Privacy Policy

Introduction

This platform has been created as part of the European project "LINKS Horizon 2020" promoted by Save the Children Italia ETS (hereinafter referred to as "SC" or "the Data Controller"), which aims to increase the resilience of minors through the competent and responsible use of digital technologies in order to reduce the risk of disasters and promote a culture of safety. SC is aware of the importance of safeguarding privacy and personal rights and, since the Internet is a potentially critical tool for the circulation of your personal data, it is committed to complying with rules of conduct that, in line with European Regulation 679/2016 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR"), guarantee safe, controlled, and confidential web browsing. This information privacy policy may change over time, depending on additions and amendments to relevant laws and regulations or our institutional decisions. We therefore invite you to consult this section of our website periodically. Basic principles of SC's privacy policy

  • to process (Art. 4, paragraph 2, GDPR: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction") of personal data (Art. 4, paragraph 1, GDPR: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person") exclusively for the purposes and in the manner described in the information to be provided to the user at the time of collection of their personal data or issued during direct contact (via email) with the SC project representatives
  • use data that has been voluntarily provided by the user;
  • use technical cookies to facilitate navigation on the website and analytical cookies for statistical purposes;
  • transmit data to third parties (data processors – Art. 4, paragraph 8, GDPR: "the natural or legal person, public authority, service, or other body that processes personal data on behalf of the data controller") exclusively for purposes instrumental to what is expressly requested and carefully selected and contractually bound by us in advance;
  • communicate the data to third parties for activities related to the use of the website's services or where required by law, regulation, or EU legislation;
  • respond to requests for access to personal data, rectification or erasure of the same, exercise of the right to be forgotten, restriction of processing or the right to object to their processing. Ensure the exercise of the right to data portability and, object to the processing of data, make known the possibility of lodging a complaint with the supervisory authority;
  • ensure the correct and lawful processing of your data, safeguarding your privacy, and apply appropriate security measures to protect the confidentiality, integrity, and availability of the data itself.

    • Types of data - Purposes and methods of data processing - Legal basis for processing - Data collection criteria

    Purpose of processing

    Personal data voluntarily provided by data subjects, minor students, and teachers are processed to respond to requests expressly made by the user through the use of the services made available on the website. Specifically, the personal data collected are processed for the following purposes:

    Section 1 - Contact us

    To request additional information or clarification regarding the resources and content available on the Feel Safe Platform, in order to better understand their use and application. To contact Save the Children Italia to evaluate the implementation of possible collaborations with the school or relevant institution in the planning and implementation of one or more workshops inspired by the Feel Safe platform to be carried out with students and minors involved. Provide feedback on your experience of browsing the site, suggesting any improvements or changes. Section 2 – Tell us about your experience

    Prepare and share with Save the Children feedback on your direct experience of the Feel Safe platform and its resources, sharing any graphic or narrative content resulting from the project activities implemented with minors and also providing general comments evaluating the interest shown by students

    Data processing methods

    1. Personal data is processed by the Data Controller mainly using electronic methods and is stored within its management system. Appropriate security measures are observed to prevent the loss or alteration of data—even accidental—illegal or incorrect use, and unauthorized access.
    2. The newsletter and educational information will be sent by email, using the address provided by the data subject
    3. If the data processed for the purposes referred to in point 3, "Source and purposes of processing," are used for statistical processing, this will be done electronically and will separate the information identifying the data subject from the rest, consisting of anonymous reports; therefore, it will no longer be possible to link the data to the person to whom it refers

    Legal basis for processing

    Depending on the purposes of processing referred to in the section "Source and purposes of processing," the legal bases are as follows:

    1. for the purposes referred to in points 1. and 2., "Purposes of processing," the legal basis is Article 6, paragraph 1, letters a) and b) of the GDPR, since the processing is based on the consent of the minor's parents and the consent of the teacher and based on contractual obligations to which the data subject is party for the purposes of the Project
    2. for the purposes referred to in points 3 and 4, "Source and purposes of processing," the legal basis is "legitimate interest" (Article 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion No. 6 of April 9, 2014, of Working Party 29, paragraph III.3.1.) of Save the Children to assess the popularity of constant updates on educational content aimed at children, parents, and educators and to improve its range of services aimed at these data subjects.

    Data collection criteria

    Users are free to provide personal data to request the service they are interested in and to which they have voluntarily subscribed. The need to request personal data has been considered in compliance with the provisions of Article 25 of the GDPR ("Data protection by design and by default"), which require prior assessment of appropriate technical and organizational measures, such as "pseudonymization" (Article 4, paragraph 5, GDPR: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"), aimed at effectively implementing data protection principles, such as minimization, and integrating the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. In addition, the Data Controller has implemented appropriate technical and organizational measures to ensure that, by default, only personal data necessary for the specific purpose of the processing resulting from the service to which the user has voluntarily subscribed is processed. Criteria used to define the data retention limit

    The data will be kept in our archives (Article 4, paragraph 6, GDPR: "any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or distributed in a functional or geographical manner") according to criteria that vary depending on the category of data, the nature of the processing, and the purposes of the processing itself. The criteria or precise storage limit are described in the information to be provided pursuant to Art. 13, GDPR when personal data is provided. Depending on the purposes of data processing, the storage period determined by the Data Controller is as follows:

    1. for the purposes referred to in point 1 of the "Purposes of processing," the data will be retained for as long as the user remains subscribed to the newsletter service and will be deleted when the data subject exercises their right to object, through the procedure presented in the body of each newsletter or the methods referred to in the paragraph "Rights of data subjects with regard to data concerning them."
    2. For the purposes referred to in point 2. "Purposes of processing," the data will be stored for as long as the user is interested in receiving communications on educational content offered by SC or third parties and will be deleted when the data subject exercises their right to object, using the methods described in the paragraph "Rights of data subjects with regard to data concerning them."
    3. For the purposes referred to in point 3, "Purposes of processing," personal data will be stored in our archives for the period necessary for their transformation into anonymous form. After this period, the identification data will no longer be identifiable and will not be traceable to the person and, therefore, will no longer be subject to the provisions of the GDPR
    4. For the purposes referred to in point 4, "Source and purposes of processing," the data is stored in our archives for the period necessary to carry out the individual stages of any legal proceedings or disputes that may arise until their conclusion, therefore, within a reasonable time frame as indicated by the competent bodies.

    Once the above periods have elapsed, the identification data is anonymized and used only for statistical reports that do not allow the identity of the person to be traced but are useful for adapting SC's services in general and refining its educational projects. Personal data (identifying the person) will therefore be destroyed, unless otherwise required by supervisory authorities, law enforcement agencies, and the judiciary

    Place of data processing Place of data processing

    The processing operations connected to the web services of this site take place at the SC headquarters and are carried out by personnel authorized to do so. Personal data may be processed by personnel of third-party companies that maintain the technological part of the site (data processors pursuant to Art. 28, GDPR or independent data controllers) at their own premises transfer of personal data to third countries or international organizations Although the processing of personal data normally takes place on servers owned by the Data Controller and/or third-party companies appointed and duly designated as data processors, located within the European Union, where necessary, SC shall have the right to transfer the processing to countries outside the EU. In this case, the Data Controller hereby guarantees that the transfer of data will take place in accordance with the applicable legal provisions, stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses prescribed by the European Commission's decision of February 5, 2010 (Articles 45, 46, 47, and 49, GDPR).

    Data Controller

    Save the Children Italia Onlus – Piazza San Francesco di Paola 9, 00184 Rome (RM), Tax ID 97227450158 - VAT number 07354071008 is the data controller (Article 4, paragraph 7, GDPR: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"), pursuant to and for the purposes of the GDPR, as it decides how and for what reasons, communicated in the information to be provided to data subjects, to collect and use the personal data provided by the user, as well as with what tools to process it and what security procedures to activate to ensure its integrity, confidentiality, and availability, subject to the obligations and responsibilities provided for in Art. 24, GDPR

    Data Protection Officer

    The Data Protection Officer of the Data Controller can be contacted at italy.dpo@savethechildren.org for information on the processing of personal data carried out on this website and, in general, for all processing carried out by the Data Controller

    Data processors and persons authorized to process data, independent data controllers

    • Your personal data may be processed, either manually or electronically or telematically, either directly by SC or by third parties who, equipped with experience, technical skills, professionalism, and reliability, carry out processing operations on our behalf, in compliance with the security and confidentiality of the information and under our constant supervision. The data processor is "the natural or legal person, public authority, service, or other body that processes personal data on behalf of the data controller" (Art. 4, paragraph 8, GDPR) and is contractually bound by SC, with a definition of the limits of data processing, the data that may be processed and the categories of data subjects to whom they refer, the nature and purpose of the processing, the limits of data storage, the obligations and rights that the Data Controller has towards the processor, and with the prohibition to use the data for purposes other than those for which it was entrusted. If formally authorized, in a general or specific manner, by SC, the processor may use other processors, who are contractually bound by the initial processor directly appointed by us: any violations committed by such other processors fall under the responsibility of the initial processor and not of SC. The complete and updated list of data processors (and, where applicable, processors appointed by the initial processor, subject to our authorization) can be requested at informativa.programmi@savethechildren.org (alternatively, by writing to Save the Children Italia Onlus – Piazza San Francesco di Paola 9, 00184 Rome (RM))
    • The personal data collected will be made available to persons authorized pursuant to Article 29 of the GDPR who carry out processing activities that are essential for the pursuit of the above-mentioned purposes. In general, these are persons responsible for organizing educational and awareness-raising projects instrumental to the cultural and socio-relational growth of young people, information services, and data security
    • At present, there are no plans to involve independent data controllers.

    Scope of communication and dissemination of data

    The personal data of data subjects may be disclosed to third parties for various purposes. For the sake of clarity, the various cases involving the disclosure of data to third parties are listed below.

    1. The data may be disclosed to supervisory bodies, police forces, and the judiciary in order to assert or defend a right of the Data Controller or a third party in court. Such disclosure is permitted without the consent of the data subject pursuant to Article 6, paragraph 1, letter f) of the GDPR, i.e. by virtue of the legitimate interest of the Data Controller or a third party in safeguarding their fundamental rights and freedoms, provided that those of the data subject do not prevail.
    2. Personal data is not and will not be disclosed.

    Rights of data subjects with regard to their data

    You have the right to delete, modify, or supplement data that you have already provided voluntarily, as well as to request that it be blocked, transformed into anonymous form, or to object to its processing for legitimate reasons, as well as to limit its processing and exercise your right to data portability.

    By exercising these rights, you will be able to control the use of your data even after it has been provided. To be precise, you can exercise these rights at any time by sending an email to informativa.programmi@savethechildren.org (alternatively, by writing to Save the Children Italia Onlus – Piazza San Francesco di Paola 9, 00184 Rome (RM)). In particular, you can exercise the rights under Articles 15-22 of the GDPR, as set out below:

    Right of access (Article 15, GDPR)

    The individual has the right to request whether their personal data is being processed and, therefore, has the right to access information concerning them and to receive information on:

    1. the purposes of the processing (e.g., sending documentation or reporting educational documentation);
    2. the categories of personal data (e.g., personal and contact details)
    3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients in third countries or international organizations;
    4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    5. the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. if the data are not collected directly from the individual, all available information on their origin;
    8. the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and expected consequences of such processing for the individual.

    Right to rectification (Article 16, GDPR)

    The person has the right to obtain the rectification of inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the person has the right to obtain the completion of incomplete personal data, including by providing a supplementary statement.

    Right to erasure ("right to be forgotten") (Article 17, GDPR)

    The data subject has the right to obtain the erasure of personal data concerning him or her. The controller has the obligation to erase personal data without undue delay for one of the following reasons:

    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    2. the consent on which the processing is based has been withdrawn and there is no other legal basis for the processing (e.g., legitimate interest, contractual obligations);
    3. the processing is opposed for marketing and profiling purposes and there is no overriding legitimate reason to proceed with the processing; the personal data has been processed unlawfully;
    4. the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which you are subject.

    Right to restriction of processing (Article 18, GDPR)

    The data subject has the right to obtain restriction of processing of their personal data where one of the following grounds applies:

    1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    2. processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
    3. although the data are no longer needed for the purposes of the processing, they are required by the individual for the establishment, exercise, or defense of legal claims;
    4. the person has objected to the processing if the processing is based on their legitimate interests, pending verification of whether their legitimate reasons prevail over those of the person.
    Notification obligation in case of rectification or erasure of personal data or restriction of processing (Article 19, GDPR)

    The individual has the right to request that SC notify other parties to whom the data may have been disclosed of any rectification or erasure of the data or restriction of processing. SC may not comply with the request if the means to be employed are disproportionate to the right to privacy invoked by the individual.

    Right to data portability (Article 20, GDPR)

    This right allows the person to receive, in a structured, commonly used and machine-readable format, personal data concerning him or her that he or she has provided to a data controller, and has the right to transmit those data to another controller for the use of the latter without hindrance from the controller to which the personal data have been provided. This right may be exercised in the following cases:

    1. the processing is based on consent or on a contract or on pre-contractual measures requested by the person themselves and, at the same time
    2. the processing is carried out by automated means.

    The person has the right to have their data transferred directly from one entity to another (from the one to which they provided it to the one to which they want it transferred), if technically possible.

    Right to object (Article 21, GDPR)

    The individual has the right to object to the processing of their data, provided that the interests or fundamental rights and freedoms of the individual requiring the protection of personal data do not prevail, including for profiling purposes.

    Automated decision-making relating to individuals, including profiling (Article 22, GDPR)

    The individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. In particular, they have the right to object to profiling to which they are subject through automated processes.

    This right cannot be exercised if the decision:

    1. is necessary for the conclusion or performance of a contract;
    2. is authorized by Union or Member State law to which the controller is subject, which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests;
    3. is based on the data subject's explicit consent.

    The individual has the right to express their opinion and to contest the decision of the Data Controller. For the purposes of this website, SC does not carry out any profiling activities.

    Response times

    As established by the GDPR, the Data Controller will respond within one month of the request, unless complex procedures must be implemented (or there are numerous requests) that do not allow this time frame to be met. A further deferral of two months from the request is permitted, but notification must still be given within one month of the original request (Art. 12, paragraph 3, GDPR).

    Complaint to the Supervisory Authority

    The data subject has the right to contact the Supervisory Authority to assert their rights. For Italy, this is the Garante per la Protezione dei Dati Personali (Personal Data Protection Authority), located at Piazza Venezia 11, 00187 Rome (RM) – www.garanteprivacy.it, to which the complaint can be sent to protocollo@pec.gpdp.it, using the form available at https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524&zx=e0yn0riezmmw.

    What are cookies and how are they used by SC

    Cookies are pieces of information saved on your PC's hard drive that are sent by your browser to a web server and refer to your use of the internet. As a result, they allow us to know the services, sites visited, and options that have been expressed while browsing the web. This information is not provided spontaneously and directly, but leaves a trace. The data collected through cookies will be used for technical purposes, in order to ensure easier, more immediate, and faster access to the site and its services, as well as easier navigation for the individual user. With the user's consent, profiling cookies may also be used to create user profiles based on the sections of the site or the actions performed by the user on this site or while browsing the web. The use of so-called session cookies (which are not permanently stored on the user's computer and are automatically deleted when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to enable the safe and efficient exploration of the site. The so-called session cookies used on this site avoid the use of other technologies that could compromise the privacy of users' browsing and do not allow the acquisition of personal identification data. Conversely, profiling cookies allow us to learn about the user's web browsing habits and detect their interests, expressed needs, and preferences, and then allow us to create advertising campaigns or create profiles to better target promotional, institutional, and commercial communications in a personalized way. In any case, you can configure your browser so that you are notified when a cookie is received and then decide whether to accept it. To learn about our cookie policy and third-party cookie policies, please read the detailed information by clicking HERE.

    Browsing data

    During normal operation, the IT systems and software procedures used to operate this website acquire some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified users, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users connecting to the site, URI (Uniform Resource Identifier) addresses of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, or similar) and other parameters relating to the user's operating system and IT environment. This data is used only to obtain anonymous statistical information on the use of the site and to check its correct functioning and is deleted immediately after processing. The data could be used to ascertain responsibility in the event of hypothetical computer crimes against the site.

    The security of your personal data

    SC adopts appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness, and availability of your personal data. As established by the regulations governing the security of personal data, technical, logistical, and organizational measures are put in place to prevent damage, loss, even accidental, alteration, misuse, and unauthorized use of your data.

    In particular, SC has implemented, also with the help of third-party structures, technical and organizational measures aimed at ensuring a level of security appropriate to the risk that could affect the rights and freedoms of individuals, including the confidentiality and privacy of information concerning them. It adopts security criteria that include, among others:

    1. "pseudonymization" (Art. 4, paragraph 5, GDPR: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person") and/or data encryption
    2. systems that permanently safeguard the confidentiality, integrity, availability, and resilience of processing systems and services
    3. systems designed to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
    4. procedures to regularly test, verify, and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

    Similar preventive security measures are adopted by third parties (processors) to whom the Data Controller has entrusted the processing of your data on its behalf. On the other hand, the Data Controller is not responsible for any untrue information sent directly by the user, or for information concerning the user (or third parties) that has been provided by a third party, even fraudulently.