(pursuant to EU Regulation 679/2016 and current national legislation on the protection of personal data)
(ver. 2/08/2022)

Pursuant to EU Regulation 679/2016 (hereinafter referred to as “GDPR”) and to the national legislation in force regarding the protection of personal data, Fondazione Milan ONLUS (hereinafter referred to as “Foundation”), with its registered office in Via Aldo Rossi n. 8, 20149 Milan, Italy, provides you with a series of information regarding the way in which your data, acquired through our website or communicated by other third parties, including Milan Group companies, entities, and associations about auctions and charitable or solidarity initiatives, is “used”.


1. Types of data collected

Common data: personal data processed by the Foundation in the context of navigation on the site following registration, such as, for example, first name, last name, gender, place/country and date of birth, contact language, e-mail address, and password, physical address (domicile and/or residence), photographic images, audio video, provided directly by the user or through third parties, if authorized by the user, through their authentication service (social login, etc.), or additional data (such as tax code, method of payment and amount paid);

Browsing data: information that, acquired by the computer systems and software procedures used to operate the site during their normal operation, is not collected to be associated with identified interested parties, but which could, through processing and association with data held by third parties, allow users to be identified; This category of data includes the IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system. ) and other parameters relating to the user’s operating system and computer environment.


2. Purposes and legal bases of the processing

The data collected are processed by the Foundation as data controller, without your necessary consent, for the following purposes and legal bases

a) fulfillment of contractual obligations or the need to execute your requests such as obligations arising from charitable or solidarity initiatives and auctions organized by entities or associations cooperating with the Foundation, participation in social solidarity campaigns also during crowdfunding activities, management of donations, the sending of the information you requested

b) the fulfillment of legal obligations such as the management of fulfilments deriving from legal obligations and regulations to which the Foundation is subject.

c) the pursuit of legitimate interests of the Foundation such as the need to identify the donor and the defense in legal proceedings and the purpose of statistical analysis for which the personal data collected may be used for analysis in a manner that is not totally automated, resulting in an analysis that does not concern personal data, but only aggregate data, which is not used to support measures or decisions concerning physical persons (e.g. for predictive and behavioral models).

The data collected are processed by the Foundation with your consent for:

d) communications: i.e. sending, by automated contact methods (such as SMS, e-mail, social networks, instant messaging apps, push notifications) and traditional methods (such as telephone calls with the operator and traditional mail), institutional communications, informative material and/or newsletters relating to our activities, as well as surveying the degree of satisfaction of our contacts, conducting surveys and statistical analyses.

3. Processing methods

The data may be processed in the paper, computerized and telematic form and entered into the relevant databasing of the operations of collection, registration, organization, storage, consultation, use, processing, comparison, and any other appropriate operation, including automated operations, in compliance with the provisions of the law necessary to guarantee, among other things, the confidentiality and security of the data as well as their accuracy, updating, and relevance to the stated purposes.


4. Data retention

Data are retained for the time necessary to fulfill the purposes stated above and, in particular

for purposes sub 2, letters a), b) and c), for no longer than 10 years from the end of the specific activity. For any handling of contact requests, until the request is closed. In the case of litigation, for the duration of the litigation itself, until the time limit for appeals has been exhausted. In the case of statistical analysis, the data are kept for 5 years after collection;

for the purpose sub 2, letter d) of communication, the data are kept for 24 months after collection and in any case until consent is revoked.


5. Provision of data

The provision of the data for the purposes sub 2, lett. a), b) and c) are necessary to guarantee the activities and the service requested; any refusal to provide the data or their incompleteness may determine the impossibility of issuing a receipt for the donation made and of carrying out the services in their entirety and the obligations of the law.

The provision of data for the purpose sub 2, letter d) is optional and failure to provide such data will have no consequences except for the impossibility on the part of the Foundation to carry out the communication activities envisaged above.


6. Recipients of data

The data may be communicated to subjects acting as data controllers, including authorities and supervisory and control bodies, lawyers, accountants, auditors, and, in general, subjects, public or private, entitled to request the data.


7. Persons authorized to process data

The data may be processed by the employees of the company functions assigned to the pursuit of the purposes indicated above who have been expressly authorized to process the data and who have received adequate operating instructions.

The data may be processed, on behalf of Fondazione to allow the activities described above, by subjects (including companies of the Milan group), designated as data processors, who provide services to Fondazione itself.


8. Transfer of data

The data may be transferred to subjects in countries outside the EU that ensure an adequate level of data protection. The transfer will be made only based on the adequacy decisions approved by the European Commission or the adoption by the Foundation of the Standard Contractual Clauses prepared by the European Commission.


9. Rights of the Data Subject – Complaint to the Supervisory Authority

By contacting Fondazione Milan by e-mail at, you may:

request confirmation from the data controller as to whether or not data relating to you is being processed and, if so, obtain access to the data relating to you and to the information relating to the processing, such as the purposes, the categories of personal data, the recipients or categories of recipients to whom the data is disclosed, the storage period, the existence of an automated decision-making process and the logics used, as well as the existence of adequate guarantees in the event of data being transferred to a country outside the EU

obtain the updating of the data, their rectification, integration, or deletion, as well as the restriction of their processing;

object in whole or in part: a) on grounds relating to their particular situation, to the processing of data for the Foundation’s legitimate interests; b) to the processing of personal data relating to them for personalized communication and communication carried out by automated contact methods (such as SMS, email, social networks, instant messaging apps, push notifications) and traditional methods (such as telephone calls with the operator and traditional mail)

receive the data in a structured, commonly used, and machine-readable format, as well as, if technically feasible, transmit them to another data controller without hindrance (‘right to data portability)

withdraw the consent given at any time.

You also have the right to complain to the competent supervisory authority.


10. Data Controller, Data Processors, and Data Protection Officer

For all the processing purposes indicated in this information notice, the Data Controller is Fondazione Milan ONLUS with a registered office in Milan, Via Aldo Rossi n. 8 – 20149, whom you can contact for the complete list of data processors.

Furthermore, Fondazione has appointed a Data Protection Officer (DPO), a specialized figure who will supervise the methods adopted by Fondazione to protect your data. To contact the DPO, please write to