John Cabot University systematically undertakes to comply with the current legislation on data protection and user privacy protection.
The following information describes the provisions of articles 13 and 14 of GDPR.
If you decide to request information and/or enter the process of selection and admission to JCU, we are committed to using the information entered (i.e. personal and special data concerning you) only for the purposes of carrying out the requested service or for the other purposes illustrated in this notice or in those that will subsequently be performed.
The information we are providing refers to the websites listed below (hereinafter "Website") and not to other websites that may be consulted by the user through links contained in them:
PERSONAL DATA CONTROLLER
John Cabot University (hereinafter “JCU” or just “University”), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller.
PERSONAL DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
| Data processor | Description |
|---|---|
| Modern Campus, 1320 Flynn Road Suite 100 Camarillo, CA 93012 | Software as Service provider for content management |
| Higher Education Marketing: 6560 de l'esplanade, suite 204 Montreal, Quebec, H2V 4L5 | Partner of OmniUpdate for IT services |
| SiteImprove Italia srl Via Motta Emilio, 10, 20144 Milano | Software as Service provider for website improvement |
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| WordPress Automatic Inc. 60 29th Street #343, San Francisco, CA 94110 | Software provider for creating and managing websites and blogs |
| Dude Solutions, 11000 Regency Parkway, Suite 110, Cary, NC 27518 | Software provider for events management, web calendar |
| HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States | Software as Service provider in support of marketing activities |
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION BEING PROCESSED
1.1 BROWSING DATA
The Website for its operation does not collect information that directly identifies the user.
The information collected for browsing the listed websites includes: the IP address of the computer/device used to access, the URL of origin, the pages visited and the time spent on them, the browser used, date and time.
1.2 COOKIES
Taking into account the Provision of the Data Protection Authority dated 8 May 2014 "Identification of the simplified procedures for the information and the acquisition of consent for the use of cookies", JCU informs the user about the cookies used on the Website.
Cookies are small text files that the websites visited by the user send and store on his/her personal computer or any other device, even mobile, to be re-transmitted to the same websites at the next visit. Cookies are used for different purposes: for example, to remember the user's actions and preferences (such as, for example, login data, chosen language, font sizes, other display settings, etc.) in a way that should not be indicated again when the user returns to visit the website or browse from one page to another on the website.
Essential cookies are cookies that are used to browse or provide a service requested by the user. They are not used for other purposes and are normally installed directly by the website owner.
Without such cookies, some operations could not be performed or would be more complex and/or less secure. In other words, these cookies are indispensable for the functioning of the Website or necessary to perform activities requested by the user.
Technical functionality cookies allow the user to navigate according to a series of selected criteria such as, for example, the language, in order to improve the service rendered to the same. It is possible not to allow the activation of these cookies on your device. However, their eventual deactivation would not allow for easy use of the website.
Performance and functionality cookies collect information about how visitors move around and interact with the website. They are not essential to the functioning of the website but they help us improve it.
Advertising and Marketing Cookies collect information about your visits to certain parts of our websites which might indicate your interest in a particular major or other educational offerings. They help us then provide you with advertising that matches your interests.
Third-party analytical cookies are cookies from other websites that can be sent to the user's device after browsing this website. These cookies are not strictly necessary for browsing, but by denying consent to send third-party cookies some advanced features such as sharing pages on social networks or participating in discussions could be prevented. Since this website is not able to govern cookies issued by other websites, in order to obtain information on these cookies, their characteristics and how they work and to give or deny the specific consent, the user should contact the websites that directly emit these cookies.
Below are the cookies that are downloaded by interacting with the websites to which this information relates.
| Cookie name | Description | Type |
|---|---|---|
| _cfduid | Cloudflare | Essential (technical) |
| _hstc | Hubspot | Advertising and Marketing |
| _ga | Google Analytics | Performance and Functionality |
| _gid | Google Analytics | Performance and Functionality |
| hubspotutk | Hubspot | Advertising and Marketing |
1.3 DATA PROVIDED VOLUNTARILY BY THE USER/DATA SUBJECT
Information processed by JCU can be obtained through the forms made available on the Website and filled in voluntarily by users but also through social channels and, in particular, the official Facebook page; this information is, for example: name and surname, address, e-mail, telephone number.
The action of sending, for any reason, of emails to the addresses indicated on this Website entails the subsequent acquisition of the sender's address, necessary to reply to communications via email, as well as any other data entered in the email.
If, for whatever reason, the communications forwarded by the user/data subject are in surplus or not necessary with respect to the processing that JCU carries out/intends to carry out, JCU reserves the right to proceed with the immediate deletion of data or otherwise processing the data so as not to create organizational and legal repercussions that are deemed to be in conflict with the JCU's personal data management system.
Specific information for data protection (articles 13 and 14 of GDPR), where deemed necessary, will be prepared and will be viewable in the individual sections of the website that contain requests for personal data not attributable to this information.
Once the user acquires the JCU student status, the University will use this information to communicate with the student.
1.4 DATA OF MINORS
Our websites are aimed at students of all ages, but we do not collect information on minors under 14 years without the authorization of those who exercise parental responsibility.
2. PURPOSE OF DATA PROCESSING
Data collected, subject of the processing, are processed and used exclusively for the purpose of:
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process the personal data of the data subject because the processing is strictly correlated with the browsing activity or, in reference to the services requested through the forms on the Website or the contact details present therein, for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or, more generally, to reply to a request of the data subject.
Data collected on this occasion are not subject to your consent as it is your free choice to provide them to receive the information and/or services object of your request.
4. PROCESS METHODS AND DATA RETENTION
The personal data of the data subject are processed in paper or electronic format.
Once the status of JCU student is obtained, the data subject and his/her personal information will also be protected in compliance with the Family Educational Rights and Privacy Act (FERPA). To learn more about the execution of FERPA in JCU, you can visit the website.
To protect the personal data processed, JCU has adopted adequate organizational, technical and physical measures - in accordance with the provisions of article 32 of GDPR - in order to maintain the confidentiality, availability, and integrity of the information collected.
All information provided within the Website is encrypted using the 128-bit Secure Sockets Layer (SSL) system and public-key encryption.
The Website is certified as "Comodo secure site". To learn more about the safety certification program, we recommend that you visit the www.comodo.com sites.
Notwithstanding the foregoing, users and visitors of JCU Website shall keep in mind that the Website and all associated services are managed on software, hardware and networks systems, whose components may, from time to time, require maintenance or be subject to inefficiencies (which JCU will try to resolve promptly).
The browsing data will be anonymous at the end of the session, unless legal obligations or other legitimate reasons do not induce the Data Controller to behave differently (for example following a request by the Judicial Authority or in case of activities carried out against JCU or of the Website).
Other processed data are kept for the time necessary to make the service requested by the user, after which they are aggregated and made anonymous. In particular:
5. COMMUNICATION AND CIRCULATION OF DATA
JCU will communicate personal information to third parties always in accordance with the legitimate aims pursued and in any case in compliance with articles 5 and 25 of GDPR.
The recipients of the communication from/to JCU belong to the following categories:
Information about the user cannot be disseminated.
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to (i) Canada for which the European Commission has expressed its Adequacy Decision on December 20, 2001, in compliance with the European Parliament and Council Directive 95/46/EC and regarding adequacy of the protection provided by the Canadian Personal Information Protection and Electronic Documents Act, to (ii) the United States of America through a certified data controller pursuant to the Privacy Shield Agreement[1], as well as (iii) to California (USA) in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87 / EU with the controller.
7. DATA SUBJECTS’ RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
Data subjects have the right to lodge a complaint with the Supervisory Authority.
The data subject can provide his/her requests to JCU by writing to the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].
If you believe that we have collected information on an under 14 year old, without the consent of or in contrast with the will of the person who exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE/DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.
[1] The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).
DATA CONTROLLER
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as defined by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deduced, even indirectly, from information provided by the data subject or by a third party.
DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
| Data Processor | Description |
|---|---|
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| Blackbaud, 65 Fairchild Street Charleston, SC 29492 | Information systems support and maintenance services provider |
| Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma – Italia | Information systems support and maintenance services provider |
| HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States | Software as Service provider in support of marketing activities |
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION PROCESSED
Information collected in the Admission form is gathered into 7 sections:
Some of this information is needed, others are optional, to distinguish them we have marked the necessary information with an asterisk.
Furthermore, some of the information relating to the data subject was previously collected (see specific notice in the Marketing section of this page) and will be included in the documentation relating to the interaction of the data subject with the JCU and his/her preferences (expressed on the occasion of the support services required, tutoring and orientation activities, housing, wellbeing, ...).
2. PURPOSE OF DATA PROCESSING
The personal data relating to the data subject and his/her family members, collected both in this form and in the previous "Application" phase, are functional to the pursuit of the following purposes:
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process the personal data of the data subject because it is necessary (i) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject as provided for in the pre-contractual measures; (II) for compliance with a legal obligation to which JCU is subject; (iii) for the purposes of the legitimate interests pursued by JCU in the organization of academic activity, the undertaking of commitments with structures with which JCU has an agreement (outside Italy, for example) and the selection of students to be admitted to its structure and/or courses.
The data collected on this occasion are not subject to your consent as it is your free choice to give them to us starting and completing the Admission procedure for the Courses and Activities proposed by JCU.
4. PROCESS METHODS AND DATA RETENTION
The personal data of the data subject are processed in paper or electronic format.
Appropriate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
Data will be retained exclusively for the period and the purposes for which they were collected. If a request for enrollment is not accepted or not completed, the data of the data subject will be retained for a year and, subsequently, deleted. Otherwise, if the student enrolls in the JCU Courses, the data collected will be retained for the period of the Courses and, subsequently, deletion will take place within 10 years of collection.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by: JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.
The processing of data, from simple access to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to/received from:
Information on the data subjects cannot be disseminated.
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].
7. DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
The data subject also has the right to lodge a complaint with the Supervisory Authority.
In relation to the processing envisaged for the purpose referred to in paragraph 2, letter c), the data subject has the right to either object to it immediately, or revoke the consent subsequently.
The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the Website, therefore we advise the data subject to periodically check this information.
[1] The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).
John Cabot University, as Data Controller of personal data (hereinafter, the "Data Controller") informs Visitors pursuant to EU Regulation 2016/679 ("GDPR") and current national legislation on personal data protection that all external subjects who are not in possession of a JCU ID must identify themselves by showing a personal identification document in order to access University premises.
The Data Controller processes personal, identifying and non-particular data (specifically: name, surname, number and type of identity document, hereinafter, "Personal Data" or even "Data") communicated by you when accessing University premises. To guarantee the safety of places and people, the Data Controller reserves the right to verify the Data provided through authorized personnel who will check the identification document mentioned above.
Your Personal Data is processed without your prior consent, for the following purposes and legal bases:
The processing of your Personal Data is carried out electronically and on paper by means of collection, registration, organization, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation, and data destruction.
For the purposes and in the way described in this paragraph, you will be asked to fill out a form that will contain the data referred to above.
The Data Controller processes Personal Data for the time necessary to fulfill the aforementioned purposes, and in any case no later than two weeks from the date of access to the Data Controller’s premises.
The provision of data is mandatory, and any refusal to provide such data will result in the impossibility of accessing the premises of the Data Controller.
Your data can be accessed for the aforementioned purposes by: employees and/or collaborators of the Data Controller (e.g., reception service personnel, security service personnel), in their capacity as data processors and/or internal data processors and/or system administrators; associated or subsidiary companies and third-party companies or other subjects (for example, surveillance service providers, professional firms, etc.) who carry out outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.
Your Data may also be communicated, even without your consent, to supervisory bodies, law enforcement agencies or the judiciary, upon their express request, which will treat them as independent data controllers for institutional purposes and/or pursuant to the law during investigations and checks.
The Data will not be disclosed or transferred to non-EU countries.
The Data Controller informs you that, as an interested party, if the limitations established by law do not apply, you have the right to: obtain confirmation of the existence or not of your personal data, even if not yet registered, and that such data are made available to you in an intelligible form; obtain indication and, where appropriate, copy: a) of the origin and category of personal data; b) of the logic applied in case of treatment carried out with the aid of electronic instruments; c) the purposes and methods of processing; d) of the identification details of the Data Controller and managers; e) of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them, in particular if they are recipients of third countries or international organizations; e) when possible, of the data retention period or the criteria used to determine this period; f) the existence of an automated decision-making process and, in this case, the logic used, the importance and the consequences envisaged for the data subject; g) the existence of adequate guarantees in the event of transfer of data to a non-EU country or to an international organization; obtain, without unjustified delay, the updating and correction of inaccurate data or, when interested, the integration of incomplete data; obtain the cancellation, transformation into anonymous form or blocking of data: a) processed unlawfully; b) no longer necessary in relation to the purposes for which they were collected or subsequently processed; c) in case of revocation of the consent on which the treatment is based and in case there is no other legal basis, d) if you have opposed the treatment and there is no overriding legitimate reason to continue the treatment; e) in case of fulfillment of a legal obligation; f) in the case of data referring to minors. The Data Controller can refuse the cancellation only in the case of: a) exercise of the right to freedom of expression and information; b) fulfillment of a legal obligation, execution of a task carried out in the public interest or exercise of public authority; c) reasons of public health interest; d) archiving in the public interest, scientific or historical research or for statistical purposes; e) exercise of a right in court; obtain the limitation of the treatment in the case of: a) disputing the accuracy of the personal data; b) unlawful treatment of the Data Controller to prevent its cancellation; c) exercise of your right in court; d) verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the interested party; receive, if the treatment is carried out by automatic means, without impediments and in a structured, commonly used and readable format, the personal data concerning you to transmit them to another Data Controller or - if technically feasible - to obtain direct transmission by the Data Controller to another Data Controller; object, in whole or in part: a) for legitimate reasons related to your particular situation, to the processing of your personal data; b) to the processing of personal data concerning you for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by email and/or by traditional marketing methods by telephone and/or paper mail; lodge a complaint with the Personal Data Protection Authority. In the above cases, where necessary, the Data Controller will inform the third parties to whom your personal data are communicated of any exercise of rights by you, with the exception of specific cases (e.g. when this fulfillment proves impossible or involves the use of means manifestly disproportionate to the protected right).
You may exercise your rights at any time by:
The Data Controller is John Cabot University, based in Rome, Via della Lungara, 233. The updated list of data processors can be found, upon request by the interested party, by sending an email to the address: [email protected]. The designated DPO can be reached at this email, both to exercise your rights and for any clarification.
DATA CONTROLLER
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as defined by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.
DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
| Data Processor | Description |
|---|---|
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| Blackbaud, 65 Fairchild Street Charleston, SC 29492 | Information systems support and maintenance services provider |
| Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma – Italia | Information systems support and maintenance services provider |
| HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States | Software as Service provider in support of marketing activities |
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION PROCESSED
Information collected in the Financial Aid form:
2. PURPOSE OF DATA PROCESSING
The personal data relating to the data subject and his/her family members are functional to the pursuit of the following purposes:
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process the personal data of the data subject because it is necessary (i) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject as provided for in the pre-contractual measures; (II) for compliance with a legal obligation to which JCU is subject; (iii) for the purposes of the legitimate interests pursued by JCU in the organization of academic activity, the undertaking of commitments with structures with which JCU has an agreement (outside Italy, for example) and the selection of students to be admitted to its structure and/or courses.
The data collected on this occasion are not subject to your consent as it is your free choice to give them to us starting and completing the Admission procedure for the Courses and Activities proposed by JCU.
4. PROCESS METHODS AND DATA RETENTION
The personal data of the data subject are processed in paper or electronic format.
Appropriate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
Data will be retained exclusively for the period and the purposes for which they were collected. If a request for enrollment is not accepted or not completed, the data of the data subject will be retained for a year and, subsequently, deleted. Otherwise, if the student enrolls in the JCU Courses, the data collected will be retained for the period of the Courses and, subsequently, deletion will take place within 10 years of collection.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by: JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.
The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to/received from:
Data of the data subjects cannot be disseminated.
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].
7. DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
The data subject also has the right to lodge a complaint with the Supervisory Authority.
In relation to the processing envisaged for the purpose referred to in paragraph 2, letter c), the data subject has the right to either object to it immediately, or revoke the consent subsequently.
The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises the parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the Website, therefore we advise the data subject to periodically check this information.
[1] The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).
PERSONAL DATA CONTROLLER
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as defined by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.
PERSONAL DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
| Data processor | Description |
|---|---|
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| Blackbaud, 65 Fairchild Street Charleston, SC 29492 | Information systems support and maintenance services provider |
| Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma – Italia | Information systems support and maintenance services provider |
| Maxient LLC, P.O. Box 7224, Charlottesville, VA 22906 | "Maxient Conduct Manager" Software as a Service Provider |
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION PROCESSED
The data subject shall consider that, if he/she is under 18 years old, he/she shall have the form "Authorization for release and confidential information acquisition" filled in by the person exercising parental responsibility.
Information collected are the following:
2. PURPOSE OF DATA PROCESSING
The personal data relating to the data subject are functional to the pursuit of the purpose of assistance in relation to physical and mental problems in order to facilitate the achievement of the student's educational and personal goals.
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
The legal basis of the processing is represented by the student's consent, expressed directly or through the Legal Guardian of the Parental Responsibility.
The provision of data is left to the free choice of the student and only after the expression of the consent, JCU will proceed to the processing of his/her personal data, including special categories of personal data.
In the absence of this consent, JCU will refrain from processing for the purposes indicated.
4. PROCESS METHODS AND RETENTION PERIOD
The personal data of the data subject are processed in paper or electronic format.
Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
Data will be retained exclusively for the period and the purposes for which they were collected.
In any case, the deletion will take place after the expiration of 10 years from collection.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by: JCU staff who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.
The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to/received from:
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, Blackbaud, based in 2000 Daniel Island Drive Charleston, SC 29492-7541, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1], as well as from/to Maxient LLC, in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87/EU with the data controller.
7. DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
He/she also has the right to lodge a complaint with the Supervisory Authority.
Furthermore, the data subject is informed that the data being processed are provided by him/her and by the doctors who interact with JCU to provide the requested service.
Since the processing of personal data is based on the consent of the data subject, it is specified that the revocation of consent does not affect the legitimacy of the processing operated before the revocation.
The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected] .
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises the parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.
[1] The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).
PERSONAL DATA CONTROLLER
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as required by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called " special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.
PERSONAL DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
| Data processor | Description |
|---|---|
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| Blackbaud, 65 Fairchild Street Charleston, SC 29492 | Information systems support and maintenance services provider |
| Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma – Italia | Information systems support and maintenance services provider |
| Orfeo (Mamy Inc)vv | Information systems support and maintenance services provider |
| Agenzia BB Network srl | Agency that supports the University in finding apartments for rent to students |
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION BEING PROCESSED
The data subject shall consider that, if he/she is under 18 years old, he/she shall have the form filled in by the person exercising parental responsibility.
Information processed are the following:
The student who does not want to share specific information concerning him/her can avoid responding to the proposed specifications.
However, in relation to the information referred to in number 5), the student is reminded that the answers provided in any case give JCU the possibility to generate a profile of the student.
2. PURPOSE OF DATA PROCESSING
The personal data relating to the data subject and his/her family members, collected both in this form and in the previous "Application" phase, are functional to the pursuit of the following purposes:
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process the personal data of the data subject because it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; because it is necessary for compliance with a legal obligation to which JCU is subject.
Data collected on this circumstance are provided by the student's free choice, however, since we believe that some information is useful to JCU but their provision shall be left to the student's will, we will ask him/her to give his/her consent in order to be able to process the personal data referred to in points 3) and 5) of the Information being processed (paragraph 1).
In the absence of such consent, we will only process the data strictly necessary to provide the requested service, namely the data referred to in points 1), 2), and 4) of the Information being processed (paragraph 1).
4. PROCESS METHODS AND RETENTION
The personal data of the data subject are processed in paper or electronic format.
Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
Data will be retained exclusively for the period and the purposes for which they were collected.
In any case, the deletion will take place within 5 years of collection.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by: JCU staff, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of the Data.
The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to/received from:
Data on the data subjects cannot be disseminated.
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, Blackbaud, based in 2000 Daniel Island Drive Charleston, SC 29492-7541, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].
7. DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
He/she also has the right to lodge a complaint with the Supervisory Authority.
Moreover, the data comes partly from the data subject who filled out the specific form, partly from the JCU IT system Education Edge - BlackBaud (which in any case contains data provided, at another time, by the data subject), as well as by UNICRI Coordinator (United Nations International Crime and Justice Research Institute).
Since the processing of personal data is based on the consent of the data subject, it is specified that the revocation of consent does not affect the legitimacy of the processing operated before the revocation.
The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject, to periodically check this information.
[1] The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).
Contact information collection form to update data subject on John Cabot University initiatives
PERSONAL DATA CONTROLLER
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as required by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "special categories of personal data" which may be deductible, even indirectly, from information provided by the data subject or by a third party.
PERSONAL DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
| Data processor | Description |
|---|---|
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| Blackbaud, 65 Fairchild Street Charleston, SC 29492 | Information systems support and maintenance services provider |
| Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma – Italia | Information systems support and maintenance services provider |
| HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States | Software as Service provider in support of marketing activities |
| OmniUpdate, 1320 Flynn Road Suite 100 Camarillo, CA 93012 | Software as Service provider for content management |
| Higher Education Marketing: 6560 de l'esplanade, suite 204 Montreal, Quebec, H2V 4L5 | OmniUpdate partner for IT services |
| Dali Studio s.r.l. | Graphic Designers |
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION BEING PROCESSED
If you decide to provide us by filling in the information request form, the following information/personal data will be processed:
In addition, if the data subject assumes the position of student of the JCU, we will use the information collected here - together with the additional information we will acquire during the application phase - in the documentation relating to his/her interaction with JCU and his/her preferences (relating to the services of assistance required, tutoring and orientation activities, housing, ...).
2. PURPOSE OF DATA PROCESSING
This privacy notice applies as long as the data subject does not develop a further relationship with the University, at the moment in which the data subject obtains the status of student of JCU, we will take care of giving information about this process, even in virtue of the numerous information which, although in compliance with the principles set out in articles 5 and 25 of GDPR, we will request.
Considering the above information, the data will be processed for the following purposes:
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process your personal data because it is necessary for a legal obligation, to respond to a particular request from you, for a legitimate interest of JCU to promote its image and its educational purpose, consistently with the interest expressed by the data subject.
4. PROCESS METHODS AND DATA RETENTION
The personal data of the data subject are processed in paper or electronic format.
Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
Data will be retained exclusively for the period and the purposes for which they were collected.
In any case, the deletion will take place within 10 years of collection.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of Data.
The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which Data were collected in conformity with the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to:
Data on the data subjects cannot be disseminated.
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to (i) Canada for which the European Commission has expressed its Adequacy Decision on December 20, 2001, in compliance with the European Parliament and Council Directive 95/46 / EC and regarding the adequacy of the protection provided by the Canadian Personal Information Protection and Electronic Documents Act;(ii) United States of America through a certified data controller pursuant to the Privacy Shield Agreement[1],;(iii) California (USA), in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87/EU with the controller.
7. DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
You also have the right to lodge a complaint with the Supervisory Authority.
If our processing of personal data is based on consent and you have given your consent, you can revoke it or refuse to send information about JCU's initiatives by writing an email to [email protected]. In any case, revocation of consent does not affect the legitimacy of the processing operated before the revocation.
The data subject can provide his/her requests to JCU by writing to the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.
[1] The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).
PERSONAL DATA CONTROLLER
John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as required by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "particular" which may be deductible, even indirectly, from information provided by the data subject or by a third party.
PERSONAL DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
| Data Processor | Description |
|---|---|
| Eduservices S.r.l., Piazza San Lorenzo, 6 - 50123 Firenze - Italia | Service provider and related consultancy for collecting documentation and obtaining student residence permits (and other, similar, necessary documentation) |
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| Blackbaud, 2000 Daniel Island Drive Charleston | Information systems support and maintenance services provider |
| Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma - Italia | Information systems support and maintenance services provider |
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case, these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
1. INFORMATION BEING PROCESSED
Information processed are the following:
Furthermore, some of the information relating to the data subject was acquired (together with the necessary notice) during the previous contact moments (for example during Admission).
2. PURPOSE OF DATA PROCESSING
The personal data relating to the data subject and his/her family members, are functional to the pursuit of the following purposes:
3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process the personal data of the data subject because it is necessary (i) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject as provided for in the pre-contractual measures; (ii) for compliance with a legal obligation to which JCU is subject; (iii) for the purposes of the legitimate interests pursued by JCU in organizing academic activity and verifying the regularity, under different profiles, of the student's position.
Data referred to in paragraph 1, points 1), 2), 3), 4) and 6), collected on this occasion or previously, are necessary for the management of the student's position and the pursuit of the aforementioned purposes.
It should also be borne in mind that, pursuant to Article 96 of Legislative Decree 196 of 2003, in order to facilitate the orientation, training and professional integration, also abroad, the institutions of the national education system, regional vocational training centers, private schools as well as institutions of high artistic and dance training and public or private and legally recognized universities, upon request of the data subjects, can communicate or disseminate, also to private individuals and electronically, data relating to the training results, intermediate and final, of students and other personal data other than those referred to in articles 9 and 10 of the Regulation, relevant in relation to the aforementioned purposes.
In relation to the processing of Data referred to in paragraph 1, point 5), the data subject's consent is required, which will be collected using the appropriate form.
4. PROCESS METHODS AND DATA RETENTION
The personal data of the data subject are processed in paper or electronic format.
Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.
The personal data will be retained exclusively for the period and the purposes for which they were collected. The data of the data subject will be retained for the duration of the Courses in which he/she is enrolled and, subsequently, for 5 years.
5. COMMUNICATION AND CIRCULATION OF DATA
The personal data of the data subject can be processed by: JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of the Data.
The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.
Furthermore, Data of the data subject may also be communicated to/received from:
Data on the data subjects cannot be disseminated.
6. TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to the United States of America, for this purpose the recipient, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].
7. DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
He/she also has the right to lodge a complaint with the Supervisory Authority.
The data subject can provide his/her requests to JCU by writing to the office of the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.
[1] The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration, respectively, to provide a mechanism for the Companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland in the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).
Download the policy and disclaimer
John Cabot University systematically undertakes to comply with the current legislation on data protection and user privacy protection.
The following information describes the provisions of articles 13 and 14 of GDPR.
Upon you giving your consent for JCU to use your image, we are committed to using it only for the purpose of promoting JCU’s courses and initiatives.
Your image might be published:
PERSONAL DATA CONTROLLER
John Cabot University (hereinafter “JCU” or just “University”), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller.
PERSONAL DATA PROCESSORS
John Cabot University uses the following subjects as Data Processors:
|
Data processor |
Description |
|
Modern Campus, 1320 Flynn Road Suite 100 Camarillo, CA 93012 |
Software as Service provider for content management |
|
Higher Education Marketing: 6560 de l'esplanade, suite 204 Montreal, Quebec, H2V 4L5 |
Partner of OmniUpdate for IT services |
|
SiteImprove Italia srl Via Motta Emilio, 10, 20144 Milano |
Software as Service provider for website improvement |
|
Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 |
Email service provider in Cloud |
|
WordPress Automatic Inc. 60 29th Street #343, San Francisco, CA 94110 |
Software provider for creating and managing websites and blogs |
|
Dude Solutions, 11000 Regency Parkway, Suite 110, Cary, NC 27518 |
Software provider for events management, web calendar |
|
HubSpot, 25 First Street, 2nd Floor Cambridge, MA 02141 United States |
Software as Service provider in support of marketing activities |
However, it is possible that JCU identifies other subjects designated as Data Processors but not included in the table above, in any case these subjects will be functional to the processing operated by JCU and bound to the principle of purpose as well as to the respect of the current legislation on the protection of personal data.
LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION
We may process your image based on your consent. You may revoke your consent at all times by sending an email to [email protected].
PROCESS METHODS AND DATA RETENTION
The personal data of the data subject are processed in paper or electronic format.
Once obtained your consent to the processing of your image, JCU will store it in its Content Management System and may publish it on its websites or social media.
To protect the personal data processed, JCU has adopted adequate organizational, technical and physical measures - in accordance with the provisions of article 32 of GDPR - in order to maintain the confidentiality, availability and integrity of the information collected.
All information provided within the Website is encrypted using the 128-bit Secure Sockets Layer (SSL) system and public-key encryption.
The Website is certified as "Comodo secure site". To learn more about the safety certification program, we recommend that you visit the www.comodo.com sites.
Notwithstanding the foregoing, users and visitors of the JCU Website shall keep in mind that the Website and all associated services are managed on software, hardware, and networks systems, whose components may, from time to time, require maintenance or be subject to inefficiencies (which JCU will try to resolve promptly).
Processed data are kept for the time necessary for the above purpose, after which they are deleted.
TRANSFER OF EXTRA EU DATA
The personal data of the data subjects may be transferred to (i) Canada for which the European Commission has expressed its Adequacy Decision on December 20, 2001, in compliance with the European Parliament and Council Directive 95/46/EC and regarding adequacy of the protection provided by the Canadian Personal Information Protection and Electronic Documents Act, to (ii) the United States of America through a certified data controller pursuant to the Privacy Shield Agreement, as well as (iii) to California (USA) in this case adopting the clauses "EU controller to non-EU or EEA processor" referred to in decision 2010/87 / EU with the controller.
DATA SUBJECTS RIGHTS
In the case provided, the data subject has the right to obtain access to personal data from JCU and the rectification or erasure of them or the restriction of the processing that concerns him/her or to object to processing (articles 15 to 22 of GDPR).
Data subjects have the right to lodge a complaint with the Supervisory Authority.
The data subject can provide his/her requests to JCU by writing to the Referent for the protection of the data subject’s rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].
If you believe that we have collected information on an under 14 years old, without the consent of or in contrast with the will of the person that exercises the parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.
CHANGES OF INFORMATION MADE ON THIS PAGE/DOCUMENT
JCU reserves the right to modify the information entered on this page/document, by publishing the changes on the website, therefore we advise the data subject to periodically check this information.
Pursuant to article 13 of EU Regulation no. 679/2016 (hereinafter, “GDPR”) concerning the protection of individuals with regard to the processing of personal data, John Cabot University (hereinafter, “Owner”) informs that the students’ data will be processed in accordance with the following Privacy Policy.
I. Purpose and lawfulness of the processing (art. 6 GDPR 2016/679).
The data processing will be carried out by the owner for one or more of the following purposes, where applicable:
A. Personal, fiscal, and, where applicable, health data are processed for the purpose of following up on the contract signed between the parties, and, more specifically for:
The conditions for the lawfulness of the processing are the execution of the contract itself, except for the execution of tasks in the public interest or the protection of students and University employees and/or legal obligations. In any case, no consent is required.
II. Processing methods and data retention time:
Processing of personal data is carried out through the operations indicated in art. 4 no. 2) GDPR, specifically: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
Personal data is subjected to both paper and electronic and/or automated processing.
The Data Controller will process the personal data:
for the necessary time to fulfill the purposes indicated in the above points A and H, and in any case no later than 10 years from the pursuit of the academic qualification or from the loss of student status; to fulfill legal and fiscal obligations; and to allow the exercise of the rights referred to in art. 24 of the Italian Constitution (right of defense). Personal, enrollment, academic (including any disciplinary measures against the student and/or any news of crimes and/or relevant behavior), and graduation data will be kept indefinitely, also taking into account the archiving obligations established by current laws;
III. Access to data
The data may be made accessible for the above-mentioned purposes:
IV. Data Communication
Personal data may be communicated, during the university career and even after obtaining academic titles, to other public and private entities, when necessary for the implementation of the University's institutional purposes, including the provision of specific services to students, the conduct of internships, the management of inter-university exchange programs (e.g. Erasmus or based on bilateral agreements), the management of programs/post-graduate courses offered in collaboration with other partner universities, job placement and in any case for all activities connected and instrumental to these purposes. In compliance with current regulations, among others, personal data are periodically transmitted to the National Student Registry for the purposes specified in Article 1-bis of Legislative Decree no. 105/2003, converted into Law no. 170/2003, and sent to the Ministry of Education, University and Research (MIUR) for mandatory periodic statistical surveys. Data processing may also take place for historical, statistical or scientific purposes, in compliance with applicable laws and sector-specific codes of ethics. Your data may be communicated to public entities for compliance with obligations related to the control of self-certified declarations pursuant to Art. 71 of Presidential Decree no. 445/2000. In addition, personal data may be communicated to all individuals who, according to legal provisions, are required to know them or may know them, as well as to individuals who are entitled to access them. Personal data may be communicated to external entities, institutions and associations for guidance, internships, job placement, post-graduate training activities and for the allocation of housing. The aforementioned data may also be communicated to other public entities, such as public bodies responsible for managing research grants and scholarships, only for institutional purposes and in compliance with the principle of relevance for which they will be processed, and only for the duration of the respective processing for which they have been requested. The University, in carrying out its institutional functions, may transmit personal data to external companies to which it will entrust the outsourcing of specifically identified activities in order to optimize the services it offers to its students. For this purpose, and after verifying the requirements of experience, capacity and reliability, the aforementioned companies will be appointed Data Processors, unless such companies are qualified or qualify as Data Controllers. In exceptional cases, previously assessed, and for exclusively educational purposes, your telephone number may be made available to teachers or other personnel with a position at the University upon presentation of a motivated request.
In order to facilitate guidance, training and professional placement, also abroad, with the express consent of the data subject, the University may communicate or disseminate, also to private individuals and through electronic means, data relating to the results of students' exams (intermediate and final) and other personal data other than sensitive data, relevant in relation to the aforementioned purposes.
With the express consent of the data subject, the Controller may communicate the contact personal data for the promotion of services and products to third parties who assist the company in such activity and with whom the company has entered into contracts and/or agreements in the performance of marketing/promotional activities, authorizing the sending of promotional communications and/or informative material on products or services offered by the Controller and the detection of the degree of satisfaction with the quality of services through e-mail, mail and/or SMS and/or telephone contacts, newsletters, etc. The recipients to whom the data will be communicated are to be considered autonomous Data Controllers and as such will also be subject to the obligations under GDPR 2016/679 (information, lawfulness conditions, etc.). The list of these recipients is available, upon request, from the Data Controller.
Non-sensitive personal data may be communicated to external entities to which the University will turn to take advantage of services related to travel (transportation, lodging, meals, etc.) such as hotels, travel agencies, transportation companies, etc. It is confirmed that such entities will be autonomous Data Controllers based on the service offered and will directly collect any consents from the student, providing the appropriate information.
The data will not be disclosed, except with the express consent of the data subject.
V. Data Transfer
Personal data is stored on servers located in Rome (RM) and on the Cloud, and in any case within the European Economic Area.
The Data Controller ensures that the transfer of data to countries outside the EU will take place in compliance with applicable legal provisions, with full guarantee of application of the safeguards provided by the GDPR 2016/679, also in terms of the exercise of the data subject's rights.
VI. Data Subject Rights
The data subject is guaranteed the exercise of the rights set forth in Articles 15 et seq. of the GDPR, if applicable, namely the right to:
object, in whole or in part, on legitimate grounds, to the processing of personal data concerning him or her, even if it is relevant to the purpose of the collection; and to the processing of personal data for the purposes of sending advertising or direct sales material or for carrying out market research or communication. The data subject may decide to receive only traditional communications or only automated communications, or neither of the two types of communication. Where applicable, the data subject also has the rights provided for in Articles 16-21 of the GDPR:
It should be noted that the right to erasure does not apply if processing is necessary (Article 17(3) of the GDPR) for:
VII. Exercise of Rights
The data subject may exercise their rights at any time by contacting the University's internal DPO at the email address [email protected] or by sending a communication to the address indicated below, always addressed to the University's DPO.
VIII. Data Controller, Data Processors, and Authorized Persons
The Data Controller is John Cabot University, with registered office in Via della Lungara, 233, 00165 Rome.
The updated list of authorized persons, data processors, and sub-processors is kept at the Data Controller's registered office.
This information is made available to both adult students and parents of minor students (who are, in any case, not younger than 17 years old).
