Luiss - Libera Università Internazionale degli Studi Sociali Guido Carli (hereinafter Luiss) is an independent university with an advanced education model.
This privacy notice describes the characteristics of the processing undertaken by Luiss in relation to the personal data of students collected for the enrollment in degree courses and highlights the students’ statutory rights in this regard.
The privacy notice is periodically updated to take account of regulatory developments and new methods of processing personal data.
What personal data do we collect?
The Controller collects and processes the following personal data:
- identifying data (name, surname, place and date of birth, personal tax number and citizenship);
- contact data (residential address, e-mail address, telephone number);
- data relating to academic record;
- data relating to knowledge of foreign languages;
- particular (sensitive) data, exclusively, if necessary, for the execution of the contractual obligations with the person concerned (e.g. health data, even partial handicap ...);
- data relating to income and assets situation.
Why do we collect your data and why is their processing lawful?
The Controller collects and processes the data subject’s personal information in pursuit of the following purposes:
- to manage – including from an administrative point of view – the relationship with the registered student, organizing all the training activities, teaching support, exchange programs and assessment of the acquired skills, through final exams and interim tests (the legal basis for the processing lies in the contract signed between the University and the registered student);
- to manage – from an accounting and tax point of view – the relationship with the registered student (the legal basis for the processing lies in the contract and the relevant law);
- to manage the possible disbursement of scholarships (the legal basis for the processing lies in the pre-contractual and/or contractual arrangements between the University and the registered student);
- to manage the possible exemption from the payment of the university contributions for the students with verified disability (the legal basis for the processing lies in the relevant law);
- to offer and manage placement and internship services (the legal basis for the processing lies in the contract signed between the University and the registered student);
- to administer questionnaires to the students to obtain feedback about the services offered by the University (the legal basis for the processing lies in the consent given by the data subject);
- to provide the library services, making the educational material available for study, training and research (the legal legitimacy of the treatment can be found in the contract signed between the University and the student);
- to offer and manage placement and internship services, also by filling in the student's biography (the legal basis of the treatment can be found in the contract signed between the University and the student);
- manage access to and use of IT services - such as the creation of an e-mail account and the e-learning platform - and verify its correct use (the legal basis can be found in the contract signed between the University and the student);
- manage specific requests motivated by the student's state of health (the legal basis of the treatment is Article 9, paragraph 2, letter g) of GDPR);
- send commercial communications and newsletters relating to the services offered and to the initiatives promoted, invite the interested party to events, training events or to participate in courses related to the training course (the legal legitimacy can be found in the consent of the interested party).
How does the Controller process your personal data and how long is the data stored for?
The data subject’s personal data are processed both on paper and electronically (servers, cloud database, software, etc.).
The Controller stores the data subject’s data for a period of time consistent with what the law prescribes and having regard to the time required to correctly achieve the purposes stated above.
To whom do we communicate your personal data?
The personal data of registered students can be accessed solely by the University’s employees and other personnel so as to provide the students with the requested services and limited solely to the data necessary to that end, in particular:
- administrative staff;
- academic staff;
- tutors and collaborators.
Our employees and other personnel have been informed and trained regarding the importance of observing the rules and principles governing the processing of personal data.
The Controller shares the personal data of registered students with some suppliers that play a role in providing the requested services and that have been specifically appointed as external Processors to that end, in particular:
- third parties whose services the Controller avails of to handle tax and accounting aspects of the relationship (for example, banks);
- third parties whose services the Controller avails of to provide insurance;
- third parties whose services the Controller avails of to manage the overall relationship with data subjects;
- third parties whose services the Controller avails of for the purposes of the granting of scholarships;
- third parties whose services the Controller avails of for the purposes of the offering and managing placement and internship services.
Suppliers that access data do so in compliance with applicable data protection law and the instructions given by the Controller.
The Controller may not communicate personal data to third parties without the data subject’s consent unless communication is mandated by law or by the authorities:
- should such prove necessary on grounds of national security;
- for reasons of general interest;
- on foot of a request made by public authorities.
Are your data transferred abroad?
The personal data of the student are transferred abroad for the provision of certain services: the transfer in these cases is based on adequacy decisions or on the standard clauses of the European Commission. The student can receive more information on the countries of destination and the services that involve the transfer by contacting email@example.com.
If the student requests to participate in international exchange programs, he will receive a specific information which will provide evidence of the related transfers of personal data abroad.
What are your rights as a data subject and how can you exercise them?
The European Union’s General Data Protection Regulation (GDPR) grants data subjects’ specific rights, in particular, regarding access to data, rectification of data, objection to processing of data for commercial purposes or automated processing of data, erasure of data, restrictions on processing of data and portability of data. Data subjects are also entitled to seek redress through the Data Protection Authority.
Any data subjects wishing to exercise their statutory rights may, without formality, send an e-mail to firstname.lastname@example.org or write to the Controller Luiss Guido Carli at Viale Pola 12, 00198 Rome, Italy, setting out their request and furnishing the information necessary to identify them.
The references of the Responsible for the protection of personal data (RPD or Data Protection Officer, DPO) can be consulted on the website of the Owner http://www.luiss.it/contatti.
The Controller will reply within one month. Should the Controller be unable to reply by the above deadline, it will give you a detailed explanation as to why your request cannot be satisfied.