John Cabot University, as Data Controller of personal data (hereinafter, the "Data Controller") informs Visitors pursuant to EU Regulation 2016/679 ("GDPR") and current national legislation on personal data protection that all external subjects who are not in possession of a JCU ID must identify themselves by showing a personal identification document in order to access University premises.
1. Data Processed
The Data Controller processes personal, identifying and non-particular data (specifically: name, surname, number and type of identity document, hereinafter, "Personal Data" or even "Data") communicated by you when accessing University premises. To guarantee the safety of places and people, the Data Controller reserves the right to verify the Data provided through authorized personnel who will check the identification document mentioned above.
2. Purpose and Treatment
Your Personal Data is processed without your prior consent, for the following purposes and legal bases:
- fulfillment of contractual obligations and pre-contractual commitments, specifically to:
♦ allow you to enter the Data Controller's premises, also following the issue of a
badge to access library services;
- the pursuit of a legitimate interest of the visitor, specifically to:
♦ allow you to enter the Data Controller's premises even following the issue of a
- the pursuit of a legitimate interest of the Data Controller, specifically to:
♦ protect the Data Controller's premises and corporate assets;
♦ exercise the Data Controller’s rights in court and manage any disputes;
♦ prevent and suppress unlawful acts;
- the fulfillment by the Data Controller’s legal obligations, such as:
♦ compliance with the obligations established by laws, regulations or community legislation
or imposed by the Authorities regarding safety on company premises.
- safeguarding the vital interests of the data subject, specifically to:
♦ ensure your safety and security within the Data Controller's premises.
3. Processing Methods
The processing of your Personal Data is carried out electronically and on paper by means of collection, registration, organization, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation, and data destruction.
For the purposes and in the way described in this paragraph, you will be asked to fill out a form that will contain the data referred to above.
4. Data Retention
The Data Controller processes Personal Data for the time necessary to fulfill the aforementioned purposes, and in any case no later than two weeks from the date of access to the Data Controller’s premises.
5. Data Provision
The provision of data is mandatory, and any refusal to provide such data will result in the impossibility of accessing the premises of the Data Controller.
6. Access to Data
Your data can be accessed for the aforementioned purposes by: employees and/or collaborators of the Data Controller (e.g., reception service personnel, security service personnel), in their capacity as data processors and/or internal data processors and/or system administrators; associated or subsidiary companies and third-party companies or other subjects (for example, surveillance service providers, professional firms, etc.) who carry out outsourcing activities on behalf of the Data Controller, in their capacity as external data processors.
7. Data Communication
Your Data may also be communicated, even without your consent, to supervisory bodies, law enforcement agencies or the judiciary, upon their express request, which will treat them as independent data controllers for institutional purposes and/or pursuant to the law during investigations and checks.
8. Data Transfer
The Data will not be disclosed or transferred to non-EU countries.
9. Rights of the Interested Party
The Data Controller informs you that, as an interested party, if the limitations established by law do not apply, you have the right to: obtain confirmation of the existence or not of your personal data, even if not yet registered, and that such data are made available to you in an intelligible form; obtain indication and, where appropriate, copy: a) of the origin and category of personal data; b) of the logic applied in case of treatment carried out with the aid of electronic instruments; c) the purposes and methods of processing; d) of the identification details of the Data Controller and managers; e) of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them, in particular if they are recipients of third countries or international organizations; e) when possible, of the data retention period or the criteria used to determine this period; f) the existence of an automated decision-making process and, in this case, the logic used, the importance and the consequences envisaged for the data subject; g) the existence of adequate guarantees in the event of transfer of data to a non-EU country or to an international organization; obtain, without unjustified delay, the updating and correction of inaccurate data or, when interested, the integration of incomplete data; obtain the cancellation, transformation into anonymous form or blocking of data: a) processed unlawfully; b) no longer necessary in relation to the purposes for which they were collected or subsequently processed; c) in case of revocation of the consent on which the treatment is based and in case there is no other legal basis, d) if you have opposed the treatment and there is no overriding legitimate reason to continue the treatment; e) in case of fulfillment of a legal obligation; f) in the case of data referring to minors. The Data Controller can refuse the cancellation only in the case of: a) exercise of the right to freedom of expression and information; b) fulfillment of a legal obligation, execution of a task carried out in the public interest or exercise of public authority; c) reasons of public health interest; d) archiving in the public interest, scientific or historical research or for statistical purposes; e) exercise of a right in court; obtain the limitation of the treatment in the case of: a) disputing the accuracy of the personal data; b) unlawful treatment of the Data Controller to prevent its cancellation; c) exercise of your right in court; d) verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the interested party; receive, if the treatment is carried out by automatic means, without impediments and in a structured, commonly used and readable format, the personal data concerning you to transmit them to another Data Controller or - if technically feasible - to obtain direct transmission by the Data Controller to another Data Controller; object, in whole or in part: a) for legitimate reasons related to your particular situation, to the processing of your personal data; b) to the processing of personal data concerning you for the purpose of sending advertising material or direct sales or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by email and/or by traditional marketing methods by telephone and/or paper mail; lodge a complaint with the Personal Data Protection Authority. In the above cases, where necessary, the Data Controller will inform the third parties to whom your personal data are communicated of any exercise of rights by you, with the exception of specific cases (e.g. when this fulfillment proves impossible or involves the use of means manifestly disproportionate to the protected right).
10. Rights of the interested party
You may exercise your rights at any time by:
1. sending a registered letter with return receipt to the address of the Data Controller,
indicated in the following paragraph 11;
2. sending an email to: [email protected]
11. Data Controller
The Data Controller is John Cabot University, based in Rome, Via della Lungara, 233. The updated list of data processors can be found, upon request by the interested party, by sending an email to the address: [email protected]. The designated DPO can be reached at this email, both to exercise your rights and for any clarification.