Privacy

pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR)

1. Data Controller

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter “GDPR”), FONDAZIONE ROMUALDO DEL BIANCO – LIFE BEYOND TOURISM (hereinafter the “Foundation” or “FRDB-LBT”), with registered office in Florence, Via del Giglio no. 10, 50123, fiscal code 94072060489, in its capacity as Data Controller, informs you that personal data will be processed in accordance with the principles of lawfulness, fairness and transparency, and in full compliance with applicable data protection legislation.

The Foundation ensures the protection of the rights and fundamental freedoms of natural persons, with particular regard to confidentiality, personal identity and data security.

2. Categories of data processed

The Foundation may process the following categories of personal data:

• identification and contact data (such as name, surname, email address, telephone number);
• data relating to participation in events, initiatives, projects or activities promoted by the Foundation;
• data provided voluntarily through forms, registrations, requests for information or communications;
• data relating to memberships, collaborations, partnerships or institutional relationships.

No special categories of personal data are processed unless explicitly required and lawfully justified.

3. Data relating to third parties

The processing of personal data relating to third parties communicated to the Foundation by users, participants, members, partners or collaborators may also occur.

In such cases, the person providing the data acts as an independent data controller or is otherwise responsible for ensuring that the Data Subjects concerned have been duly informed in accordance with applicable data protection legislation and that the data is lawfully communicated to the Foundation.

The person providing such data undertakes to hold the Foundation harmless from any dispute, claim and/or request for compensation arising from unlawful processing.

 

4. Purposes of processing

Personal data is collected and processed by the Foundation for the following purposes:

1. a) pursuit of the institutional, statutory and non-profit purposes of the Foundation, including the planning, organization, management and promotion of cultural, educational, scientific and social initiatives, projects and events;
2. b) management of relationships with members, participants, partners, collaborators, institutions and stakeholders, including registrations, participation requests, communications and organizational activities;
3. c) fulfillment of legal, regulatory and administrative obligations to which the Foundation is subject, including accounting, reporting and organizational obligations related to its non-profit activities;
4. d) sending newsletters and institutional communications relating to the Foundation’s activities, initiatives and events, through electronic means, subject to the Data Subject’s consent where required;
5. e) communication of data to third parties strictly connected to the Foundation’s activities (such as technical, organizational or communication service providers), exclusively for purposes consistent with the Foundation’s institutional mission.

5. Legal basis of processing

The legal bases for processing personal data for purposes a), b) and c) are:

• Article 6(1)(b) GDPR, as processing is necessary for activities related to participation in the Foundation’s initiatives;
• Article 6(1)(c) GDPR, as processing is necessary to comply with legal obligations.

The provision of personal data for these purposes is voluntary; however, failure to provide such data may prevent the Foundation from carrying out certain activities or responding to requests.

The legal basis for processing personal data for purposes d) and e) is Article 6(1)(a) GDPR, as processing is based on the Data Subject’s consent.

Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

All communications sent by the Foundation are consistent with its ethical, cultural and non-profit principles.

 

6. Methods of processing and security measures

Personal data is processed using manual, digital and telematic tools, in accordance with Article 5 of the GDPR, adopting appropriate technical and organizational security measures to ensure confidentiality, integrity and availability of data and to prevent unauthorized access, loss or misuse.

Processing is strictly limited to the purposes for which the data is collected.

7. Communication of data

Personal data may be communicated to third parties appointed as Data Processors pursuant to Article 28 of the GDPR, including service providers necessary for the organization and management of the Foundation’s activities (such as IT service providers, communication platforms, event organization services or professional consultants).

All persons authorized to process personal data under the authority of the Foundation act in accordance with Article 29 of the GDPR and receive appropriate instructions, particularly regarding confidentiality and security.

Personal data will not be disseminated.

The Foundation remains obliged to communicate data to Public Authorities where required by law or upon legitimate request.

8. Data breach notification

In accordance with Article 33 of the GDPR, any person who becomes aware of events or circumstances that may give rise to a potential personal data breach is invited to promptly inform the Foundation, in order to allow an immediate assessment and the adoption of appropriate remedial measures.

Notifications may be sent to the contact details provided below.

9. Transfer of personal data outside the European Union

Personal data may be transferred outside the European Economic Area (EEA) where necessary for the management of the Foundation’s institutional activities, including international cooperation projects.

In such cases, the Foundation ensures an adequate level of data protection, in compliance with Chapter V of the GDPR, through:

• adequacy decisions of the European Commission (Article 45 GDPR);
• standard contractual clauses adopted by the European Commission (Article 46 GDPR);
• other appropriate safeguards provided by applicable law.

Transfers are limited to data strictly necessary for the stated purposes.

10. Data retention period

Personal data will be retained for the period strictly necessary to:

• pursue the Foundation’s institutional purposes;
• comply with legal, administrative and reporting obligations;
• protect or defend the Foundation’s rights.

Once these purposes have been fulfilled, data will be deleted or anonymized in accordance with applicable law.

11. Rights of the Data Subject

In accordance with the GDPR, Data Subjects have the right to:

• obtain confirmation as to whether personal data concerning them is being processed;
• access their personal data and receive a copy;
• request rectification or erasure where applicable;
• request restriction of processing (Article 18 GDPR);
• exercise the right to data portability (Article 20 GDPR);
• object to processing based on legitimate interest (Article 21 GDPR);
• not be subject to automated decision-making as provided for in Article 22 GDPR.

Data Subjects also have the right to lodge a complaint with the competent Supervisory Authority pursuant to Article 77 of the GDPR.

Requests may be addressed to:
secretarygeneral@fondazione-delbianco.org

12. Contact details of the Data Controller

The Data Controller is:
FONDAZIONE ROMUALDO DEL BIANCO – LIFE BEYOND TOURISM
Via del Giglio no. 10, 50123 – Florence (Italy)

 

Fondazione Romualdo Del Bianco – Life Beyond Tourism
Florence, 21 January 2026