Privacy Policy (Articles 13 and 14 of EU Regulation 2016/679)
Introduction
Luiss, the Libera Università Internazionale degli Studi Sociali Guido Carli (hereinafter “Luiss”), is an autonomous university that offers an advanced educational model.
This notice describes how Luiss processes the personal data provided by individuals taking written exams using the Respondus Lockdown Browser software, and highlights the rights that the law guarantees to data subjects. To ensure maximum transparency regarding the administration of the identified written exams, it is deemed appropriate and necessary to provide more detailed information on certain specific aspects of the data processing carried out.
The policy is periodically updated to align with current legislation or new methods of processing personal data.
What personal data do we collect?
The Data Controller collects and processes the following personal data:
- the data subject’s identifying information (first name, last name, username);
- contact details (email, phone number);
- pseudonymized identification data (user code);
- device identifier (IP address).
There is no processing of biometric data.
For what purposes do we collect your data, and why is the processing lawful?
The Data Controller collects and processes the data subject’s personal information for the following purposes:
- to manage the relationship with the enrolled student by organizing all activities that support teaching and assess acquired skills through exams and interim tests (the legal basis for the processing is the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Article 6(1)(e) of the GDPR, as well as the necessity for the performance of pre-contractual or contractual measures between the University and the data subject pursuant to Article 6(1)(b) of the GDPR);
- to ensure the proper conduct of exams and interim assessments (the legal basis for the processing is the University’s legitimate interest pursuant to Article 6(1)(f) of the GDPR, as well as the performance of a legal obligation pursuant to Article 6(1)(c) of the GDPR).
Regarding purpose b), it is emphasized that the faculty member serves as a public official under Articles 357 and 358 of the Italian Criminal Code, and therefore acts as the guarantor of the examination process's fairness. Furthermore, Law No. 475 of April 19, 1925, as amended, states that misconduct during exams is an offense and, as such, must be prevented in the first place and, if detected, potentially punished. A public official who becomes aware of a crime is required to report it.
How does the Data Controller process your personal data, and for how long does it retain it?
The data subject’s personal data is processed both in paper form and electronically (servers, cloud databases, application software, etc.).
The Data Controller retains the data subject’s information for a period limited to the pursuit of the purposes, based on the time necessary for the proper fulfillment of the legitimate purposes as determined and explained above, and in any case not exceeding 5 years.
Nature of data provision and consequences of any failure to provide data
Providing data for the aforementioned purposes is essential. Refusal to provide the data in the established manner, specifically regarding processing that involves the use of proctoring tools, will prevent the Data Controller from providing any services. This applies unless separate agreements identify alternative ways to conduct the exam in cases of justified, extraordinary, and documentable reasons.
Who do we share your personal data with?
- internal communication scope
Only University employees and collaborators who need access to a registered student’s personal data in order to provide the requested services may access it, and only the information that is instrumental and related to that purpose. Specifically:
- administrative staff;
- collaborators;
- tenured faculty.
Our employees and collaborators have been informed and trained on the importance of complying with the principles and rules regarding the processing of personal data.
- external communication
The Data Controller shares the personal information of data subjects with certain providers who assist in delivering the requested services and who are specifically appointed as external Data Processors for this purpose. In particular:
- third parties the Data Controller uses to provide services essential for managing all interactions with the data subject (e.g., Respondus Inc.: https://web.respondus.com/privacy/privacy-additional-lockdown-browser/).
If the provider accesses the data, it will do so in compliance with current data protection laws and the instructions provided by the Data Controller.
The Data Controller will not disclose personal information to other third parties without the data subject’s consent, unless required by law or by an Authority:
- if necessary for reasons of national security;
- for reasons of general interest;
- in response to a request from public authorities.
Is your data transferred abroad?
As a general rule, the data of the data subject is not transferred outside the European Economic Area. Should such a transfer become necessary, the provisions outlined in Chapter V of the GDPR will apply. Specifically, Respondus Inc., appointed as an external data processor pursuant to Article 28 of the GDPR, operates in the United States of America and adheres to the EU-US Data Privacy Framework.
What are your rights as a data subject, and how can you exercise them?
The European General Data Protection Regulation (2016/679) grants you, as a data subject, specific rights.
For each instance of processing, you can exercise the following rights:
- Right of access: You have the right to obtain a copy of the personal data we hold and process.
- Right to rectification: You have the right to rectify your personal data held by the Data Controller if it is outdated or incorrect;
- Right to object to the processing of personal data for commercial purposes: You can request that the Data Controller stop sending commercial communications at any time;
- Right to object to decisions based solely on automated processes: You may request not to be subject to decisions made solely on the basis of automated processes, including profiling;
- Right to withdraw consent: You have the right to withdraw your consent for a specific processing activity at any time.
- Right to contact the Data Protection Authority: You have the right to contact the Data Protection Authority if you have any concerns about how the Data Controller processes your personal data.
You may also exercise the following rights under certain circumstances:
- Right to erasure: You may request that the Data Controller erase your personal data if the purposes of the processing have ceased and there are no legitimate interests or legal provisions requiring its continuation;
- Right to object to processing: You may request that the Data Controller cease a specific processing activity involving your personal data;
- Right to restrict processing: You have the right to request that the Data Controller restrict the processing of your personal data;
- Right to data portability: You have the right to obtain a copy of your data in a structured, machine-readable format that can be transferred to another Data Controller.
If you wish to exercise your rights as recognized by law, you can simply send an email to privacy@luiss.it or write to the Data Controller, Luiss Guido Carli, at Viale Pola no. 12 – 00198 – Rome, outlining your request and providing the necessary information to identify the applicant.
The contact details for the Data Protection Officer (DPO) are available on the Data Controller's website: http://www.luiss.it/contatti. The Data Controller will respond to you within one month. If the Data Controller is unable to respond within the specified timeframe, they will provide a detailed explanation of the reasons why your request cannot be fulfilled.