Privacy Policy

 Excerpt of “Privacy Policy for the Processing of Personal Data – Effective as of July 15, 2019”

Introduction
AMREF HEALTH AFRICA Foundation ONLUS (hereinafter referred to as “AMREF”), headquartered at Via Aniene 30 – 00198 Rome, Italy, and reachable at the following email address: privacy@amref.it, as data controller, will process the personal data of users (hereinafter the “Users”) collected through the websites: (i) www.amref.it; (ii) occasionidelcuore.amref.it (collectively referred to as the “Websites”) in accordance with this privacy policy.

Implementation of the policy on the website sublime-sdgs.eu

The same policy, only where applicable in accordance with the browsing methods and interaction with the website, regulates the processing of users’ personal data collected through the website sublime-sdgs.eu.

1 – What categories of personal data does AMREF collect?

AMREF collects the following categories of personal data from Users:

  1. personal identification and contact details provided by Users upon registration on the Websites (not applicable on the website sublime-sdgs.eu);
  2. data related to donations, purchases, or adoptions made through the Websites (not applicable on the website sublime-sdgs.eu);
  3. data provided when requesting information or assistance;
  4. browsing data related to the use of services offered through the Websites, collected via cookies in accordance with the cookie policy (hereinafter collectively referred to as “Personal Data”). The types of cookies used can be viewed at this link.

2 – For what purposes are the data processed?

AMREF processes Users’ personal data for the following purposes:

  1. to enable the User to register on the Websites by creating a personal account and to access the services and functionalities, including customer support (not applicable on the website sublime-sdgs.eu);
  2. to allow the User to make donations, purchases, adoptions, or participate in other AMREF charitable activities and initiatives (not applicable on the website sublime-sdgs.eu);
  3. to comply with applicable national and European legislation and/or respond to requests from public authorities;
    (jointly referred to as “Contractual Purposes”);
  4. to perform activities related to company or branch transfers, mergers, acquisitions, spin-offs, or other business transformations and the execution of such transactions (“Legitimate Business Interest Purposes”). (Not applicable on the website sublime-sdgs.eu);
  5. to send the User, pursuant to Article 130 of Legislative Decree No. 196/2003 (the “Privacy Code”), email communications regarding services similar to those already provided by AMREF, with the option to opt out at any time (not applicable on the website sublime-sdgs.eu);
  6. with the User’s prior consent, to send communications via traditional and remote means, including SMS, MMS, social networks, instant messaging, WhatsApp, mobile apps, banners, fax, mail, and phone, for the promotion of AMREF activities and initiatives (not applicable on the website sublime-sdgs.eu);
  7. with the User’s prior consent, to carry out profiling activities aimed at customizing fundraising and informational communications based on the User’s past donation preferences (“Marketing Purposes”). (Not applicable on the website sublime-sdgs.eu);

3 – What are the legal bases for processing?

Processing of Personal Data for Contractual Purposes is necessary to:

  • Provide the services requested by the User as described in Section 2, points a) and b) (not applicable on the website sublime-sdgs.eu);
  • Comply with legal obligations as per Section 2, point c).

If the User does not provide the personal data necessary for the Contractual Purposes, the requested services via the Websites cannot be delivered.

4 – How are the data processed?

Users’ Personal Data are processed using electronic and/or paper-based tools and protected by appropriate security measures to ensure their confidentiality and integrity. AMREF implements organizational and technical measures to safeguard the data against loss, theft, unauthorized use, disclosure, or alteration.

5 – Who has access to Users’ personal data?

For the Contractual Purposes, Users’ personal data may be disclosed to the following categories of recipients, both inside and, where permitted, outside the EU:

  1. third-party service providers offering technical, administrative, legal, or IT assistance to AMREF;
  2. postal services/shippers/couriers for delivering purchased products or materials (not applicable on the website sublime-sdgs.eu);
  3. entities and authorities entitled by law or regulation to access such data.

A full list of data processors is available upon request as indicated in this policy.

6 – Are personal data transferred abroad?

Users’ Personal Data may be transferred within the EU and, where necessary, outside the EU.
Any such transfer will comply with applicable legal safeguards, particularly Articles 45 and 46 of the GDPR.
Users may request copies of their data stored abroad, information on storage locations, and the security measures in place by contacting the data controller as specified in Section 9.

7 – How long are the data retained?

Personal Data will be stored only as long as necessary for the purposes for which they were collected:

  1. For Contractual Purposes, data will be retained for the duration of the contract and for 10 years thereafter, unless required for legal claims or regulatory obligations;
  2. For Marketing Purposes, data will be stored for 24 months after collection. Data used for profiling will be stored for 12 months after collection. After these periods, data may be deleted, anonymized, or aggregated (not applicable on the website sublime-sdgs.eu).

8 – What are Users’ rights regarding their personal data?

Users may exercise the following rights at any time, free of charge:

  1. request confirmation of the existence of their data and access content, source, and accuracy;
  2. request deletion, anonymization, or blocking of data processed unlawfully;
  3. object to processing for legitimate reasons;
  4. withdraw consent at any time without affecting prior lawful processing.

Additionally, Users may:

  1. request processing limitation under specific conditions;
  2. object to data processing;
  3. request deletion without undue delay;
  4. obtain data portability;
  5. file a complaint with the relevant supervisory authority.

According to Article 2-terdecies of the Privacy Code, in case of a User’s death, these rights may be exercised by an interested party or for family-related reasons, unless expressly denied in writing by the User.

9 – Data Protection Officer Contact

AMREF’s Data Protection Officer (DPO), appointed under Article 37 of the GDPR, may be contacted at: dpo@amref.it.

10 – Contact

For any questions about this privacy policy or to exercise your rights, please contact the data controller at: privacy@amref.it.

11 – Changes and Updates

This policy is effective as of the date indicated above. AMREF may update or amend this policy in light of regulatory changes. Users will be notified of any updates, and the current version will always be available on the Websites.