Pursuant to articles 13 and 14 of EU REGULATION N. 2016/679 (GDPR)

This information is provided in compliance with the legislation on the protection of natural persons with regard to the processing of personal data pursuant to EU Regulation 2016/679 (GDPR) “General Data Protection Regulation” and intends to inform you about the processing of personal data provided by you and acquired by Still I Rise APS.

The Data Controller is Still I Rise APS, (PI 91015070633), with registered office in Via Adelaide Ristori, n. 44 – 00197 ROME.

1.  DEFINITIONS.

Treatment : means any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, erasure or destruction.

Personal Data : is any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Holder : the entity that determines the purposes and means of processing the interested party’s data. Responsible : is the natural or legal person, public authority, service or other body that processes data on behalf of the Owner.

Interested : donors and/or supporters of Still I Rise activities.

2.  PURPOSE, LEGAL BASIS AND RETENTION PERIODS.

Personal data will be processed for the following purposes indicated together with the legal bases of reference. The data retention terms indicated are intended in addition to the time necessary for the maturation of the limitation periods in relation to the reciprocal rights and the time of conservation of the backups.

• Collect, manage and track donations and other forms of contributions to support the institutional activities of Still I Rise, a legitimate purpose due to the need to execute a contract or a pre-contractual measure, pursuant to 6, par. 1, letter b) GDPR as well as to fulfill legal obligations to which the Data Controller is subject pursuant to art. 6, par. 1, letter c) GDPR. In this case, the data will be retained by the Data Controller for 10 years from the year of the donation or other form of contribution.
• Take charge of and respond to any requests, legitimate purposes due to the need to execute a contract or a pre-

contractual measure, pursuant to art. 6, par. 1, letter b) GDPR. In this case, the data will be retained by the Data Controller for 1 year from the year of the request.

• Detect the level of satisfaction and carry out assistance activities, legitimate purposes based on the need to

execute a contract or a pre-contractual measure, pursuant to art. 6, par. 1, letter b) GDPR.

In this case, the data will be retained by the Data Controller for 10 years from the year of termination of the effects of the last contract.

• Process data for advocacy campaigns necessary to draw up detailed reports on the activities carried out, the

impact of advocacy campaigns and the use of financial resources, in order to ensure transparency, a legitimate purpose based on the legitimate interest of the Data Controller to pursue its institutional purposes, pursuant to art. 6, par. 1, letter f) GDPR as well as, in relation to transparency activities, to fulfill legal obligations to which the Data Controller is subject pursuant to art. 6, par. 1, letter c) GDPR. In this case, the data will be retained by the Data Controller for 1 year from the year in which the material was processed.

• Keep accounting records and manage tax obligations, legitimate purposes due to the need to fulfill the legal

obligations to which the Data Controller is subject pursuant to art. 6, par. 1, letter c) GDPR. In this case, the data will be retained for 10 years from the year of termination of the effects of the last contract.

• Carry out internal management control and plan activities, legitimate purposes based on the legitimate interest of

the Data Controller in carrying out the statutory activity, pursuant to art. 6, par. 1, letter f) GDPR. In this case, the data will be retained for 10 years from the year of competence or from the year of data acquisition.

• Carry out information and promotional activities related to Still I Rise activities (sale of products or services such as initiatives, projects, events) similar to those purchased, requested or participated in, a lawful purpose based on the legitimate interest of the Data Controller in promoting its activities, pursuant to 6, par. 1, letter f) GDPR. In this case, the data will be retained by the Data Controller for 2 years starting from the year of the last interaction.
• Carry out information and promotional activities related to Still I Rise activities (sale of products or services such as initiatives, projects, events) or carry out market analyses and surveys, a lawful purpose based on the consent of the interested party, pursuant to 6, par. 1, letter a) GDPR. In this case, the data will be stored by the Data Controller for up to 2 years starting from the year of the last interaction.

In addition to the above, within the scope of the activities functional to the good management of the organization, your personal data will also be processed by internal or external personnel duly authorized for 1) the management and maintenance of the network and IT systems, when the processing occurs through even partially automated methods (for example when the data passes through the IT systems of Still I Rise), on the basis of the legitimate interest in protecting them and for the obligations inherent to information security, the data are stored in compliance with the security implementations and with what is provided for the main processing of reference among those described above;

2) manage compliance and governance activities, as required by law or on the basis of the legitimate interest of the owner to pursue control and efficiency in the Organization, in accordance with the retention periods provided for the main processing of reference or according to applicable regulations; 3) to prevent and detect abuse and to defend the rights and interests of the Owner, retaining them until the expiration of the limitation periods, except in the event of litigation (in which case, the data will be retained until the definitive cessation of the matter of the dispute), on the basis of the legitimate interest of the Owner to protect its rights and interests.

3.  TYPE OF DATA PROCESSED.

The Data Controller mainly processes the following categories of personal data (hereinafter the “Data”): Personal data, Address data, Contact data, Payment data, Donation data, Tax data, Data relating to identification codes, Data relating to identification/recognition documents, Educational and socio-demographic data, Data relating to work activity, Data relating to other existing and/or past relationships with Still I Rise, Data relating to purchases or use of services, Access and identification data, Data provided voluntarily.

4.  SOURCES OF DATA COLLECTION.

The data is collected by the Owner directly from the interested party, from the subject representing a legal person or communicated by third parties who register the donation or other form of support. These sources are not accessible to the public.

5.  DATA PROVISION

Data whose provision is necessary due to legal or contractual obligations are indicated during the collection phase (e.g. marked with an asterisk). Failure to provide such data could lead to legal or contractual consequences. Failure to provide optional data does not lead to consequences except the impossibility of proceeding with the processing for which the data is requested.

6.  DATA TRANSFER OUTSIDE THE EU.

The servers on which the above Data are stored are located in Italy and within the European Union. In any case, it is understood that the Data Controller, if necessary, will have the right to move the location of the archives and servers to Italy and/or the European Union and/or to countries outside the European Economic Area. In this case, the Data Controller hereby ensures that the aforementioned transfer outside the EU will take place in accordance with the applicable legal provisions, stipulating, if necessary, agreements that guarantee an adequate level of protection and/ or adopting the standard contractual clauses provided by the European Commission.

7.  DATA RECIPIENTS.

The personal data processed will be communicated, where necessary and/or functional to the management of the relationship established and in order to pursue the purposes described above, to the following subjects:

• persons in charge of processing personal data by the Data Controller and regularly appointed pursuant to the

provisions of Articles 29 of the GDPR (such as, for example, employees and collaborators of the association);

• software system manager and other persons duly appointed as data controllers pursuant to the provisions of 28 of the GDPR;
• other subjects to whom it is necessary to communicate the data in accordance with legal obligations, by way of example and not limited to public authorities.

8. RIGHTS OF INTERESTED

The subjects to whom the above-mentioned personal data refer (so-called “interested parties”), have the right to exercise their rights according to the methods and within the limits established by the current legislation on privacy. In relation to the processing of their personal data, the interested party has the right to request from Still I Rise APS:

• theaccess : that is, to confirm whether or not data concerning him or her is being processed, in addition to

obtaining further clarifications regarding the information in this Notice, as well as receiving the data itself, within the limits of what can be considered reasonable according to the common sense of a man of average diligence;

• therectification : the rectification or integration of the data you have provided or in any case in possession of the Data Controller, where they are inaccurate;
• thecancellation : that is, that your data, acquired or processed by Still I Rise APS, be deleted, where they are no

longer necessary for the purposes of the association or where there are no ongoing disputes or controversies; again, in the event of revocation of consent or your opposition to the processing, of unlawful processing, or where there is a legal obligation to delete;

• thelimitation : the limitation of the processing of your personal data when one of the conditions set out in art. 18 of the GDPR occurs; in this case, the data will not be processed, except for storage purposes, without the consent of the interested party, except as explicitly stated in the same article in paragraph 2;
• Theopposition : that is, you may object at any time to the processing of your data based on a legitimate interest of the association, unless there are legitimate reasons for Still I Rise APS to proceed with the processing that prevail over those of the interested party, such as for example the exercise or defense of the rights of the association in court; the opposition of the interested party will always prevail over the legitimate interest of the APS in the processing of your data for promotional purposes;
• theportability : that is, request to receive your data, or to have them transmitted to another owner indicated by the interested party, in a structured, commonly used and machine-readable medium.

Finally, pursuant to art. 7, par. 3, GDPR, the interested party may exercise at any time his right to withdraw consent, without prejudice to the lawfulness of the processing based on the consent previously given.

The interested party also has the right to lodge a complaint with the Supervisory Authority, which in Italy is the Guarantor for the Protection of Personal Data, with headquarters in Piazza Venezia 11, 00187 – Rome – https:// www.garanteprivacy.it/.

9.  HOW TO EXERCISE YOUR RIGHTS.

In order to exercise the rights referred to in the previous point 9, or to report any problems or request clarifications regarding the processing of your personal data, the interested party may forward his/her request by post by writing to the Data Controller, Still I Rise – Via Adelaide Ristori, 44 – 00197 Rome, specifying the subject of the request, or, by email to the following email addresses:[email protected] .

The deadline for responding to the Interested Party is one (1) month, extendable by two (2) months in cases of particular complexity; in these cases, the Data Controller provides at least one interlocutory communication to the interested party within the term of one (1) month. The exercise of the rights is, in principle, free of charge; the Data Controller reserves, however, the right to request a contribution in the event of manifestly unfounded or excessive requests (even repetitive), also in light of the indications that may be provided by the Privacy Guarantor.

10. CHANGES TO THE INFORMATION

Changes to the personal data processing described or the possible entry into force of new legislative and regulatory provisions, national and international, including special legislation on the matter, with regard to third sector entities, could lead to the need to modify the methods and terms described in this Policy. It is therefore possible that this document may undergo changes over time in order to ensure its correct updating.

The date at the bottom will be updated with each change. We recommend that you periodically consult the information on the processing of personal data, also by requesting a copy from the Data Controller.

Rome, 26/11/2024 Still I Rise APS