Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")
PERSONAL DATA CONTROLLER
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as required by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called " special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.
PERSONAL DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
|Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18||Email service provider in Cloud|
|Blackbaud, 65 Fairchild Street Charleston, SC 29492||Information systems support and maintenance services provider|
|Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma – Italia||Information systems support and maintenance services provider|
|Orfeo (Mamy Inc)vv||Information systems support and maintenance services provider|
|Agenzia BB Network srl||Agency that supports the University in finding apartments for rent to students|
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION BEING PROCESSED
The data subject shall consider that, if he/she is under 18 years old, he/she shall have the form filled in by the person exercising parental responsibility.
Information processed are the following:
1) Identification data of the student
2) Information relating to the period of stay and the type of accommodation chosen;
3) Certain characteristics of the accommodation (documentable or non-documentable health problems but that the student deems useful to share for optimal accommodation);
4) Photograph of the applicant;
5) Preferences and habits in relation to housing and accommodation companions.
The student who does not want to share specific information concerning him/her can avoid responding to the proposed specifications.
However, in relation to the information referred to in number 5), the student is reminded that the answers provided in any case give JCU the possibility to generate a profile of the student.
2. PURPOSE OF DATA PROCESSING
The personal data relating to the data subject and his/her family members, collected both in this form and in the previous "Application" phase, are functional to the pursuit of the following purposes:
a) search for accommodation in accordance with the preferences expressed and, if any, health problems or other nature, which require specific attention;
b) services to support research and housing management;
c) management of the reservation and payment of the fee to JCU.
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process the personal data of the data subject because it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; because it is necessary for compliance with a legal obligation to which JCU is subject.
Data collected on this circumstance are provided by the student's free choice, however, since we believe that some information is useful to JCU but their provision shall be left to the student's will, we will ask him/her to give his/her consent in order to be able to process the personal data referred to in points 3) and 5) of the Information being processed (paragraph 1).
In the absence of such consent, we will only process the data strictly necessary to provide the requested service, namely the data referred to in points 1), 2), and 4) of the Information being processed (paragraph 1).
4. PROCESS METHODS AND RETENTION
The personal data of the data subject are processed in paper or electronic format.
Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
Data will be retained exclusively for the period and the purposes for which they were collected.
In any case, the deletion will take place within 5 years of collection.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by: JCU staff, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of the Data.
The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to/received from:
a) Local Authorities (Police Headquarters) (communication required by Article 109 of the TULPS and the Decree of the Ministry of the Interior of 7 January 2013);
b) Schools of origin;
c) Parents of the student (also based on the Family Educational Rights and Privacy Act (FERPA) of 1974);
d) natural or legal persons, external bodies and associations, including professional firms and companies, always for the purposes illustrated and for the legitimate interests of JCU.
Data on the data subjects cannot be disseminated.
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, Blackbaud, based in 2000 Daniel Island Drive Charleston, SC 29492-7541, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement.
7. DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
He/she also has the right to lodge a complaint with the Supervisory Authority.
Moreover, the data comes partly from the data subject who filled out the specific form, partly from the JCU IT system Education Edge - BlackBaud (which in any case contains data provided, at another time, by the data subject), as well as by UNICRI Coordinator (United Nations International Crime and Justice Research Institute).
Since the processing of personal data is based on the consent of the data subject, it is specified that the revocation of consent does not affect the legitimacy of the processing operated before the revocation.
The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website https://www.johncabot.edu/privacy/housing.aspx, therefore we advise the data subject, to periodically check this information.
 The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).