INFORMATION ON THE PROCESSING OF PERSONAL DATA pursuant to Article 13 of EU Regulation 2016/679 (GDPR) PROMOTING COMMITTEE “HIP HOP PROTECTION”
Dear Member/Subscriber,
In compliance with the obligations arising from the European Regulation for the management of personal data No. 2016/679 (GDPR), the “Hip Hop Protection” Committee hereby provides you with the following information regarding the processing of your personal data.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller is the Promoting Committee “HIP HOP PROTECTION”, with registered office at Via Cavour n. 18/C – 00061 Anguillara Sabazia (RM), Website: https://hiphoprotection.com/, e-mail: comitatopromotore@hiphoprotection.com, Legal Representative: Veronica Benanti (President).
Pursuant to Article 37 et seq. of EU Regulation 2016/679, the Committee has appointed a Data Protection Officer (DPO), domiciled for this function at the Committee’s headquarters and reachable at the following e-mail address: privacy@hiphoprotection.com.
2. SOURCE OF PERSONAL DATA
Personal data are collected directly from the Data Subject through the completion of the contact form available on the website: https://hiphoprotection.com/.
3. PURPOSES AND LEGAL BASIS OF PROCESSING
Personal data collected via the contact form will be processed for the following purposes:
a) Primary Purposes:
3.1 Management of the Membership/Affiliation Request
- Registration as a supporter/signatory of the Committee.
- Management of membership status (ordinary, benefactor, honorary member).
- Communications regarding membership status.
Legal basis: Art. 6, par. 1, letter b) of the GDPR (processing is necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract).
3.2 UNESCO Candidacy
- Inclusion of data in the candidacy file for the inscription of Hip Hop culture on the UNESCO Representative List of the Intangible Cultural Heritage of Humanity.
- Transmission of the file to the competent bodies (UNESCO, Italian National Commission for UNESCO, Ministry of Culture).
- Documentation of support for the candidacy.
Legal basis: Art. 6, par. 1, letter f) of the GDPR (legitimate interest of the Data Controller in pursuing the statutory purposes of the Committee).
3.3 Institutional Communications
- Sending updates on the progress of the UNESCO candidacy.
- Communications regarding the Committee’s statutory activities.
- Notice of meetings/Assembly summons (for members entitled to attend).
Legal basis: Art. 6, par. 1, letters b) and f) of the GDPR.
3.4 Legal Compliance
- Accounting, tax, and administrative obligations.
- Maintenance of membership registers / association records.
Legal basis: Art. 6, par. 1, letter c) of the GDPR (compliance with a legal obligation to which the controller is subject).
b) Secondary Purposes (subject to specific consent):
3.5 Marketing and Promotion
- Sending informative newsletters regarding the Committee’s activities.
- Communications related to events, cultural initiatives, training courses, battles, and jams organized or sponsored by the Committee.
- Sending promotional material regarding Hip Hop culture.
Legal basis: Art. 6, par. 1, letter a) of the GDPR (consent of the data subject) – Optional.
3.6 Public Publication
- Publication of the name as a supporter/signatory on the Committee’s website.
- Mention on the Committee’s social media channels (Facebook, Instagram, etc.).
- Inclusion in public lists attached to the UNESCO candidacy file.
Legal basis: Art. 6, par. 1, letter a) of the GDPR (consent of the data subject) – Optional.
3.7 Event Documentation
- Use of photographs or video recordings portraying the data subject during events, demonstrations, or conferences organized by the Committee.
- Publication of such content on the Committee’s communication channels.
Legal basis: Art. 6, par. 1, letter a) of the GDPR (consent of the data subject) – Optional.
4. CATEGORIES OF PERSONAL DATA PROCESSED
The Committee processes the following categories of personal data collected via the contact form:
Common Data:
- Identification data: First name, last name.
- Contact data: E-mail address, telephone number (if provided).
- Personal details: Date and place of birth (if required for full registration).
- Residential address: Street, house number, postal code, city, province/state (if required).
- Professional/Artistic information: Any activity within the Hip Hop field, professional qualification (if relevant and voluntarily communicated).
- Message/Notes: Content of the message entered into the contact form.
Browsing Data:
- Technical data: IP address, browser type, operating system, timestamp of the form submission (automatically collected by the web server for security purposes and the technical functioning of the website).
Legal basis for browsing data: Art. 6, par. 1, letter f) of the GDPR (legitimate interest in cybersecurity and fraud prevention).
Special Categories of Data (Art. 9 GDPR):
The form DOES NOT require the submission of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, or sexual orientation).
Should the data subject spontaneously provide such data within the free-text message field, these data will not be processed unless strictly necessary and subject to specific, explicit consent.
5. NATURE OF DATA PROVISION
Mandatory Data:
The provision of the following data is necessary to:
- Respond to the contact/membership request.
- Proceed with registration as a supporter/signatory.
- Include the data subject in the UNESCO candidacy file.
Mandatory fields: first name, last name, e-mail, date and place of birth, residence (for formal membership).
Refusal to provide mandatory data will result in:
- The impossibility of processing the contact request.
- The impossibility of joining the Committee as a supporter/signatory.
- The impossibility of being included in the UNESCO documentation.
Optional Data:
The provision of data for secondary purposes (marketing, publication, events) is optional and requires specific consent. Refusal to provide such data does not affect the possibility of joining the Committee.
6. METHODS OF PROCESSING
Personal data will be processed using paper-based, IT, and electronic tools, through:
- Collection: Online forms on the website.
- Storage: Protected digital databases and paper archives at the registered office.
- Communication: E-mail, PEC (Certified e-mail), and membership management platforms.
- Processing: Preparation of the UNESCO file, lists of supporters, and membership registers.
Processing is carried out by specifically authorized and trained individuals, in compliance with the principles of lawfulness, fairness, transparency, data minimization, and integrity.
7. RECIPIENTS AND DISCLOSURE OF DATA
Personal data may be disclosed to the following categories of recipients:
a) Institutional Bodies (consent not required):
- UNESCO – United Nations Educational, Scientific and Cultural Organization (Paris, France).
- Italian National Commission for UNESCO (Rome).
- Ministry of Culture (MiC) – Directorate-General for Education, Research, and Cultural Institutes.
- Other public authorities competent in the protection of intangible cultural heritage.
b) Parties involved in the management of the Committee:
- Members of the Board of Directors and the Assembly of Promoters.
- Secretary and Treasurer of the Committee.
- External collaborators and consultants (legal, accounting, IT consultants) bound by confidentiality obligations or appointed as Data Processors pursuant to Art. 28 of the GDPR.
c) Service Providers (Data Processors):
- Hosting providers and website managers.
- E-mail service providers (for institutional communications).
- Management software for association administration.
- Video conferencing platforms (for online assemblies).
d) Other parties (subject to consent):
- Other supporters/signatories (via the public list on the website or in UNESCO documents).
- Partners and sponsors of the Committee’s events and initiatives.
- Media and press for promotional activities related to the candidacy.
Your data will not be subject to indiscriminate dissemination, except for the publication of the list of supporters subject to specific consent.
8. TRANSFER OF DATA TO NON-EU COUNTRIES
Given the international nature of the UNESCO candidacy, the personal data contained in the file will be transferred to:
Main recipient:
UNESCO – 7, Place de Fontenoy, 75352 Paris 07 SP, France
Data transfer to France takes place within the European Union; therefore, no additional safeguards are required.
Potential further transfers outside the EU:
The UNESCO file may subsequently be accessible by:
- UNESCO Member States worldwide;
- UNESCO Technical Committees located in third countries.
Safeguards adopted:
- UNESCO is an international organization that applies its own data protection policies in compliance with international standards.
- The transfer is necessary for the performance of the Committee’s statutory purposes (Art. 49, par. 1, point (b) of the GDPR).
- By joining the Committee, the data subject provides explicit consent to the international transfer of their personal data (Art. 49, par. 1, point (a) of the GDPR).
The data subject may request further information regarding the specific safeguards adopted by contacting the Data Controller.
9. DATA RETENTION PERIOD
Personal data will be stored for the following periods:
9.1 Data for the UNESCO candidacy:
- For the entire duration of the Committee until the objective is achieved (inclusion in the UNESCO list) or the dissolution of the Committee
- An additional 10 years thereafter for historical and documentary preservation purposes of the candidacy
9.2 Membership data:
- For the duration of the membership as a member/supporter
- 10 years from the termination of the membership relationship for fiscal and accounting compliance (D.P.R. 600/1973)
9.3 Data for marketing communications:
- Until the data subject withdraws consent
- 24 months of inactivity (failure to open newsletters/emails) followed by a request for confirmation of interest
9.4 Browsing data:
- Web server logs: maximum 12 months for IT security purposes
Upon expiry of these terms, the data will be deleted or irreversibly anonymized, unless further storage is necessary for the establishment, exercise, or defense of legal claims or for legal obligations.
10. RIGHTS OF THE DATA SUBJECT
The data subject has the right to obtain from the Data Controller, pursuant to articles 15-22 of the GDPR:
Right of ACCESS (art. 15)
To obtain confirmation as to whether or not personal data are being processed, information on the purposes, categories of data, recipients, retention period, and a copy of the data processed.
Right to RECTIFICATION (art. 16)
To obtain the correction of inaccurate personal data or the integration of incomplete data.
Right to ERASURE – “right to be forgotten” (art. 17)
To obtain the erasure of personal data when:
- They are no longer necessary for the purposes
- Consent is withdrawn and there is no other legal basis
- The data subject objects to the processing
- The data have been processed unlawfully
- There is a legal obligation for erasure
LIMITATIONS: the right cannot be exercised if storage is necessary for:
- Compliance with a legal obligation
- The establishment, exercise, or defense of legal claims
- Reasons of public interest (UNESCO candidacy)
Right to RESTRICTION of processing (art. 18)
To obtain the suspension of processing when:
- The data subject contests the accuracy of the data
- The processing is unlawful but the data subject opposes erasure
- The data are necessary for the establishment of legal claims
- An objection to the processing has been filed, pending verification
Right to DATA PORTABILITY (art. 20)
To receive the provided data in a structured, readable, and interoperable format, and to transmit them to another Data Controller, limited to processing based on consent or contract and carried out by automated means.
Right to OBJECT (art. 21)
To object to the processing of one’s personal data when:
- The processing is based on the legitimate interest of the Data Controller (Art. 6, par. 1, point (f))
- The data are processed for direct marketing purposes
The Data Controller shall cease processing unless they demonstrate compelling legitimate grounds which override the interests of the data subject.
Right to WITHDRAW CONSENT (art. 7, par. 3)
To withdraw at any time the consent provided for optional purposes, without affecting the lawfulness of processing based on consent before its withdrawal.
11. PROCEDURES FOR EXERCISING RIGHTS
To exercise the rights mentioned above, the data subject may contact the Data Controller by means of:
- E-mail: comitatopromotore@hiphoprotection.com
- Certified E-mail (PEC): veronica.benanti@timpec.it
- Ordinary mail: Comitato Promotore “HIP HOP PROTECTION” – Via Cavour n. 18/C – 00061 Anguillara Sabazia (RM)
The request must contain:
- Full personal details of the data subject
- Specification of the right intended to be exercised
- Copy of an identity document for identity verification
Response times: The Data Controller will provide a response without undue delay and in any case within 30 days of receipt of the request. This period may be extended by a further 60 days in cases of particular complexity of the request, with notification provided to the data subject within the first month.
Fees: Exercising these rights is free of charge. The Controller may charge a reasonable fee only in the case of requests that are manifestly unfounded, excessive, or repetitive.
12. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
The data subject, if they believe that the processing of their personal data occurs in violation of the GDPR, has the right to lodge a complaint with the Data Protection Authority (Garante per la protezione dei dati personali):
Garante per la protezione dei dati personali
Piazza Venezia n. 11 – 00187 Roma
E-mail: garante@gpdp.it
PEC: protocollo@pec.gpdp.it
Telephone: +39 06.696771
Website: www.garanteprivacy.it
or with the supervisory authority of the EU Member State of their habitual residence, place of work, or the place where the alleged violation occurred.
13. AUTOMATED DECISION-MAKING AND PROFILING
The Data Controller does NOT carry out any automated decision-making, including profiling, pursuant to Art. 22 of the GDPR. Decisions regarding the admission of members and the management of the Committee’s activities are adopted exclusively by natural persons (President, Board of Directors, Assembly).
14. SECURITY MEASURES
The Data Controller adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, pursuant to Art. 32 of the GDPR, including:
Technical measures:
- HTTPS protocol for the secure transmission of data via the contact form
- Firewalls and antivirus systems on the servers and devices used
- Periodic data backups with storage in a secure environment
- Encryption of sensitive data in archives
- Protection against unauthorized access through authentication credentials
Organizational measures:
- Restricting data access only to authorized and trained personnel
- Appointment of Data Processors for external service providers (Art. 28 GDPR)
- Procedures for managing personal data breaches, with notification to the Authority within 72 hours where applicable (Art. 33 GDPR)
- Periodic training of staff and collaborators on data protection principles
15. COOKIES AND TRACKING TECHNOLOGIES
The website https://hiphoprotection.com/ uses cookies and similar technologies. For detailed information, please refer to the specific Cookie Policy available on the site.
In summary:
- Technical cookies: used for the functioning of the contact form (strictly necessary, do not require consent)
- Analytical cookies: possibly used for aggregate statistics (subject to consent via banner)
- Third-party cookies: any integrated services (Google Maps, social plugins) with their own policies
The data subject can manage cookie preferences through the banner present upon the first visit to the site.
16. AMENDMENTS TO THIS POLICY
This privacy policy may be modified or updated periodically, also due to future regulatory changes.
The data subject is invited to regularly consult this section to check for the publication of the most recent version of the policy.
Date of first publication: June 2022
Last update: January 2026
Version: 1.0