Introduction

Luiss, the Libera Università Internazionale degli Studi Sociali Guido Carli (hereinafter Luiss), is an autonomous university offering an advanced educational model.

Please take a few minutes to read this notice, which outlines how Luiss processes personal data provided by individuals who wish to participate in orientation activities organized by Luiss, and highlights their rights under the law.

We periodically update this document to align it with current legal provisions and/or new methods of processing personal data, thereby ensuring transparency.

What personal data do we collect?

Luiss, the data controller, collects and processes the following personal data:

• student identification data (first name, last name, gender, place and date of birth, tax code);
• contact details (email, phone number);
• data related to the student’s educational institution of origin;
• data related to the student's academic record.

For what purposes do we collect data, and why is the processing legitimate?

Luiss collects and processes the data subject’s personal information for the following purposes:

• to manage, including administratively, the data subject’s registration for orientation activities organized by Luiss (the legal basis for the processing is found in the contractual relationship between the University and the data subject);
• to manage the services necessary for the data subject’s participation in the event (the legal basis for the processing is found in the contractual relationship between the Data Controller and the data subject);
• to send promotional and informational communications about the university’s activities, as well as newsletters regarding the services offered and the initiatives and events promoted (the legal basis is found in the data subject’s consent).

How does the Data Controller process personal data, and for how long is it retained?

The data subject’s personal data is processed electronically (servers, cloud databases, application software, etc.).

The Data Controller retains the data subject’s information for a period determined in accordance with the statute of limitations under civil law and in compliance with specific sector-specific laws, as well as for the time necessary to properly fulfill the purposes identified above.

Who do we share personal data with?

• internal communication

Only University employees and collaborators who need access to a member’s personal data in order to provide the requested services may access it, and only the information that is instrumental and related to that purpose. Specifically:

• administrative staff;

Our employees and partners have been informed and trained on the importance of complying with the principles and rules regarding the processing of personal data.

• external communication

The Data Controller shares the personal information of data subjects with certain providers that assist in delivering the requested services. These providers are specifically appointed as third-party Data Processors external to the processing for this purpose. In particular:

• third parties that the Data Controller uses to provide services essential for managing all interactions with the data subject (e.g., newsletter service providers, streaming service platforms, etc.).

If the provider accesses the data, it will do so in compliance with current data protection laws and the instructions provided by the Data Controller.

The Data Controller may share the personal data of data subjects with partners and sponsors identified on a case-by-case basis, in accordance with specific agreements entered into with the University. These entities, as independent Data Controllers, will provide data subjects with their own privacy notices and, more broadly, fulfill all obligations set forth by the relevant legislation.

The Data Controller does not disclose personal information to other third parties without the data subject’s consent, unless required by law or by an Authority:

• when necessary for reasons of national security;
• for reasons of public interest;
• in response to a request from public authorities.

Is data transferred abroad?

Member data is not transferred outside the European Economic Area.

What rights does the law grant to data subjects, and how can they exercise them?

The European General Data Protection Regulation (2016/679) grants data subjects specific rights. Specifically, these include the rights to access, rectify, object to processing for commercial purposes or exclusively automated processing, erase, restrict, and port the data, as well as the right to contact the Data Protection Authority.

If the data subject wishes to exercise their rights as recognized by law, they can simply send an email to privacy@luiss.it or write to the Data Controller, Luiss Guido Carli, at Viale Pola no. 12 – 00198 – Rome, outlining their request and providing the necessary information for identification.

The contact details for the Data Protection Officer (DPO) can be found on the Data Controller's website at www.luiss.it.

The Data Controller will respond within one month. If the Data Controller is unable to respond within the specified timeframe, it will provide a detailed explanation of the reasons why it cannot fulfill the request.