Scuola Politecnica di Design
Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”)
The personal data of the Data Subjects are collected by Scuola Politecnica di Design at the time of enrollment or at the time of any application for enrollment in order to take advantage of the services offered by the school only within the framework of the institutional purposes relating to the education and training of students and the administrative purposes instrumental to them, as defined by the regulations in force.
The Data Controller is Scuola Politecnica di Design, in the person of its legal representative, domiciled at the registered office at Piazzale Lugano 19 – 20158 Milan (Italy) (hereinafter, “SPD” or “Data Controller”).
The Data Controller is part of a group of companies (“Plena Education SPA”) which designs and delivers training in the business and education sectors.
1. TYPE OF DATA PROCESSED
The Data Controller collects and processes the following personal data referring to the Data Subject:
a) Personal Data, such as first name, last name, date of birth of the Data Subject;
b) Contact Data, such as for example residence address, domicile, e-mail, telephone of the Data Subject;
c) CV Data, such as information pertaining to professional career, work experience, educational activities, as well as any and all additional information that the Data Subject may include in his/her CV.
Hereinafter referred to as “Personal Data”.
2. PURPOSES, LEGAL LAWFULNESS FOR PROCESSING AND NATURE OF THE PROCESSING
The Personal Data provided by the Data Subject will be used exclusively for the following purposes:
a) SPD will process the Personal Data of Data Subjects to enable them to take advantage of the services offered by SPD and related activities, and in particular:
– to manage the relationship with the Data Subject by organizing the complex of training activities, teaching support and assessment of skills acquired, through examinations and intermediate tests, as well as through a final test;
– to manage access to and use of the IT Services and verify their functionality and proper use (except as provided in paragraph (e) in relation to Cloud Services with respect to the use of systems of suppliers based in non-EU countries);
– to manage from an administrative, accounting and fiscal point of view the relationship with the Data Subject;
– to manage the Data Subject’s participation in educational, extra-curricular activities organized by SPD;
– to communicate with the Data Subject, through the contact information provided by the Data Subject, regarding SPD’s educational activities;
– to promote and manage placement initiatives.
The legal basis for the processing of Personal Data for the pursuit of the aforementioned purposes is the execution of the contract to which the Data Subject is a party, the performance of the service requested by the Data Subject and the proper management of the related services. The provision of data is mandatory. Failure to provide it will result in the inability of the Data Subject to take advantage of the activities related to education and training offered by SPD.
b) SPD will process Personal Data of Data Subjects to fulfill SPD’s legal obligations or performance of specific tasks arising from the law, a regulation or legislation, national and European, such as by way of example obligations in relation to the allocation and disbursement of scholarships. The legal basis for the processing of Personal Data is the fulfillment of a legal obligation.
c) SPD will process Personal Data of Data Subjects in order to contact them for the purpose of sending information, by e-mail, about courses offered and in which they have shown interest or about courses similar to those already attended or purchased. The legal basis for the processing is the legitimate interest of SPD to carry out the communications aimed at informing the Data Subjects about their educational offerings or to follow up on the information requests received in order to maintain and strengthen the human and professional relationships established with the Data Subjects. This legitimate interest does not affect the rights and freedoms of the Data Subjects, as it finds its respective balance in the interest and reasonable expectation of the Data Subjects to receive information about the courses offered by SPD and to obtain constant support from SPD.
d) SPD will process Personal Data of Data Subjects for promotional, commercial and marketing purposes: the Personal Data may be used, both by telematic means (such as SMS, e-mail, etc.) as well as by analog modes (such as mail, telephone), also for a) sending/communication by the Data Controller of advertising, informational, promotional material on new products/services of educational offerings of SPD and/or other companies of the Plena Education SPA Group; b) direct sales and/or placement by the Data Controller of products/services, facilitations and promotions of the Data Controller and/or other companies of the Plena Education SPA Group, as well as third party companies, through different sales channels or appointed third party companies; c) verification of the degree of satisfaction with the quality of the product/service provided, statistical and market studies and research, directly or through specialized companies, through interviews or other means of detection. The legal basis for such processing is the consent of the Data Subject. The provision of data is optional. Failure to authorize their processing, while not preventing in any way the use of the services offered by SPD, may not allow Data Subjects to take full advantage of the benefits we offer to our community through information of an advertising, commercial, and marketing nature.
e) In order to ensure the best educational experience, SPD will make available to Data Subjects a suite of cloud services, including email and cloud storage services, provided by third parties based in the United States (“Cloud Services”). Data Subjects’ Personal Data may therefore be disclosed to the companies that operate the aforementioned Cloud Services, solely on the basis of the Data Subject’s explicit consent, which constitutes the legal basis for such processing. It is understood in any case that the Cloud Services are regulated. Failure to give consent will not allow the Data Subject to activate the Cloud Services.
f) SPD will process Data Subjects’ Personal Data in order to maintain the security of the IT facilities, devices and files to which Data Subjects have access. The legal basis for such processing is SPD’s legitimate interest in improving and creating a secure IT environment for Data Subjects, including in compliance with the rules of conduct described within the IT Regulations, already signed by the Data Subject and published at the following link. This legitimate interest does not affect the rights and freedoms of the Data Subjects, as it finds its respective balance in the interest of the Data Subjects to benefit from the IT facilities and devices and in the reasonable expectation of the latter that such service will be provided to them.
g) SPD will process Personal Data of Data Subjects to enforce or defend a right in court. The legal basis for the processing of Personal Data is the legitimate interest of the owner or a third party and the expression of a constitutionally guaranteed right.
3. PERSONAL DATA RETENTION PERIOD
The Data Controller intends to retain the Personal Data for a period not exceeding that necessary to achieve the purposes for which it was collected and processed.
For the purposes referred to in point a) of paragraph 2, the Personal Data processed will be retained for a period of 10 years after the termination of the contract under which the above-mentioned processing is carried out, in accordance with the provisions of the prescription rules.
For the purposes referred to in point b) of paragraph 2, the Personal Data processed for the fulfillment of legal obligations will be processed for as long as required by the legal regulations with which SPD must comply.
For the purposes referred to in point c) of paragraph 2, Personal Data will be retained for a period of [12 months] from the first contact for informational purposes transmitted to the Data Subject, extendable by subsequent periods of [12 months] where the Data Subject gives positive feedback to the communication, which will start from the time of the Data Subject’s feedback, subject to any Data Subject’s eventual opt-out via links at the bottom of communication emails.
For the purposes referred to in point d) of paragraph 2, Personal Data will be retained for a period of time not exceeding 24 months from the release of consent by the Data Subject to the performance of said processing.
For the purposes referred to in point f) and g) of paragraph 2, Personal Data processed to maintain the security of IT facilities and for the exercise of the right of defense will be retained for as long as necessary to achieve these purposes and in accordance with the provisions of the prescription rules.
4. CATEGORIES OF DATA RECIPIENTS
Personal Data may be communicated, to the extent strictly pertinent to the above obligations, tasks and purposes and in compliance with the relevant regulations, to the following categories of subjects:
a) Employees and collaborators of SPD who need to receive them in order to provide the requested services to the Data Subjects and limited only to information instrumental and related thereto;
b) Individuals and/or external legal entities that provide services instrumental to the activities of the Data Controller for the purposes referred to in paragraph 2 above, and who are therefore involved in the organization of SPD’s activities;
c) Subjects to whom such communication must be made to fulfill or to require the fulfillment of specific obligations under laws, regulations and/or national and EU legislation.
Subjects belonging to the above categories act as data processors or operate completely independently as separate data controllers. The list of any data processors is constantly updated and available at the Data Controller’s office.
It should be noted that for business and administrative purposes, some Personal Data may be disclosed to companies belonging to the same corporate Plena Education SPA Group as the Data Controller; this is in line with Recital No. 48 GDPR, according to which “Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data. […].”
Except as provided for above, Personal Data will not be disclosed to third parties. Any further communication or dissemination will take place only with the explicit consent of the Data Subject.
5. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
The processing of Personal Data will be carried out at SPD’s premises and the Personal Data of the Data Subjects will be stored at servers and/or archives located within the European Union or in countries that provide adequate guarantees for the protection of personal data as referred to in Article 46 of the GDPR. For the purpose of the activation of the Cloud Services, made available by SPD, Data Subject’s Personal Data will be disclosed to the providers of the respective services, located in the United States of America. We believe it is appropriate to specify that the current level of data protection provided by U.S. legislation is not equivalent to that guaranteed by European legislation (and in particular the GDPR), in view of surveillance programs that do not guarantee adequate protections for European users. In such a case, therefore, the transfer of Data abroad will take place after collecting the explicit and informed consent of the Data Subject.
6. RIGHTS OF THE DATA SUBJECT
The Data Subject is entitled to the rights conferred by the GDPR under Articles 12-23 of the GDPR. In particular, Data Subjects have the right to request and obtain, at any time: (i) access to their Personal Data; (ii) information about the processing carried out; (iii) rectification and/or updating of Personal Data; (iv) erasure of Personal Data; (v) restriction of processing; (vi) to exercise the right to object to the processing; (vii) portability of Personal Data (i.e., to receive Personal Data in a structured, machine-readable, commonly used format); (viii) to exercise the right to revoke one’s consent to the processing of Personal Data, where this constitutes the legal basis for the specific purpose for which the processing is put in place (this, in any case, will not affect the lawfulness of the processing carried out on the basis of the consent given before revocation); and, finally, (ix) to lodge a complaint with a data protection authority (Garante per la Protezione dei Dati Personali).
The above rights may be exercised at any time by simple request to the Data Controller, to be sent:
– To e-mail address firstname.lastname@example.org.
For other information or clarifications on the mentioned rights, you can contact SPD at the same contact details.
The Data Subject consents to the processing of his/her Personal Data for the purposes set forth in paragraph 2 letter e), i.e., the transfer of his/her Personal Data to companies that operate Cloud Services (such as e-mail, storage services, etc.) based in the United States of America.