Child Safeguarding Policy — Vestibolo APS-ETS
Version 2.0 — 6 April 2026
Page under construction — document in final compilation
This English version is provided for the convenience of the transnational partner and of the CERV evaluators. In the event of any discrepancy between this translation and the Italian original, the Italian text shall prevail. All references to Italian legislation retain their original citations.
Vestibolo APS-ETS operates in compliance with:
This policy is a mandatory annex to the application for the CERV-2026-CITIZENS-CIV-ENGAGEMENT-BEYOND-ELECTIONS call (call document V1.0, 02.03.2026).
The welfare of every child participating in our activities is non-negotiable. This policy is not a compliance document: it is the operational translation of a real commitment.
Data Controller: Vestibolo APS-ETS — Tax Code 92184940903 — Via Nicolò Ferracciu 1, 07100 Sassari, Italy — info@vestibolo.org — Legal representative: Giuseppe Tavera (President).
Data Protection Officer (DPO): Vestibolo will voluntarily appoint a DPO before the start of activities involving minors (planned February 2027), even though it is not legally required to do so (Art. 37 GDPR — processing not on a large scale). See Section 7quater for requirements and incompatibilities.
Pursuant to Art. 35 GDPR and the list of processing types subject to DPIA published by the Italian Data Protection Authority (Garante, Provision of 11 October 2018), Vestibolo is required to carry out a DPIA before commencing any activity involving minors in the Occhi di Quartiere project.
This obligation arises because the processing meets at least three of the criteria set out in the EDPB Guidelines WP248 rev.01:
The DPIA is drafted by the Data Controller (Vestibolo) with the support of the Training Coordinator and the technical lead. Once appointed, the DPO provides an independent opinion on the DPIA but is not its author (principle of separation — Garante Provision No. 202/2025).
The DPIA will be completed and signed before the launch of the Carbonazzi pilot (October 2026).
This policy applies to all persons who, in the context of the activities of Vestibolo APS-ETS, have direct contact with children under 18:
It applies at all stages of the "Occhi di Quartiere" project and in any future Vestibolo activity involving minors.
Anyone who has direct contact with children must be vetted before activities begin. There are no exceptions, regardless of role, length of membership, or level of personal trust.
Not older than 90 days from the activity start date:
Documents are stored on Nextcloud with authenticated access and access logs, restricted to the President and the Training Coordinator, for the duration of the association relationship plus 5 years. The processing is recorded in the Record of Processing Activities (see Section 7bis).
Renewal: every 24 months, or immediately in the event of relevant changes declared by the individual.
Anyone working with children in Vestibolo's activities must always act in the best interest of the child, maintain clear and professional boundaries, and never exploit the relationship of authority or trust for personal purposes.
Tablets are provided by the school or by Vestibolo. Personal devices belonging to adults are not permitted during outings with children. The mapping apps do not require personal accounts for children and do not transmit data to non-EU servers without assessment in the DPIA.
The use of AI (OpenClaw v5.1) in the ODQ project is limited to:
The following are strictly prohibited, in compliance with the MIM/Garante Guidelines of August 2025:
OpenClaw v5.1 operates in read-only mode with a human kill switch and zero automated decisions — classified as a minimal-risk system under Reg. EU 2024/1689 (AI Act), with no direct interaction with minors.
No photograph showing an identifiable child's face is uploaded to public platforms, internal communication platforms not certified for GDPR compliance, or transmitted to the transnational partner without a specific legal basis.
Any person involved in Vestibolo's activities with minors is required to report immediately:
| Situation | Report to | Deadline |
|---|---|---|
| Inappropriate behaviour by an adult | Training Coordinator | Immediately |
| Signs of distress in a child | Training Coordinator + School Head Teacher | By end of day |
| Physical incident | Training Coordinator + Treasurer (parent notification and insurance) | Immediately |
| GDPR violation | Training Coordinator + DPO | Within 4 hours |
| Reports involving the Coordinator | President | Immediately |
Contact: info@vestibolo.org
If elements emerge that may constitute criminal offences or immediate danger: Social Services of the Municipality of Sassari, Police or Carabinieri, Public Prosecutor's Office at the Juvenile Court of Sassari. The best interest of the child takes precedence over any other consideration.
Confidentiality: all reports are treated with the strictest confidentiality. Information is shared only with those strictly necessary to manage the situation.
Whistleblower protection: Vestibolo guarantees that no person who makes a report in good faith will suffer negative consequences, even if the report turns out to be unfounded.
Before starting any activity with minors, every person completes a training course of at least 7 hours, structured as follows:
The information notice for children aged 9–11 is provided in a form appropriate to their age, pursuant to Art. 12 GDPR: simple, direct language, free of jargon, with visual support (comics and pictograms). The children's information notice is separate from the one intended for parents.
Annual refresher of at least 2 hours for all active personnel, before the start of each school year.
Vestibolo maintains a record of training sessions, including participants, dates, and content, documented in the Record of Processing Activities (see Section 7bis).
Consent to the collection and processing of personal data of participating minors requires the signature of both parents exercising parental responsibility. Consent signed by only one parent is not sufficient.
The legal basis for this rule is twofold:
The legal basis for data processing in the ODQ project is Art. 6(1)(a) GDPR (consent). For the digital components of the project that qualify as information society services (mapping app, DGA platform), Art. 8 GDPR and Art. 2-quinquies D.Lgs. 196/2003 also apply (threshold 14 years in Italy for a minor's autonomous digital consent — ODQ children are 9–11 years old, so parental consent is always required).
Consents are collected separately for each distinct purpose, in accordance with the principle of granularity (Art. 7(1) and (4) GDPR; EDPB Guidelines 05/2020). Consent for one purpose is not conditional on participation in the activity or on consent for other purposes:
Operational rule: in public versions of the project (public map, CERV communications, dissemination) images with identifiable faces of minors are never published, regardless of whether consent has been given. This choice is motivated by the principle of data minimisation (Art. 5(1)(c) GDPR) — the communicative purpose can be achieved without resorting to identifying data (Garante Provision No. 446/2025).
Parents have the right to withdraw consent at any time: withdrawal does not affect the lawfulness of processing already carried out, but entails the cessation of future processing activities.
The consent forms specify the rights of data subjects under Arts. 15–22 GDPR (access, rectification, erasure, restriction, portability, objection) and the means by which they may be exercised.
Training Coordinator (Nadia Madeddu): implementation of the policy, staff training, record-keeping.
President (Giuseppe Tavera): external communications, signing the DPIA as Data Controller, notifications to the Garante.
The policy is reviewed annually by the Board of Directors and updated in the event of relevant regulatory changes. Previous versions are archived with version number and date.
Pursuant to Art. 30 GDPR, Vestibolo maintains a written Record of Processing Activities involving minors' data. The Record documents, for each processing operation: purposes, categories of data subjects and personal data, recipients, any transfers, retention periods, and security measures adopted.
The Record is stored on Nextcloud, maintained by the Training Coordinator and approved by the President. It is not public — it is made available to the Garante upon request pursuant to Art. 30(4) GDPR.
In the event of a personal data breach involving minors' data (unauthorised access, loss, destruction, disclosure), Vestibolo applies the following procedure:
Internal assessment — within 4 hours of discovery (Vestibolo internal policy), the DPO and the Training Coordinator assess: the nature of the breach, categories and volume of data involved, number of affected minors, likelihood and severity of consequences.
Notification to the Garante — if the breach poses a risk to the rights and freedoms of data subjects, Vestibolo notifies the Garante within 72 hours of discovery via the dedicated portal (Art. 33 GDPR). Notification to the Garante is not discretionary: when in doubt, notify.
Communication to parents — if the breach poses a high risk, Vestibolo communicates the breach to parents (or legal guardians) without undue delay, in clear and plain language (Art. 34 GDPR).
Documentation — every breach, even if not notified to the Garante, is documented in the Breach Register with date, nature, effects, and corrective measures (Art. 33(5) GDPR).
Vestibolo voluntarily adopts the DPO role even though it is not legally required — the ODQ processing (60–80 children in a single school) does not reach the "large scale" threshold set by Art. 37(1)(c) GDPR. The appointment is an organisational choice to ensure GDPR compliance and alignment with the Keeping Children Safe Standards.
The DPO may not hold operational decision-making roles regarding the processing (Art. 38(6) GDPR — absence of conflict of interest; cf. also Garante Provision No. 202/2025). Accordingly, neither the President, the Training Coordinator, nor the Treasurer may serve as DPO.
Functions of the DPO in the project:
The appointment will take place before the start of activities with minors.
The relationship between Vestibolo (Data Controller for the purposes of the ODQ project) and ICS San Donato (Data Controller for institutional school purposes) will be formalised under the GDPR before activities commence:
The correct qualification will be determined with the DPOs of Vestibolo and of ICS San Donato, based on the criteria of the EDPB Guidelines 07/2020 (concepts of controller and processor).
The transnational partner of the CERV project — established in the European Union (intra-EU transfer, no restrictions) — receives exclusively aggregated and anonymous data relating to the reports. Never individual data of children, families, or personnel.
Validation note (5 April 2026): the content of this Child Protection Policy has been reviewed by Nadia Madeddu, Training Coordinator of Vestibolo APS-ETS and primary school teacher in the Municipality of Sassari, who verified its consistency with the applicable legislation on the protection of minors and with the relevant school regulations.