Privacy Policy regarding the processing of personal data

Introduction

This notice outlines the processing carried out by the Libera Università Internazionale degli Studi Sociali Guido Carli – Luiss (“Data Controller”), in accordance with Reg. EU/2016/679 and Italian Legislative Decree No. 196 of June 30, 2003, as amended (“Privacy Code”), regarding students' personal data, and outlines their statutory rights.

The privacy policy is periodically updated to reflect changes in regulations and new methods of processing personal data.

What personal data do we collect?

The Data Controller collects and processes the following personal data:

  • identifying data (first name, last name, place and date of birth, tax code, and citizenship);
  • image;
  • contact details (residential address, email address, phone number);
  • data related to academic background;
  • data regarding foreign language proficiency;
  • special or sensitive data (e.g., health data, judicial data);
  • data related to income and financial status (e.g., ISEE);
  • data regarding an emergency contact (first name, last name, phone number, email, and relationship).

Why do we collect your data, and why is its processing lawful?

The Data Controller collects and processes the data subject's personal data for the following purposes:

  1. to manage the relationship with the student, including administrative aspects, by organizing all educational activities, academic support, exchange programs, and the assessment of acquired skills through final exams and interim tests (the legal basis for the processing is the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Article 6(1)(e) of Regulation (EU) 2016/679);
  2. to manage the administrative relationship with the enrolled student and to send them questionnaires about the services offered by the University (the legal basis for the processing is the contract signed between the University and the data subject);
  3. to use the student's image to create an electronic badge (the legal basis for processing is found in the contract signed between the University and the data subject);
  4. to send students questionnaires aimed at collecting statistical data requested by the Ministry of Education and other institutional entities, and to support the University in designing and conducting surveys and thematic studies (the legal basis for the processing is the contract signed between the University and the data subject);
  5. manage the student relationship from an accounting and tax perspective (the legal basis for processing is found in the contract and relevant legislation);
  6. contact the designated emergency contact in cases of extreme need (the legal basis for processing is the student's consent);
  7. manage the potential awarding of scholarships (the legal basis for the processing is found in the pre-contractual and/or contractual phase between the University and the data subject, as well as in the fulfillment of a legal obligation pursuant to Article 6(1)(c) of Regulation (EU) 2016/679);
  8. share the data of the student concerned with the entity awarding any scholarships (the legal basis for the processing lies in the performance of contractual obligations between the Data Controller and the Provider, carried out for the benefit of the data subject, as well as in the fulfillment of a legal obligation pursuant to Article 6(1)(c) of Regulation (EU) 2016/679);
  9. manage the potential allocation of affiliated housing (the legal basis for the processing lies in the contract signed between the University and the student);
  10. manage any exemptions from paying university fees for students with a certified disability, as well as handle specific requests based on a student's health condition (the lawful basis for processing personal data is the performance of a legal obligation, as per Article 6(1)(c) of EU Regulation 2016/679, and for special categories of data, the data subject's consent);
  11. provide library services, making educational, training, and research materials available to the data subject (the legal basis for the processing is found in the contract signed between the University and the data subject);
  12. provide and manage placement and internship services (the legal basis for the processing is the contract signed between the University and the student);
  13. compile the student's biography (the legal basis for the processing is found in the contract signed between the University and the data subject);
  14. manage access to and use of IT services—such as creating an email account, setting up the e-learning platform, or using voice assistance tools (Alexa)—and verify their proper use (the legal basis for processing is found in the contract between the University and the student);
  15. manage student participation in extracurricular educational activities organized by Luiss, including but not limited to Adoption Lab, Academyc Gym, and language courses (the legal basis for the processing is found in the contract signed between the University and the student);
  16. publish final thesis data on the Luiss online thesis archive https://tesi.luiss.it/ (the legal basis for processing arises when the graduation application is submitted);
  17. manage student participation in cultural and volunteer activities organized by Luiss (the legal basis for the processing is the data subject's consent, which is requested when the participation request is made);
  18. manage the booking of Luiss shuttles via the app (the legal basis for the processing is the contract signed between the University and the student);
  19. to allow, upon request from the data subject or legitimate third parties, the issuance of a certificate for the degree obtained from the University (the legal basis for the processing lies in the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Article 6(1)(e) of Reg. EU/2016/679, as well as in the relevant legal provisions);
  20. to include the student in the Luiss Alumni community by sending job offers and invitations to events organized by the network in collaboration with Luiss (the legal basis for the processing is found in the contract signed between the University and the student);
  21. send commercial communications and newsletters about the services offered and initiatives promoted, invite the data subject to events, training events, or to participate in courses related to the educational program (the legal basis is the student's consent);
  22. process data for profiling purposes to carry out dedicated activities based on interests, experiences, skills, and knowledge (e.g., internship placement services, invitations to events based on the student's course of study...) (the legal basis is the student's consent).

How does the Data Controller process your personal data, and for how long is it retained?

The data subject's personal data is processed electronically (servers, cloud databases, software, etc.).

The Data Controller retains the data subject's data for a period consistent with legal requirements and considering the time needed to properly fulfill the purposes outlined above.

Who do we share your personal data with?

Internally

Only employees and other University personnel can access students' personal data to provide the requested services, and only the data necessary for that purpose, specifically:

  • administrative staff;
  • academic staff;
  • tutors and collaborators.

Our employees and other staff have been informed and trained on the importance of adhering to the rules and principles governing the processing of personal data.

Externally

The Data Controller shares students' personal data with certain providers who play a role in delivering the requested services and who have been specifically appointed as external Data Processors, specifically:

  • third parties the Data Controller uses to manage the tax and accounting aspects of the relationship (for example, banks);
  • third parties the Data Controller uses to provide insurance services;
  • third parties the Data Controller uses for the overall management of the relationship with data subjects;
  • third parties the Data Controller uses to award scholarships;
  • third parties the Data Controller uses to offer and manage placement and internship services.

Providers who access the data do so in compliance with applicable data protection law and the instructions provided by the Data Controller.

The Data Controller may not disclose personal data to third parties without the data subject's consent, unless such disclosure is required by law or by the authorities:

  • if necessary for reasons of national security;
  • for reasons of public interest;
  • based on a request from public authorities.

Is your data transferred abroad?

As a general rule, the data subject’s personal data is not transferred outside the European Union. However, should it be necessary to transfer the data subject’s personal data outside the EU, the processing will be carried out in accordance with Title V (GDPR).

If students apply to participate in international exchange programs, they will receive a specific notice outlining the related transfers of personal data abroad.

What are your rights as a data subject, and how can you exercise them?

The GDPR grants specific rights to data subjects, notably:

  • Right of access: You have the right to obtain a copy of the personal data we hold and process;
  • Right to rectification: You have the right to rectify your personal data held by the Data Controller if it is outdated or incorrect;
  • Right to object to the processing of personal data for commercial purposes: you may request that the Data Controller cease sending commercial communications at any time;
  • Right to object to decisions based solely on automated processes: You can request not to be subject to decisions made based solely on automated processes, including profiling;
  • Right to withdraw consent: You have the right to withdraw your consent for a specific processing activity at any time;
  • Right to contact the Data Protection Authority: You have the right to contact the Data Protection Authority if you have any concerns about how the Data Controller processes your personal data.

You may also exercise the following rights under certain circumstances:

  • Right to erasure: You can request that the Data Controller erase your personal data if the purposes of the processing have ceased and there are no legitimate interests or laws requiring its continuation;
  • Right to object to processing: You can request that the Data Controller cease a specific processing activity involving your personal data;
  • Right to restrict processing: You have the right to ask the Data Controller to limit the processing of your personal data;
  • Right to data portability: You have the right to obtain a copy of your data in a structured, machine-readable format that can be transferred to another Data Controller.

Data subjects wishing to exercise their legal rights can send an email to privacy@luiss.it or write to the Data Controller, located at Viale Pola 12, 00198 Rome, Italy, outlining their request and providing the necessary information to identify themselves.

The contact details for the Data Protection Officer (DPO) can be found on the Data Controller's website at http://www.luiss.it/contatti.