European General Data Protection Regulation (GDPR)

Università Carlo Cattaneo – LIUC (hereinafter referred to as the “Università”), with its registered office at Corso Matteotti 22, Castellanza, declares to fall within the scope of application of the General Regulations on Protection of Personal Data (hereinafter referred to as the “Law” or “GDPR”), with reference to the use of personal data (hereinafter referred to as the “data”), including data considered “sensitive” (in the broadest sense of the term provided by law), that is to say information relating to health, one’s own or of family members, provided by the data subject.

1 General principles

The collected data will be:

1. handled in a lawful, correct and transparent way towards the data subject according to the principles of “lawfulness, correctness and transparency”;
2. collected for specific, explicit and legitimate purposes and, subsequently, processed in ways that are not incompatible with these purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, in accordance with the principle of “data minimisation”;
4. accurate and, if necessary, updated; all reasonable measures will be taken to cancel or correct inaccurate data in relation to the purposes for which they are processed, in accordance with the principle of “accuracy”;
5. stored in a form that allows identification of data subjects for a period of time not exceeding the achievement of the purposes for which they are processed, in accordance with the principle of “limitation of conservation”;
6. processed in such a way as to ensure adequate security of personal data, including protection, through appropriate technical and organisational measures, unauthorised or unlawful processing and accidental loss, destruction or damage, in accordance with the principle of “integrity and confidentiality” ». (Article 5 GDPR).

2 Methods of processing

The processing of personal data may take place using manual, computerised and telematic tools, though always under the supervision of technical and organisational measures to guarantee security and confidentiality, especially in order to reduce the risk of destruction or loss, even accidental, of data, unauthorised access, or processing that is not allowed or does not comply with the purpose of the collection.

Except as provided for in the specific information, concerning data for which consent is not required or can not be deleted, the data will be kept only for the time and scope for which they were collected.

The Università can avail itself of the support of external suppliers for the provision of some services necessary for technical-administrative management, which may be aware of the personal data of the data subjects, for the sole purpose of the requested service.

3 Rights of the data subject

In relation to the processing of personal data, an data subject has the right to request:

1. access: they may ask for confirmation whether or not data is being processed concerning them;
2. correction: they may request to rectify or supplement the data that they have provided or otherwise is in possession of the Università, if they consider such data to be inaccurate, in any case where they can not modify them independently;
3. cancellation: they may request that the data acquired or processed by the Università be cancelled, if such data are no longer necessary for the purposes indicated, in any case of revocation of consent or opposition to treatment, in any case of unlawful processing, or if there is a legal obligation cancellation policy;

Please note that pursuant to article 6 and article17, third paragraph of the Law, the data will be processed in any case where it is necessary to fulfill a legal obligation to which the data processor is subject, if the processing and storage or storage of data are necessary for the execution of a task of public interest, or connected to the exercise of public authority for which the data processor is invested;

1. limitation: they may request the limitation of the processing of personal data, when one of the conditions is set forth in article 18 of the GDPR; in this case, the data will not be processed, except for storage, without consent, with the exception of what is stated in the same article, in paragraph 2;
2. opposition: they may oppose at any time the processing of their data on the basis of a legitimate interest of the Università. In some cases (such as in the exercise of their institutional functions, or defence in a court of Law) the legitimate interest of the Università prevails over that of the data subject; the opposition of the data subject will instead always and always in the interest of the Università in the case of data processing for marketing or commercial purposes. Article 21 of the Law will apply
3. portability: they may ask to receive their data, or send the data to another owner indicated by them, in a structured format, commonly used and readable by an automatic device.
4. right to be forgotten: this information only concerns the processing of personal data that the data subject has provided to the Università, possibly also by purchasing services provided against payment or by participating in initiatives and courses – and those that, eventually, the Università will acquire during the course of the relationship.

If the data subject wants to assert the above rights, in particular the right to be forgotten (article 17 of the GDPR), they should send a written request to the e-mail address privacy@liuc.it

Please note that having regard to article 6 and article 17, third paragraph of the Law, the data will be processed in any case where it is necessary to fulfill a legal obligation to which the data processor is subject, if the processing and storage or storage of data are necessary for the execution of a task of public interest, or related to the exercise of official authority vested in the data processor.

4 Contacts

Any questions concerning this privacy statement or how to process personal data should be addressed to the person responsible for Personal Data Protection, contactable at the following email address: rpd@liuc.it

5 Changes to the Privacy and Cookie Policy

The Università reserves the right to make changes to this Privacy Policy at any time, by giving notice by publishing it on the LIUC website. Data subjects are therefore invited to check such updates on the LIUC webite.

If any changes are particularly significant and/or impact heavily on the rights of the data subject, the Università could also communicate them via a different method (such as sending an email).

1 Information collected

The Università can collect the following types of personal data:

• name and contact information, such as address, e-mail address and telephone number, as well as place and date of birth, tax code and passport or identity card number, country of residence and nationality, as well as bank details. A unique matriculation number will also be assigned to each student;
• information relating to previous scholastic, academic or professional experience, the duration of studies and the results of exams, the title of the thesis or the final project. The documentation on exams taken, exam marks and other information contained in the student’s curriculum, on evaluation of study experiences abroad, on work experience (internship or other), and evaluation questionnaires will be kept;
• information on the family or personal situation and on both academic and extra-curricular interests, for example where this is relevant for assessment of the suitability to receive a scholarship or to provide appropriate assistance in relation to the needs of each student;
• personal data may also be processed in relation to participation in sporting events and academic competitions based on merit;
• sensitive personal data: information on the health of the student and their family members, political opinions, belonging to political student groups, possible convictions or crimes that are detected in internal disciplinary proceedings, etc. will be treated only for the purposes permitted by law and only for the tasks of the Università. Sensitive data also refers to all information related to a special category of students with disabilities (such as DSA/BES).

If an data subject does not express their consent to the processing of sensitive data, the Università will not be able to register them in the IT systems of the Università.

2 Purpose and processing of data

Information concerning the Università career and the images of students, produced by the Università in the exercise of their institutional functions, will be processed, also with the aid of electronic or automated means. The data will be processed for the following purposes:

1. The Università can use data for Università orientation, to access the use of available academic resources and services. This purpose includes all the processing activities relevant and necessary to provide a comprehensive, continuous and global educational and work guidance service. Relevant data processing activities will be the selection and admission procedure, enrolment and career, the use of e-learning platforms and communication between students, communication between teachers and students or between Università staff and students, the degree, the publication of theses, job placement, accommodation, catering, sport and culture, and social commitment initiatives.
2. for the activities and institutional tasks of the Università. This also includes participation in institutional events (such as a graduation ceremony, etc.) or other initiatives related to compulsory academic activities; There is also provision for: communication of contact data within the group to which students belong in relation to lectures/lessons and assessment of exams, the sending of multi-media aids, the dissemination of periodical publications reserved exclusively for students of the Università and referred to important institutional events for career and Università life, job market orientation initiatives (internships and placements), post-graduate training and scholarships;
3. for the dissemination of periodical publications both in paper and electronic format; other publishing/digital/paper activities for communication/promotion purposes of the Università that require the use of images made within the Università;
4. for reasons of security and internal organisation, including the assignment of the card for access to Università services.
5. for sending periodic newsletters as well as notices and invitations to participate in cultural and social events and initiatives offered by the Università , including initiatives to support the Università;
6. for registration and participation in competitions or academic competitions;
7. for library services purposes, to allow access, among other things, to the services and materials contained therein, to borrow books and other editorial products, for consultation and, more generally, to benefit from all the services offered by the library;
8. for research and statistical purposes, in an anonymous and aggregate form;
9. For compliance with legal obligations. It should also be noted that the Università may transmit some data to other organisations if this is necessary to fulfill legal obligations (such as identification or prevention of crimes or if required by law).

3 Circulation and communication of data

Personal data can be accessed by students enrolled on courses, and similar activities, through the e-learning platform, the staff of the Università, the teachers of courses attended, and other persons required by law or charged with administrative aspects and academic services who need the data for the performance of their duties or for the position held, as well as the other persons who provide services to the Università, who, in relation to the tasks performed, have access to the data.

All this, is always in relation to the purposes indicated above.

Furthermore, the data of the data subject may also be communicated to:

1. national and international public bodies such as Ministries and Public Administration Offices, in relation to the performance of the Università’s institutional duties, including those relating to the procedures for issuing a residence permit;
2. banking institutions;
3. natural or legal persons, external bodies and associations, including public and professional studies and companies (also outside Italy), for the execution of contract with the data subject and for the legitimate interests of the Università. These data may also be disclosed to other legal persons.
4. other student networks, in this context the data could be accessible to former students, even those who live outside Italy;
5. close family environment, in any case where it is necessary to inform and provide them with urgent communications;
6. international bodies, in relation to participation in international programmes when the country of destination complies with the principle of adequacy (even if the Università has a mobility agreement with that country).

4 Consent to data processing

The processing of the following data is not subject to student consent: data processed for purposes of security and internal organisation; data for the use of requested and subscribed academic goods and services; institutional tasks of data processing of the Università as well as for the performance of activities and communications relating to products and services for which an data subject has shown particular interest; processing of data for access to the Library and related services and processing of data for the fulfillment of legal obligations.

Data that are processed with the consent of the data subjects may not be necessary, but they are nevertheless significant in order to provide some services in the interest of a student.

5 Basis for processing information

Data can be processed when:

• it is necessary for the execution of the relationship with a student or to take action at the request of the same, even before the acquisition of the student’s qualification;
• it is necessary for the performance of tasks of public interest as an academic institution, internal organisation and institutional communication;
• it is necessary for the protection of vital interests of the Università or those of third parties, including security measures, for the Università or for the legitimate interests of third parties;
• the consent of the data subject was given;
• a legal obligation must be respected.

6 International data transfers

Some personal data may be transferred and stored in a destination outside the European Economic Area (“EEA”).

In such circumstances, personal data will only be transferred:

• if the transfer is subject to one or more “adequate safeguards” for international transfers provided for by an applicable law (for example, standard data protection clauses adopted by the European Commission);
• if a decision of the European Commission establishes that the country or territory to which the transfer is made guarantees an adequate level of protection; or
• if there is another situation where transfer is permitted by an applicable law

1 Information collected

The Università can collect the following types of personal data:

• the name and contact information, such as address, e-mail address and telephone number, data relating to the company or business in which the data subject works;
• information relating to previous training, role within the company and other information related to the professional sphere. Documentation will be kept on the assessment of previous interactions with the Università and on feedback in relation to the role of the company (clients for teaching or research activities of the Università, suppliers of the Università, partners in activities or specific programmes such as Career Service for the organisation of internships and work placements, dissemination of job opportunities, graduate reports) or for fundraising activities or contributions for the right to study;
• information related to interaction with the Università such as participation in events and/or training courses, organisation of internships and work placements and job opportunities for students and Università graduates.

2 Purpose and processing of data

As an individual, employee or representative of certain companies, images, produced by the Università in carrying out the activities or in the relationships, will be processed, also with the aid of electronic or automated means. The data will be processed for the following purposes:

1. for the supply of goods and services;
2. for the management of academic and training initiatives, including work placement activities, internships and any other related training activity;
3. for the provision of research services, including research activities and training products;
4. to support the activities of the Università and fundraising;
5. under explicit consent, for the dissemination of periodical publications, including the collection of funds and initiatives to support the activities of the Università, both in paper and electronic format; other publishing/digital/paper activities for communication/promotion purposes of the Università that require the use of images made within the Università, which could also consist of publication on social networks.
6. for reasons of security and internal organisation. Furthermore, for the same reasons, the data collected may be used for statistical and research purposes in an anonymous and aggregate form;
7. for the organisation and participation in other entrepreneurial events and initiatives, including entry competitions;
8. for compliance with contractual and legal obligations. It should also be noted that the Università may transmit some data to other organisations if this is necessary for the identification or prevention of crimes or if this is required by law.

3 Circulation and communication of data

Access to data is permitted for the personnel of the Università, who need the data for the fulfillment of their duties, as well as the other persons who provide services to the Università in relation to the tasks performed. Access to data is always connected to the purposes indicated previously.

Furthermore, the data of the data subject may also be communicated to:

1. national and international public bodies, such as Ministries and Public Administration Offices, in relation to the performance of the Università’s institutional tasks,
2. banking institutions, in particular UBI Banca, as part of the contract with the data subject;
3. public and private bodies to demonstrate the previous experience, skills and field of excellence of the Università and its professors and researchers;
4. natural or legal persons, external bodies and associations, including public and professional studies and companies (also outside the Italian Republic), for the execution of the contract with the data subject and for the legitimate interests of the Università;
5. close relatives, in any case where it is necessary to inform them and provide them with urgent communications;
6. international bodies, in relation to participation in international programmes or financing activities when the country of destination complies with the principle of adequacy of the GDPR.

4 Data Concession

The following Data are not subject to the consent of an data subject: data processed for security and internal organisation purposes; data for the use of goods and services requested and signed and processing of data for the fulfillment of legal obligations. Data that are processed with the consent of the data subjects may not be necessary, but they are nevertheless significant in order to provide some services. The data provided will go to servers located in the European Economic Area.

5 Basis for processing information

Data can be processed when:

• it is necessary for the execution of a contract or a contract of collaboration with the company of affiliation;
• it is necessary to provide or receive the goods and services contained in the contract, as well as other ancillary activities;
• it is necessary for the performance of tasks of public interest as an academic institution;
• it is necessary under an agreed convention for internships or work placements;
• it is necessary for the Università or for the legitimate interests of third parties, including security measures and internal organisation and institutional communications;
• the consent of the data subject was given;
• a legal obligation must be respected.

6 International data transfers

Some personal data may be transferred and stored in a destination outside the European Economic Area (“EEA”), for example where they are processed by one of the suppliers or partners of the Università.

In such circumstances, personal data will only be transferred if:

• the transfer is subject to one or more “adequate safeguards” for international transfers provided for by the applicable law (for example, standard data protection clauses adopted by the European Commission);
• a decision of the European Commission establishes that the country or territory to which the transfer is made guarantees an adequate level of protection; or
• there exists another situation where transfer is permitted by applicable law (for example, in the case of explicit consent).

Information collected

The Università can collect the following types of personal data

• the name and contact information, such as address, e-mail address and image telephone number (photo and/or video footage during Università events);
• information relating to interactions with the Università such as participation in events and/or training courses;
• information related to previous training, work history, and personal professional profile. The documentation on interaction with the Università and the preferences of the data subjects will also be kept.

2 Purpose and processing of data

Images and related information, stored or produced by the Università in the exercise of its institutional functions, will be processed, also with the aid of electronic or automated means. This privacy statement applies until the data subject has not developed a further relationship with the Università. The data will be processed for the following purposes:

1. a) to provide information on services similar to those initially requested, institutional communications and retargeting purposes;
2. b) to respond to the particular requests of the data subject and to use the services requested;
3. c) for security purposes and internal organisation;
4. d) the collected data can be used for research and statistical purposes. These data may be processed either on a non-aggregated basis or on an anonymous and aggregated basis;
5. e) with the explicit consent, for sending to the e-mail address provided with periodical publications, including the collection of funds and initiatives to support the activities of the Università; other publishing/digital/paper activities for communication/promotion purposes of the Università, even if they require the use of images produced within the Università;
6. f) for data subjects who register as users of the Library: to allow access to the services and materials contained therein, to borrow books and other editorial products, for consultation and, more generally, to benefit from all the services offered by the library;
7. g) the Università may transmit some data to other organisations if this is necessary for the identification or prevention of crimes or if this is required by law.

3 Circulation and communication of data

Data may be accessed by the Università’s personnel, professors and subjects provided for by law or who in any case collaborate with the Università, who need the dada for the performance of their duties, as well as other persons providing services, to whom the Università has specifically conferred the role of manager or qualified interlocutor for the processing of the data of these subjects, in relation to the tasks performed, who have access to the relevant data.

Access to the data is always connected to the purposes indicated previously.

Furthermore, the data of the data subject may also be communicated to:

1. a) national and international public bodies, such as Ministries and Public Administration Offices, in relation to the performance of the Università’s institutional duties;
2. b) natural or legal persons, external bodies and associations, including public and professional studies and companies (also outside the Italian Republic), for the execution of the contract with an data subject and for the legitimate interests of the Università.

4 Data concession

The following Data are not subject to the consent of an data subject: data processed for security and internal organisation purposes; data for the use of available academic goods and services; institutional tasks of data processing of the Università as well as for the performance of activities and communications relating to products and services for which the data subject has shown particular interest; processing of data for the fulfillment of legal obligations. Data that are processed with the consent of the data subjects may not be necessary, but they are nevertheless significant or in order to provide some services. The data provided will be stored on servers located in the European Economic Area.

5 Basis for processing information

Data may be processed if it is necessary to respond to a particular request by an data subject, to pursue a legitimate interest or because there is a legal obligation.

In this regard, the personal data of an data subject are processed for:

• interaction with the data subject and to handle any doubts or feedback from the same;
• any other purpose for which the data subject has provided to them;
• the necessity of the Università to carry out its activities in the public interest or because it is necessary for the legitimate interests of third parties.

6 International data transfers

Personal data will not be transferred or stored in a destination outside the European Economic Area (“EEA”).