Orientation Privacy

Information on the processing of personal data - articles 13 and 14 of EU Regulation 2016/679 ("GDPR")

PERSONAL DATA CONTROLLER

John Cabot University ("JCU"), with registered office in Via della Lungara, 233, 00165 Rome, Italy, is the Data Controller, as required by articles 4 and 24 of EU Regulation 679/2016, with reference to the use of personal data (hereinafter "Data"), including those called "particular", which may be deducible, even indirectly, from information provided by the data subject or by a third party.

PERSONAL DATA PROCESSORS

John Cabot University uses the following subjects as Data Processors:

| Data Processor | Description |
| --- | --- |
| Eduservices S.r.l., Piazza San Lorenzo, 6 - 50123 Firenze - Italia | Service provider and related consultancy for collecting documentation and obtaining student residence permits (and other, similar, necessary documentation) |
| Microsoft Ireland Operations Limited (IE8256796U), South County Business Park, Leopardstown, Dublin 18 | Email service provider in Cloud |
| Blackbaud, 2000 Daniel Island Drive Charleston | Information systems support and maintenance services provider |
| Wedot S.R.L., Via Gaetano Donizetti, 9 - 00198 Roma - Italia | Information systems support and maintenance services provider |

However, JCU may identify other subjects designated as Data Processors that are not included in the table above. In any case, these subjects will be functional to the processing carried out by JCU and bound to the principle of purpose as well as to compliance with the current legislation on the protection of personal data.

1. INFORMATION BEING PROCESSED

The following information is processed:

1)     Contact details (data subject);

2)     Identification number assigned to the student by JCU;

3)     Contact details in case of emergency (data of third parties);

4)     ID details (including the scanned version);

5)     Information to obtain the documents concerning the regularization of the stay in Italy;

6)     Bank and financial information;

7)     Information on special needs.

Furthermore, some of the information relating to the data subject was acquired (together with the necessary notice) during previous contacts (for example, during Admission).

2. PURPOSE OF DATA PROCESSING

The personal data relating to the data subject and his/her family members are functional to the pursuit of the following purposes:

a)      Collect the necessary information, once the admission process has been completed, to guarantee the student's regularity in all aspects (administrative, educational, ...) and to be able to prepare the management of his/her position within the JCU courses;

b)     Support the student in obtaining the Residence Permit;

c)      Provide services to support the student's stay (activities that stimulate learning, extra-curricular activities, tutoring services);

d)     Manage emergency situations concerning the student.

3. LEGAL BASIS FOR THE PROCESSING OF YOUR INFORMATION

We may process the personal data of the data subject because it is necessary (i) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject as provided for in the pre-contractual measures; (ii) for compliance with a legal obligation to which JCU is subject; (iii) for the purposes of the legitimate interests pursued by JCU in organizing academic activity and verifying the regularity, under different profiles, of the student's position.

Data referred to in paragraph 1, points 1), 2), 3), 4) and 6), collected on this occasion or previously, are necessary for the management of the student's position and the pursuit of the aforementioned purposes.

It should also be borne in mind that, pursuant to Article 96 of Legislative Decree 196 of 2003, in order to facilitate the orientation, training and professional integration, also abroad, the institutions of the national education system, regional vocational training centers, private schools as well as institutions of high artistic and dance training and public or private and legally recognized universities, upon request of the data subjects, can communicate or disseminate, also to private individuals and electronically, data relating to the training results, intermediate and final, of students and other personal data other than those referred to in articles 9 and 10 of the Regulation, relevant in relation to the aforementioned purposes. 

In relation to the processing of Data referred to in paragraph 1, point 5), the data subject's consent is required, which will be collected using the appropriate form.

4. PROCESS METHODS AND DATA RETENTION

The personal data of the data subject are processed in paper or electronic format.

Adequate security measures are adopted to prevent data breaches, unlawful or incorrect use and unauthorized access and to guarantee the security of data processed under the triple profile of confidentiality, integrity and availability.

The personal data will be retained exclusively for the period and the purposes for which they were collected. The data of the data subject will be retained for the duration of the Courses in which he/she is enrolled and, subsequently, for 5 years.

5. COMMUNICATION AND CIRCULATION OF DATA

The personal data of the data subject can be processed by: JCU staff, teachers and subjects of JCU or who collaborate with JCU, who need these data to carry out their duties, as well as other subjects who provide services to which the University has specifically assigned the task of processor or qualified interlocutor (for example, considering that it is an independent data controller) for the processing of the Data.

The processing of data, from simple access, to visualization and data entry, is always bound to the purpose for which the data was collected and conforms to the principles expressed in articles 5 and 25 of GDPR.

Furthermore, Data of the data subject may also be communicated to/received from:

1. Ministry of the Interior, Police Stations;

2. other national or foreign public bodies;

3. mailing service companies;

4. travel agencies;

5. hotels (for travel);

6. hospitals.

Data on the data subjects cannot be disseminated.

6. TRANSFER OF DATA OUTSIDE THE EU

The personal data of the data subjects may be transferred to the United States of America; for this purpose, the recipient, designated as Data Processor, is certified pursuant to the Privacy Shield Agreement[1].

7. DATA SUBJECTS' RIGHTS

In the cases provided for, the data subject has the right to obtain from JCU access to his/her personal data, their rectification or erasure, or the restriction of the processing that concerns him/her, or to object to processing (articles 15 to 22 of GDPR).

He/she also has the right to lodge a complaint with the Supervisory Authority.

The data subject can submit his/her requests to JCU by writing to the office of the Referent for the protection of the data subject's rights (also known as DPO – Data Protection Officer) located in Via della Lungara, 233, 00165 Rome, Italy, or by sending a communication to the address [email protected].

If you believe that we have collected information on a person under 14 years of age, without the consent of or contrary to the will of the person who exercises parental responsibility, please contact us at [email protected] so that we can either manage the complaint or delete the information.

8. CHANGES OF INFORMATION MADE ON THIS PAGE / DOCUMENT

JCU reserves the right to modify the information on this page/document by publishing the changes on the website https://www.johncabot.edu/privacy/orientation.aspx; we therefore advise the data subject to check this information periodically.


[1] The Privacy Shield is an Agreement designed by the US Department of Commerce, the European Commission and the Swiss administration to provide a mechanism for companies on both sides of the Atlantic to meet data protection requirements during the transfer of personal data from the European Union and Switzerland to the United States in support of transatlantic trade. On 12 July 2016, the European Commission considered that the U.S. Privacy Shield Framework is adequate to allow data transfer based on EU law (adequacy decision).