Privacy Policy Page 1 of 4 Alumni Farnesina – Privacy Policy (GDPR (EU) 2016/679, art. 13) This privacy policy provides to users of the platform Alumni Farnesina (hereafter, the “Platform”) the information on personal data processing required by art. 13 of the EU General Regulation on Personal Data (GDPR) 2016/679. The users are the natural persons, which have subscribed on the Platform and as such have a user account (hereafter, the “User” or “Users”). The Platform is available at the following URL address [www.alumnifarnesina.it]. The applicable Data Protection Law is the GDPR and the Italian implementing Regulation (D.lgs. 196/2003 e ss.mm.ii.). 1. COLLECTED PERSONAL DATA 1.1. Account creation When subscribing to the Platform, the following User’s personal data are collected: Mandatory data: - First name; - Last name; - Citizenship; - Residence address; - Email address; - Information regarding university education Optional data: - Information regarding professional experience and Resume. It is not possible to access the Platform without providing the mandatory data, which are necessary to create an account and authenticate the User. 3.2. Use of the Platform The User may validly publish, at their own initiative, any content on the Platform: - Posts; - Pictures; - Videos; - Events. The User is aware that when using the Platform, he/she may decide to provide ‘sensitive data’ within the meaning of Data Protection Law, for example, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, concerning sexual orientation, etc. By providing such sensitive data, the User agrees to their processing by the Platform in the conditions set forth in this Privacy Policy. 3.3. Cookies The Platform is provided with tracking technology such as cookies. The cookie policy is available at the following link: https://drive.google.com/file/d/15TGUGpLckG24-2lnEinYIaR-NSuMw4J8/view. 2. PURPOSES OF DATA PROCESSING Personal data are only processed for the following purposes: - Creation and management of a User account - Providing the User with all functionalities of the Platform, meaning: o Sending invitations for events organized by a Data Controller or other Users, if the User has accepted to receive such invitations Privacy Policy Page 2 of 4 o Sending offers of opportunities from a Data Controller or its partners if the User has accepted to receive such offers o Invite the User to events organized by the Platform - Management of prospection operations: o Sending email prospect campaigns in the name of a Data Controller and/or its partners o Sending newsletters in the name of a Data Controller and/or its partners - Making statistics in order to: o improve the quality of the services proposed by the Platform o improve the usage functionalities of the Platform o assess the effective use of the Platform o assess the different levels of activity on the Platform - Enable the synchronization of the User’s LinkedIn profile - Management of Users’ rights - Storage of Users’ personal data. 3. LEGAL BASIS OF DATA PROCESSING The processing of the provided data is based on the consent of the User, who has the right, at any moment, to withdraw the consent and to cancel the subscription to the Platform. 4. PROCESSING METHODS Data processing is carried out through manual and automated procedures. Only especially authorized and trained persons can access personal data. The Joint Data Controllers and the Data Processors make their best effort to ensure that the number of these persons remains as low as possible and that they are committed to respecting the confidentiality and security of Users’ personal data. The Platform uses a solution called “Hivebrite”, which enables the import and export of Users’ lists and data, the management of content and events, the organization of emailing campaigns, the opportunity research and sharing as well as the management of funds and contributions of any kind. 5. DATA COMMUNICATION TO THIRD PARTIES The Joint Data Controllers may disclose the Users’ personal data to a third party if required by law or if it necessary to enforce or apply the terms of use of the Platform or any other conditions the User has accepted or to protect their rights, safety or property and those of their employees. 6. DATA RETENTION PERIOD Users’ data are retained only during the length of the Users’ subscription on the Platform. Following the termination of said subscription, the data collected upon the subscription as well as the content published by the Users on the Platform will be deleted within 90 days. 7. DATA TRANSFERS TO THIRD COUNTRIES The Users’ data are processed in the European Economic Area (EEA) by the Joint Data Controllers and some of the Data Processors. However, depending on the processing, the Users’ data may be transferred to Data Processors, listed under point 12, operating in a country outside the EEA. When transferring data outside the EEA, the Joint Data Controllers ensure that this takes place in compliance with the applicable Data Protection Law. When the receiving country does not provide, according to the EU Commission, a personal data protection comparable to that of the EU, the Joint Data Controllers use appropriate organizational and technical safeguards as well as the standard data protection clauses adopted by the EU Commission. Privacy Policy Page 3 of 4 8. COMMITMENT OF THE JOINT DATA CONTROLLERS The Joint Data Controllers commit to process Users’ personal data in compliance the applicable Data Protection Law and undertake to, notably, respect the following principles: - Process Users’ personal data lawfully, fairly, and in a transparent manner; - Process the Users’ data only for the purposes described under point 4 of the present privacy policy; - Ensure that the personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; - Do the best efforts to ensure that the personal data processed are accurate, kept up to date and, if inaccurate, erased or rectified without delay; - Keep User’s personal data for no longer than necessary provided the purposes for which they are processed; - Put in place all appropriate technical and organizational measures in order to ensure the security, confidentiality, integrity, availability and the resilience of the process systems and services; - Limit the access to the Users’ data to the persons duly authorized to this effect; - Guarantee to the Users their rights under the Data Protection Law in relation to the processing of their data. 9. USERS’ RIGHTS The Users have the following rights: to access, to rectification, to erasure, to restriction of processing, to data portability and to object. When processing is based on Users’ consent, the Users dispose the right to withdraw their consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal. The Users can exercise their rights, provided that they prove their identity, by sending an email to one of the Data Controllers listed under point 1 and by notifying the appropriate DPO. In addition, in the event the Users considers that their rights have not been respected, they can lodge a complaint before the appropriate DPO. If the Users are not satisfied with the response, they can submit a complaint to the Italian Supervisory Authority on data protection (Garante per la Protezione dei Dati Personali): Piazza Venezia 11, 00187 Roma; phone number 0039 06 696771 (switchboard); e-mail: [email protected]; certified e-mail: [email protected]. 10. DATA PROCESSORS The Joint Data Controllers use Data Processors to carry out a set of operations on their behalf for hosting the data and for managing specific tools integrated in the Platform. The Joint Data Controllers only provide Data Processors with the information they need to perform the service and ask them not to process the Users’ personal data for any other purpose. The Joint Data Controllers do their best to ensure that the selected Data Processors only process the personal data on their documented instructions and provide adequate evidences of the implementation of the technical and organizational measures which will meet the requirements of the applicable Data Protection Law, in particular in terms of confidentiality, security, expert knowledge, reliability and resources. Privacy Policy Page 4 of 4 List of the current Data Processors: Service Provider Service You can consult the privacy policy by clicking on the following link: KIT UNITED 44 rue la fayette 75009 Paris France HIVEBRITE solution https://hivebrite.com/privacypolicy Google Cloud Platform Gordon House, 4 Barrow St, Dublin, Ireland Hosting of all data and content produced / provided by the User, as well as images, profile pictures and backups https://cloud.google.com/secur ity/privacy/ Amazon AWS 38 avenue John F. Kennedy, L-1855, Luxembourg https://aws.amazon.com/compl iance/gdpr-center/ Sentry 132 Hawthorne Street San Francisco, CA 94107 USA Production and storage of error logs enabling our developers to correct the code https://sentry.io/privacy/ Sendgrid 375 Beale Street, Suite 300, San Francisco, CA 94105 Sending of emails from the Platform https://api.sendgrid.com/privac y.html Hivebrite, Inc. 16 Nassau St, New York, NY 10038, USA Customer support for the Platform https://hivebrite.com/privacypolicy Date of last update: 08/11/2022.