Privacy

Last updated: 29 May 2026

This Privacy Policy describes how personal data is collected and processed through the website hlm4rare.eu in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation — “GDPR”) and Italian Legislative Decree 196/2003 as amended.

1. Data Controller

The Data Controller is Fondazione Brains for Brain ETS (hereinafter “the Foundation”), with registered office at:

  • Corso Milano 106, 35139 Padova (PD), Italy
  • Tax Code (Codice Fiscale): 92212200288
  • VAT Number: IT 04731710283
  • Contact email: info@hlm4rare.eu

HLM4Rare is a strategic initiative operated by the Foundation through the website hlm4rare.eu.

2. Personal data we collect and process

2.1 Browsing data (automatic)

When you visit this website, our web server automatically records technical information for operational and security purposes. This includes:

  • IP address (in server access logs)
  • Browser type, version and language
  • Operating system
  • Date and time of access
  • Pages visited and referrer URL

This data is used solely for technical purposes (ensuring proper functioning of the service, troubleshooting, security against attacks) and is not associated with directly identifying user profiles.

2.2 Website analytics (Matomo)

This website uses Matomo, a privacy-friendly web analytics platform, to understand how visitors interact with the content. The service is provided by Matomo SAS (France) and hosted on EU-based infrastructure (Germany). The following measures are in place:

  • IP addresses are anonymized prior to storage
  • No cookies are used for tracking
  • Data is not shared with any third party

Because of these measures, our use of Matomo does not require your prior consent under the European Data Protection Board (“EDPB”) guidelines and the Italian Data Protection Authority (“Garante”) recommendations on cookieless analytics.

2.3 Event registration data

When you register for an event organized by the Foundation through this website (e.g., “Health without Postcodes”), we collect the data you voluntarily provide in the registration form.

For all attendees, the following data is collected:

  • First name and last name
  • Email address
  • Job title / role
  • Organization / affiliation
  • Type of organization
  • Country of residence
  • Mode of attendance (in-person or remote)
  • Any additional comments you may provide

For in-person attendees at the European Parliament without prior accreditation badge, the European Parliament’s security services require identification data in order to grant building access. The following additional data is therefore requested:

  • Nationality
  • Date of birth
  • Type of identification document (passport or identity card)
  • Document number
  • Document expiration date

These identification data are required by the European Parliament and are transmitted to its security services for the sole purpose of granting access to the building on the day of the event.

2.4 Photo and video consent

If you provide consent in the registration form, photographs and/or videos taken at the event in which you may appear may be used by the Foundation for promotional, educational, or informational purposes. This consent is entirely optional and can be withdrawn at any time without affecting your participation in the event.

2.5 Contact correspondence

If you contact us by email (e.g., at info@hlm4rare.eu), we will process the data you provide in your communication for the sole purpose of responding to your enquiry.

2.6 Newsletter

If you subscribe to the HLM4Rare newsletter, we collect and process your email address to send you information about the Foundation’s initiatives, events, and updates. The newsletter is managed on our behalf through Mailchimp (Intuit Inc., United States). You may unsubscribe at any time using the link provided in every newsletter email, or by contacting us at info@hlm4rare.eu.

3. Legal basis for processing

PurposeLegal basis (GDPR Art. 6)
Event registrationConsent — Art. 6(1)(a)
Transmission of ID data to European Parliament securityPerformance of a task in the public interest / legitimate interest of event organisation — Art. 6(1)(f), enabled by your consent to registration
Photo/video useConsent — Art. 6(1)(a)
Server logs (technical/security)Legitimate interest — Art. 6(1)(f)
Anonymous analytics (Matomo)Legitimate interest — Art. 6(1)(f)
Responding to email enquiriesLegitimate interest / consent — Art. 6(1)(a) or (f)
Newsletter subscriptionConsent — Art. 6(1)(a)

Providing registration data is necessary to process your registration. If you do not provide the required data, we will not be able to confirm your participation.

4. Data recipients and processors

Your personal data may be processed by, or shared with, the following categories of recipients, all bound by appropriate confidentiality and data protection obligations:

  • Authorized personnel of the Foundation involved in the organization and management of the event
  • The European Parliament’s security services: only for in-person attendees without prior accreditation, and only with respect to the identification data listed in section 2.3, for the specific purpose of building access
  • Hosting providers (data processors):
    • Contabo GmbH (Germany) — hosts the website
    • OVH SAS (France) — hosts the email infrastructure (Mailcow server)
  • Analytics platform (data processor):
    • Matomo SAS (France, with infrastructure in Germany) — provides the privacy-friendly web analytics described in section 2.2
  • Email marketing platform (data processor):
    • Intuit Mailchimp (United States) — manages the HLM4Rare newsletter, where you have subscribed to it

We do not sell your personal data to third parties under any circumstances.

5. Transfers of data outside the European Union

The technical infrastructure of the website is hosted within the European Union:

  • Website: Germany (Contabo GmbH)
  • Analytics: Germany (Matomo SAS, with infrastructure in Germany)
  • Email infrastructure: France (OVH SAS)

If you have subscribed to the HLM4Rare newsletter, your email address is processed by Intuit Mailchimp in the United States. This transfer is governed by the European Commission’s Standard Contractual Clauses and the additional contractual safeguards provided by Mailchimp, ensuring that your data benefits from a level of protection equivalent to that guaranteed within the European Union. Further information is available in Mailchimp’s Data Processing Addendum.

6. Data retention

We retain personal data only for the time necessary to fulfil the purposes described in this Privacy Policy:

Data categoryRetention period
Event registration data (name, email, organisation, etc.)Deleted within 60 days after the event date
Identification data for European Parliament access (passport/ID details)Deleted within 30 days after the event date, or earlier upon European Parliament security request
Photographs/videos (with consent)Used for as long as necessary for promotional/educational purposes by the Foundation; you may request removal at any time
Server access logsMaximum 12 months, then automatically deleted
Aggregated analytics (Matomo)Indefinitely, in aggregated and anonymous form (no individual identification possible)
Email correspondenceRetained for as long as necessary to manage the enquiry and for legitimate record-keeping (typically up to 24 months)
Newsletter subscription (email address)Retained until you unsubscribe or request removal

7. Your rights

Under Articles 15–22 of the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15) — obtain confirmation of whether your data is being processed and a copy of it
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data
  • Right to erasure / “right to be forgotten” (Art. 17) — request deletion of your data in the cases provided by law
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — in particular to processing based on legitimate interest
  • Right to withdraw consent at any time (Art. 7(3)) — for any processing based on your consent; this does not affect the lawfulness of processing carried out before withdrawal
  • Right to lodge a complaint with the supervisory authority — in Italy, the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it)

To exercise these rights, please contact us at info@hlm4rare.eu. We will respond without undue delay and, in any event, within one month of receipt of your request.

8. Cookies

This website uses only strictly necessary technical cookies, which are essential for the functioning of the website. These include, for example, cookies that maintain the session of administrators logged into the website backend, or cookies that preserve form data during submission.

We do not use:

  • Profiling or behavioural cookies
  • Third-party tracking cookies
  • Advertising cookies

Because only strictly necessary technical cookies are used, no cookie banner is displayed, in accordance with the guidelines of the Italian Data Protection Authority.

9. Security measures

The Foundation has implemented appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encrypted connections via HTTPS/TLS
  • Authenticated email infrastructure with SPF, DKIM and DMARC alignment
  • Mandatory two-factor authentication for administrative access
  • Anti-spam and anti-bot protection on public forms
  • Regular automated backups stored securely
  • Access to personal data restricted to authorized personnel on a need-to-know basis
  • Prompt deletion of identification data after the event (see retention table)

10. Changes to this Privacy Policy

The Foundation may update this Privacy Policy from time to time, in particular to reflect changes in applicable law, in the services offered, or in the technical infrastructure used. The “Last updated” date at the top of this page indicates the most recent revision. Significant changes will be communicated through prominent notices on the website.

11. Contact

For any question concerning this Privacy Policy or the processing of your personal data, please contact:

Fondazione Brains for Brain ETS
Corso Milano 106, 35139 Padova (PD), Italy
Email: info@hlm4rare.eu