Università Cattolica del Sacro Cuore , having its registered office at Largo Agostino Gemelli 1, 20123 Milano (Italy), Tax Code no. and VAT no. 01452060336 (hereinafter, “Data Controller”), being the data controller of your personal data, hereby informs you, pursuant to GDPR 2016/679 (hereinafter, “GDPR”) that your data will be processed in the manners and for the purposes described below:
- Object of processing
The Data Controller processes the personal data, identifiers (for example, name, surname, company name, address, telephone number, email address, bank and payment details) (hereinafter, “personal data” or “data”) submitted by yourself at the time of entering into a contract for services supplied by the Data Controller. - Purpose of processing
Your personal data will be processed:- Without your express consent (Art. 24, a), b), c) and Art. 6 b), e) GDPR), for the following Service Purposes:
- Finalizing contracts for services provided by the Data Controller;
- Fulfilling pre-contractual, contractual and tax obligations arising from existing relationships with you;
- Fulfilling obligations established by law, by regulations, by Community legislation or by orders of the Authority (for example, anti-money laundering measures);
- Exercising rights of the Data Controller, for example the right to defence in court;
- Only subject to your specific and distinct consent (Arts. 23 and Art. 7 GDPR), for the following Marketing Purposes:
- Sending you by email, mail and/or text messages and/or telephone calls, newsletters, business communications and/or advertising material on products or services offered by the Data Controller and surveying the degree of satisfaction for the quality of services;
- Sending you by email, mail and/or text messages and/or telephone calls commercial and/or promotional communications of third parties (for example, business partners).
- Without your express consent (Art. 24, a), b), c) and Art. 6 b), e) GDPR), for the following Service Purposes:
- Modalities of processing
The processing of your personal data is carried out through the operations indicated in Art. 4 no. 2) GDPR, and, more precisely: the collection, recording, organization, storage, consultation, treatment, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure and destruction of data. Your personal data will be processed both on paper and by electronic and/or automated means.
The Data Controller will retain your personal data for the time necessary to fulfil the purposes mentioned above and in any case for no longer than 10 years from the termination of the relationship for Service Purposes and no longer than 2 years from the collection of data for Marketing Purposes.
- Access to data
Your data may be made accessible for the purposes referred to in Art. 2.A) and 2.B):- to the Data Controller’s employees and collaborators, in their capacity as internal data processors and/or persons mandated and/or system administrators;
- to third-party companies or other entities (for example, credit institutions, professional firms, consultants, insurance companies providing insurance services, etc.) who carry out outsourced activities on behalf of the Data Controller, in their capacity as external data processors.
- Disclosure of data
Without the need for express consent (pursuant to Art. 24 a), b), d) and Art. 6 b) and c) GDPR), the Data Controller may disclose your data for the purposes of Art. 2.A) to Supervisory Bodies (e.g. IVASS), Judicial Authorities, insurance companies providing insurance services, as well as to entities to which disclosure is mandatory by law for the execution of the above-mentioned purposes. Said entities will process the data in their capacity as data controllers in their own right.
Your data will not be disseminated.
- Data transfer
Your personal data are stored on servers located in Italy, within the European Union. In any case, it is understood that the Data Controller has the right to move the servers to locations outside the EU if necessary. In this, the Data Controller hereby ensures that transfer of data to non-EU locations will take place in accordance with the applicable provisions of law, subject to the stipulation of the standard contractual requirements prescribed by the European Commission. - Providing personal data and consequences of refusing to answer
Providing data for the purposes of Art. 2.A) is mandatory. In lack thereof, we cannot guarantee the provision of the Services indicated in Art. 2.A).
On the other hand, providing data for the purposes of Art. 2.B) is optional. Therefore, you may decide not to provide any data or to deny at a later time the right to process data previously provided: in this case, you will not receive any newsletters, business communications or advertising material regarding the Services offered by the Data Controller. You will however still be entitled to the Services indicated in Art. 2.A).
- Rights of the data subject
In your capacity as the data subject, you are entitled to the rights stated in Art. 15 GDPR and, more precisely, the right:- to find out whether any of your personal details are held, even if they have not yet been recorded, and to be informed of what they are in a way that can be understood;
- to be informed: a) of the origin of the personal data; b) of the processing purposes and methods; c) of the logic applied in the event of processing performed using electronic instruments; d) of the identification details of the Data Controller, data processors, and the designated representative as provided for by Art. 3, par. 1, GDPR; e) of the entities or categories of entities to whom the data may be communicated or who may gain knowledge thereof in their capacity as designated representative on national soil, or as data processors or persons mandated;
- to obtain: a) the updating, rectification, and – when interested therein – the integration of the data; b) the erasure, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which it was collected or subsequently processed; c) notification that the operations described in points a) and b) have been made known, including specification of content, to those to whom the data has been communicated or disseminated, unless this proves impossible or involves a manifestly disproportionate effort in relation to the rights protected;
- to object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning you, even if related to the purpose for which it is collected; b) to the processing of personal data relating to you for the purpose of sending advertising or direct sales material or to carry out market research or business communications, through the use of automated call systems without the intervention of an operator by email and/or through traditional marketing methods by telephone and/or paper mail. It should be noted that the data subject’s right to object, set out in point b), above, for direct marketing purposes through automated methods extends to the traditional ones and that in any case the possibility remains for the data subject to exercise the right to object even in part. Therefore, the data subject can decide whether to receive only communications using traditional methods, or only automated communications or neither of the two kinds of communication.
- How to exercise your rights
You can exercise your rights at any time by sending:- a registered letter with notice of receipt to: Università Cattolica del Sacro Cuore , Largo Agostino Gemelli 1, 20123 Milano (Italy)
- una e-mail all’indirizzo dpo@unicatt.it
- Data controller, data processor and persons mandated
The Data Controller is Università Cattolica del Sacro Cuore , having its registered office at Largo Agostino Gemelli 1, 20123 Milano (Italy). The updated list of data processors and persons mandated is kept at the registered office of the Data Controller.