Privacy Policy

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR") 

John Cabot University systematically undertakes to comply with the current legislation on data protection and user privacy protection.

The following information describes the provisions of articles 13 and 14 of GDPR.

If you decide to request information and/or enter the process of selection and admission to JCU, we are committed to using the information entered (i.e. personal and special data concerning you) only for the purposes of carrying out the requested service or for the other purposes illustrated in this notice or in those that will subsequently be performed.

The information we are providing refers to the websites listed below (hereinafter "Website") and not to other websites that may be consulted by the user through links contained in them:

• www.johncabot.edu

• blog.johncabot.edu

• myjcu.johncabot.edu (limited to the sections accessible without registration, blog)

• https://jcualumni.org/

PERSONAL DATA CONTROLLER

John Cabot University (hereinafter “JCU” or just “University”), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller. 

PERSONAL DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors:

However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.

1. INFORMATION BEING PROCESSED

1.1 BROWSING DATA                    

The Website for its operation does not collect information that directly identifies the user.

The information collected for browsing the listed websites includes: the IP address of the computer/device used to access, the URL of origin, the pages visited and the time spent on them, the browser used, date and time.

1.2 COOKIES

Taking into account the Provision of the Data Protection Authority dated 8 May 2014 "Identification of the simplified procedures for the information and the acquisition of consent for the use of cookies", JCU informs the user about the cookies used on the Website.

Cookies are small text files that the websites visited by the user send and store on his/her personal computer or any other device, even mobile, to be re-transmitted to the same websites at the next visit. Cookies are used for different purposes: for example, to remember the user's actions and preferences (such as, for example, login data, chosen language, font sizes, other display settings, etc.) in a way that should not be indicated again when the user returns to visit the website or browse from one page to another on the website.

Essential cookies are cookies that are used to browse or provide a service requested by the user. They are not used for other purposes and are normally installed directly by the website owner.

Without such cookies, some operations could not be performed or would be more complex and/or less secure. In other words, these cookies are indispensable for the functioning of the Website or necessary to perform activities requested by the user.

Technical functionality cookies allow the user to navigate according to a series of selected criteria such as, for example, the language, in order to improve the service rendered to the same. It is possible not to allow the activation of these cookies on your device. However, their eventual deactivation would not allow for easy use of the website.

Performance and functionality cookies collect information about how visitors move around and interact with the website. They are not essential to the functioning of the website but they help us improve it.

Advertising and Marketing Cookies collect information about your visits to certain parts of our websites which might indicate your interest in a particular major or other educational offerings. They help us then provide you with advertising that matches your interests.

Third-party analytical cookies are cookies from other websites that can be sent to the user's device after browsing this website. These cookies are not strictly necessary for browsing, but by denying consent to send third-party cookies some advanced features such as sharing pages on social networks or participating in discussions could be prevented. Since this website is not able to govern cookies issued by other websites, in order to obtain information on these cookies, their characteristics and how they work and to give or deny the specific consent, the user should contact the websites that directly emit these cookies.

Below are the cookies that are downloaded by interacting with the websites to which this information relates.

1.3 DATA PROVIDED VOLUNTARILY BY THE USER/DATA SUBJECT

Information processed by JCU can be obtained through the forms made available on the Website and filled in voluntarily by users but also through social channels and, in particular, the official Facebook page; this information is, for example: name and surname, address, e-mail, telephone number.

The action of sending, for any reason, of emails to the addresses indicated on this Website entails the subsequent acquisition of the sender's address, necessary to reply to communications via email, as well as any other data entered in the email.

If, for whatever reason, the communications forwarded by the user/data subject are in surplus or not necessary with respect to the processing that JCU carries out/intends to carry out, JCU reserves the right to proceed with the immediate deletion of data or otherwise processing the data so as not to create organizational and legal repercussions that are deemed to be in conflict with the JCU's personal data management system.

Specific information for data protection (articles 13 and 14 of GDPR), where deemed necessary, will be prepared and will be viewable in the individual sections of the website that contain requests for personal data not attributable to this information. 

Once the user acquires the JCU student status, the University will use this information to communicate with the student.

1.4 DATA OF MINORS

Our websites are aimed at students of all ages, but we do not collect information on minors under 14 years without the authorization of those who exercise parental responsibility.

2. PURPOSE OF DATA PROCESSING

Data collected, subject of the processing, are processed and used exclusively for the purpose of:

• website management and maintenance;
• supply of the services requested by the users themselves through the Website or through the contacts present on the Website.

3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

We may process the personal data of the data subject because the processing is strictly correlated with the browsing activity or, in reference to the services requested through the forms on the Website or the contact details present therein, for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or, more generally, to reply to a request of the data subject.

Data collected on this occasion are not subject to your consent as it is your free choice to provide them to receive the information and/or services object of your request.

4. PROCESS METHODS AND DATA RETENTION

The personal data of the data subject are processed in paper or electronic format.

Once the status of JCU student is obtained, the data subject and his/her personal information will also be protected in compliance with the Family Educational Rights and Privacy Act (FERPA). To learn more about the execution of FERPA in JCU, you can visit the website.

To protect the personal data processed, JCU has adopted adequate organizational, technical and physical measures - in accordance with the provisions of article 32 of GDPR - in order to maintain the confidentiality, availability, and integrity of the information collected.

All information provided within the Website is encrypted using the 128-bit Secure Sockets Layer (SSL) system and public-key encryption.

The Website is certified as "Comodo secure site". To learn more about the safety certification program, we recommend that you visit the www.comodo.com sites.

Notwithstanding the foregoing, users and visitors of JCU Website shall keep in mind that the Website and all associated services are managed on software, hardware and networks systems, whose components may, from time to time, require maintenance or be subject to inefficiencies (which JCU will try to resolve promptly).

The browsing data will be anonymous at the end of the session, unless legal obligations or other legitimate reasons do not induce the Data Controller to behave differently (for example following a request by the Judicial Authority or in case of activities carried out against JCU or of the Website).

Other processed data are kept for the time necessary to make the service requested by the user, after which they are aggregated and made anonymous. In particular:

-        if the data subject obtains the status of "student" the personal data are retained for the entire duration of the course of study and for 10 years after the student has left John Cabot University;

-        if the data subject does not obtain the status of "student", personal data is retained for 10 years after the first contact.

5. COMMUNICATION AND CIRCULATION OF DATA

JCU will communicate personal information to third parties always in accordance with the legitimate aims pursued and in any case in compliance with articles 5 and 25 of GDPR.

The recipients of the communication from/to JCU belong to the following categories:

• Universities/partners with which the University has agreements in relation to projects/events to which the user registers through the forms on the Website;
• Participants in project initiatives in which the user registers through the forms on the Website;
• Web Community for the contents published on the Website (interviews, photos, videos, etc.).

Information about the user cannot be disseminated.

6. TRANSFER OF EXTRA EU DATA                      

The personal data of the data subjects may be transferred to (i) Canada for which the European Commission has expressed its Adequacy Decision on December 20, 2001, in compliance with the European Parliament and Council Directive 95/46/EC and regarding adequacy of the protection provided by the Canadian Personal Information Protection and Electronic Documents Act, to (ii) the United States of America through a certified data controller pursuant to the Privacy Shield Agreement[1], as well as (iii) to California (USA) in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87 / EU with the controller.

7. DATA SUBJECTS’ RIGHTS

In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).

Data subjects have the right to lodge a complaint with the Supervisory Authority.

The data subject can provide his/her requests to JCU by writing to the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

If you believe that we have collected information on an under 14 year old, without the consent of or in contrast with the will of the person who exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

8. CHANGES OF INFORMATION MADE ON THIS PAGE/DOCUMENT

JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")

DATA CONTROLLER

John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as defined by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deduced, even indirectly, from information provided by the data subject or by a third party.

DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors:

However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.

1. INFORMATION PROCESSED

Information collected in the Admission form is gathered into 7 sections:

1)     Biographical information

2)     Contact information

3)     Academic interests

4)     Disciplinary measures

5)     Course of studies

6)     Information on the student's family and on any tutor

7)     Financial information

8)     Additional information

Some of this information is needed, others are optional, to distinguish them we have marked the necessary information with an asterisk.

Furthermore, some of the information relating to the data subject was previously collected (see specific notice in the Marketing section of this page) and will be included in the documentation relating to the interaction of the data subject with the JCU and his/her preferences (expressed on the occasion of the support services required, tutoring and orientation activities, housing, wellbeing, ...).

2. PURPOSE OF DATA PROCESSING

The personal data relating to the data subject and his/her family members, collected both in this form and in the previous "Application" phase, are functional to the pursuit of the following purposes:

a)      proceed with the admission of the student (herein informed as data subject) to the JCU courses;

b)     manage the student's position once admitted to the JCU;

c)      direct marketing (promotion of events and initiatives similar to those in which the data subject participated).

3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

We may process the personal data of the data subject because it is necessary (i) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject as provided for in the pre-contractual measures; (II) for compliance with a legal obligation to which JCU is subject; (iii) for the purposes of the legitimate interests pursued by JCU in the organization of academic activity, the undertaking of commitments with structures with which JCU has an agreement (outside Italy, for example) and the selection of students to be admitted to its structure and/or courses.

The data collected on this occasion are not subject to your consent as it is your free choice to give them to us starting and completing the Admission procedure for the Courses and Activities proposed by JCU.

4. PROCESS METHODS AND DATA RETENTION

The personal data of the data subject are processed in paper or electronic format.

Appropriate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.

Data will be retained exclusively for the period and the purposes for which they were collected. If a request for enrollment is not accepted or not completed, the data of the data subject will be retained for a year and, subsequently, deleted. Otherwise, if the student enrolls in the JCU Courses, the data collected will be retained for the period of the Courses and, subsequently, deletion will take place within 10 years of collection.

5. COMMUNICATION AND CIRCULATION OF DATA

The personal data of the data subject can be processed by: JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.

The processing of data, from simple access to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.

Furthermore, Data of the data subject may also be communicated to/received from:

1)     National and international public bodies, such as Ministries and Offices of the Public Administration, in relation to the performance of the institutional tasks of the University, to the recognition of qualifications and other reasons always functional to the aims pursued and to the relative contractual and legal obligations towards the data subject in relation to provisions that require the communication of certain information to third parties, as well as the legitimate interests of JCU;

2)     Universities with which JCU has agreements;

3)     Natural or legal persons, external bodies and associations, including professional firms and companies, always for the purposes illustrated and for the legitimate interests of JCU.

Information on the data subjects cannot be disseminated.

6. TRANSFER OF EXTRA EU DATA

The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].

7. DATA SUBJECTS RIGHTS

In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).

The data subject also has the right to lodge a complaint with the Supervisory Authority.

In relation to the processing envisaged for the purpose referred to in paragraph 2, letter c), the data subject has the right to either object to it immediately, or revoke the consent subsequently.

The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT

JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the Website, therefore we advise the data subject to periodically check this information. 

John Cabot University, as Data Controller of personal data (hereinafter, the "Data Controller") informs Visitors pursuant to EU Regulation 2016/679 ("GDPR") and current national legislation on personal data protection that all external subjects who are not in possession of a JCU ID must identify themselves by showing a personal identification document in order to access University premises. 

1. Data Processed

The Data Controller processes personal, identifying and non-particular data (specifically: name, surname, number and type of identity document, hereinafter, "Personal Data" or even "Data") communicated by you when accessing University premises. To guarantee the safety of places and people, the Data Controller reserves the right to verify the Data provided through authorized personnel who will check the identification document mentioned above.

2. Purpose and Treatment

Your Personal Data is processed without your prior consent, for the following purposes and legal bases:

• fulfillment of contractual obligations and pre-contractual commitments, specifically to:

♦ allow you to enter the Data Controller's premises, also following the issue of a badge to access library services;

• the pursuit of a legitimate interest of the visitor, specifically to:

♦ allow you to enter the Data Controller's premises even following the issue of a badge;

• the pursuit of a legitimate interest of the Data Controller, specifically to:

♦ protect the Data Controller's premises and corporate assets;

♦ exercise the Data Controller’s rights in court and manage any disputes;

♦ prevent and suppress unlawful acts;

• the fulfillment by the Data Controller’s legal obligations, such as:

♦ compliance with the obligations established by laws, regulations or community legislation or imposed by the Authorities regarding safety on company premises.

• safeguarding the vital interests of the data subject, specifically to:

♦ ensure your safety and security within the Data Controller's premises.

3. Processing Methods

The processing of your Personal Data is carried out electronically and on paper by means of collection, registration, organization, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation, and data destruction.

For the purposes and in the way described in this paragraph, you will be asked to fill out a form that will contain the data referred to above.

4. Data Retention

The Data Controller processes Personal Data for the time necessary to fulfill the aforementioned purposes, and in any case no later than two weeks from the date of access to the Data Controller’s premises.

5. Data Provision

The provision of data is mandatory, and any refusal to provide such data will result in the impossibility of accessing the premises of the Data Controller.

6. Access to Data

Your data can be accessed for the aforementioned purposes by: employees and/or collaborators of the Data Controller (e.g., reception service personnel, security service personnel), in their capacity as data processors and/or internal data processors and/or system administrators; associated or subsidiary companies and third-party companies or other subjects (for example, surveillance service providers, professional firms, etc.) who carry out outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.

7. Data Communication

Your Data may also be communicated, even without your consent, to supervisory bodies, law enforcement agencies or the judiciary, upon their express request, which will treat them as independent data controllers for institutional purposes and/or pursuant to the law during investigations and checks. 

8. Data Transfer

The Data will not be disclosed or transferred to non-EU countries.

9. Rights of the Interested Party

The Data Controller informs you that, as an interested party, if the limitations established by law do not apply, you have the right to: obtain confirmation of the existence or not of your personal data, even if not yet registered, and that such data are made available to you in an intelligible form; obtain indication and, where appropriate, copy: a) of the origin and category of personal data; b) of the logic applied in case of treatment carried out with the aid of electronic instruments; c) the purposes and methods of processing; d) of the identification details of the Data Controller and managers; e) of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them, in particular if they are recipients of third countries or international organizations; e) when possible, of the data retention period or the criteria used to determine this period; f) the existence of an automated decision-making process and, in this case, the logic used, the importance and the consequences envisaged for the data subject; g) the existence of adequate guarantees in the event of transfer of data to a non-EU country or to an international organization; obtain, without unjustified delay, the updating and correction of inaccurate data or, when interested, the integration of incomplete data; obtain the cancellation, transformation into anonymous form or blocking of data: a) processed unlawfully; b) no longer necessary in relation to the purposes for which they were collected or subsequently processed; c) in case of revocation of the consent on which the treatment is based and in case there is no other legal basis, d) if you have opposed the treatment and there is no overriding legitimate reason to continue the treatment; e) in case of fulfillment of a legal obligation; f) in the case of data referring to minors. The Data Controller can refuse the cancellation only in the case of: a) exercise of the right to freedom of expression and information; b) fulfillment of a legal obligation, execution of a task carried out in the public interest or exercise of public authority; c) reasons of public health interest; d) archiving in the public interest, scientific or historical research or for statistical purposes; e) exercise of a right in court; obtain the limitation of the treatment in the case of: a) disputing the accuracy of the personal data; b) unlawful treatment of the Data Controller to prevent its cancellation; c) exercise of your right in court; d) verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the interested party; receive, if the treatment is carried out by automatic means, without impediments and in a structured, commonly used and readable format, the personal data concerning you to transmit them to another Data Controller or - if technically feasible - to obtain direct transmission by the Data Controller to another Data Controller; object, in whole or in part: a) for legitimate reasons related to your particular situation, to the processing of your personal data; b) to the processing of personal data concerning you for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by email and/or by traditional marketing methods by telephone and/or paper mail; lodge a complaint with the Personal Data Protection Authority. In the above cases, where necessary, the Data Controller will inform the third parties to whom your personal data are communicated of any exercise of rights by you, with the exception of specific cases (e.g. when this fulfillment proves impossible or involves the use of means manifestly disproportionate to the protected right).

10. Rights of the interested party

You may exercise your rights at any time by:

1. sending a registered letter with return receipt to the address of the Data Controller, indicated in the following paragraph 11;
2. sending an email to: [email protected]

11. Data Controller

The Data Controller is John Cabot University, based in Rome, Via della Lungara, 233. The updated list of data processors can be found, upon request by the interested party, by sending an email to the address: [email protected]. The designated DPO can be reached at this email, both to exercise your rights and for any clarification.

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR") 

DATA CONTROLLER

John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as defined by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.

DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors:

However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.

1. INFORMATION PROCESSED

Information collected in the Financial Aid form:
1)      Full name, place and date of birth
2)      Nationality and Country of origin
3)      Contact information (email, permanent address, phone)
4)      Information on the student's family and on any tutor
5)      Financial information

2. PURPOSE OF DATA PROCESSING

The personal data relating to the data subject and his/her family members are functional to the pursuit of the following purposes:
a)      proceed with the admission of the student (herein informed as data subject) to JCU Financial Aid programs;
b)      manage the student's position once admitted to the JCU;
c)      direct marketing (promotion of events and initiatives similar to those in which the data subject participated).

3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

We may process the personal data of the data subject because it is necessary (i) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject as provided for in the pre-contractual measures; (II) for compliance with a legal obligation to which JCU is subject; (iii) for the purposes of the legitimate interests pursued by JCU in the organization of academic activity, the undertaking of commitments with structures with which JCU has an agreement (outside Italy, for example) and the selection of students to be admitted to its structure and/or courses.

The data collected on this occasion are not subject to your consent as it is your free choice to give them to us starting and completing the Admission procedure for the Courses and Activities proposed by JCU.

4. PROCESS METHODS AND DATA RETENTION

The personal data of the data subject are processed in paper or electronic format.

Appropriate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.

Data will be retained exclusively for the period and the purposes for which they were collected. If a request for enrollment is not accepted or not completed, the data of the data subject will be retained for a year and, subsequently, deleted. Otherwise, if the student enrolls in the JCU Courses, the data collected will be retained for the period of the Courses and, subsequently, deletion will take place within 10 years of collection.

5. COMMUNICATION AND CIRCULATION OF DATA

The personal data of the data subject can be processed by: JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.

The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.

Furthermore, Data of the data subject may also be communicated to/received from:
1)      National and international public bodies, such as Ministries and Offices of the Public Administration, in relation to the performance of the institutional tasks of the University, to the recognition of qualifications and other reasons always functional to the aims pursued and to the relative contractual and legal obligations towards the data subject in relation to provisions that require the communication of certain information to third parties, as well as the legitimate interests of JCU;
2)      Universities with which JCU has agreements;
3)      Natural or legal persons, external bodies and associations, including professional firms and companies, always for the purposes illustrated and for the legitimate interests of JCU.

Data of the data subjects cannot be disseminated.

6. TRANSFER OF EXTRA EU DATA

The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].

7. DATA SUBJECTS RIGHTS

In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).

The data subject also has the right to lodge a complaint with the Supervisory Authority.

In relation to the processing envisaged for the purpose referred to in paragraph 2, letter c), the data subject has the right to either object to it immediately, or revoke the consent subsequently.

The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises the parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT

JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the Website, therefore we advise the data subject to periodically check this information.

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")

PERSONAL DATA CONTROLLER

John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as defined by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.

PERSONAL DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors: 

However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.

1. INFORMATION PROCESSED

The data subject shall consider that, if he/she is under 18 years old, he/she shall have the form "Authorization for release and confidential information acquisition" filled in by the person exercising parental responsibility.

Information collected are the following:

1)     Identification data of the student

2)     Data related to the physical and mental health of the student.

2. PURPOSE OF DATA PROCESSING

The personal data relating to the data subject are functional to the pursuit of the purpose of assistance in relation to physical and mental problems in order to facilitate the achievement of the student's educational and personal goals. 

3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

The legal basis of the processing is represented by the student's consent, expressed directly or through the Legal Guardian of the Parental Responsibility.

The provision of data is left to the free choice of the student and only after the expression of the consent, JCU will proceed to the processing of his/her personal data, including special categories of personal data.

In the absence of this consent, JCU will refrain from processing for the purposes indicated.

4. PROCESS METHODS AND RETENTION PERIOD

The personal data of the data subject are processed in paper or electronic format.

Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.

Data will be retained exclusively for the period and the purposes for which they were collected.

In any case, the deletion will take place after the expiration of 10 years from collection.

5. COMMUNICATION AND CIRCULATION OF DATA

The personal data of the data subject can be processed by: JCU staff who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.

The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.

Furthermore, Data of the data subject may also be communicated to/received from:

a)      Public administrations and local authorities;

b)     Persons in charge of parental responsibility;

c)      Doctors of the Campus;

d)     Psychologists, psychiatrists, and consultants;

Data on the data subjects cannot be disseminated.

6. TRANSFER OF EXTRA EU DATA

The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, Blackbaud, based in 2000 Daniel Island Drive Charleston, SC 29492-7541, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1], as well as from/to Maxient LLC, in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87/EU with the data controller.

7. DATA SUBJECTS RIGHTS

In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).

He/she also has the right to lodge a complaint with the Supervisory Authority.

Furthermore, the data subject is informed that the data being processed are provided by him/her and by the doctors who interact with JCU to provide the requested service.

Since the processing of personal data is based on the consent of the data subject, it is specified that the revocation of consent does not affect the legitimacy of the processing operated before the revocation.

The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected] .

If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises the parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT

JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR") 

PERSONAL DATA CONTROLLER

John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as required by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called " special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.

PERSONAL DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors:

However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data. 

1. INFORMATION BEING PROCESSED

The data subject shall consider that, if he/she is under 18 years old, he/she shall have the form filled in by the person exercising parental responsibility.

Information processed are the following:

1)     Identification data of the student

2)     Information relating to the period of stay and the type of accommodation chosen;

3)     Certain characteristics of the accommodation (documentable or non-documentable health problems but that the student deems useful to share for optimal accommodation);

4)     Photograph of the applicant;

5)     Preferences and habits in relation to housing and accommodation companions.

The student who does not want to share specific information concerning him/her can avoid responding to the proposed specifications.

However, in relation to the information referred to in number 5), the student is reminded that the answers provided in any case give JCU the possibility to generate a profile of the student.

2. PURPOSE OF DATA PROCESSING

The personal data relating to the data subject and his/her family members, collected both in this form and in the previous "Application" phase, are functional to the pursuit of the following purposes:

a)      search for accommodation in accordance with the preferences expressed and, if any, health problems or other nature, which require specific attention;

b)     services to support research and housing management;

c)      management of the reservation and payment of the fee to JCU.

3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

We may process the personal data of the data subject because it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; because it is necessary for compliance with a legal obligation to which JCU is subject.

Data collected on this circumstance are provided by the student's free choice, however, since we believe that some information is useful to JCU but their provision shall be left to the student's will, we will ask him/her to give his/her consent in order to be able to process the personal data referred to in points 3) and 5) of the Information being processed (paragraph 1).

In the absence of such consent, we will only process the data strictly necessary to provide the requested service, namely the data referred to in points 1), 2), and 4) of the Information being processed (paragraph 1).

4. PROCESS METHODS AND RETENTION

The personal data of the data subject are processed in paper or electronic format.

Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.

Data will be retained exclusively for the period and the purposes for which they were collected.

In any case, the deletion will take place within 5 years of collection.

5. COMMUNICATION AND CIRCULATION OF DATA

The personal data of the data subject can be processed by: JCU staff, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of the Data.

The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.

Furthermore, Data of the data subject may also be communicated to/received from:

a)      Local Authorities (Police Headquarters) (communication required by Article 109 of the TULPS and the Decree of the Ministry of the Interior of 7 January 2013);

b)     Schools of origin;

c)      Parents of the student (also based on the Family Educational Rights and Privacy Act (FERPA) of 1974);

d)     natural or legal persons, external bodies and associations, including professional firms and companies, always for the purposes illustrated and for the legitimate interests of JCU.

Data on the data subjects cannot be disseminated.

6. TRANSFER OF EXTRA EU DATA

The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, Blackbaud, based in 2000 Daniel Island Drive Charleston, SC 29492-7541, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].

7. DATA SUBJECTS RIGHTS

In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).

He/she also has the right to lodge a complaint with the Supervisory Authority.

Moreover, the data comes partly from the data subject who filled out the specific form, partly from the JCU IT system Education Edge - BlackBaud (which in any case contains data provided, at another time, by the data subject), as well as by UNICRI Coordinator (United Nations International Crime and Justice Research Institute).

Since the processing of personal data is based on the consent of the data subject, it is specified that the revocation of consent does not affect the legitimacy of the processing operated before the revocation.

The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT

JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject, to periodically check this information.

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")

Contact information collection form to update data subject on John Cabot University initiatives

PERSONAL DATA CONTROLLER

John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as required by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.

PERSONAL DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors:

However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.

1. INFORMATION BEING PROCESSED

If you decide to provide us by filling in the information request form, the following information/personal data will be processed:

• Name, contact information such as email address and telephone number and date of birth;
• information relating to training (Ongoing attended school or previously attended, academic interests, ...).

In addition, if the data subject assumes the position of student of the JCU, we will use the information collected here - together with the additional information we will acquire during the application phase - in the documentation relating to his/her interaction with JCU and his/her preferences (relating to the services of assistance required, tutoring and orientation activities, housing, ...).

2. PURPOSE OF DATA PROCESSING

This privacy notice applies as long as the data subject does not develop a further relationship with the University, at the moment in which the data subject obtains the status of student of JCU, we will take care of giving information about this process, even in virtue of the numerous information which, although in compliance with the principles set out in articles 5 and 25 of GDPR, we will request.

Considering the above information, the data will be processed for the following purposes:

a)      provide information and/or service requested (due to the completion of the form submitted to you) and proceed with institutional communications;

b)     organizational reasons to promote the activity of JCU and inform the data subject about the Orientation initiatives;

c)      research and statistical purposes. These data can be processed both on a non-aggregated basis and on an anonymous and aggregated basis.

3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

We may process your personal data because it is necessary for a legal obligation, to respond to a particular request from you, for a legitimate interest of JCU to promote its image and its educational purpose, consistently with the interest expressed by the data subject.

4. PROCESS METHODS AND DATA RETENTION

The personal data of the data subject are processed in paper or electronic format.

Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.

Data will be retained exclusively for the period and the purposes for which they were collected.

In any case, the deletion will take place within 10 years of collection.

5. COMMUNICATION AND CIRCULATION OF DATA

The personal data of the data subject can be processed by JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.

The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which Data were collected in conformity with the principles expressed in articles 5 and 25 of GDPR.

Furthermore, Data of the data subject may also be communicated to:

a)      National and international public bodies, such as Ministries and Offices of the Public Administration, in relation to the performance of the institutional tasks of the University;

b)     Natural or legal persons, external bodies and associations, including professional firms and companies, always for the purposes illustrated and for the legitimate interests of JCU.

Data on the data subjects cannot be disseminated.

6. TRANSFER OF EXTRA EU DATA

The personal data of the data subjects may be transferred to (i) Canada for which the European Commission has expressed its Adequacy Decision on December 20, 2001, in compliance with the European Parliament and Council Directive 95/46 / EC and regarding the adequacy of the protection provided by the Canadian Personal Information Protection and Electronic Documents Act;(ii) United States of America through a certified data controller pursuant to the Privacy Shield Agreement[1],;(iii) California (USA), in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87/EU with the controller.

7. DATA SUBJECTS RIGHTS

In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).

You also have the right to lodge a complaint with the Supervisory Authority.

If our processing of personal data is based on consent and you have given your consent, you can revoke it or refuse to send information about JCU's initiatives by writing an email to [email protected]. In any case, revocation of consent does not affect the legitimacy of the processing operated before the revocation.

The data subject can provide his/her requests to JCU by writing to the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT

JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information. 

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")

PERSONAL DATA CONTROLLER

John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as required by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "particular" which may be deductible, even indirectly, from information provided by the data subject or by a third party.

PERSONAL DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors:

However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.

1. INFORMATION BEING PROCESSED

Information processed are the following:

1)     Contact details (data subject);

2)     Identification number assigned to the student by JCU;

3)     Contact details in case of emergency (data of third parties);

4)     ID details (included the scanned version);

5)     Information to obtain the documents concerning the regularization of the stay in Italy;

6)     Bank and financial information;

7)     Information on special needs.

Furthermore, some of the information relating to the data subject was acquired (together with the necessary notice) during the previous contact moments (for example during Admission). 

2. PURPOSE OF DATA PROCESSING

The personal data relating to the data subject and his/her family members, are functional to the pursuit of the following purposes:

a)      Collect the necessary information, once the admission process has been completed, to guarantee the student's regularity in all aspects (administrative, educational, ...) and to be able to prepare the management of his/her position within the JCU courses;

b)     Support the student in obtaining the Residence Permit;

c)      Provide services to support the student's stay (activities that stimulate learning, extra-curricular activities, tutoring services);

d)     Manage emergency situations concerning the student.

3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

We may process the personal data of the data subject because it is necessary (i) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject as provided for in the pre-contractual measures; (ii) for compliance with a legal obligation to which JCU is subject; (iii) for the purposes of the legitimate interests pursued by JCU in organizing academic activity and verifying the regularity, under different profiles, of the student's position.

Data referred to in paragraph 1, points 1), 2), 3), 4) and 6), collected on this occasion or previously, are necessary for the management of the student's position and the pursuit of the aforementioned purposes.

It should also be borne in mind that, pursuant to Article 96 of Legislative Decree 196 of 2003, in order to facilitate the orientation, training and professional integration, also abroad, the institutions of the national education system, regional vocational training centers, private schools as well as institutions of high artistic and dance training and public or private and legally recognized universities, upon request of the data subjects, can communicate or disseminate, also to private individuals and electronically, data relating to the training results, intermediate and final, of students and other personal data other than those referred to in articles 9 and 10 of the Regulation, relevant in relation to the aforementioned purposes. 

In relation to the processing of Data referred to in paragraph 1, point 5), the data subject's consent is required, which will be collected using the appropriate form.

4. PROCESS METHODS AND DATA RETENTION

The personal data of the data subject are processed in paper or electronic format.

Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.

The personal data will be retained exclusively for the period and the purposes for which they were collected. The data of the data subject will be retained for the duration of the Courses in which he/she is enrolled and, subsequently, for 5 years.

5. COMMUNICATION AND CIRCULATION OF DATA

The personal data of the data subject can be processed by: JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of the Data.

The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.

Furthermore, Data of the data subject may also be communicated to/received from:

1. Ministry of the Interior, Police Stations;

2. other national or foreign public bodies;

3. mailing service companies;

4. travel agencies;

5. hotels (for travel);

6. hospitals.

Data on the data subjects cannot be disseminated.

6. TRANSFER OF EXTRA EU DATA

The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].

7. DATA SUBJECTS RIGHTS

In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).

He/she also has the right to lodge a complaint with the Supervisory Authority.

The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT

JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")

Download the policy and disclaimer

John Cabot University systematically undertakes to comply with the current legislation on data protection and user privacy protection.

The following information describes the provisions of articles 13 and 14 of GDPR.

Upon you giving your consent for JCU to use your image, we are committed to using it only for the purpose of promoting JCU’s courses and initiatives.

Your image might be published:

1)  on the following websites:

• johncabot.edu

• https://blog.johncabot.edu/

• https://news.johncabot.edu/

• myjcu.johncabot.edu (limited to the sections accessible without registration, blog)

• https://jcualumni.org/

2) on social media platforms such as Facebook, LinkedIn, Instagram, YouTube, Snapchat, Twitter, TikTok, and Pinterest.

3) in print and electronic publications, brochures, and other forms of communication such as CDs, DVDs and other multimedia platforms.

PERSONAL DATA CONTROLLER

John Cabot University (hereinafter “JCU” or just “University”), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller.

PERSONAL DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors:

However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.

LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

We may process your image based on your consent. You may revoke your consent at all times by sending an email to [email protected].

PROCESS METHODS AND DATA RETENTION

The personal data of the data subject are processed in paper or electronic format.

Once obtained your consent to the processing of your image, JCU will store it in its Content Management System and may publish it on its websites or social media.

To protect the personal data processed, JCU has adopted adequate organizational, technical and physical measures - in accordance with the provisions of article 32 of GDPR - in order to maintain the confidentiality, availability and integrity of the information collected.

All information provided within the Website is encrypted using the 128-bit Secure Sockets Layer (SSL) system and public-key encryption.

The Website is certified as "Comodo secure site". To learn more about the safety certification program, we recommend that you visit the www.comodo.com sites.

Notwithstanding the foregoing, users and visitors of the JCU Website shall keep in mind that the Website and all associated services are managed on software, hardware, and networks systems, whose components may, from time to time, require maintenance or be subject to inefficiencies (which JCU will try to resolve promptly).

Processed data are kept for the time necessary for the above purpose, after which they are deleted.

TRANSFER OF EXTRA EU DATA                        

The personal data of the data subjects may be transferred to (i) Canada for which the European Commission has expressed its Adequacy Decision on December 20, 2001, in compliance with the European Parliament and Council Directive 95/46/EC and regarding adequacy of the protection provided by the Canadian Personal Information Protection and Electronic Documents Act, to (ii) the United States of America through a certified data controller pursuant to the Privacy Shield Agreement, as well as (iii) to California (USA) in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87 / EU with the controller.

DATA SUBJECTS RIGHTS

In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).

Data subjects have the right to lodge a complaint with the Supervisory Authority.

The data subject can provide his/her requests to JCU by writing to the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises the parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

CHANGES OF INFORMATION MADE ON THIS PAGE/DOCUMENT

JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.

Pursuant to article 13 of EU Regulation no. 679/2016 (hereinafter, “GDPR”) concerning the protection of individuals with regard to the processing of personal data, John Cabot University (hereinafter, “Owner”) informs that the students’ data will be processed in accordance with the following Privacy Policy.

I. Purpose and lawfulness of the processing (art. 6 GDPR 2016/679).

The data processing will be carried out by the owner for one or more of the following purposes, where applicable:

    A. Personal, fiscal, and, where applicable, health data are processed for the purpose of following up on the contract signed between the parties, and, more specifically for:

1. management of pre-enrollment and admission procedures to study courses;
2. management of enrollment procedures, including the activities connected with obtaining a residence permit;
3. to deliver and manage the student’s academic education until graduation;
4. management of University fees and any tuition fees;
5. management of educational and administrative relationships;
6. carrying out any curricular and extra-curricular internships;
7. sending institutional communications to students by ordinary mail and e-mail;
8. access to University premises;
9. verification of the student’s self-declarations;
10. participation in the active and passive electorate for the election of student representatives;
11. management of disciplinary procedures against the student;
12. national and international student mobility programs, incoming and outgoing student orientation, also through communication to public and/or private bodies for employment/professional purposes;
13. disbursement of grants and subsidies for students;
14. use of the University's fitness facilities, made available to the student free of charge;
15. support of students with disabilities;
16. participation in research projects and/or activities compatible with the University's institutional purposes;
17. statistical surveys and internal University evaluations; video surveillance of the University facilities.

The conditions for the lawfulness of the processing are the execution of the contract itself, except for the execution of tasks in the public interest or the protection of students and University employees and/or legal obligations. In any case, no consent is required.

    B. Personal data may be processed for the purpose of allowing the tutoring activity provided by the University free of charge, upon your request to that effect. The condition of lawfulness of the processing is the execution of the contract referred to in point A of which the tutoring activity is a supplementary service and, following the request to use the service, it will not be necessary to give any consent.

    C. Personal data may be processed for the purpose of allowing the consultation service of the University's bibliographic resources, provided by the University free of charge, upon request by the interested party to this effect. The condition of lawfulness of the processing is the execution of the contract referred to in point A of which the consultation service is a supplementary service and, following the request to use the service, it will not be necessary to give any consent.

    D. Personal data may be processed for the purpose of allowing the International SOS service, provided by the University free of charge. For this purpose, the University will communicate the student's contact details to the aforementioned service, which will contact the student in the event of an emergency. The condition of lawfulness of the treatment is to guarantee the safety of the student and it will not be necessary to give any consent.

    E. Personal, fiscal, w, health data may be processed for the purpose of following up on the Housing Contract signed between the parties. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.

    F. Personal data (photo images and audio-video footage) may be processed for communication activities, institutional campaigns, editorial initiatives to promote the University and its educational offer, for paper and audio-video publications on the institutional website (Facebook, Twitter, Instagram, YouTube, etc.…), and on any official University communication channel. The condition for the lawfulness of the processing is your consent, which is optional. If consent is missing or revoked, the data above will not be processed. The consent form and all related information are provided during the registration phase.

    G. The personal and contact data may be used to promote University services and products (marketing) by sending e-mails, post and/or text messages and/or phone calls, newsletters, etc. The condition of legitimacy is the promotion of services similar to those already provided to the student (soft spam).

    H. The University will process the contact details provided by the student and/or communicated by the home University in order to contact the aforementioned University, as well as the subjects authorized to receive such information (parents, relatives, etc.) where such contact is made necessary by: obligations of law or equivalent act; in case of a risk event to protect students and/or employees and collaborators of the University; or for public order needs. Specifically, the University will be able to transmit the student's personal data (including particular and judicial data) to the home University located in countries outside the European Economic Area (including the United States) in order to report on academic and external conduct cases which could be related to discrimination, harassment or situations that could be classified as a crime under Title IX of the United States Education Act.. The condition of lawfulness of the processing is to guarantee the safety of the students and/or employees and collaborators of the Universities and the protection of public order more generally. Therefore, no consent will be required to process and transmit this type of data.

    I. With regards to study, cultural, or leisure trips, the authorized University personnel will process data as legitimated by the authorization itself. Any external subject contacted by the University to provide travel-related services (transport, accommodation, meals, etc.) such as hotels, tourist agencies, transport companies, etc., will be independent data controllers according to the service offered and they will collect any consent directly from the student, providing the necessary information. The condition of lawfulness of the treatment is the execution of the contract that allows participation in the trip, and no consent will be necessary.

II. Processing methods and data retention time:

Processing of personal data is carried out through the operations indicated in art. 4 no. 2) GDPR, specifically: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.

Personal data is subjected to both paper and electronic and/or automated processing.

The Data Controller will process the personal data:

    a. for the necessary time to fulfill the purposes indicated in the above points A and H, and in any case no later than 10 years from the pursuit of the academic qualification or from the loss of student status; to fulfill legal and fiscal obligations; and to allow the exercise of the rights referred to in art. 24 of the Italian Constitution (right of defense). Personal, enrollment, academic (including any disciplinary measures against the student and/or any news of crimes and/or relevant behavior), and graduation data will be kept indefinitely, also taking into account the archiving obligations established by current laws;

    b. For the purposes set forth in letters B, C, and D, for the duration of the service provision and, in any case, not beyond the loss (for any reason) of the data subject's status as a student at the University;

    c. For the purposes set forth in letter E, for the time necessary to fulfill the same and, in any case, not beyond 10 years from the termination of the Housing contract, for legal and tax compliance obligations, and to allow the exercise of the rights provided for in Article 24 of the Italian Constitution (right of defense);

    d. For the purposes set forth in letter F, reference is made to the specific information provided at the time of enrollment;

    e. For the purposes set forth in letter G, for the duration of the study program and not beyond 2 years from the achievement of the academic degree or from the loss of the data subject's status as a student of the faculty;

    f. For the purposes set forth in letter I, for the time necessary to organize the trip and provide the service.

III. Access to data

The data may be made accessible for the above-mentioned purposes:

• to employees and collaborators of the Data Controller in Italy and abroad, in their capacity as authorized data processors and/or system administrators;
• to third-party companies or other entities that perform outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.
• to individuals who are granted access by provisions of law or secondary legislation.

IV. Data Communication

Personal data may be communicated, during the university career and even after obtaining academic titles, to other public and private entities, when necessary for the implementation of the University's institutional purposes, including the provision of specific services to students, the conduct of internships, the management of inter-university exchange programs (e.g. Erasmus or based on bilateral agreements), the management of programs/post-graduate courses offered in collaboration with other partner universities, job placement and in any case for all activities connected and instrumental to these purposes. In compliance with current regulations, among others, personal data are periodically transmitted to the National Student Registry for the purposes specified in Article 1-bis of Legislative Decree no. 105/2003, converted into Law no. 170/2003, and sent to the Ministry of Education, University and Research (MIUR) for mandatory periodic statistical surveys. Data processing may also take place for historical, statistical or scientific purposes, in compliance with applicable laws and sector-specific codes of ethics. Your data may be communicated to public entities for compliance with obligations related to the control of self-certified declarations pursuant to Art. 71 of Presidential Decree no. 445/2000. In addition, personal data may be communicated to all individuals who, according to legal provisions, are required to know them or may know them, as well as to individuals who are entitled to access them. Personal data may be communicated to external entities, institutions and associations for guidance, internships, job placement, post-graduate training activities and for the allocation of housing. The aforementioned data may also be communicated to other public entities, such as public bodies responsible for managing research grants and scholarships, only for institutional purposes and in compliance with the principle of relevance for which they will be processed, and only for the duration of the respective processing for which they have been requested. The University, in carrying out its institutional functions, may transmit personal data to external companies to which it will entrust the outsourcing of specifically identified activities in order to optimize the services it offers to its students. For this purpose, and after verifying the requirements of experience, capacity and reliability, the aforementioned companies will be appointed Data Processors, unless such companies are qualified or qualify as Data Controllers. In exceptional cases, previously assessed, and for exclusively educational purposes, your telephone number may be made available to teachers or other personnel with a position at the University upon presentation of a motivated request.

In order to facilitate guidance, training and professional placement, also abroad, with the express consent of the data subject, the University may communicate or disseminate, also to private individuals and through electronic means, data relating to the results of students' exams (intermediate and final) and other personal data other than sensitive data, relevant in relation to the aforementioned purposes.

With the express consent of the data subject, the Controller may communicate the contact personal data for the promotion of services and products to third parties who assist the company in such activity and with whom the company has entered into contracts and/or agreements in the performance of marketing/promotional activities, authorizing the sending of promotional communications and/or informative material on products or services offered by the Controller and the detection of the degree of satisfaction with the quality of services through e-mail, mail and/or SMS and/or telephone contacts, newsletters, etc. The recipients to whom the data will be communicated are to be considered autonomous Data Controllers and as such will also be subject to the obligations under GDPR 2016/679 (information, lawfulness conditions, etc.). The list of these recipients is available, upon request, from the Data Controller.

Non-sensitive personal data may be communicated to external entities to which the University will turn to take advantage of services related to travel (transportation, lodging, meals, etc.) such as hotels, travel agencies, transportation companies, etc. It is confirmed that such entities will be autonomous Data Controllers based on the service offered and will directly collect any consents from the student, providing the appropriate information.

The data will not be disclosed, except with the express consent of the data subject.

V. Data Transfer

Personal data is stored on servers located in Rome (RM) and on the Cloud, and in any case within the European Economic Area.

The Data Controller ensures that the transfer of data to countries outside the EU will take place in compliance with applicable legal provisions, with full guarantee of application of the safeguards provided by the GDPR 2016/679, also in terms of the exercise of the data subject's rights.

VI. Data Subject Rights

The data subject is guaranteed the exercise of the rights set forth in Articles 15 et seq. of the GDPR, if applicable, namely the right to:

• obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information on its processing in an intelligible form;
• obtain: a) information on the source of the personal data; b) the purposes and methods of the processing; c) the logic involved in any automated processing of the personal data; d) the identification details of the controller, processors, and the designated representative pursuant to Article 3(1) of the GDPR; e) the recipients or categories of recipients to whom the personal data may be disclosed, including those designated as representative(s) in the territory of the State, processors or persons in charge;
• obtain: a) the rectification, erasure or blocking of personal data that has been processed unlawfully, including data whose retention is unnecessary for the purposes for which it has been collected or subsequently processed; b) notification of the operations carried out as per letter a) and b), including their contents, to those to whom the data has been communicated or disclosed, unless this proves impossible or involves a disproportionate effort;

object, in whole or in part, on legitimate grounds, to the processing of personal data concerning him or her, even if it is relevant to the purpose of the collection; and to the processing of personal data for the purposes of sending advertising or direct sales material or for carrying out market research or communication. The data subject may decide to receive only traditional communications or only automated communications, or neither of the two types of communication. Where applicable, the data subject also has the rights provided for in Articles 16-21 of the GDPR:

• Right to rectification - the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her;
• Right to erasure (‘right to be forgotten’) - the right to obtain the erasure of personal data concerning him or her in the following cases (Article 17(1) of the GDPR):

1. the personal data is no longer necessary for the purposes for which it was collected or processed, and there is no legal obligation for the data controller to retain it;
2. the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
3. the data subject objects to the processing of personal data for direct marketing purposes, including profiling, and there are no overriding legitimate grounds for the processing;
4. the personal data has been unlawfully processed;
5. the personal data must be erased to comply with a legal obligation under the Union or Member State law to which the data controller is subject;
6. personal data has been collected in relation to the offer of information society services to minors, and consent has been given by the minor or by the holder of parental responsibility over the minor.

It should be noted that the right to erasure does not apply if processing is necessary (Article 17(3) of the GDPR) for:

1. exercising the right of freedom of expression and information;
2. compliance with a legal obligation that requires processing under Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
3. reasons of public interest in the area of public health;
4. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
5. the establishment, exercise or defense of legal claims.

• Right to restriction of processing - the right to have the use of personal data and, thus, processing, limited to what is necessary for preservation purposes, including:

1. where the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data;
2. where the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. where the data controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
4. where the data subject has objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject.

• Right to data portability - the right to receive personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance.
• Right to object - the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The data controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. The data subject also has the right to object at any time to the processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. If personal data is processed for scientific or historical research purposes or statistical purposes, the data subject may, on grounds relating to his or her particular situation, object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
• Right to lodge a complaint with the supervisory authority - the right to lodge a complaint with the supervisory authority for data protection if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. For further information, please refer to: https://www.garanteprivacy.it/.

VII. Exercise of Rights

The data subject may exercise their rights at any time by contacting the University's internal DPO at the email address [email protected] or by sending a communication to the address indicated below, always addressed to the University's DPO.

VIII. Data Controller, Data Processors, and Authorized Persons

The Data Controller is John Cabot University, with registered office in Via della Lungara, 233, 00165 Rome.

The updated list of authorized persons, data processors, and sub-processors is kept at the Data Controller's registered office.

This information is made available to both adult students and parents of minor students (who are, in any case, not younger than 17 years old).