INFORMATION ON THE PROCESSING OF PERSONAL DATA
PURSUANT TO ART. 13 EU REG. APRIL 27, 2016 NO. 679 (“GDPR”)
Update and version date: June 14, 2023, version 1
This Policy is intended to apply exclusively with respect to the Site indicated above and not to any other Sites/apps/links to which the User is redirected while browsing this Site.
This Policy does not replace but supplements documents and information related to the processing of personal data made available by the Controller for other purposes.
1. Data controller and contact details
The Data Controller is Collegio Universitario Don Nicola Mazza, C.F. 00748590288, via dei Savonarola, 176 Padova, Italy, e-mail firstname.lastname@example.org (hereinafter the “Controller“).
The Data Controller can be contacted by sending a registered letter with return receipt to the registered office or an e-mail to the above address.
The terms used in this Notice have the meaning assigned by the GDPR as supplemented as below.
Services: set of usable activities and performances that can be activated through the Site. By way of example and not exhaustive, through the Site the User can: view content, transmit messages via contact form, send information requests via chat, subscribe to the newsletter if present, use the contact data made available.
Data Subject: a person who accesses and navigates the Site and makes use of the Services offered.
Personal Data: means any information relating to an identified or identifiable natural person.
3. Categories of personal data processed
Through the Site and through the use of the Services, data belonging to the following categories may be processed:
- browsing data (to enable the proper functioning of the Site or the performance of promotional activities)
- general personal data of the User (personal data, contact data such as e-mail address, data contained in the transmitted message).
The User is invited not to provide data belonging to special categories or data owned by third parties. In said cases, the Controller undertakes to comply with the provisions of the Regulations due to the type of Data made available and the purpose.
4. Purposes of data processing
The Controller processes Users’ personal data for the following purposes:
- to enable the proper functioning of the Site;
- to respond to User requests made through the use of the contact form, if any, the webchat, if any, or directly (telephone or e-mail contact);
- for the performance of any administrative and accounting activities related to the Site, the fulfillment of legal obligations;
- for sending informative and/or promotional communications through newsletter tools (so-called marketing purposes).
5. Legal basis of data processing
The processing of data for the above purposes is justified by the following conditions:
- for the purposes referred to in (a), (b) the processing falls under the conditions of art 6 lett b) GDPR “the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject
- for the purposes referred to in (c) the processing falls under the conditions of Art 6 lett b) GDPR “processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject” as well as Art 6 lett c) GDPR “processing is necessary for compliance with a legal obligation to which the data controller is subject” as well as letter f) the “processing is necessary for the pursuit of the legitimate interests of the data controller or third
- for the purposes referred to in (d) the processing falls under the condition of Art 6 lett A) GDPR “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
6. Nature of provision and consequences of refusal.
The provision of personal data is free and voluntary.
However, refusal to provide personal data may deny the fulfillment of requests.
The provision of personal data for the purposes referred to in (d) is purely optional. Refusal to provide it will not prevent the provision of the Services. Consent to the processing of personal data for the aforementioned purposes is required under Article 6(1)(a) of the GDPR and current legislation.
7. Categories of data recipients. Processor and Autonomous Data Controller
Personal data provided by the User for the purposes are not diffused. For the pursuit of the purposes, the Controller may need third parties: the data may therefore be made aware of the following recipients who will be appointed Data Processors ex art 28 GDPR:
- collaborators in any title of the Data Controller (e.g. employees), in their capacity as authorized processors;
- entities that manage the Site and/or provide individual Services (e.g., softwarehouse, communication and web agencies;)
The updated list of designated Data Processors can be provided upon request by Data Subjects.
The data may also be made known to other parties, such as autonomous data controllers:
- Public and/or private entities that may become aware of the data (law firms, banking institutions;)
- Public Authorities, to the extent permitted by law.
8. Transfer of personal data to third countries
Data may be transferred to countries outside the European Union/EEA. The Controller ensures that any such transfers will take place:
- in accordance with specific standard contractual clauses approved by the European Commission pursuant to Article 46 GDPR;
- to countries that the European Commission has deemed to guarantee an adequate level of protection, in accordance with the provisions of Art. 44 et seq. GDPR.
9. Period of data retention
Personal data collected are retained for a period of time not exceeding the achievement of the purposes for which they are processed. In particular:
- Data collected automatically in the course of browsing the Site (purposes referred to in point a) are retained for a period of 60 days;
- Data collected for the purposes referred to in point (b) are retained for the time necessary to process the request and in any case no longer than 24 months from the processing of the request unless a different duration is justified by the relationship between the parties (separate Notice);
- Data collected for the purposes referred to in (c) in accordance with the provisions of current civil, fiscal and administrative regulations;
- Data collected for the purposes under (d) until consent is revoked;
It should be noted that different periods of data retention may be determined by specific legal regulations, by orders of the Authority or by the participation of the Data Controller in judicial proceedings involving the processing of data.
10. Methods of Processing
The processing of data will be carried out using paper and computer tools, in compliance with the provisions on the protection of personal data and, in particular, with the appropriate technical and organizational measures referred to in Article 32.1 GDPR, as well as with the observance of all precautionary measures that guarantee the relative integrity, confidentiality and availability. The processing operations referred to in this Notice are not subject to automated decision-making processes.
11. Rights of the Data Subject.
The Data Subject may exercise his or her rights under the GDPR at any time, in the manner described in Article 1) above. In particular, the Data Subject is entitled to:
Right of access
A data subject may ask us whether or not we process any of his or her data, and if so, he or she may obtain access to such data from us in the form of a copy. When a data subject makes a request for access, we also provide him or her with additional information, such as the purposes of the processing, the categories of personal data in question, and any other information necessary for the data subject to exercise this right.
Right of rectification
The data subject has the right to correct his or her data if it is inaccurate or incomplete. Upon request, we will correct inaccurate personal data and, taking into account the purposes of processing, complete incomplete data.
Right of deletion
The data subject has the right to have his or her personal data deleted. The deletion of personal data can only occur in certain cases, listed in Article 17 of the GDPR. This includes situations where the data subject’s personal data is no longer necessary in relation to the initial purposes for which it was processed, as well as situations where it was processed unlawfully. In relation to how we provide some services, we inform that it may take some time before backup copies are deleted. We also inform you that the Data Controller will, within the limits of the state of the art, provide for the deletion of the data subject’s personal data, unless the retention of such data is required by law.
Right to limitation of processing
The data subject has the right to obtain the restriction of the processing of his/her personal data, which means that we suspend the processing of the data subject’s data for a certain period of time. Circumstances that may give rise to this right (Article 18 GDPR) include situations where the accuracy of personal data has been disputed, but time is needed to verify its (in)accuracy. If the data subject has obtained a restriction on the processing of your data, we will inform them before this restriction is lifted.
Right to Oppose
You have the right to object to the processing of your personal data, which means that you can request us to stop processing your personal data for certain purposes (e.g. direct marketing; soft spam). We inform that this right is granted to the data subject only in special circumstances (Article 21 GDPR) and, in particular, in case the legal basis of processing is the legitimate interest of the Data Controller.
Right to data portability
The right to data portability implies that the data subject may ask us to provide him or her with personal data in a structured, commonly used and machine-readable format and to ask us to transmit such data directly to another data controller, where this is technically feasible.
Right to withdraw consent
The data subject has the right to withdraw consent to the processing of personal data at any time, if the processing is based on his or her consent (e.g. direct marketing). In any case, revocation of consent does not affect the lawfulness of processing based on consent prior to revocation.
Right to lodge a complaint with the supervisory authority
The Data Subject also has the right to lodge a complaint with the supervisory authority if he/she believes that a processing that concerns him/her violates the GDPR and/or current legislation on the processing of personal data. Please note that in Italy said authority is represented by the Guarantor for the Protection of Personal Data. A Data Subject who is not resident in Italy may lodge a complaint before the designated Control Authority in his or her country of residence.