Information on the protection of personal data pursuant to art. 13 and ss. Of the EU regulation no. 679/2016 of 27 April 2016


(General Data Protection Regulation – G.D.P.R.) “On the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)”

We thank you for your interest in the activities and initiatives of Kala Onlus.

Kala Onlus is aware of the importance of safeguarding privacy and people’s rights and since the Internet is a potentially powerful tool for the circulation of your personal data, it wanted to seriously commit to respect rules of conduct – in line with the European Regulation 679 / 2016 of the European Parliament and of the Council, of 27 April 2016, “concerning the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data (hereinafter “GDPR”)” – that guarantee a secure, controlled and reserved surfing the net.

This policy to protect the confidentiality of information may change over time, also depending on the additions and changes in laws or regulations in this regard or for our institutional decisions, therefore, we invite you to periodically consult this section of our site. We also invite you to read the rules that our Association has set itself in collecting and processing personal data and always providing a satisfactory service to users of its site.


Privacy policy basic principle

Kala Onlus undertakes to:

  • perform the processing (article 4, paragraph 2, GDPR: “any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, the organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, the limitation, deletion or destruction “of personal data (Article 4, paragraph 1, GDPR:” any information concerning an identified or identifiable natural person, “concerned”, identifying the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristics of its physical, physiological, genetic, psychological, economic, cultural or social identity “) exclusively for the purposes and according to the methods illustrated in the information to be provided which are presented to the user from time to time accessing a section of the site in which the provision, directly or indirectly, of personal data is provided;
  • use the data that were released spontaneously by the user;
  • use technical cookies to facilitate navigation on the site and analytical cookies for statistical purposes;
  • use profiling cookies only if the user has given consent to such use;
  • transmit the data to third parties (data processors – article 4, paragraph 8, GDPR: “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller”) exclusively for instrumental purposes as expressly requested and carefully selected by us;
  • communicate the data to third parties for activities related to what is of interest or if this is required by law, regulation or community legislation;
  • subject to explicit consent (Article 4, paragraph 11, GDPR: “any manifestation of free will, specific, informed and unequivocal of the interested party, with which he expresses his assent, by declaration or positive action unequivocal, that the data personal data concerning him / her be processed “), communicate the data to third parties for their autonomous treatment;
  • respond to requests for access to personal data, rectify or cancel them, exercise the right to be forgotten, limit the processing or the right to object to their treatment. Ensure the exercise of the right to data portability as well as to oppose the processing of data for purposes of informative communications on our projects and requests for financial contributions to support our institutional activities;
  • ensure correct and lawful processing of your data, safeguarding your privacy, and apply appropriate security measures to protect the confidentiality, integrity and availability of data.



As best explained in the sections that allow you to join – by releasing your personal data – to the services reserved for users of our site, the required data are used to respond to requests expressly advanced by the user. In particular, all data collection and subsequent processing activities are aimed at pursuing the institutional purposes of Kala Onlus and, in particular, for: regular and one-off donations, made in various ways (credit card, bank transfer, PayPal or other); subscription to our newsletter; request for collaboration with our organization; signing of initiatives or specific projects; request for information; all the various forms of support for Kala Onlus initiatives.

The forms to be completed – on-line or to be downloaded – includes both data that are strictly necessary to comply with what is of interest and whose non-disclosure does not allow to process the request, and optional conferral data. Therefore, the user is free to provide personal data contained in the application forms or indicated in contacts with Kala Onlus to request information or for other purposes listed above. In these cases of mandatory data conferment, their absence may make it impossible to obtain what has been requested. The need to request data as mandatory for joining individual projects or individual initiatives or to make requests has been considered in compliance with the provisions of art. 25, GDPR (“Data protection by design and protection by default” – “Data protection by design and by default”), which require prior assessment of appropriate technical and organizational measures, such as “pseudonymisation” (Article 4 , paragraph 5, GDPR: “the processing of personal data in such a way that personal data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is stored separately and subject to technical measures and organizational arrangements to ensure that such personal data are not attributed to an identified or identifiable natural person “), to effectively implement data protection principles, such as minimization, and to incorporate the necessary safeguards into the processing in order to comply the requirements of the GDPR and protect the rights of data subjects. Furthermore, Kala Onlus has implemented appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for the specific purpose of the processing deriving from the project to which the data subject has voluntarily agreed are processed.

Personal data will be processed, mainly electronically and with statistical analysis tools, by Kala Onlus – owner of the treatment – Via Saladino 3/5, 90134, Palermo – for the completion of all phases related to the management of the donation, of the adhesion to our projects and, in general, of the actions of support to the initiatives of Kala Onlus, as well as of the relative instrumental activities (ex .: donation summaries), as well as to comply with administrative and other norms obligatory law in force in our country or by virtue of EU decisions.

For the aforementioned purposes the data will be stored until the conclusion of all the related phases of the relationship established and within the terms and limits of the applicable rules, in particular administrative, civil and fiscal.

Furthermore, if desired, the data acquired by Kala Onlus and those acquired during the relationship with the interested party will be processed for promotional, informative and institutional contacts on our projects, fundraising activities and initiatives, surveys and confidential research. to supporters, through actions designed in a personalized manner based on behavioural characteristics (eg: donated amount, donation frequency, area of ​​residence), interests and preferences with respect to our actions, with the consequence of identifying the person concerned as a potential subject interested in our initiatives with certain characteristics (eg projects, access to petitions, etc.) and to direct only content in line with their needs (“profiling”). It is emphasized that the contact actions conducted by Kala Onlus are uniquely personalized as described (“profiled marketing”), so as to avoid contacts not appreciated or not of interest to the interested party: consequently, the profiling is instrumentally connected in a way Structural to any promotional action by Kala Onlus, a single consensus is required for such contacts.

The aforementioned activities may take place through both traditional contact methods (paper mail) and automated and assimilable (specifically via email).

For this purpose, the data (including profiling data) will be retained until the possible revocation of the consent by the interested party or the exercise of the right of opposition due to it; failing that, they will be retained as long as Kala Onlus continues its mission with projects, initiatives, actions and activities that require economic contributions or that spur to raise awareness (eg: adhesion to projects to support risk categories etc.) consistent with the profile of the interested party. Later, they will be anonymised for statistical purposes. The data will also be processed by external managers in charge of services related to the above.

Pursuant to articles 15-22, GDPR, writing to the holder at the relevant postal address or e-mail [email protected], you can exercise the rights of access, consultation, rectification, cancellation and oblivion, limitation of data processing and – if appropriate – obtain transmission to another holder (data portability), as well as oppose their processing for legitimate reasons or withdraw consent.

With particular reference to processing for profiled marketing purposes, it is specified that the interested party has the right to oppose at any time, and without giving any reasons, to the processing of his data for such purposes, and which may exercise the right to object even separately for traditional and automated contact activities: if it is not specified which contact methods it refers to, the opposition to the processing of data for profiled marketing will be extended to all contact tools.

It is also known that the person concerned has the right to complain to the supervisory authority to assert his rights. Always writing to the postal address indicated above or sending an e-mail to [email protected], you can request a complete and updated list of data processors.

The Data Protection Officer can be contacted by e-mail [email protected], for information on the processing of data.



You can exercise, at any time, at [email protected] (alternatively, by writing to Kala Onlus – Via Saladino 3-5, 90134 Palermo) the rights ex artt.15-22, GDPR hereinafter reported:


Right of access (art. 15 GDPR)

The person has the right to request if his personal data is being processed and, therefore, has the right to access information concerning him and to have news on:

  • purpose of the processing (eg: management of a donation);
  • categories of personal data; (ex .: personal data, behavioural data)
  • recipients or categories of recipients to whom personal data have been or will be communicated, in particular if recipients of third countries or international organizations;
  • when possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
  • existence of the right to request the correction or deletion of personal data or the limitation of the processing of personal data or to oppose their treatment;
  • the right to lodge a complaint with a supervisory authority;
  • if the data are not collected directly by the person, all information available on their origin;
  • existence of an automated decision-making process, including profiling and significant information on the logic used, as well as the importance and expected consequences of this treatment for the person (eg: if the person has associated a donation habits profile by crossing the donation amount frequently and countryside).


Right of rectification (Article 16, GDPR)

The person has the right to obtain the correction of inaccurate personal data concerning him without unjustified delay. Taking into account the purposes of the processing, the person has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.


Right to cancel (“right to be forgotten”) (Article 17, GDPR)

The person has the right to obtain the deletion of personal data concerning him / her / it has the obligation to cancel without personal unjustified delay for one of the following reasons:

  • personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
  • the consent on which the treatment is based is revoked and if there is no other legal basis for the processing (eg: legitimate interest, regulatory or contractual obligations);
  • we oppose the processing for marketing and profiling purposes and there is no legitimate overriding reason to proceed with the processing;
  • personal data have been processed unlawfully;
  • personal data must be deleted to fulfil a legal obligation under Union law or the law of the Member State to which it is subject.


Right of limitation of processing (Article 18, GDPR)

The person has the right to obtain the limitation of the processing of his personal data when there is one of the following reasons:

  • the person disputes the accuracy of personal data, for the period necessary to verify the accuracy of such personal data;
  • the processing is illegal and the person opposes the cancellation of personal data and asks instead that its use is limited (eg: does not mean that the processing is carried out for marketing purposes but only for management and administrative purposes);
  • although data for processing purposes are no longer required, personal data are necessary for the person to ascertain, exercise or defend a right in court;
  • the person has opposed the treatment if the treatment is based on its own legitimate interests, pending verification of the possible prevalence of its legitimate reasons with respect to those of the person.


Obligation to notify in case of rectification or cancellation of personal data or limitation of processing (Article 19, GDPR)

The person has the right to request that the correction or deletion of data or limitation of processing is communicated by Kala Onlus to other subjects to whom the data have been communicated. Kala Onlus may not comply with the request, if the means to be used are disproportionate to the right to privacy invoked by the person.


Right to data portability (“data portability”) (Article 20, GDPR)

This right allows the person to receive, in a structured, commonly used and automatically readable form, personal data concerning him provided to a subject who submits his data to treatment and has the right to transmit such data to a subject for use of the latter without impediments by the subject to whom he has provided them. This right can be exercised in the following cases:

  • processing is based on consent or on a contract or on pre-contractual measures requested by the same person and simultaneously
  • the treatment is carried out by automated means.

The person has the right to obtain that his / her data are transferred directly from one subject to another (from the one to which he / she has conferred them to what he / she wants to be transmitted), if technically possible.


Opposition right (Article 21, GDPR)

The person has the right to object to the processing of his data for the pursuit of the legitimate interest of Kala Onlus or third parties, provided that the interests or rights and fundamental freedoms of the person requesting the protection of personal data do not prevail, even at profiling purposes.

If personal data are processed for marketing purposes, the person has the right to object at any time to the processing of personal data concerning him for such purposes, including profiling in so far as it is connected to such marketing activity.


Automated decision-making process concerning natural persons, including profiling (Article 22, GDPR)

The person has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects that affect it or which significantly affects his person. In particular, it has the right to oppose the profiling it is subjected to through automated processes.

You can not exercise this right if the decision:

  • it is necessary for the conclusion or execution of a contract;
  • is authorized by the law of the Union or of the Member State to which it is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the person;
  • is based on explicit consent.

The person has the right to express his opinion and to challenge the decision of Kala Onlus.



The data will be kept in our archives (article 4, paragraph 6, GDPR: “any structured set of personal data accessible according to certain criteria, regardless of whether this set is centralized, decentralized or broken down in a functional or geographical way”) according to criteria variables depending on the category of the data, the nature of the processing and the purposes of the processing itself. The criteria or precise retention limits are described in the information to be provided pursuant to art. 13, GDPR at the time of the provision of personal data.

In principle, the following evaluations of Kala Onlus are valid for establishing the data retention criterion:

  • all data regarding the various forms of support for Kala Onlus’ initiatives are kept as long as the relationship remains active and for a number of years equal to that which laws, regulations, even Community legislation, impose for administrative and accounting purposes;
  • all the data used for marketing activities with profiling, whose treatment is supported by a positive action of the person to such treatment, explicitly declaring to wish it, are kept as long as the profile of the interested party is in line with the personalized communications created through the intersection of the information at our disposal and, therefore, as long as Kala Onlus continues its mission with projects, initiatives, actions and activities that require economic contributions or that spur to the sensitization (eg: petitions, emergency appeals, requests for opinion and opinion) that are of interest to the person who has expressed the desire to receive information of this content and that reflects the characteristics and behaviour of the person and are, therefore, of his specific interest and not of disturbance. Also in this case, such preservation will cease if the interested party expresses opposition at any time to the processing of personal data concerning him for such purposes, including profiling in so far as it is connected to such direct marketing.


Once the periods set out above have elapsed, the identification data are transformed into an anonymous form and used only for statistical reports that do not allow to trace the identity of the person but which are useful for adapting the projects, initiatives and actions for the realization and achievement of the statutory and institutional objectives of Kala Onlus. Personal data will therefore be destroyed.



Your personal data may be processed either manually or electronically or telematically, either directly by Kala Onlus or by third parties who, with experience, technical skills, professionalism and reliability, carry out processing operations on behalf of our Association, in compliance with the security and confidentiality of information and we are constantly monitored in their work. The controller is “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller” (Article 4, paragraph 8, GDPR) and is bound by Kala Onlus contractually , with the definition of the limits of operation on the data, of the data that can be processed and of the categories of subjects to which they refer, and with the prohibition to use them differently from the entrusted task. It can, if formally authorized by Kala Onlus, make use of other managers, who are contractually bound by the manager appointed directly by Kala Onlus: violations committed by these other managers fall under the responsibility of the first manager and not Kala Onlus.

The complete and updated list of the data processors (and, where appropriate, of the managers appointed by the first manager, with the prior authorization of Kala Onlus) can be requested by e-mail [email protected] (alternatively, by writing to Kala Onlus – Via Saladino 3-5, 90134, Palermo).



Your data may be made available to third parties, independent data controllers, for purposes related to the provision of services of interest or in compliance with the laws and regulations that have the communication, as well as to control bodies. For example, they will be made available to credit institutions or credit card issuers to allow the transactions necessary for the donation, as well as PayPal.



Cookies are information saved on your PC’s hard drive and sent from your browser to a web server and referring to your use of the network. Consequently, they allow to know the services, the sites frequented and the options that, surfing the net, have been manifested.

This information is not, therefore, provided spontaneously and directly, but leaves a trace. The data collected through cookies will be used for technical needs, in order to ensure easier, quicker and quicker access to the site and its services and easier navigation to the individual user.

User profiling cookies may also be used, with the prior consent of the user, to create user profiles based on site sections or actions performed by the user on this site or by browsing the web.

The use of c.d. session cookies (which are not stored permanently on the user’s computer and are automatically deleted when the browser is closed) is strictly limited to the transmission of session identifiers (consisting of random numbers generated by the server) necessary to allow the safe and efficient exploration of the site. I c.d. session cookies that are used on this site avoid the use of other technologies that could compromise the privacy of users’ browsing and do not allow the acquisition of personal identification data. In any case, you can configure the browser to be notified when a cookie is received and then decide whether to accept it.

To learn about our policy on cookies and third-party cookies policies, please read the relevant information on clicking here



The computer systems and software procedures used to operate this site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified users, but by their very nature could, through processing and association with data held by third parties, allow to identify the users themselves. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error or similar) and other parameters related to the operating system and the user’s computer environment. These data are used only to obtain anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing. The data could be used to ascertain responsibility in case of hypothetical computer crimes against the site.



Kala Onlus adopts suitable and preventive security measures to safeguard the confidentiality, integrity, completeness and availability of your personal data. As established by the regulatory provisions governing the security of personal data, technical, logistical and organizational measures are developed to prevent damage, even accidental losses, alterations, improper and unauthorized use of data concerning you.

In particular, Kala Onlus has implemented appropriate technical and organizational measures to guarantee a level of security appropriate to the risk that could affect the rights and freedoms, including the confidentiality and confidentiality of people. Adopt security criteria that include, among others:

  • “pseudonymisation” (Article 4, paragraph 5, GDPR: “the processing of personal data in such a way that personal data can no longer be attributed to a specific individual without the use of additional information, provided that such information additional data is stored separately and subject to technical and organizational measures to ensure that such personal data are not attributed to an identified or identifiable natural person “) and the encryption of data;
  • systems that permanently safeguard the confidentiality, integrity, availability and resilience of treatment systems and services;
  • systems for promptly restoring the availability and access of personal data in the event of a physical or technical incident;
  • procedures for regularly testing, verifying and evaluating the effectiveness of technical and organizational measures in order to guarantee the safety of the treatment.

Similar preventive security measures are taken by third parties (data processors) to whom Kala Onlus has entrusted operations to process your data on your behalf.

On the other hand, Kala Onlus is not responsible for any false information sent directly by the user (example: correctness of the e-mail address or postal address or other personal data), as well as information concerning him and that are been provided by a third party, even fraudulently.



In the case of donations made by credit card, Kala Onlus guarantees maximum privacy and security. The financial information of the credit card (number, expiry date, generality of the holder) may only be known by the issuing institution. Kala Onlus will only become aware of a code (“token”) that has no possibility to lead back to the credit card.

Similarly, the same criteria of confidentiality and confidentiality will be maintained in case of donation made by bank transfer, for which it is only required to enter a “causal code” at the time of the transfer.

If the donation is made through PayPal, you will be redirected to the PayPal site and, therefore, the criteria of confidentiality and security compete exclusively with PayPal, excluding any liability on the part of Kala Onlus.

In general, Kala Onlus assumes no responsibility with regard to unauthorized or fraudulent use by third parties of information pertaining to the tools used for the transaction related to the donation.



This privacy policy can be consulted automatically by the most recent browsers implementing the P3P standard (“Platform for Privacy Preferences Project”) proposed by the World Wide Web Consortium (

Every effort will be made to make the functionality of this site as interoperable as possible with the automatic privacy control mechanisms available in some products used by users.

Considering that the state of improvement of automatic control mechanisms does not make them currently free from errors and malfunctions, it is hereby specified that this document constitutes the “Privacy Policy” of this site which will be subject to updates.