UkraineHelp is a project promoted by ActionAid International Italia Onlus (hereinafter referred to as “ACTIONAID”) carried out by a team of volunteers and supported by ActionAid staff and volunteers. UkraineHelp does not constitute a newspaper and is not an editorial product, it is not periodical and is updated according to the totally discretionary choices of the staff and volunteers involved, with the aim to collect and disseminate useful information and services to support the Ukraine emergency. ActionAid is aware of the importance of safeguarding personal data and is attentive to people’s rights and, since the Internet is a potentially risky tool for the circulation of personal data, it wanted to make a serious commitment to abide to rules of conduct - in line with the European Regulation 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”) - that guarantee a safe, controlled and confidential navigation on the network.
With the exception of user-submitted material, the contents of the site - script code, graphics, text, tables, images, videos, and any other information available in any form - are protected under copyright law (Law No. 633/1941 as amended). Unless otherwise indicated, permission is granted to copy and distribute the content published by UkraineHelp under the terms of the CC-BY 3.0 license.
In no case ActionAid will be liable for any damages whatsoever caused directly or indirectly by access to the site, inability or impossibility of accessing it, or use of the information contained therein. ActionAid has no responsibility for the sites that can be accessed via links within the UkraineHelp site; in particular, ActionAid is not responsible for the information obtained by users through access to sites reached via hyperlinks. The publication of content and comments sent by users will take place only for those resources (photos, videos and testimonials) that do not contain recognizable subjects - and therefore do not require a release for their use - and in any case always after unquestionable evaluation of the staff. The user, by submitting content to the staff (via social channels or via email), grants ActionAid a free, irrevocable and universal license to use, reproduce, modify, publish, comment, translate, distribute, perform, and display such content individually or as part of other works in any form, media, communication vehicle, technology whether it is currently known or developed in the future, including the right to sublicense these rights to any person. By submitting any material to the staff, you warrant that you have the right to do so without infringing the rights of any third party. The staff of UkraineHelp will not publish offensive content and comments, comments that violate the laws in force or contain advertising messages. The staff also undertakes to remove as quickly as possible the content deemed unlawful in its sole discretion, following the report of users or, however, declared as such by order of the Judicial Authority. ActionAid reserves the right to modify the contents of the site and the legal notes without notice.
Perform processing (art. 4, paragraph 2, GDPR: “any operation or set of operations, carried out with or without the help of automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction”) of personal data (art. 4, paragraph 1, GDPR: “any information concerning an identified or identifiable natural person (“data subject”); is considered identifiable the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as name, an identification number, location data, an online identifier or one or more characteristic elements of his physical, physiological, genetic, psychic, economic, cultural or social identity”) exclusively for the purposes and in the manner described in the information to be provided that is presented to the user each time he accesses a section of the site in which the provision, direct or indirect, of personal data is expected;
use data that have been spontaneously released by the user;
use technical cookies to facilitate navigation in the site and analytical cookies for statistical purposes;
transmit the data to third parties (data controllers - art. 4, paragraph 8, GDPR: “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller”) exclusively for purposes instrumental to what has been expressly requested and carefully selected by us;
to communicate the data to third parties for activities related to what is of interest or where this is required by law, regulation or Community legislation;
where appropriate and subject to express consent (art. 4, paragraph 11, GDPR: “any manifestation of free, specific, informed and unambiguous will of the person concerned, by which the same expresses its consent, by means of a statement or unambiguous positive action, that personal data concerning him are processed”), communicate the data to third parties for their own processing;
respond to requests for access to personal data, rectification or cancellation of the same, the limitation of processing or the right to object to their processing. Ensure the exercise of the right to data portability, as well as, object to the processing of data for purposes of information communications on our initiatives, our projects and requests for financial contributions to support our institutional activities, surveys and research, make known the possibility of filing a complaint to the supervisory authority;
- to ensure the correct and lawful processing of your data, safeguarding your confidentiality, as well as applying appropriate security measures to protect the confidentiality, integrity and availability of the data. Purposes of data processing and methods of processing - legal basis of processing - data collection criteria Purposes of data processing As explained in more detail in the sections that allow you to join - by releasing your personal data - the services reserved for users, the data requested are used to respond to requests expressly made by the user. In particular, all the activities of collection - and subsequent processing - of data are aimed at the management of the reports that users make through the site and to pursue the institutional purposes of ACTIONAID and, in particular to:
- manage the report in all its phases, as expressly requested by the person concerned
- disseminate images - if any - in order to spread our initiatives and to make known the institutional activities of ACTIONAID
- to elaborate statistics on the use of the reporting service and on the reports.
Personal data are processed by the Owner with mainly electronic methods and are stored in its archives. Suitable security measures are observed to prevent loss or alteration of data - even accidental - illicit or incorrect use and unauthorized access.
The images may be reworked and adapted, as well as incorporated into other materials available to us to produce further communicational content.
The purposes referred to in point 3, “Source and purpose of data processing”, are pursued by means of electronic processing that separates the information that identifies the data subject from the rest and consists of anonymous reports: the combination with the person to whom the data refers will no longer be reconstructible.
Legal basis of processing
Depending on the purposes of processing referred to in the chapter “Source and purpose of processing”, the legal bases are as follows:
- for the purposes referred to in point 1., “Source and purpose of processing”, the legal basis is Article 6, paragraph 1, letter b), GDPR since the processing of personal data is aimed at fulfilling contractual obligations to which the data subject is party. In this case, to manage the reporting service and implement it;
- for the purposes referred to in point 2., “Source and purpose of processing”, the legal basis is the legitimate interest (art. 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion 09 April 2014, no. 6 of Working Party 29, par. III.3.1.) of ACTIONAID to disseminate illustrative material on its community support initiatives, including through the establishment of a historical archive to be used to expose to the public the evolution of its mission in favor of people in need, even temporary;
- for the purposes referred to in point 3., “Source and purpose of processing”, the legal basis is the legitimate interest (art. 6, paragraph 1, letter f), GDPR, recital C47, GDPR and Opinion 09 April 2014, no. 6 of Working Party 29, par. III.3.1.) of ACTIONAID to assess the characteristics of the reports and on the service in order to improve, integrate or modify the range of services made available.
Criteria of data collection
The forms to be filled in include both data that are strictly necessary to adhere to what is of interest and whose lack of indication does not allow the request to be carried out, and data of optional conferment. Therefore, the user is free to provide personal data contained in the request forms. In these cases of obligatory conferment of data, their absence may make it impossible to obtain what has been requested. In the absence of filling in the remaining fields, the interested party will, however, have the right to have his adhesion to the reporting service accepted. The necessity to request the above mentioned data has been considered in compliance with the requirements of Article 25, GDPR (“Data Protection by design and by default”), which impose to evaluate in advance the appropriate technical and organizational measures, aimed at implementing effectively the principles of data protection, such as minimization, and to integrate in the processing the necessary safeguards in order to meet the requirements of the GDPR and protect the rights of the data subjects. In addition, ACTIONAID has put in place adequate technical and organizational measures to ensure that only the personal data necessary to allow you to submit your reports and to process them at all stages are processed by default. In any case, the optional or compulsory provision of data is indicated, normally with an asterisk directly in correspondence of the field to be filled in, in the information provided pursuant to art. 13, GDPR in correspondence of each section where the direct or indirect collection of personal data is foreseen.
Criteria used to define the limit of data retention
The data will be kept in the archives (art. 4, paragraph 6, GDPR: “any structured set of personal data accessible according to determined criteria, regardless of whether this set is centralized, decentralized or distributed in a functional or geographical manner”) dedicated to the collection of data conferred by users, according to criteria that vary according to the category of the data, the nature of the processing and the purposes of the processing itself. The criteria or the precise limit of storage are described in the information to be provided pursuant to art. 13, GDPR when providing personal data. In principle, the following assessments by ACTIONAID apply to determine the data retention criterion:
- for the purposes referred to in point 1., “Source and purpose of processing”, the data will be stored for the period necessary to provide the expressly requested reporting service
- for the purposes of point 2, “Source and purpose of data processing”, the data will be kept in our archives for the period of time that is deemed adequate to disseminate our initiatives to the public and, therefore, as long as the phenomenon that we intend to represent has information significance for the community. In case of historical archives, used to disclose the evolution of our mission, also in the occasion of the anniversaries of the foundation of our association, the preservation will last as long as this activity - assimilable to the expression of thought in all its forms and according to what established by the “Deontological rules related to the treatment of personal data in the exercise of journalistic activity” of November 29, 2018 - produces adequate significance of representativeness of the progress made over time by ACTIONAID through its institutional projects
- for the purposes referred to in point 3., “Source and purpose of processing”, the data are kept in our archives for the period necessary for their transformation into anonymous form. After this period, the identification data are no longer identifiable and do not lead back to the person and, therefore, no longer subject to the requirements of the GDPR.
Place of data processing
The processing operations connected to the web services of this website take place at the headquarters of ACTIONAID and are carried out by authorized personnel. If necessary, the personal data collected through the site may be processed by the staff of third-party companies that maintain the technological part of the site (data controllers under Article 28, GDPR), at their offices.
Transfer of personal data to third countries or international organizations.
The processing of personal data is processed on servers owned by the owner and / or third party companies and duly appointed as data controllers, located within the European Union. It remains in any case understood that the owner, if necessary, will have the right to transfer the treatment, including storage, in countries outside the EU. In this case, the Data Controller assures as of now that the transfer of data will take place in compliance with the applicable legal provisions, stipulating - if necessary - agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses prescribed by the Decision 05/02/2010 of the European Commission (Articles 45, 46, 47 and 49, GDPR). With regard to the location of the server for the purpose of the reporting service, storage takes place at the company GitHub, located in San Francisco, California, United States and adhering to the mechanism of the “Privacy Shield”.
ActionAid International Italia Onlus (hereinafter: “ACTIONAID” or “the Owner”), with registered office in Via Carlo Tenca 14, 20124 Milan (MI) tel. 02742001- is the owner of the treatment (art. 4, paragraph 7, GDPR: “the natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of the processing of personal data of personal data”), pursuant to and for the purposes of the GDPR, since it decides in what manner and for what reasons, communicated in the information to be provided to interested parties, collect and use the personal data provided by the user, as well as with what tools to process them and what security procedures to activate to ensure their integrity, confidentiality and availability, subjecting itself to the obligations and responsibilities provided for by art. 24, GDPR.
Persons responsible for processing and persons authorized to process data
Your personal data can be processed, both manually and electronically or telematically, both directly by ACTIONAID and by third parties who, with experience, technical skills, professionalism and reliability, carry out processing operations on our behalf, respecting the security and confidentiality of the information and constantly checked by us in their work. The data controller is “the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller” (art. 4, paragraph 8, GDPR) and is contractually bound by ACTIONAID, with a definition of the limits of operations on the data, the data that it can process and the categories of data subjects to which they refer, the nature and purpose of the processing, the limits of data retention, the obligations and rights that ACTIONAID has towards the controller, and with the prohibition to use them in a different way than the task entrusted. It may, if formally authorized, either generally or specifically, by ACTIONAID, use other data processors, who are contractually bound by the initial data processor appointed directly by ACTIONAID: violations committed by such other data processors fall under the responsibility of the initial data processor and not ACTIONAID. The complete and updated list of the data controllers (and, if applicable, of the controllers appointed by the initial data controller, subject to our authorization) can be requested at firstname.lastname@example.org (alternatively, by writing to ActionAid International Italia Onlus - Via Carlo Tenca 14, 20124. The personal data collected will be made available to the persons authorized by ACTIONAID pursuant to art. 29, GDPR who carry out processing activities that are indispensable for the pursuit of the purposes indicated above; the categories of persons authorized to process data are, from time to time, specified in the information to be provided pursuant to art. 13, GDPR. In general, these are the people in charge of providing specific services, management of information services and data security, relations with users and institutional activities.
Scope of communication and dissemination of data
Users’ data may be communicated to third parties for various purposes. The following is a list of the various cases in which data may be communicated to third parties.
- For purposes related to the provision of the service to which the user has subscribed, the data could be made available to third parties, who will act as independent data controllers, and provide services instrumental to meet the user’s request. Such communication is allowed, as referred to in “Legal basis of the treatment”, without the consent of the person concerned (art. 6, paragraph 1, letter b), GDPR).
- The data must be communicated to third parties, independent data controllers, as necessary to comply with laws or regulations. Such communication is allowed without the consent of the data subject (art. 6, paragraph 1, letter c), GDPR).
- The data may also be communicated to supervisory bodies, police forces and the judiciary to enforce or defend their own rights or the rights of a third party in court. Such communication is permitted without the consent of the data subject pursuant to Article 6, paragraph 1, letter f), GDPR, i.e. by virtue of the legitimate interest of the Data Controller or a third party to safeguard their fundamental rights and freedoms provided that those of the data subject do not prevail.
- It is not excluded the possibility that personal data are subject to dissemination: this may occur if the service to which the user has subscribed contemplates such treatment: for example, they may be disseminated through our social channels, even in image format, if the person concerned intends to testify his experience with ACTIONAID. All these cases of data dissemination will take place with the prior consent of the data subject or, even without consent, where the data have been made manifestly public by the data subject, even in the case of special categories of personal data (Art. 9, paragraph 1, letter e, GDPR).
- At present ACTIONAID does not communicate the data of its users to other organizations, bodies or companies for their independent treatments having purposes of direct marketing and / or profiling.
The data of the users who adhere to the social media pages of ACTIONAID (fans of the page or members of a group of followers of a particular project or service or institutional activity of ACTIONAID), decide, with this action, to express their intention to follow news, comments, developments of ACTIONAID. These users, after their behavior, may legitimately receive promotional messages concerning the topics for which they have manifestly declared, implicitly by joining the page, to be interested. The sending of promotional messages concerning a specific project or an institutional activity in a broad sense, carried out by ACTIONAID to which the relevant page refers, must be considered lawfully conduct if, from the context and the mode of operation of the social network, even in function of the information provided spontaneously by the user, it can be inferred that, unequivocally, the user has somehow expressed his will to receive just that kind of messages, with a behavioral formula that is conclusive of an implicitly declared consent. Therefore, according to the provision of the Guarantor issuing guidelines on promotional activities and contrast to spam of July 4, 2013, register of measures No. 330, ACTIONAID may contact the active members of its social pages in order to send messages of an informative and promotional nature on initiatives, services, events and fundraising activities to support their institutional causes. When the user leaves the group or stops following ACTIONAID’s events or exercises the right to oppose the processing of data for promotional purposes, then this assumption will be null and void and, if ACTIONAID will continue to use the data for such promotional and institutional activities, it will require the user’s consent. Conversely, the primary user’s contact information will be used by ACTIONAID subject to the individual contact’s request for express, properly informed consent specific to ACTIONAID’s promotional messages and given in an unrestricted form.
Rights of data subjects with respect to their data
You may exercise, at any time, at email@example.com, the rights under Articles 15-22, GDPR below:
Right of access (Article 15, GDPR) The person has the right to request whether any processing of his personal data is taking place and, therefore, has the right to access information concerning him and to be informed about:
- purposes of the processing (e.g.: handling of a report);
- categories of personal data (e.g.: personal details, type of report)
- recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if they are recipients from third countries or international organizations;
- when possible, the expected period of retention of personal data or, if this is not possible, the criteria used to determine this period;
- the existence of the right to request the rectification or erasure of personal data or the restriction of the processing of personal data or to object to their processing;
- the right to lodge a complaint with a supervisory authority;
- if the data are not collected directly from the person, all available information on their origin;
- existence of automated decision-making, including profiling, and meaningful information about the logic used, as well as the importance and expected consequences of such processing for the individual.
Right of rectification (Article 16, GDPR) The person has the right to obtain the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the person has the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration. Right to erasure (“right to be forgotten”; Article 17, GDPR) A person has the right to have personal data concerning him or her erased without undue delay for any of the following reasons:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the consent on which the processing is based is revoked and if there is no other legal basis for the processing (e.g.: your own legitimate interest, legal or contractual obligations);
- you object to the processing for marketing and profiling purposes and there is no overriding legitimate reason to proceed with the processing;
- personal data have been processed unlawfully;
- personal data must be erased in order to comply with a legal obligation under Union or Member State law to which you are subject. Right to restriction of processing (Article 18, GDPR) A person has the right to obtain the restriction of processing of their personal data when one of the following grounds exists:
- the person contests the accuracy of the personal data, for the period necessary to verify the accuracy of such personal data;
- the processing is unlawful and the person objects to the deletion of the personal data and requests instead that their use be restricted;
- although you no longer need the data for processing purposes, the personal data are necessary for the person to establish, exercise or defend a legal claim;
- the person has objected to the processing if the processing is based on his or her legitimate interests, pending verification as to whether his or her legitimate interests outweigh those of the person. Obligation to notify in case of rectification or erasure of personal data or restriction of processing (Article 19, GDPR) The person has the right to request that the rectification or erasure of data or restriction of processing be communicated by ACTIONAID to other parties to whom the data may have been disclosed.
ACTIONAID may not comply with the request, if the means to be employed are disproportionate to the right to privacy invoked by the person. Right to data portability (“data portability”) (Article 20, GDPR) This right allows an individual to receive in a structured, commonly used and machine-readable format personal data concerning him or her that he or she has provided to a party that subjects his or her data to processing, and has the right to want to transmit such data to a party for the latter’s use without hindrance from the party to whom he or she provided it. This right may be exercised in the following cases:
- the processing is based on consent or on a contract or pre-contractual measures requested by the same person and, at the same time
- the processing is carried out by automated means. The person has the right to have his or her data transferred directly from one entity to another (from the one to which he or she has provided it to the one to which he or she wants it transmitted), if technically possible. Right to object (Article 21, GDPR) The person has the right to object to the processing of his or her data for the purpose of pursuing the legitimate interest of ACTIONAID or a third party, provided that the interests or fundamental rights and freedoms of the person requiring the protection of personal data do not prevail, including for profiling purposes. If personal data are processed for marketing purposes, the person has the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it is related to such marketing activity. Automated decision-making relating to natural persons, including profiling (Article 22, GDPR) A person has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way. In particular, you have the right to object to profiling to which you are subjected through automated processes. You may not exercise this right if the decision:
- is necessary for the conclusion or performance of a contract;
- is authorized by the law of the Union or of the Member State to which you are subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the individual;
- is based on explicit consent. The person has the right to express his or her opinion and to challenge ACTIONAID’s decision. Currently, ACTIONAID does not perform any profiling activities. Response Timeframe As set forth in the GDPR, ACTIONAID will respond to the individual within one month of the request, unless complex procedures must be put in place (or there are numerous requests) that do not allow for this timeframe. A full response within three months of the request is permissible, but we are obligated to notify you, however, within one month of the originally transmitted request (Art. 12(3) GDPR).
Complaint to the Control Authority
The interested party has the right to apply to the Control Authority to enforce their rights. For Italy this is the Guarantor for the Protection of Personal Data, Piazza Venezia 11, 00187 Rome (RM) - www.garanteprivacy.it, to which the complaint can be sent to the address firstname.lastname@example.org, using the model (https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524&zx=e0yn0riezmmw) made available by the authority or in free form.
What cookies are and how they are used by ACTIONAID
Cookies are pieces of information that are saved on your PC’s hard disk and that are sent by your browser to a Web server and that refer to your use of the network. Consequently, they allow you to know the services, the sites you have visited and the options that, while surfing the net, have been expressed. This information is not, therefore, provided spontaneously and directly, but leaves a trace. The data collected through the cookies will be used for technical needs, in order to guarantee an easier, immediate and quicker access to the site and its services and an easier navigation to the single user. Profiling cookies may also be used, with the user’s consent, to create user profiles based on the sections of the site or the actions taken by the user on this site or surfing the net. The use of so-called session cookies (which are not permanently stored on the user’s computer and are automatically deleted when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to enable the safe and efficient exploration of the site. The c.d. session cookies that are used in this site avoid the use of other techniques potentially prejudicial to the privacy of the users and not allow the acquisition of personal identification data. Vice versa, the profiling cookies allow to know the user’s net surfing and to detect his interests, expressed needs and preferences and then allow to create advertising campaigns or to create profiles to better target, in a personalized way, promotional, institutional and awareness communications. In any case, you can configure your browser so that you are notified when a cookie is received and then decide whether to accept it. To know our cookies policy and third party cookies policies, we invite you to read the extended information by clicking HERE.
The computer systems and software procedures used to operate this site acquire, during their normal operation, some personal data whose transmission is implicit in the communication protocols of the Internet. This information is not collected to be associated with identified users, but by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of computers used by users who connect to the site, URI (Uniform Resource Identifier) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in reply, the numerical code indicating the status of the response from the server (successful, error or similar) and other parameters regarding the operating system and computer environment. These data are used only to obtain anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site.
Security of your personal data
ACTIONAID adopts appropriate and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of your personal data. As established by the regulations governing the security of personal data, ACTIONAID has developed technical, logistic and organizational measures aimed at preventing damages, losses, alterations, improper and unauthorized use of your personal data. In particular, ACTIONAID has put in place technical and organizational measures aimed at ensuring a level of security appropriate to the risk that could affect the rights and freedoms of individuals, including the confidentiality and privacy of the information concerning them. ACTIONAID adopts security policies that include, among others:
“pseudonymization” (Art. 4(5) GDPR: “the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures designed to ensure that such personal data is not attributed to an identified or identifiable natural person”) and/or data encryption;
systems that permanently safeguard the confidentiality, integrity, availability and resilience of processing systems and services;
systems to promptly restore availability and access to personal data in the event of a physical or technical incident;
procedures to regularly test, verify and evaluate the effectiveness of technical and organizational measures to ensure the security of processing. Similar preventive security measures are adopted by third parties (data controllers) to whom we have entrusted processing operations of your data on our behalf. On the other hand, ACTIONAID is not responsible for untrue information sent directly by the user (example: correctness of personal data), as well as for the information concerning him that has been provided by a third party, even fraudulently.