Personal Data Processing Policy - Residenze Luiss

Introduction


Luiss, the Libera Università Internazionale degli Studi Sociali Guido Carli (hereinafter “Luiss” or the “Data Controller”), is an autonomous university offering an advanced educational model.
This notice outlines how Luiss processes the personal data provided by individuals applying for housing, and highlights their rights under the law.
We periodically update this document to align it with current legal provisions and/or new methods of processing personal data, thereby ensuring transparency.


What personal data do we collect?


The Data Controller collects and processes the following personal data:

  • student identification data (first name, last name, tax code, date and place of birth, gender);
  • contact details (email).


Depending on the type of request, documentation related to disability status and/or financial situation may also be processed. This data may fall under the special categories of personal data outlined in Article 9 of Regulation (EU) 2016/679.


For what purposes do we collect data, and why is its processing lawful?


The Data Controller collects and processes the data subject’s personal information for the following purposes:

  • to verify the requirements for allocating Luiss housing or affiliated housing (the legal basis for the processing is the performance of pre-contractual and contractual measures pursuant to Article 6(1)(b) of the GDPR);
     
  • to manage the potential allocation of Luiss housing or affiliated housing (the legal basis for the processing is the performance of the contract pursuant to Article 6, paragraph 1, letter b) of the GDPR).

If, in connection with a specific request, data relating to a person’s disability status is processed, which falls under the special categories of personal data outlined in Article 9 of Regulation (EU) 2016/679, such processing is carried out only to the extent strictly necessary and is lawful under Article 9(2)(b) of the same Regulation, as it is necessary for the fulfillment of obligations and the exercise of rights related to social protection.

Any data related to the data subject’s financial situation is processed solely for the purposes outlined above and in accordance with the lawful conditions set forth in Article 6 of the Regulation, as such data does not fall within the special categories referenced in Article 9.

Providing personal data is necessary to evaluate the request for housing allocation. Failure to provide this data will prevent the Data Controller from proceeding with the review and potential allocation of housing.


How does the Data Controller process personal data, and for how long is it retained?


The data subject’s personal data is processed both in paper form and electronically (servers, cloud databases, application software, etc.).


The Data Controller retains the data subject’s information for a period determined by the statute of limitations in civil law and in compliance with specific sector-specific laws, as well as for the time necessary to properly pursue the purposes identified above. Specifically, the data will be retained for the entire duration of the assignment process and the contractual relationship, and thereafter for a maximum period of 10 years from the termination of the relationship, unless otherwise required by law or to protect the Data Controller's rights.


Who do we share personal data with?

  • internal communication scope

    Only Luiss employees and collaborators who need access to a member’s personal data in order to provide the requested services may access it, and only the information that is instrumental and related to that purpose. Specifically:
     
  • Administrative staff
    :
    Our employees and contractors have been informed and trained on the importance of complying with the principles and rules regarding the processing of personal data.
     
  • external communication scope

    The Data Controller shares the personal information of data subjects with certain suppliers who assist in providing the requested services. These suppliers are specifically appointed as third-party external Data Processors for this purpose. In particular:
     
  • third parties that the Data Controller uses to provide services essential for managing all interactions with the data subject.


If the provider accesses the data, it will do so in compliance with current data protection laws and the instructions provided by the Data Controller.


The Data Controller will not disclose personal information to other third parties without the data subject’s consent, unless required by law or by an Authority:

  • when necessary for reasons of national security;
  • for reasons of public interest;
  • in response to a request from public authorities.


Is the data transferred abroad?


As a general rule, the data subject’s data is not transferred outside the European Economic Area. Should such a transfer become necessary, the provisions outlined in Chapter V of the GDPR will apply.

What rights does the law grant to data subjects, and how can they exercise them?


The GDPR guarantees specific rights to the data subject. Specifically, these include the right to access, rectify, object to processing for commercial purposes or exclusively automated processing, erase, restrict, and port the data, as well as the right to contact the Data Protection Authority. The Data Controller does not engage in automated decision-making processes or profiling activities as defined in Article 22 of the GDPR.


If a data subject wishes to exercise their legally recognized rights, they can simply send an email to privacy@luiss.it or write to the Data Controller, Luiss Guido Carli, at Viale Pola no. 12 – 00198 – Rome, outlining their request and providing the necessary information for its identification.


The contact details for the Data Protection Officer (DPO) can be found on the Data Controller's website at www.luiss.it.