This information notice is provided pursuant to Article 13 of EU Regulation 679/2016 – “General Data Protection Regulation” (GDPR) to persons who visit the premises of Aps Vajne, or of any of the entities listed below as joint controllers (Article 26 GDPR), or of any of the entities that have appointed Aps Vajne as data processor (Article 28 GDPR).

Identity of the Joint Controllers
The joint controllers for the purposes set out below are:
• Dhora srl Impresa Sociale, represented by its legal representative pro tempore, with registered office at Via Baldissero 21, Vidracco (TO), together with:
• Aps Talej net, represented by its legal representative pro tempore, with registered office at Via Baldissero 21, Vidracco (TO);
• Associazione Damanhur Alchemy School, represented by its legal representative pro tempore, with registered office at Via Baldissero 21, Vidracco (TO);
• Associazione Templi dell’Umanità, represented by its legal representative pro tempore, with registered office at Via Baldissero 21, Vidracco (TO);
• Selet srl, represented by its legal representative pro tempore, with registered office at Via Baldissero 21, Vidracco (TO);
• and the entities listed at www.damanhur.org/it/privacy.

Under the internal agreement concluded among the Joint Controllers pursuant to Article 26 GDPR, each Joint Controller, at the time of first contact with the data subject, is responsible for providing—directly or through Dhora srl Impresa Sociale or another joint controller—an information notice on the processing of personal data, therefore to visitors who, for various reasons, access the premises of the Joint Controllers.
Dhora srl Impresa Sociale coordinates compliance with the personal data processing obligations for which it is joint controller, as it has the human, technological and organizational resources of a social enterprise managing several heterogeneous operational units.
Dhora srl Impresa Sociale has also been appointed as data processor pursuant to Article 28 GDPR by the autonomous controllers listed at www.damanhur.org/it/privacy. The processing for which Dhora srl Impresa Sociale has been appointed as processor is the same processing carried out in its capacity as joint controller.
Furthermore, another processing entrusted to Dhora srl Impresa Sociale in its capacity as processor is the provision of the information notice on personal-data processing to the data subjects of the individual autonomous controllers.
Finally, Dhora srl Impresa Sociale is responsible for responding to data subjects in case they exercise their rights.
The Joint Controllers ensure the security, confidentiality, and protection of the personal data in their possession at every stage of the processing.

Data Protection Officer
A Data Protection Officer has been appointed by Dhora srl Impresa Sociale and is domiciled for this function at the registered office of Dhora srl Impresa Sociale, Via Baldissero 21, Vidracco (TO).

Source of the Data
The personal data processed are those provided by the data subject on the occasion of:
• visits or interventions at the premises;
• meetings or work sessions at the premises;
• delivery or collection of goods, parcels, correspondence;
• direct contacts;
• requests for information;
at the points of sale or front offices of any of the entities listed at http://www.damanhur.org/it/privacy, or through a website attributable to them.

Purpose of the Processing
The personal data of data subjects may be processed by Dhora srl Impresa Sociale, by the Joint Controllers listed at http://www.damanhur.org/it/privacy, and by the autonomous controllers that have appointed Dhora srl Impresa Sociale as data processor, listed at http://www.damanhur.org/it/privacy, to pursue the following purposes:
1. control of access to the premises;
2. recording of presence within the premises;
3. identification of persons present for the management of emergency situations.

Legal Basis of the Processing
The personal data of visitors are lawfully processed for:
• compliance with a legal obligation (Emergency management);
• the legitimate interest of the Joint Controllers (access control and recording of presence within the premises).

Recipients of the Data
The personal data processed by the Joint Controllers will not be disseminated, nor made known to unspecified parties in any form, including by making them available or merely consultable. They may, however, be communicated to employees and collaborators, including volunteers, authorized to process data by the Joint Controllers; to consultants; and to other entities or companies related to Dhora srl Impresa Sociale or to the Joint Controllers, always for the purposes indicated. They may also be communicated to parties entitled to access them under laws, regulations, or EU provisions and, within the limits strictly necessary, to parties who, for the same purposes as above, must supply goods or perform services for the Joint Controller, such as:
• professionals or service companies for the administration and management of the organization, to whom a mandate or appointment has been given;
• insurance companies and credit institutions;
• furthermore, upon specific request, or with the consent of the data subjects, certain personal data of the data subjects (personal details, photographs, opinions) may be disclosed through publication on websites, newsletters, brochures, publications and periodicals, or press releases prepared or published by Dhora srl Impresa Sociale or by the Joint Controllers.
External parties to whom the Controller has entrusted a personal data processing activity have been appointed as data processors.

Data Transfer
Should the Joint Controller transfer personal data to third countries or international organizations for the purposes indicated above, you will be informed whether or not an adequacy decision by the European Commission exists.
The Joint Controller reserves the right to use cloud-based services; in such case, service providers will be selected among those offering adequate safeguards, as required by Article 46 GDPR 679/16.

Rights of the Data Subject
With reference to Articles 15 (right of access), 16 (rectification), 17 (erasure), 18 (restriction of processing), 20 (portability), 21 (objection), and 22 (objection to automated decision-making) of GDPR 679/16, data subjects exercise their rights by writing exclusively to Dhora srl Impresa Sociale at the address indicated above, including by email to dpo@dhora.it, specifying the subject of the request, the right they intend to exercise, and attaching a copy of an identity document proving the legitimacy of the request.

Data Retention
The Joint Controller retains and processes personal data for the time necessary to achieve the purposes indicated. Subsequently, recorded data are retained only for the possible pursuit of legitimate interests and are not further processed; they are then deleted one year after access.

Withdrawal of Consent
Pursuant to Article 7 GDPR 679/16, the data subject may withdraw consent at any time, if previously given. It should be noted, however, that, unless otherwise specified, the processing covered by this information notice is lawful and permitted even in the absence of consent, as it is carried out for a legal obligation (Emergency management) or a legitimate interest of the Joint Controllers (access control and recording of presence within the premises).

Refusal to Provide Data
Providing the personal data in question is mandatory in order to access premises where presence control is required for safety and insurance reasons; therefore, if the data in question are not provided, the staff in charge of access control may deny access.

Automated Decision-Making
In no case, with regard to the processing indicated below, does the Controller carry out processing consisting of automated decision-making on the data of natural persons.

Processing of Special Categories of Data
In relation to the execution and management of certain relationships, the Joint Controller may need to process data that GDPR 679/16 defines as “special,” as they may reveal aspects falling under Article 9 of the same GDPR 679/16, for example health status, certified by medical personnel, following any procedure for an insurance reimbursement claim for an accident occurring in the context of insured activities. Consent is not required even when the Joint Controller processes special data in an associative context, provided they are not disclosed in any way outside said context and always for the above-mentioned purposes. If the Controller is not a Third Sector Entity, however, the data subject’s consent is required.

Right to Lodge a Complaint
The data subject has the right to lodge a complaint with the supervisory authority of their country of residence.

Automated Decision-Making
The Controller does not carry out processing consisting of automated decision-making on the data in question.