Pursuant to Regulation (EU) 2016/679, the General Data Protection Regulation (hereinafter, the “Regulation” or “GDPR”), we inform you that the personal data provided to the “EUGEN – EUROPEAN GENERATION Social Promotion Association” will be processed in accordance with the principles of lawfulness, fairness, and transparency, in order to safeguard the rights and fundamental freedoms of natural persons, with particular regard to privacy and personal identity.

CLARIFICATIONS
In light of the definitions provided in Article 4(7) and (8) and the obligations set forth in Chapter IV of the Regulation, and taking into account Guidelines 07/2020 of the European Data Protection Board (“EDPB”) on the concepts of controller and processor, it is hereby clarified that no contractual or legal relationship exists between EuGen (the “Controller”) and the Company that would qualify the latter as a data processor pursuant to Article 28 of the GDPR.
By collecting the trainee’s personal data, the Company determines the purposes and means of the processing independently and therefore acts as an independent Data Controller. As such, it undertakes to ensure full compliance with EU data protection law and the safeguards provided by the GDPR.

1. OWNER OF THE PROCESSING OF PERSONAL DATA
The Data Controller (hereinafter "Owner") is EUGEN - EUROPEAN GENERATION Social Promotion Association - APS, tax code 97834840585, registered office in Piazza Albania 35 - 00153 Rome.
Phone: +39 3518770536; E-mail: info@eu-gen.org; PEC: eugen-europeangeneration@pec.it;

2. RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA
Pursuant to art. 37 of the Regulation, the Data Controller has designated the Personal Data Protection Officer (RPD/DPO) in the person of Massimo Corinti.
Contact details: E-mail: dpo@corinti.eu - PEC: dpo@pec.corinti.eu

3. CATEGORIES OF PERSONAL DATA PROCESSED
Within the scope of the purposes and methods described in this Privacy Notice, the personal data processed may include:
a) identification data such as the name, surname, email address, and telephone number of the company representative.
b) information related to the use of the Restricted Area: chronological and sequential records of operations performed (Logs), for the purpose of detecting any irregularities. The provision of such data is mandatory; failure to provide it will result in denial of access.
c) any other information relevant and necessary for the use of the services provided through the portal www.eu4eu.org.
d) image data, photographs, and any audio-video recordings intended to document the activities of the Controller and to be published on the institutional website. The processing of such data requires the data subject’s explicit consent pursuant to Article 6(1)(a) of the GDPR.

4. PURPOSES AND LEGAL BASES FOR PROCESSING
The personal data provided by the data subject are processed for the following purposes and corresponding legal bases:

• Data referred to under point a): for activities necessary to participate in the Erasmus programme. The legal basis for this processing is the performance of a contract to which the data subject is a party, or the implementation of pre-contractual measures taken at the request of the data subject, pursuant to Article 6(1)(b) of the GDPR.
  With regard to the use of the email address for sending communications offering companies in the EU4EU network the opportunity to host trainees and be connected with European universities, such processing is a necessary condition and a required purpose for the Controller to fulfil its obligations in implementing the programme. The acquisition and processing of such data do not require the data subject’s consent.
• Data referred to under point b): ensuring the security of the portal, as well as implementing internal compliance and risk management procedures. The legal basis for this processing is the legitimate interest of the Association in safeguarding its operational continuity and assets against potential external threats, pursuant to Article 6(1)(f) of the GDPR. The acquisition and processing of such data do not require the data subject’s consent.
• Data referred to under point b): ensuring the security of the portal, as well as implementing internal compliance and risk management procedures. The legal basis for this processing is the legitimate interest of the Association in safeguarding its operational continuity and assets against potential external threats, pursuant to Article 6(1)(f) of the GDPR. The acquisition and processing of such data do not require the data subject's consent.
• Data referred to under point d): promoting and documenting the project. The legal basis for this processing is the data subject’s freely given consent.

5. METHOD OF TREATMENT
Your data are processed using tools and procedures designed to ensure a high level of security and confidentiality, through electronic means and/or with the support of paper-based documentation.

6. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The personal data provided may be disclosed to recipients who will process the data either as external processors (pursuant to Article 28 of the Regulation) and/or as natural persons acting under the authority of the Controller or the Processor (pursuant to Article 29 of the Regulation), for the purposes outlined above, specifically:

• to third parties who are required to carry out specific activities in relation to the Data, in accordance with the purposes of the processing.
• to companies and self-employed professionals, including those operating in associated professional practices.

The list of Data Processors is constantly updated and is available upon request.

7. DATA TRANSFER OUTSIDE THE EU AREA AND AUTOMATED PROCESSING
Personal data is not processed outside the EU Area (EEA). There are no automated decision-making processes, and no data profiling is implemented.

8. RETENTION PERIOD OR POLICIES
Personal data will be retained only for as long as necessary for the purposes for which they were collected, in accordance with the principles of storage limitation and data minimisation set out in Article 5(1)(c) and (e) of the GDPR. In any case, the data will be stored to comply with regulatory obligations and to pursue the purposes in accordance with the principles of necessity, minimisation, and adequacy.
The Controller may retain the data after the termination of the contractual relationship in order to fulfil obligations arising from applicable legal, contractual and/or tax regulations, for a period of five (5) years, or in the event of legal action.
If the personal data are no longer necessary for any purpose and there is no legal obligation to retain them, we will take all reasonable steps to delete, destroy, or anonymise them.

9. RIGHTS OF THE INTERESTED, ART. FROM 15 TO 22 OF THE REGULATION
The data subject shall always have the right to request from the Controller or the DPO, using the contact details provided above, access to their personal data, as well as the rectification or erasure thereof, restriction of processing, the right to object to processing, the right to data portability, and the right to withdraw consent at any time. These and other rights granted under the Regulation may be exercised by submitting a reasoned request via email to the Controller.
Furthermore, the data subject shall always have the right to lodge a complaint with the Italian Data Protection Authority (Garante), using the contact details available on the website www.garanteprivacy.it, pursuant to Article 77 of the Regulation, or to seek judicial remedy pursuant to Article 79 of the Regulation.