Guidance - Personal Data Processing Policy

Luiss, the Libera Università Internazionale degli Studi Sociali Guido Carli (hereinafter Luiss), is an autonomous university offering an advanced educational model.

This notice outlines how Luiss processes personal data provided by individuals seeking information about Luiss’s educational offerings, for any reason, and highlights the rights guaranteed to them by law.

The policy is updated periodically to align with current legislation or new methods of processing personal data.

The Data Controller collects and processes the following personal data:

• the data subject’s identifying information (first name, last name);
• contact details (email, phone number);
• information about the course of study.

The Data Controller collects and processes the data subject’s personal information for the following purposes:

• to respond to submitted inquiries and send communications regarding the services offered and initiatives promoted (the legal basis is the data subject’s consent).

The data subject’s personal data is processed both in paper form and electronically (servers, cloud databases, application software, etc.).

The Data Controller retains the data subject’s information for a period determined in accordance with the civil statute of limitations and in compliance with specific sector laws, as well as for the time necessary to properly pursue the purposes identified above.

• internal communication

Only University employees and collaborators who need access to a member’s personal data in order to provide the requested services may access it, and only the information that is instrumental and related to that purpose. Specifically:

• administrative staff;
• collaborators;
• faculty.

Our employees and collaborators have been informed and trained on the importance of complying with the principles and rules regarding the processing of personal data.

• external communication

The Data Controller shares the personal information of data subjects with certain providers that assist in delivering the requested services. These providers are specifically appointed as third-party external Data Processors for this purpose. In particular:

• third parties the Data Controller uses to provide services essential for managing all interactions with the data subject (e.g., newsletter service providers…).

If the provider accesses the data, it will do so in compliance with current data protection laws and the instructions provided by the Data Controller.

The Data Controller will not disclose personal information to other third parties without the data subject’s consent, unless required by law or by an Authority:

• when necessary for reasons of national security;
• for reasons of general interest;
• in response to a request from public authorities.

Member data is not transferred outside the European Economic Area.