Admissions Privacy Information
Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as defined by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deduced, even indirectly, from information provided by the data subject or by a third party.
John Cabot University uses the following subjects as Data Processors:
|Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18||Email service provider in Cloud|
|Blackbaud, 65 Fairchild Street Charleston, SC 29492||Information systems support and maintenance services provider|
|Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma – Italia||Information systems support and maintenance services provider|
|HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States||Software as Service provider in support of marketing activities|
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION PROCESSED
Information collected in the Admission form is gathered into 7 sections:
1) Biographical information
2) Contact information
3) Academic interests
4) Disciplinary measures
5) Course of studies
6) Information on the student's family and on any tutor
7) Financial information
8) Additional information
Some of this information is needed, others are optional, to distinguish them we have marked the necessary information with an asterisk.
Furthermore, some of the information relating to the data subject was previously collected (see specific notice https://www.johncabot.edu/privacy/marketing.aspx and will be included in the documentation relating to the interaction of the data subject with the JCU and his/her preferences (expressed on the occasion of the support services required, tutoring and orientation activities, housing, wellbeing, ...).
2. PURPOSE OF DATA PROCESSING
The personal data relating to the data subject and his/her family members, collected both in this form and in the previous "Application" phase, are functional to the pursuit of the following purposes:
a) proceed with the admission of the student (herein informed as data subject) to the JCU courses;
b) manage the student's position once admitted to the JCU;
c) direct marketing (promotion of events and initiatives similar to those in which the data subject participated).
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process the personal data of the data subject because it is necessary (i) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject as provided for in the pre-contractual measures; (II) for compliance with a legal obligation to which JCU is subject; (iii) for the purposes of the legitimate interests pursued by JCU in the organization of academic activity, the undertaking of commitments with structures with which JCU has an agreement (outside Italy, for example) and the selection of students to be admitted to its structure and/or courses.
The data collected on this occasion are not subject to your consent as it is your free choice to give them to us starting and completing the Admission procedure for the Courses and Activities proposed by JCU.
4. PROCESS METHODS AND DATA RETENTION
The personal data of the data subject are processed in paper or electronic format.
Appropriate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
Data will be retained exclusively for the period and the purposes for which they were collected. If a request for enrollment is not accepted or not completed, the data of the data subject will be retained for a year and, subsequently, deleted. Otherwise, if the student enrolls in the JCU Courses, the data collected will be retained for the period of the Courses and, subsequently, deletion will take place within 10 years of collection.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by: JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.
The processing of data, from simple access to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to/received from:
1) National and international public bodies, such as Ministries and Offices of the Public Administration, in relation to the performance of the institutional tasks of the University, to the recognition of qualifications and other reasons always functional to the aims pursued and to the relative contractual and legal obligations towards the data subject in relation to provisions that require the communication of certain information to third parties, as well as the legitimate interests of JCU;
2) Universities with which JCU has agreements;
3) Natural or legal persons, external bodies and associations, including professional firms and companies, always for the purposes illustrated and for the legitimate interests of JCU.
Information on the data subjects cannot be disseminated.
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement.
7. DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
The data subject also has the right to lodge a complaint with the Supervisory Authority.
In relation to the processing envisaged for the purpose referred to in paragraph 2, letter c), the data subject has the right to either object to it immediately, or revoke the consent subsequently.
The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address firstname.lastname@example.org.
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at email@example.com so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the Website https://www.johncabot.edu/privacy/admissions.aspx, therefore we advise the data subject to periodically check this information.
 The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).