Student Affairs Office - Personal Data Processing Policy
Introduction
This notice describes how Luiss processes the personal data of students collected upon enrollment in Bachelor’s and Master’s degree programs, and highlights the rights that the law guarantees to data subjects.
The policy is periodically updated to align with current legislation or new methods of processing personal data.
What personal data do we collect?
The Data Controller collects and processes the following personal data:
- the data subject’s identifying information (first name, last name, place and date of birth, tax code, citizenship);
- image;
- contact details (residential address, email, phone number);
- information about your educational background;
- data regarding foreign language proficiency;
- special data (e.g., health data, disabilities, including partial ones…);
- data indicating income and financial status (ISEE, etc.);
- emergency contact details (first name, last name, phone number, email, and relationship).
For what purposes do we collect your data, and why is the processing lawful?
The Data Controller collects and processes the data subject’s personal information for the following purposes:
- manage the relationship with the enrolled student by organizing all educational activities, instructional support, and the assessment of acquired skills through exams, intermediate tests, and a final exam (the legal basis for the processing is the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Article 6(1)(e) of Regulation (EU) 2016/679);
- manage the administrative aspects of the relationship with the enrolled student and send them questionnaires regarding the services offered by the University (the legal basis for the processing is found in the contract signed between the University and the enrolled student);
- use the student’s image to create an electronic badge (the legal basis for the processing is found in the contract signed between the University and the enrolled student);
- send questionnaires to the enrolled student to collect statistical data requested by the Ministry of Education, Universities, and Research (MIUR) and other institutional entities, and to support the University in designing and implementing surveys and thematic studies (the legal basis for the processing is found in the legal obligation to which the Data Controller is subject, as well as in the contract signed between the University and the enrolled student);
- manage the relationship with the enrolled student from an accounting and tax perspective (the legal basis for the processing is found in the contract and in the relevant legal provisions);
- contact the designated emergency contact in cases of extreme need (the legal basis is found in the consent of the data subject);
- manage the awarding and disbursement of scholarships (the legal basis for the processing is found in the pre-contractual and/or contractual phase between the University and the enrolled student, as well as in the fulfillment of a legal obligation pursuant to Article 6(1)(c) of Regulation (EU) 2016/679);
- share the data of the student concerned with the entity providing any scholarships (the legal basis for the processing is found in the performance of contractual obligations between the Data Controller and the providing entity, carried out for the benefit of the data subject, as well as in the fulfillment of a legal obligation pursuant to Article 6(1)(c) of Regulation (EU) 2016/679);
- manage the potential allocation of affiliated housing (the legal basis for the processing is found in the contract between the University and the enrolled student);
- manage any exemptions from paying university fees for students with a confirmed disability, and handle specific requests based on a student’s health condition (the legal basis for processing personal data is the fulfillment of a legal obligation, pursuant to Article 6(1)(c) of Regulation (EU) 2016/679, while for special categories of data, it is the data subject’s consent);
- provide library services, making educational materials available to the data subject for study, training, and research (the legal basis for the processing is found in the contract signed between the University and the enrolled student);
- provide and manage placement and internship services (the legal basis for the processing is found in the contract signed between the University and the enrolled student);
- compile the student’s biography (the legal basis for the processing is found in the contract signed between the University and the enrolled student);
- manage access to and use of IT services—such as creating an email account, the e-learning platform, or services provided by voice assistance tools (Alexa)—and verify their proper use (the legal basis is found in the contract signed between the University and the data subject);
- manage the student’s participation in educational and extracurricular activities organized by Luiss, including but not limited to the Adoption Lab, the Academic Gym, and language courses (the legal basis for the processing is the performance of contractual obligations between the Data Controller and the data subject);
- publish data related to the final paper in the Luiss online thesis archive https://tesi.luiss.it/ (the legal basis for the processing is found in the data subject’s consent, requested when submitting the graduation application);
- manage the student’s participation in cultural and volunteer activities organized by Luiss (the legal basis for the processing is found in the data subject’s consent, requested when applying to participate);
- manage the booking of Luiss shuttles via the app (the legal basis for the processing is found in the contract between the University and the enrolled student);
- allow, upon request from the data subject or entitled third parties, the certification of the degree obtained from the University (the legal basis for the processing is found in the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Article 6(1)(e) of Regulation (EU) 2016/679, as well as in the relevant legal provisions);
- include the student in the Luiss Alumni community by sending job offers and invitations to events organized by the network in collaboration with Luiss (the legal basis for the processing is found in the contract between the University and the enrolled student);
- send commercial communications and newsletters about the services offered and initiatives promoted, invite the data subject to events, training events, or to participate in courses related to the educational program (the legal basis is found in the data subject’s consent);
- process data for profiling purposes to carry out dedicated activities based on interests, experiences, skills, and knowledge (e.g., internship placement services, invitations to events based on the course of study pursued, etc.) (the legal basis for the processing is the data subject’s consent).
How does the Data Controller process your personal data, and for how long is it retained?
The data subject’s personal data is processed electronically (servers, cloud databases, application software, etc.).
The Data Controller retains the data subject’s information for a period determined in accordance with the criteria of civil statute of limitations and in compliance with specific sector laws, as well as for the time necessary to properly pursue the purposes identified above.
Who do we share your personal data with?
- internal communication scope
Only University employees and collaborators who need access to a member’s personal data in order to provide the requested services may access it, and they may access only the information that is instrumental and related to that purpose. Specifically:
- administrative staff;
- faculty;
- tutors and collaborators.
Our employees and partners have been informed and trained on the importance of adhering to the principles and rules regarding the processing of personal data.
- external communication
- third parties the Data Controller uses to manage the tax and accounting aspects of the relationship (for example, credit institutions);
- third parties the Data Controller uses to provide insurance services;
- third parties the Data Controller uses to provide services essential for managing all interactions with the data subject;
- third parties the Data Controller uses to potentially award scholarships;
- third parties (public or private) that the Data Controller uses to offer and manage placement and internship services.
If the provider accesses the data, it will do so in compliance with current data protection laws and the instructions provided by the Data Controller.
The Data Controller shares data subjects' information with third parties that fund scholarships. This processing is instrumental and strictly related to the disbursement of financial contributions.
The Data Controller does not disclose personal information to other third parties without the data subject’s consent, unless required by law or an Authority:
- when necessary for reasons of national security;
- for reasons of general interest;
- in response to a request from public authorities.
Is your data transferred abroad?
The data subject’s personal data is transferred abroad to provide certain services. In these cases, the transfer is based on adequacy decisions or the European Commission’s standard clauses.
Specifically, to provide the Library's services through the “Alma” platform provided by Ex Libris Ltd., data subjects' data may be transferred to Israel. In this case, the transfer is based on adequacy decision 2011/61/EU issued by the European Commission on January 31, 2011.
If a student applies to participate in international exchange programs, they will receive a specific notice outlining the related transfers of personal data abroad.
What are your rights as a data subject, and how can you exercise them?
The European General Data Protection Regulation (2016/679) grants you, as a data subject, specific rights.
For each instance of processing, you can exercise the following rights:
- Right of access: You have the right to obtain a copy of the personal data we hold and process;
- Right to rectification: You have the right to rectify your personal data held by the Data Controller if it is outdated or incorrect;
- Right to object to the processing of personal data for commercial purposes: You can request that the Data Controller cease sending commercial communications at any time;
- Right to object to decisions based solely on automated processes: You may request not to be subject to decisions made solely on the basis of automated processes, including profiling;
- Right to withdraw consent: You have the right to withdraw your consent for a specific processing activity at any time;
- Right to contact the Data Protection Authority: You have the right to contact the Data Protection Authority if you have any concerns about how the Data Controller processes your personal data.
You may also exercise the following rights under certain circumstances:
- Right to erasure: You may request that the Data Controller erase your personal data if the purposes of the processing have ceased and there are no legitimate interests or legal provisions requiring its continuation;
- Right to object to processing: You may request that the Data Controller cease a specific processing activity involving your personal data;
- Right to restrict processing: You have the right to request that the Data Controller restrict the processing of your personal data;
- Right to data portability: You have the right to obtain a copy of your data in a structured, machine-readable format that can be transferred to another Data Controller.
If the data subject wishes to exercise their rights as recognized by law, they can simply send an email to privacy@luiss.it or write to the Data Controller, Luiss Guido Carli, at Viale Pola no. 12 – 00198 – Rome, outlining their request and providing the necessary information to identify the requester.
The contact details for the Data Protection Officer (DPO) can be found on the Data Controller's website at www.Luiss.it.
The Data Controller will respond to you within one month. If the Data Controller is unable to respond within the specified timeframe, they will provide a detailed explanation of the reasons why your request cannot be fulfilled.
Student Affairs Office
Viale Romania, 32
00197 Rome
Tel. 06 8522 5270/5263
Via Parenzo, 11
00198 Rome
Tel. 06 8522 5895