PRIVACY POLICY

UNEP/MAP InfoMAPsystem Platforms
Last updated: January 2026

1. Introduction
This Privacy Policy sets forth how UNEP/Mediterranean Action Plan (UNEP/MAP) InfoMAPsystem platforms collect, process, and protect personal data in compliance with the UN Data Privacy Principles and in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).
We are committed to ensuring that personal data is handled with the utmost respect for privacy and in compliance with applicable legal frameworks.

2. Data Controller
The Regional Activity Centre for Information and Communication (INFO/RAC), hosted by the Italian National Institute for Environmental Protection and Research (ISPRA), is the Data Controller for personal data processed through the InfoMAPsystem platforms.
Address:
Via Vitaliano Brancati 48, 00144 Rome, Italy

INFO/RAC is responsible for ensuring that personal data processing is conducted in compliance with all relevant regulations and principles.

3. Data Protection Officer (DPO)
In accordance with Article 37 of the GDPR, ISPRA has appointed a Data Protection Officer (DPO), who is responsible for overseeing data protection compliance across INFO/RAC’s activities.

DPO Contact:
Carlo Zaupa

Contact details:
• Registered mail: ISPRA – Via Vitaliano Brancati 48, 00144 Rome, Italy (for the attention of the Data Protection Officer)
• Certified email (PEC): protocollo.ispra@ispra.legalmail.it
• Email: rpd@isprambiente.it

The Data Protection Officer may be contacted for inquiries concerning the processing of personal data or for exercising data subject rights.

4. Purpose and Legal Basis for Processing
INFO/RAC processes personal data for purposes consistent with its mandate to provide information, data management, and services within the UNEP/MAP framework. The processing of personal data is conducted in accordance with the following principles:

Legitimacy, Fairness, and Transparency
We will process your personal data only for specified, legitimate purposes and in a transparent manner, ensuring that individuals are informed about how their data will be used.

Purpose Limitation
Personal data will be collected only for legitimate purposes directly related to the functioning of the InfoMAPsystem platforms, and will not be further processed in a manner incompatible with these purposes.

Data Minimization
We only collect and process personal data that is necessary for the purposes of the service being provided.

Purpose of Processing

Legal Basis (Article 6 GDPR)

User registration and authentication

Performance of a task carried out in the public interest (Art. 6(1)(e))

Management of access rights to platform data

Performance of a task carried out in the public interest (Art. 6(1)(e))

Data dissemination, environmental reporting

Performance of a task carried out in the public interest (Art. 6(1)(e))

Technical operation, security, and monitoring

Legitimate interest (Art. 6(1)(f))

Publication of personal data (where applicable)

Consent (Art. 6(1)(a))

5. Categories of Personal Data Processed
We may collect and process the following categories of personal data:
Identification data (name, surname)
Contact details (email address, phone number, physical address)
Professional data (organization, department, role, qualifications)
Technical data (IP address, browser information, system logs)
Platform usage data (access logs, account credentials)

We ensure that the data collected is relevant and limited to what is necessary for the intended purposes.

6. Data Processing During Platform Use
The InfoMAPsystem platforms automatically collect certain technical information during user visits, including:
• Web pages visited
• Time of access
• IP address

These data are used for technical, statistical, and security purposes and are retained for no longer than seven (7) days. The information is stored in a manner that prevents the identification of specific individuals.

7. Data Recipients
Personal data may be accessed by:
• Authorized personnel of INFO/RAC and ISPRA
• Data processors acting on behalf of INFO/RAC under contractual obligations in accordance with Article 28 of the GDPR
• Public authorities, only when required by law or court order

Data is never transferred for commercial purposes or shared with third parties without a legal obligation or explicit consent.

8. Data Transfers Outside the EU
Personal data is stored and processed exclusively within the European Union (EU).
No transfers of personal data to third countries or international organizations occur without ensuring appropriate safeguards in compliance with GDPR and applicable UN policies.

9. Data Retention
Personal data will be retained only for the duration necessary to fulfill the purposes for which they were collected, in compliance with applicable legal obligations, institutional policies, and data protection standards.

10. Data Subject Rights
In line with the UN Data Privacy Principles and the GDPR, you have the right to:
Access: Request access to personal data held about you
Rectification: Request corrections or updates to your personal data
Erasure: Request deletion of your personal data where appropriate
Restriction of Processing: Request restriction of processing under certain circumstances
Data Portability: Request the transfer of your data to another service provider
Objection: Object to certain types of data processing
Withdrawal of Consent: Withdraw consent, where processing is based on consent
Right to Lodge a Complaint: Submit a complaint to the relevant supervisory authority

11. Right to Lodge a Complaint
Data subjects have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) or any other competent supervisory authority, should they believe that the processing of their personal data violates the GDPR.

12. Exercising Your Rights
To exercise your rights or for any inquiries regarding data protection, please contact us at:
info@info-rac.org

Please include sufficient details to identify yourself and specify your request.

13. Changes to This Policy
INFO/RAC reserves the right to amend this Privacy Policy. Any material changes to this Policy will be communicated through the platforms.
Please review this Policy regularly to stay informed about how we are safeguarding your personal data.