Pursuant to Art. 13 of Legislative Decree no. 196/2003 and Art. 13 and 14 of EU Regulation 2016/679
The American University of Rome, with registered office in Rome, at Via Pietro Roselli n. 4, as Data Controller, pursuant to Articles 4 and 28 of Legislative Decree no. 196/2003 (hereinafter, the “Privacy Act”) and Articles 4, 7, and 24 of EU Regulation 2016/679 regarding the protection of personal data for natural persons (hereinafter, “EU Regulation”). Please be advised that pursuant to Art. 13 of the Privacy Act, and Art. 13 and 14 of the EU Regulation, we are the Data Controller for your persona data. As such, we shall process your data for the purposes, and using the methods indicated herein, in compliance with the aforementioned laws and regulations, as well as the principles of lawfulness, ethics, minimization, integrity, transparency, accountability, and the duties of confidentiality to which the undersigned University is bound, in order to provide the utmost protection to your privacy.
The EU Regulation aims to ensure that personal-data processing takes place in a manner that respects the fundamental rights and liberties of natural persons, especially the right to personal-data protection.
“Data Processing” means any operation or set of operations, performed with or without the support of automated processes, and applied to personal data or to sets of personal data, including: collection, recording, organization, structuring, retention, adjustment or modification, excerpting, review, use, disclosure via submission, dissemination or any other means of making such data available, comparison or mining, limitation, erasure, or deletion.
1.TYPES OF PERSONAL DATA
Some personal data (first and last name, email address, telephone number, mailing address, etc.) are collected and filed by the University pursuant to previous communications, personal contacts, terminated/completed academic enrollments or contracts, registrations on our website, voluntary email correspondence, published or public-domain mailing lists and services. These shall be processed in accordance with your wishes.
Moreover, the University may process:
Personal data shall be accurate, complete, and tailored to the purposes for which they are collected and thereafter processed.
All data shall be processed for institutional and administrative purposes by The American University of Rome, connected or relating to activities undertaken by the University to manage its fundraising and development processes.
Personal data supplied or collected shall be processed for the following purposes:
3.LEGAL BASIS FOR PROCESSING
The lawfulness of Data Controller’s processing your personal information is ensured in that it is done in conformity with subparts (a), (b), (c) and (f) of Art. 6, paragraph 1 of EU Regulation, with Art. 9, paragraph 2 of Regulation EU. 4.
4.PROCESSING METHOD; DATA RETENTION
Processing shall be completed manually and/or using automation (e.g. profiling), including with the support of electronic/online and automated instruments, in compliance with the security criteria set forth under Art. 32 of EU Regulation 2016/679, and Attachment B to the Privacy Act (Art. 33-36 of the Act), and shall be performed by duly appointed persons, in compliance with Art. 29 of EU Regulation 2016/679.
Personal data shall be included in any Entries or Logs/Registers required by law for the aforementioned purposes.
5.DISCLOSURE AND DISSEMINATION OF PERSONAL DATA IN THE PURSUIT OF THE PROCESSING PURPOSES.
Personal data may be disclosed to third parties to whom disclosure is required to comply with a legal or statutory duty, as well activities otherwise related to the services provided (including but not limited to: persons, companies, or professional firms that provide support, consulting, or cooperation with bookkeeping, accounting, legal affairs, tax reporting, and finance, to third-party suppliers of services to the University, affiliated organizations and individuals which support and provide services to alumni and supporters (such as, donors of the University who have assigned a scholarship).
The following is a specific list of by category of persons who might have access to your personal data:
Outside the foregoing cases, disclosure of personal data to third parties shall only take place with the data subject's express consent.
Please note, furthermore, that personal data shall not be subject to dissemination, unless specifically authorized by statute and/or regulations, or with the data subject's express consent.
6.OPTIONAL OR MANDATORY NATURE OF CONSENT FOR THE PURSUIT OF CERTAIN PURPOSES
In those cases illustrated by points 2 subparts (a), (b), (c) and 5. (i.e. required third-party disclosures) and pursuant to the Privacy Act and the EU Regulation, the Data Controller is under no duty to acquire explicit consent to process the worker’s personal data. Such processing shall be for primary purposes under Art. 24 of the Privacy Code and Art. 6 of the EU Regulation. No explicit consent from the data subject shall be required, either because such processing is required to discharge a statutory, regulatory duty (Italian or EU), or because processing is necessary for contract performance and management, or to comply with a specific request submitted by the data subject or - finally, because such processing is done for administrative-accounting purposes.
Should the data subject not wish to submit such requested data (necessary for the reasons described supra), it may be impossible to fulfill its requests.
For the cases illustrated in point (2), subparts (d), (e), (f), (g), or for other, distinct reasons, personal-data processing may only be performed with the data subject's express consent.
7.RETENTION PERIOD FOR DATA AND OTHER INFORMATION
Pursuant to Art. 13, paragraph 2, subpart (a) of the EU Regulation, please be advised that, in compliance with the principles of lawfulness, purpose limitation, and data minimization set forth in Art. 5 of EU Regulation 2016/679, for the purposes appearing in point 2 subparts (a), (b), (c) the retention period shall be for no longer than required to achieve the purposes for which they were collected and processed, in accordance with any time periods set by law.
Such retention shall be without prejudice to any statutory five- or ten-year retention terms as may apply to a civil, accounting, or tax-related duties.
For the purposes appearing in point 2, subpart (d), (e), (f), the retention period shall be for ten (10) years from the most recent consent;
Pursuant to Art. 13, paragraph 1, subpart (f) of the EU Regulation, please be advised that data collected may be transferred to an EU member state, to a non-EU country (especially the U.S.), to international organizations, insofar as permitted by Art. 44 et seq. of the EU Regulation.
8. DATA CONTROLLER AND DATA PROTECTION OFFICER.
Identifiers for the Data Controller are as follows:
- THE AMERICAN UNIVERSITY OF ROME, with registered office in Rome, at Via Pietro Roselli n. 4.
The DPO (Data Protection Officer) presently in office is Ms. Loredana Passaretti, Esq., with offices in Rome at Via Flaminia n. 213, e-mail: firstname.lastname@example.org.
9. DATA-SUBJECT RIGHTS
You may exercise your rights under Art. 7 of the Privacy Act and under Art. 15-22 of the EU Regulation at any time. You have the right to:
A. Access your personal data; B. Obtain information on processing purposes, the categories of personal data, the recipients or categories of recipients to whom personal data are or shall be disclosed, and if possible the retention period for the same; C. Secure data correction. Secure data erasure, except for data contained in documents which must be kept by the university as part of its activity, and only in the case of a legitimate reason for requesting erasure;D. Secure processing limitation(s);E. Be alerted by Data Controller in instances of personal-data correction or cancellation; F. Data Portability: obtain your data from a data controller in a structured, machine-readable, commonly used format, and have them forwarded to another data controller without delay;G. Object to processing at any time, including for direct-marketing data processing;H. Object to decisions being predicated on data mining, including profiling, on any natural person. I. File a complaint with the Data Protection Authority, following the procedure and instructions posted to the Authority's official website: www.garanteprivacy.it.
You may exercise your rights under Art. 7 of the Privacy Act and Art. 15-22 of the EU Regulation by sending a written request to the registered address, or to the DPO via email.
For your convenience, please find the full text of Art. 7 of the Privacy Act below. Articles 15-22 of the EU Regulation may be viewed here: https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ITA.
FULL TEXT OF ARTICLE 7 OF THE PRIVACY ACT Art. 7 (Rights to access personal data and other rights)
1. The data subject has the right to have confirmation on whether his/her personal data exists, even if not yet recorded, and to have them provided in an intelligible format. 2. The data subject has the right to know: a) The source of the personal data; b) the purposes and methods for processing; c) the logic applied - in cases where processing is performed with the aid of electronic instruments; d) identifiers for the data controller, data supervisors, and the data protection officer appointed under Article 5, paragraph 2; e) the persons/entities, or categories of persons/entities to whom personal data may be disclosed or who may have access to the same in their role as Data Protection Authority, data supervisors, or data processors. 3. The data subject has the right to secure: a) updates, corrections, or should the circumstances warrant, supplementation of their data; b) erasure, pseudonymization, or blocking of any unlawfully processed data, including those whose retention is not necessary given the purposes for which they were collected and thereafter processed; c) an affidavit that the operations appearing in points (a) and (b) hereof were (including their content) disclosed to those to whom data were disclosed or disseminated, except in cases where discharging such duty would be impossible, or require the use of resources that clearly outweigh the right sought to be protected. 4. The data subject has the right to object, in whole or in part: a) for legitimate reasons, to the processing of their personal data, even if germane to the purpose for which they were collected; b) to the processing of their personal data for marketing or direct-sales, or market research and promotional mailings.