PRIVACY POLICY
Reviewed June 2021
Pursuant to Art. 13 of Legislative Decree no. 196/2003 and Art. 13 and 14 of EU Regulation 2016/679 (GDPR)
The American University of Rome (AUR), with registered headquarters in Rome, Via Pietro Roselli n. 4, pursuant to Articles 4 and 28 of Legislative Decree no. 196/2003 (hereinafter, the “Privacy Act”) and Articles 4, 7, and 24 of EU General Data Protection Regulation 2016/679 on the protection of natural persons’ personal data (hereinafter, “GDPR”), and Art. 13 of the Privacy Act, and Art. 13 and 14 of the GDPR, is Data Controller for the personal data pertaining to you and acquired upon your matriculation, enrollment, or as part of the admissions process. As such, AUR ensures the lawfulness of processing your personal information in conformity with subparts (a)-(c) and (f) of Art. 6, paragraph 1 of GDPR as well as subpart (a) of Art. 9, paragraph 2 of GDPR, as well as the principles of lawfulness, ethics, integrity, transparency, accountability and confidentiality, to which the undersigned University is bound, in order to provide the utmost protection to your privacy. AUR as the Data Controller
1. TYPES OF PERSONAL DATA
- Identifiers and informational personal data:
first and last name; tax ID number; date and place of birth; home address; email address; telephone number; passport number; IP address; image; credit-card number; account name or nickname; data on degree(s) earned to access a university course; grades and GPA and other academic data; income-related data; etc...);
- Sensitive data:
racial or ethnic background; health status (mental or physical), information on learning or physical disabilities;
- Judicial data:
convictions; criminal record; restraints on liberty.
2. PERSONAL DATA-PROCESSING AND ITS PURPOSES
“Data Processing” is the performance of any operation applied to personal data, including: collection; recording; organization; structuring; retention; adjustment or modification; excerpting; reviewing; disclosing via submission, dissemination or any other means of making such data available; comparing; erasing; deleting.
All data shall be processed by AUR for institutional/administrative/teaching/service-related purposes, or payments and subsidies, connected or relating to activities undertaken by the University to perfect and manage its relationship with the student.
Personal data supplied or collected by AUR shall be processed for the following purposes:
LEGAL OBLIGATIONS
a) Complying with regulatory or statutory duties (Italian or EU), and for purposes relating to civil law, withholdings, accounting, or tax reporting.
CONTRACTUAL/INSTITUTIONAL OBLIGATIONS
b) Performing any duties arising from the student's enrollment and matriculation into AUR (e.g. administrative processing, teaching and pedagogy, institutional affairs, election of student officers, protection of student safety and health, etc.
c) Rendering of services (library, sports, field trips, housing, internships, etc.), or managing conferences, financial aid, scholarships, grants and fellowships.
d) Use of photos on student IDs or for other internal-organizational purposes.
e) Video surveillance for safety and crime-prevention purposes.
f) Safety and security alerts including using automated methods (text message, email)
SOCIAL ENGAGEMENT/PROMOTION (AUR’s legitimate interest)
g) Sending AUR newsletters, invitation to AUR events and programs, AUR commercial and promotional communications and correspondence;
h) Promoting work-placement, post-graduate, and professional-training programs or courses both during the student's academic career at AUR as well as thereafter;
USE OF PHOTOS and VIDEOS
i) Printing or posting/publishing on AUR website and social-media/of any images/photos/videos/audio, shot or recorded over the course of any AUR institutional, educational, academic, training, promotional conference or event or any related activity;
SENSITIVE INFORMATION
j) processing of any sensitive personal information (that reveal my ethnic or racial origin, data related to health, medical history and conditions, criminal history and records, in the pursuit of those purposes set forth in point 2, subparts (a), (b), (c), (d), (e) and (f) and of the privacy policy.
3. MANDATORY CONSENT TO DATA PROCESSING AND DISTRIBUTION, AS A CONDITION TO REGISTRATION, FOR THE FULFILLMENT OF THE AUR-STUDENT CONTRACT
For the purposes illustrated in point 2 letters (a) to (h), and pursuant to the Privacy Law and the GDPR, the Data Controller is not required to acquire explicit consent to the processing of the student’s personal data as this processing is 1) necessary to fulfill a legal or regulatory obligation (Italian or Community), and 2) necessary for the execution and management of AUR’s contract with the student, or to comply with a specific request submitted by the concerned party, or because such processing is carried out for institutional activities related to the management of AUR’s relationship with the student or for administrative-accounting purposes or to respond to a legitimate requirement of AUR in the pursuit of its mission. The treatment of such data will be for the primary purposes referred to in art. 24 of the Privacy Code (“Responsibility of the Controller”) and art. 6 of the GDPR (“Lawfulness of Processing”), in conformity with subparts b contractual execution), c (legal obligation), f (legitimate interest) and paragraph 1 of EU Regulation as well as subpart (a) of Art. 9, paragraph 2 of EU Regulation.
Similarly to the above, no explicit consent is required from the concerned party for the disclosure of personal data to private and/or public entities for the purpose of complying with a legal duty. The persons or categories that may require access to your personal data as data supervisors or processors include:
- employees/associates of AUR appointed as Data Processors;
- third parties engaged by AUR to institute/manage the current relationship with a student, appointed as Data Supervisors/Processors;
- Co-Data Controllers, if any;
- The Data Protection Officer (DPO).
Outside of the foregoing cases, disclosure of personal data to third parties shall only take place with the student's express consent.
Please note, furthermore, that personal data shall not be subject to dissemination, unless specifically authorized by statute and/or regulations, or with the student's express consent.
If the concerned party does not wish to provide the requested data for the purposes described above, or does not wish the data to be disclosed to the data processors, controllers and protection officers, it may be impossible to put in place or execute the relationship established between AUR and the student.
For the purposes referred to in point 2. Sub-parties (i) and (j) or for other and distinct reasons, the processing of personal data can only be carried out with the express consent of the interested party.
4. PROCESSING METHOD
Processing shall be completed manually and/or using automation, including with the support of electronic/online and automated instruments, in compliance with the security criteria set forth under Art. 32 of GDPR 2016/679, and Attachment B to the Privacy Act (Art. 33-36 of the Act), and shall be performed by duly appointed persons, in compliance with Art. 29 of GDPR 2016/679.
Personal data shall be included in any Registers required by law for the aforementioned purposes.
5. RETENTION OF DATA AND OTHER INFORMATION
Pursuant to Art. 13, paragraph 2, subpart (a) of the GDPR, please be advised that, in compliance with the principles of lawfulness, purpose limitation, and data minimization set forth in Art. 5 of GDPR 2016/679, for the purposes appearing in point 2 subparts (a) to (d) and (f), the retention period shall be for no longer than the time required to achieve the purposes for which they were collected and processed, in accordance with any periods set by law. Such retention shall be without prejudice to any statutory five- or ten-year retention terms as may apply to a civil, accounting, or tax-related duties.
For the purposes set forth in point 2. subpart (e), the retention period is forty-eight (48) hours from recording;
Personal data related to the student’s university career will be kept indefinitely in protected archives and according to the current legislation. Data gathered for the university’s access to services and for communications will be kept for the time necessary to the execution of the service.
For the purposes set forth in point 2. subpart (g), (h), the retention period is 10 years following the end of the relationship between AUR and the student. For the purposes set forth in point 2. subparts (i) and (j) the retention period is 10 years from consent.
Pursuant to Art. 13, paragraph 1, subpart (f) of the DPR, please be advised that data collected may be transferred to an EU member state, to a non-EU country (especially the U.S.), to international organizations, only insofar as permitted by Art. 44 (“General Principles for Transfer” et seq. of the GDPR).
6. DATA CONTROLLER AND DATA SUPERVISORS
Identifiers for the Data Controller are as follows:
- THE AMERICAN UNIVERSITY OF ROME, by and through its pro-tempore legal representative, with registered office in Rome, at Via Pietro Roselli n. 4, e-mail: privacy@aur.edu.
- the DPO (Data Protection Officer): Quorum Studio Legale e Tributario Associato, with offices in Rome, via degli Scipioni 281, e-mail: info@quorumlegal.com.
7. DATA-SUBJECT RIGHTS
You may exercise your rights under Art. 7 of the Privacy Act and under Art. 15-22 of the GDPR at any time. You have the right to:
A. Access your personal data; B. Obtain information on processing purposes, the categories of personal data, the recipients or categories of recipients to whom personal data are or shall be disclosed, and if possible the retention period for the same; C. Secure data correction. Secure data erasure, except for data contained in documents which must be kept by the university as part of its activity, and only in the case of a legitimate reason for requesting erasure; D. Secure processing limitation(s); E. Be alerted by Data Controller in instances of personal-data correction or cancellation; F. Data Portability: obtain your data from a data controller in a structured, machine-readable, commonly used format, and have them forwarded to another data controller without delay; G. Object to processing at any time, including for direct-marketing data processing; H. Object to decisions being predicated on data mining, including profiling, on any natural person. I. File a complaint with the Data Protection Authority, following the procedure and instructions posted to the Authority's official website: www.garanteprivacy.it.
You may exercise your rights under Art. 7 of the Privacy Act and Art. 15-22 of the GDPR by sending a written request to the registered address, or to the DPO via email.
For your convenience, please find the full text of Art. 7 of the Privacy Act below. Articles 15-22 of the GDPR may be viewed here: https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=celex%3A32016R0679
FULL TEXT OF ARTICLE 7 OF THE PRIVACY ACT Art. 7 (Rights to access personal data and other rights)
1. The data subject has the right to have confirmation on whether his/her personal data exists, even if not yet recorded, and to have them provided in an intelligible format. 2. The data subject has the right to know: a) The source of the personal data; b) the purposes and methods for processing; c) the logic applied - in cases where processing is performed with the aid of electronic instruments; d) identifiers for the data controller, data supervisors, and the data protection officer appointed under Article 5, paragraph 2; e) the persons/entities, or categories of persons/entities to whom personal data may be disclosed or who may have access to the same in their role as Data Protection Authority, data supervisors, or data processors. 3. The data subject has the right to secure: a) updates, corrections, or should the circumstances warrant, supplementation of their data; b) erasure, pseudonymization, or blocking of any unlawfully processed data, including those whose retention is not necessary given the purposes for which they were collected and thereafter processed; c) an affidavit that the operations appearing in points (a) and (b) hereof were (including their content) disclosed to those to whom data were disclosed or disseminated, except in cases where discharging such duty would be impossible, or require the use of resources that clearly outweigh the right sought to be protected. 4. The data subject has the right to object, in whole or in part: a) for legitimate reasons, to the processing of their personal data, even if germane to the purpose for which they were collected; b) to the processing of their personal data for marketing or direct-sales, or market research and promotional mailings.
Information collected on this website and how it is used
The AUR website automatically collects general information that does not identify you personally. This includes the Internet Protocol (IP) address of the computer you are using; the web page from which you entered our website; the web pages you visited and for how long; browser used; date and time. To collect this data, we use Google Analytics, a web analytics service that provides statistics and tools that help us focus on the needs and interests of our visitors and improve the overall functionality of the website. Learn more about the Google Analytics Terms of Use.
Cookies
When you view our website, we may store some information on your computer in the form of a cookie, or small data file. Cookies enable the website to remember your actions and preferences over a period of time so that you don’t have to keep re-entering them whenever you come back to the site or browse from one page to the other. Usage of a cookie is in no way linked to any of your personally identifiable information while on our site. You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience all features and content of our website. Learn how to disable cookies in your browser.
Google
Google's advertising requirements can be summed up by Google's Advertising Principles. They are put in place to provide a positive experience for users. https://support.google.com/adwordspolicy/answer/1316548?hl=en
We do not use Google AdSense Advertising on our website.
We have implemented the following cookies:
• Remarketing with Google AdSense
We, along with third-party vendors such as Google use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together to compile data regarding user interactions with ad impressions and other ad service functions as they relate to our website.
Opting out:
Users can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising Initiative Opt Out page or by using the Google Analytics Opt Out Browser add on.
Security
At The American University of Rome we are committed to ensuring the security of your information and have put in place the necessary physical, technical, and administrative safeguards to prevent unauthorized access to any information we collect. All information gathered on the AUR website is encrypted using 128-bit Secure Sockets Layer (SSL) and public-key encryption.
Third Party Sites
The AUR website provides links to external sites as a convenience. Please note that the University is not responsible for the content or privacy practices of other sites linked within our website.
Contacting Us
If there are any questions regarding this privacy policy, you may contact us using the information below.
The American University of Rome
Via Pietro Roselli 4
00153 Rome,
Italy