I. Purpose and lawfulness of the processing (art. 6 GDPR 2016/679).
The data processing will be carried out by the owner for one or more of the following purposes, where applicable:
A. Personal, fiscal, and, where applicable, health data are processed for the purpose of following up on the contract signed between the parties, and, more specifically for:
- management of pre-enrollment and admission procedures to study courses;
- management of enrollment procedures, including the activities connected with obtaining a residence permit;
- delivery and management of the student’s academic education until graduation;
- management of University fees and any tuition fees;
- management of educational and administrative relationships;
- carrying out any curricular and extra-curricular internships;
- sending institutional communications to students by ordinary mail and e-mail;
- access to University premises;
- verification of the student’s self-declarations;
- participation in the active and passive electorate for the election of student representatives;
- management of disciplinary procedures against the student;
- national and international student mobility programs, incoming and outgoing student orientation, also through communication to public and/or private bodies for employment/professional purposes;
- disbursement of grants and subsidies for students;
- use of the University's fitness facilities, made available to the student free of charge;
- support of students with disabilities;
- participation in research projects and/or activities compatible with the University's institutional purposes;
- statistical surveys and internal University evaluations;
- video surveillance of the University facilities.
The conditions for the lawfulness of the processing are the execution of the contract itself, except for the execution of tasks in the public interest or the protection of students and University employees and/or legal obligations. In any case, no consent is required.
B. Personal data may be processed for the purpose of allowing the tutoring activity provided by the University free of charge, upon your request to that effect. The condition of lawfulness of the processing is the execution of the contract referred to in point A of which the tutoring activity is a supplementary service and, following the request to use the service, it will not be necessary to give any consent.
C. Personal data may be processed for the purpose of allowing the consultation service of the University's bibliographic resources, provided by the University free of charge, upon request by the interested party to this effect. The condition of lawfulness of the processing is the execution of the contract referred to in point A of which the consultation service is a supplementary service and, following the request to use the service, it will not be necessary to give any consent.
D. Personal data may be processed for the purpose of allowing the International SOS service, provided by the University free of charge. For this purpose, the University will communicate the student's contact details to the aforementioned service, which will contact the student in the event of an emergency. The condition of lawfulness of the processing is to guarantee the safety of the student and it will not be necessary to give any consent.
E. Personal, fiscal, and, where applicable, health data may be processed for the purpose of following up on the Housing Contract signed between the parties. The condition of lawfulness of the processing is the execution of the contract itself and no consent will be required.
F. Personal data (photo images and audio-video footage) may be processed for communication activities, institutional campaigns, editorial initiatives to promote the University and its educational offer, for paper and audio-video publications on the institutional website (Facebook, Twitter, Instagram, YouTube, etc.), and on any official University communication channel. The condition for the lawfulness of the processing is your consent, which is optional. If consent is missing or revoked, the data above will not be processed. The consent form and all related information are provided during the registration phase.
G. The personal and contact data may be used to promote University services and products (marketing) by sending e-mails, post and/or text messages and/or phone calls, newsletters, etc. The condition of legitimacy is the promotion of services similar to those already provided to the student (soft spam).
H. The University will process the contact details provided by the student and/or communicated by the home University in order to contact the aforementioned University, as well as the subjects authorized to receive such information (parents, relatives, etc.) where such contact is made necessary by: obligations of law or equivalent act; in case of a risk event to protect students and/or employees and collaborators of the University; or for public order needs. Specifically, the University will be able to transmit the student's personal data (including particular and judicial data) to the home University located in countries outside the European Economic Area (including the United States) in order to report on academic and external conduct cases which could be related to discrimination, harassment or situations that could be classified as a crime under Title IX of the United States Education Act. The condition of lawfulness of the processing is to guarantee the safety of the students and/or employees and collaborators of the Universities and the protection of public order more generally. Therefore, no consent will be required to process and transmit this type of data.
I. With regard to study, cultural, or leisure trips, the authorized University personnel will process data as legitimated by the authorization itself. Any external subject contacted by the University to provide travel-related services (transport, accommodation, meals, etc.) such as hotels, tourist agencies, transport companies, etc., will be independent data controllers according to the service offered and they will collect any consent directly from the student, providing the necessary information. The condition of lawfulness of the processing is the execution of the contract that allows participation in the trip, and no consent will be necessary.
II. Processing methods and data retention time:
Processing of personal data is carried out through the operations indicated in art. 4 no. 2) GDPR, specifically: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
Personal data is subjected to both paper and electronic and/or automated processing.
The Data Controller will process the personal data:
a. For the time necessary to fulfill the purposes indicated in the above points A and H, and in any case no later than 10 years from the pursuit of the academic qualification or from the loss of student status; to fulfill legal and fiscal obligations; and to allow the exercise of the rights referred to in art. 24 of the Italian Constitution (right of defense). Personal, enrollment, academic (including any disciplinary measures against the student and/or any news of crimes and/or relevant behavior), and graduation data will be kept indefinitely, also taking into account the archiving obligations established by current laws;
b. For the purposes set forth in letters B, C, and D, for the duration of the service provision and, in any case, not beyond the loss (for any reason) of the data subject's status as a student at the University;
c. For the purposes set forth in letter E, for the time necessary to fulfill the same and, in any case, not beyond 10 years from the termination of the Housing contract, for legal and tax compliance obligations, and to allow the exercise of the rights provided for in Article 24 of the Italian Constitution (right of defense);
d. For the purposes set forth in letter F, reference is made to the specific information provided at the time of enrollment;
e. For the purposes set forth in letter G, for the duration of the study program and not beyond 2 years from the achievement of the academic degree or from the loss of the data subject's status as a student of the faculty;
f. For the purposes set forth in letter I, for the time necessary to organize the trip and provide the service.
III. Access to data
The data may be made accessible for the above-mentioned purposes:
- to employees and collaborators of the Data Controller in Italy and abroad, in their capacity as authorized data processors and/or system administrators;
- to third-party companies or other entities that perform outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.
- to individuals who are granted access by provisions of law or secondary legislation.
IV. Data Communication
Personal data may be communicated, during the university career and even after obtaining academic titles, to other public and private entities, when necessary for the implementation of the University's institutional purposes, including the provision of specific services to students, the conduct of internships, the management of inter-university exchange programs (e.g. Erasmus or based on bilateral agreements), the management of programs/post-graduate courses offered in collaboration with other partner universities, job placement and in any case for all activities connected and instrumental to these purposes. In compliance with current regulations, among others, personal data are periodically transmitted to the National Student Registry for the purposes specified in Article 1-bis of Legislative Decree no. 105/2003, converted into Law no. 170/2003, and sent to the Ministry of Education, University and Research (MIUR) for mandatory periodic statistical surveys. Data processing may also take place for historical, statistical or scientific purposes, in compliance with applicable laws and sector-specific codes of ethics. Your data may be communicated to public entities for compliance with obligations related to the control of self-certified declarations pursuant to Art. 71 of Presidential Decree no. 445/2000. In addition, personal data may be communicated to all individuals who, according to legal provisions, are required to know them or may know them, as well as to individuals who are entitled to access them. Personal data may be communicated to external entities, institutions and associations for guidance, internships, job placement, post-graduate training activities and for the allocation of housing. 
The aforementioned data may also be communicated to other public entities, such as public bodies responsible for managing research grants and scholarships, only for institutional purposes and in compliance with the principle of relevance for which they will be processed, and only for the duration of the respective processing for which they have been requested. The University, in carrying out its institutional functions, may transmit personal data to external companies to which it will entrust the outsourcing of specifically identified activities in order to optimize the services it offers to its students. For this purpose, and after verifying the requirements of experience, capacity and reliability, the aforementioned companies will be appointed Data Processors, unless such companies are qualified or qualify as Data Controllers. In exceptional cases, previously assessed, and for exclusively educational purposes, your telephone number may be made available to teachers or other personnel with a position at the University upon presentation of a motivated request.
In order to facilitate guidance, training and professional placement, also abroad, with the express consent of the data subject, the University may communicate or disseminate, also to private individuals and through electronic means, data relating to the results of students' exams (intermediate and final) and other personal data other than sensitive data, relevant in relation to the aforementioned purposes.
With the express consent of the data subject, the Controller may communicate the contact personal data for the promotion of services and products to third parties who assist the company in such activity and with whom the company has entered into contracts and/or agreements in the performance of marketing/promotional activities, authorizing the sending of promotional communications and/or informative material on products or services offered by the Controller and the detection of the degree of satisfaction with the quality of services through e-mail, mail and/or SMS and/or telephone contacts, newsletters, etc. The recipients to whom the data will be communicated are to be considered autonomous Data Controllers and as such will also be subject to the obligations under GDPR 2016/679 (information, lawfulness conditions, etc.). The list of these recipients is available, upon request, from the Data Controller.
Non-sensitive personal data may be communicated to external entities to which the University will turn to take advantage of services related to travel (transportation, lodging, meals, etc.) such as hotels, travel agencies, transportation companies, etc. It is confirmed that such entities will be autonomous Data Controllers based on the service offered and will directly collect any consents from the student, providing the appropriate information.
The data will not be disclosed, except with the express consent of the data subject.
V. Data Transfer
Personal data is stored on servers located in Rome (RM) and on the Cloud, and in any case within the European Economic Area.
The Data Controller ensures that the transfer of data to countries outside the EU will take place in compliance with applicable legal provisions, with full guarantee of application of the safeguards provided by the GDPR 2016/679, also in terms of the exercise of the data subject's rights.
VI. Data Subject Rights
The data subject is guaranteed the exercise of the rights set forth in Articles 15 et seq. of the GDPR, if applicable, namely the right to:
- obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information on its processing in an intelligible form;
- obtain: a) information on the source of the personal data; b) the purposes and methods of the processing; c) the logic involved in any automated processing of the personal data; d) the identification details of the controller, processors, and the designated representative pursuant to Article 3(1) of the GDPR; e) the recipients or categories of recipients to whom the personal data may be disclosed, including those designated as representative(s) in the territory of the State, processors or persons in charge;
- obtain: a) the rectification, erasure or blocking of personal data that has been processed unlawfully, including data whose retention is unnecessary for the purposes for which it has been collected or subsequently processed; b) notification of the operations carried out as per letter a) and b), including their contents, to those to whom the data has been communicated or disclosed, unless this proves impossible or involves a disproportionate effort;
- object, in whole or in part, on legitimate grounds, to the processing of personal data concerning him or her, even if it is relevant to the purpose of the collection; and to the processing of personal data for the purposes of sending advertising or direct sales material or for carrying out market research or communication. The data subject may decide to receive only traditional communications or only automated communications, or neither of the two types of communication.
Where applicable, the data subject also has the rights provided for in Articles 16-21 of the GDPR:
- Right to rectification - the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her;
- Right to erasure (‘right to be forgotten’) - the right to obtain the erasure of personal data concerning him or her in the following cases (Article 17(1) of the GDPR):
  - the personal data is no longer necessary for the purposes for which it was collected or processed, and there is no legal obligation for the data controller to retain it;
  - the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
  - the data subject objects to the processing of personal data for direct marketing purposes, including profiling, and there are no overriding legitimate grounds for the processing;
  - the personal data has been unlawfully processed;
  - the personal data must be erased to comply with a legal obligation under the Union or Member State law to which the data controller is subject;
  - personal data has been collected in relation to the offer of information society services to minors, and consent has been given by the minor or by the holder of parental responsibility over the minor.
It should be noted that the right to erasure does not apply if processing is necessary (Article 17(3) of the GDPR) for:
  - exercising the right of freedom of expression and information;
  - compliance with a legal obligation that requires processing under Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
  - reasons of public interest in the area of public health;
  - archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  - the establishment, exercise or defense of legal claims.
- Right to restriction of processing - the right to have the use of personal data and, thus, processing, limited to what is necessary for preservation purposes, including:
  - where the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data;
  - where the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  - where the data controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  - where the data subject has objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject.
- Right to data portability - the right to receive personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance.
- Right to object - the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The data controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. The data subject also has the right to object at any time to the processing of personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. If personal data is processed for scientific or historical research purposes or statistical purposes, the data subject may, on grounds relating to his or her particular situation, object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- Right to lodge a complaint with the supervisory authority - the right to lodge a complaint with the supervisory authority for data protection if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. For further information, please refer to: https://www.garanteprivacy.it/.
VII. Exercise of Rights
The data subject may exercise their rights at any time by contacting the University's internal DPO at the email address [email protected] or by sending a communication to the address indicated below, always addressed to the University's DPO.
VIII. Data Controller, Data Processors, and Authorized Persons
The Data Controller is John Cabot University, with registered office in Via della Lungara, 233, 00165 Rome.
The updated list of authorized persons, data processors, and sub-processors is kept at the Data Controller's registered office.
This information is made available to both adult students and parents of minor students (who are, in any case, not younger than 17 years old).