ai sensi degli artt. 13 e 14 del Regolamento (UE) 2016/679 (General Data Protection Regulation)


Fondazione Cassa di Risparmio di Padova e Rovigo undertakes to process your personal data in compliance with Regulation (EU) 2016/679.

Who is the Data Controller?
The Data Controller is Fondazione Cassa di Risparmio di Padova e Rovigo – with registered offices in Piazza Duomo 15, 35141 Padova – a foundation pursuing social utility and promoting economic development, in accordance with Leg. Decree No. 153/1999.
Any request for information concerning the processing of personal data should be forwarded to the above mailing address or to the email address privacy@fondazionecariparo.it.

Why does the Foundation use personal data?
Data acquired, verbally or otherwise, either directly from the data subject or from third parties, is processed by the Foundation’s staff or collaborators entrusted with carrying out operations or activities related, instrumental or functional to, or providing said Foundation with specific administrative, evaluative, communication and/or support services.
The Foundation does not use the personal data collected for any purposes other than those described in the privacy policy provided to the data subject, except with prior notice and, where necessary, with his or her explicit consent.

What is the legal basis for the Foundation processing personal data?
Depending on the specific case, the Foundation may process personal data based on:

  • the data subject’s consent;
  • the execution of a contractual relationship;
  • the fulfilment of a legal obligation;
  • the execution of an assignment in the public interest;
  • the pursuit of a legitimate interest.

How does the Foundation process data?
Personal data is stored and processed by means of the operations specified in art. 4, para. 2, of Regulation (EU) 2016/679, such as the collection, recording, organisation, conservation, consultation, elaboration, modification, selection, retrieval, comparison, use, interconnection, blocking, communication, erasure or destruction of data.
Said data is stored and processed lawfully and fairly, by manual, automated and electronic means, in compliance with the safety requirements prescribed by law and in accordance with the principles and rules of conduct defined by the Foundation.

For how long does the Foundation store the data it collects?
Data acquired to fulfil a contractual or legal obligation will be stored in line with the statutory limitation period.
In the presence of historical and institutional needs, the Foundation is not required to erase data.

Will the Foundation communicate and disseminate data?
Your personal data may be communicated, solely within the European Union:

  • to parties (e.g. hardware and software service technicians, professional firms, etc.) who carry out activities on behalf of the Foundation, in their capacity as Data Protection Officers;
  • in the presence of a legal obligation, to third parties (e.g. supervisory authorities, judicial authorities, etc.) which will process the data in their capacity as Data Controllers.

Moreover, personal data may sometimes also be communicated to other parties or disseminated whenever necessary either for institutional reporting requirements (e.g. to ACRI, the Italian association of banking foundations and savings banks) or for representation purposes (e.g. to event organisers).

What rights may be exercised for the protection of personal data?
Any data subject may contact the Foundation to exercise the following rights:

  • right of access to personal data and to certain pieces of information regarding its processing (art. 15);
  • right to rectification of personal data without undue delay (art. 16);
  • right to erasure, where certain circumstances permit (art. 17);
  • right to restriction of processing, where certain circumstances permit (art. 18);
  • right to transmit data (data portability) to another controller (art. 20);
  • right to object to the processing of personal data, where certain circumstances permit (art. 21);
  • right to lodge a complaint with the Data Protection Authority, whenever the data subject considers his or her personal data has been processed in breach of the provisions of the Regulation.

Whenever data processing is based on consent, the data subject may revoke his or her consent at any time, without affecting the lawfulness of data processing before the revocation.