Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")
PERSONAL DATA CONTROLLER
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as defined by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deduced, even indirectly, from information provided by the data subject or by a third party.
PERSONAL DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| Blackbaud, 65 Fairchild Street Charleston, SC 29492 | Information systems support and maintenance services provider |
| Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma – Italia | Information systems support and maintenance services provider |
| Maxient LLC, P.O. Box 7224, Charlottesville, VA 22906 | "Maxient Conduct Manager" Software as a Service Provider |
However, JCU may designate other subjects as Data Processors that are not included in the table above. In any case, these subjects will be functional to the processing carried out by JCU and bound by the principle of purpose as well as by the current legislation on the protection of personal data.
1. INFORMATION PROCESSED
The data subject shall consider that, if he/she is under 18 years old, he/she shall have the form "Authorization for release and confidential information acquisition" filled in by the person exercising parental responsibility.
The following information is collected:
1) Identification data of the student
2) Data related to the physical and mental health of the student.
2. PURPOSE OF DATA PROCESSING
The personal data relating to the data subject are functional to the pursuit of the purpose of assistance in relation to physical and mental problems in order to facilitate the achievement of the student's educational and personal goals.
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
The legal basis of the processing is the student's consent, expressed directly or through the legal guardian exercising parental responsibility.
The provision of data is left to the free choice of the student and only after the expression of the consent, JCU will proceed to the processing of his/her personal data, including special categories of personal data.
In the absence of this consent, JCU will refrain from processing for the purposes indicated.
4. PROCESSING METHODS AND RETENTION PERIOD
The personal data of the data subject are processed in paper or electronic format.
Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
Data will be retained exclusively for the period and the purposes for which they were collected.
In any case, the deletion will take place after the expiration of 10 years from collection.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by: JCU staff who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.
The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to/received from:
a) Public administrations and local authorities;
b) Persons in charge of parental responsibility;
c) Doctors of the Campus;
d) Psychologists, psychiatrists, and consultants;
Data on the data subjects cannot be disseminated.
6. TRANSFER OF DATA OUTSIDE THE EU
The personal data of the data subjects may be transferred to the United States of America. For this purpose the recipient, Blackbaud, based in 2000 Daniel Island Drive Charleston, SC 29492-7541, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement. Data may also be transferred from/to Maxient LLC, in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87/EU with the data controller.
7. DATA SUBJECTS RIGHTS
In the cases provided for, the data subject has the right to obtain from JCU access to personal data and their rectification or erasure, or the restriction of the processing that concerns him/her, or to object to processing (articles 15 to 22 of GDPR).
He/she also has the right to lodge a complaint with the Supervisory Authority.
Furthermore, the data subject is informed that the data being processed are provided by him/her and by the doctors who interact with JCU to provide the requested service.
Since the processing of personal data is based on the consent of the data subject, it is specified that the revocation of consent does not affect the legitimacy of the processing operated before the revocation.
The data subject can submit his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address firstname.lastname@example.org.
If you believe that we have collected information on a person under 14 years old without the consent of, or contrary to the will of, the person who exercises parental responsibility, please contact us at email@example.com so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document by publishing the changes on the website https://www.johncabot.edu/privacy/health.aspx. We therefore advise the data subject to check this information periodically.
The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland to the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).