or tablet;
– Are stored by the User’s browser to be then retransmitted to the same sites that sent them when the same User visits them again.
Cookies contain various data related to the User, such as the name of the server from which they originate or a numeric identifier, and they can contain an identifier code of the User. Cookies can remain in the User’s browser for the duration of a session (i.e., until the browser used for web navigation is closed) or for indefinite periods.
While browsing a site, the User may also receive cookies sent from websites or web servers of other companies (so-called “third parties”). For instance, a web page may contain cookies from other sites and/or elements (images, maps, sounds, specific links to web pages of other domains, etc.) that reside on servers different from the one of the visited site. Therefore, cookies can be classified as “first-party” or “third-party” based on the website or domain from which they originate. First-party cookies are, essentially, cookies set and/or managed by the site owner. Third-party cookies are cookies set by a domain other than the one visited by the User.
Similar technologies are tools that store data in the User’s browser or device using local shared objects (or local storage), such as flash cookies, HTML5 cookies, and other web application software methods. Another example of similar technology is SDKs (Software Development Kits), which are third-party software applications that publishers embed in their properties and that send the relevant usage data to the party managing the survey.
a. Technical Cookies
Technical cookies are necessary to enable Internet navigation and the transmission of communication over an electronic communication network, as well as to provide the User with certain functionalities available on the site. Without these cookies, some operations would not be possible or would be more complex and/or less secure. These cookies, which allow the identification of the User during an online navigation session, are indispensable. Technical cookies, typically installed directly by the site owner or manager, can be classified into:
– Navigation or Session Cookies: These ensure the normal navigation and use of the website (e.g., allowing users to log in to access restricted areas).
– Analytics Cookies: These are legally treated as technical cookies when used directly by the site owner to collect aggregated information about the number of users and how they visit the site.
– Functionality Cookies: These allow the site to remember information that changes the behaviour or appearance of the site (e.g., preferred language, text and font sizes, location). Blocking these cookies makes the browsing experience less functional but not compromised.
b. Profiling Cookies
Profiling cookies are used to track the User’s navigation on the web, study their movements and web consultation habits, create profiles on their tastes, habits, choices, etc., including consumer preferences. These cookies also allow the transmission of advertising messages to the User’s device in line with the preferences already expressed by the User during online navigation tracked by the cookie sender. For example, this happens when a User, after accessing a service site, becomes the recipient of advertisements for products related to the type of site visited.
c. Third-Party Cookies
Third-party cookies are installed, through the site being visited by the User, by another site (the so-called third party). These cookies can be sent to the User’s browser from third-party companies directly from their sites for their own purposes, possibly including profiling.
d. How to Express or Deny Consent to Cookie Installation
On the Congregation’s website, only technical cookies and third-party tracking cookies are used: for the former, the User’s consent to processing is not required, while for the latter, the obligations of information and consent acquisition lie with the third parties.
Detailed information about the cookies used by the Congregation for presenting the default language can be found on the WPML page about browser cookies stored: https://wpml.org/documentation/support/browser-cookies-stored-wpml/
Without prejudice to any specific information provided to you within this document regarding each processing activity, we inform you that, in compliance with this principle, we will process your Data only for the time necessary to pursue the processing purposes listed in section D of this document, notwithstanding any time periods that may be provided for by relevant sector regulations.
Regarding the Processing activities we carry out based on your consent, please remember that you can always withdraw your consent, requiring us to cease the related Processing activities immediately.
For further information on consent withdrawal, please refer to section D of this document.
Your Personal Data will be processed by the Congregation mainly within the European Economic Area (EEA). Should it be necessary for technical/operational reasons to use the services of third parties located outside the European territory, we inform you now that:
– We have appointed such entities as Data Processors in accordance with Article 28 of the Regulation, and
– The transfer of your Personal Data to these entities will be carried out in strict compliance with the provisions of Articles 44 and following of the Regulation.
This ensures that all necessary measures will be taken to guarantee the utmost protection of your Personal Data, as such transfers will be based on contractual agreements or other appropriate legal bases designed to safeguard your rights and interests. Specifically, transfers will be based on one of the following measures:
– Adequacy decisions of the recipient third countries expressed by the European Commission.
– For transfers to the United States of America, our partner’s adherence to the Standard Contractual Clauses (SCC) issued by the European Commission.
– Appropriate safeguards provided by the recipient third party in accordance with Article 46 of the Regulation.
– Adoption of so-called “binding corporate rules.”
If your Personal Data has been processed outside the European Union, you may request more information from the Data Controller and/or the DPO, asking for evidence of the specific safeguards adopted.