PRIVACY POLICY

UNEP/MAP InfoMAPsystem Platforms
Last updated: January 2026

1. Introduction
This Privacy Policy sets forth how UNEP/Mediterranean Action Plan (UNEP/MAP) InfoMAPsystem platforms collect, process, and protect personal data in compliance with the UN Data Privacy Principles and in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).
We are committed to ensuring that personal data is handled with the utmost respect for privacy and in compliance with applicable legal frameworks.

2. Data Controller
The Regional Activity Centre for Information and Communication (INFO/RAC), hosted by the Italian National Institute for Environmental Protection and Research (ISPRA), is the Data Controller for personal data processed through the InfoMAPsystem platforms.
Address:
Via Vitaliano Brancati 48, 00144 Rome, Italy

INFO/RAC is responsible for ensuring that personal data processing is conducted in compliance with all relevant regulations and principles.

3. Data Protection Officer (DPO)
In accordance with Article 37 of the GDPR, ISPRA has appointed a Data Protection Officer (DPO), who is responsible for overseeing data protection compliance across INFO/RAC’s activities.

DPO Contact:
Carlo Zaupa

Contact details:
• Registered mail: ISPRA – Via Vitaliano Brancati 48, 00144 Rome, Italy (for the attention of the Data Protection Officer)
• Certified email (PEC): protocollo.ispra@ispra.legalmail.it
• Email: rpd@isprambiente.it

The Data Protection Officer may be contacted for inquiries concerning the processing of personal data or for exercising data subject rights.

4. Purpose and Legal Basis for Processing
INFO/RAC processes personal data for purposes consistent with its mandate to provide information, data management, and services within the UNEP/MAP framework. The processing of personal data is conducted in accordance with the following principles:

Legitimacy, Fairness, and Transparency
We will process your personal data only for specified, legitimate purposes and in a transparent manner, ensuring that individuals are informed about how their data will be used.

Purpose Limitation
Personal data will be collected only for legitimate purposes directly related to the functioning of the InfoMAPsystem platforms, and will not be further processed in a manner incompatible with these purposes.

Data Minimization
We only collect and process personal data that is necessary for the purposes of the service being provided.

Purpose of Processing

Legal Basis (Article 6 GDPR)

User registration and authentication

Performance of a task carried out in the public interest (Art. 6(1)(e))

Management of access rights to platform data

Performance of a task carried out in the public interest (Art. 6(1)(e))

Data dissemination, environmental reporting

Performance of a task carried out in the public interest (Art. 6(1)(e))

Technical operation, security, and monitoring

Legitimate interest (Art. 6(1)(f))

Publication of personal data (where applicable)

Consent (Art. 6(1)(a))

5. Categories of Personal Data Processed
We may collect and process the following categories of personal data:
Identification data (name, surname)
Contact details (email address, phone number, physical address)
Professional data (organization, department, role, qualifications)
Technical data (IP address, browser information, system logs)
Platform usage data (access logs, account credentials)

We ensure that the data collected is relevant and limited to what is necessary for the intended purposes.

6. Data Processing During Platform Use
The InfoMAPsystem platforms automatically collect certain technical information during user visits, including:
• Web pages visited
• Time of access
• IP address

These data are used for technical, statistical, and security purposes and are retained for no longer than seven (7) days. The information is stored in a manner that prevents the identification of specific individuals.

7. Data Recipients
Personal data may be accessed by:
• Authorized personnel of INFO/RAC and ISPRA
• Data processors acting on behalf of INFO/RAC under contractual obligations in accordance with Article 28 of the GDPR
• Public authorities, only when required by law or court order

Data is never transferred for commercial purposes or shared with third parties without a legal obligation or explicit consent.

8. Data Transfers Outside the EU
Personal data is stored and processed exclusively within the European Union (EU).
No transfers of personal data to third countries or international organizations occur without ensuring appropriate safeguards in compliance with GDPR and applicable UN policies.

9. Data Retention
Personal data will be retained only for the duration necessary to fulfill the purposes for which they were collected, in compliance with applicable legal obligations, institutional policies, and data protection standards.

10. Data Subject Rights
In line with the UN Data Privacy Principles and the GDPR, you have the right to:
Access: Request access to personal data held about you
Rectification: Request corrections or updates to your personal data
Erasure: Request deletion of your personal data where appropriate
Restriction of Processing: Request restriction of processing under certain circumstances
Data Portability: Request the transfer of your data to another service provider
Objection: Object to certain types of data processing
Withdrawal of Consent: Withdraw consent, where processing is based on consent
Right to Lodge a Complaint: Submit a complaint to the relevant supervisory authority

11. Right to Lodge a Complaint
Data subjects have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) or any other competent supervisory authority, should they believe that the processing of their personal data violates the GDPR.

12. Exercising Your Rights
To exercise your rights or for any inquiries regarding data protection, please contact us at:
info@info-rac.org

Please include sufficient details to identify yourself and specify your request.

13. Changes to This Policy
INFO/RAC reserves the right to amend this Privacy Policy. Any material changes to this Policy will be communicated through the platforms.
Please review this Policy regularly to stay informed about how we are safeguarding your personal data.

COOKIE POLICY

UNEP/MAP InfoMAPsystem Platforms

Last updated: January 2026

1. General Information

This Cookie Policy describes the use of cookies and similar technologies in accordance with applicable European data protection and electronic communications legislation on the InfoMAPsystem platforms, identified as:

2. Definition of Cookies

Cookies are small text files stored on the user’s device when accessing a website. Cookies allow websites to operate efficiently and support the provision of services.

3. Categories of Cookies Used

3.1 Strictly Necessary (Technical) Cookies

These cookies are essential for the correct functioning of the platforms and enable core functionalities such as:

  • User authentication and session management
  • Security and system integrity
  • Access to restricted areas

The use of strictly necessary cookies does not require user consent.

3.2 Analytical Cookies (Aggregated)

The platforms use analytical cookies exclusively in aggregated and anonymised form for the purpose of:

  • Producing statistical reports on platform usage
  • Improving system performance and services

These cookies do not permit the identification of individual users.

4. Cookies Not Used

The InfoMAPsystem platforms do not use:

  • Profiling cookies
  • Advertising or marketing cookies
  • Third-party tracking cookies

5. Cookie Retention

  • Session cookies are deleted automatically upon closure of the browser
  • Analytical cookies are retained for a limited duration consistent with their purpose

6. Cookie Management

Users may configure their browser settings to manage or disable cookies.
Disabling strictly necessary cookies may impair the proper functioning of the platforms.

7. Legal Basis

The use of strictly necessary cookies is based on the legitimate interest of the Data Controller and is indispensable for the provision of the requested services.
Aggregated analytical cookies are used in compliance with applicable data protection rules and do not require user consent.