PRIVACY POLICY

Updated as of September 2023

The American University of Rome respects and protects your privacy.

Notice pursuant to the European Data Protection Regulation No. 679/2016 ("GDPR")

The American University of Rome ("AUR", the "University" or the "Data Controller"), headquartered in Rome, Via Pietro Roselli n. 4, is committed to respecting and protecting your privacy and wants you to feel secure both while simply browsing the site and if you decide to provide personal data to receive information about the University's activities. On this page, AUR intends to provide some information on the processing of personal data related to users who visit or consult the website accessible by electronic means from the address https://aur.edu and https://aur.edu/benvenuti-alluniversita-americana-di-roma (hereinafter jointly the "Site").

The information is provided only for the AUR website and not also for other websites that may be consulted by the user through links (for which please refer to their respective privacy policies/policies). The reproduction or use of pages, materials and information contained within the Site, by any means and in any medium, is not permitted without the prior written consent of AUR. Copying and/or printing for personal and non-commercial use only is permitted (for inquiries and clarifications contact AUR at the contact information below). Other uses of the content, services and information on this site are not permitted.

With respect to the content offered and information provided, AUR will endeavor to keep the contents of the Site reasonably up-to-date and revised, without offering any warranty as to the adequacy, accuracy, or completeness of the information provided by explicitly disclaiming any liability for any errors of omission in the information provided on the Site.

1. TYPES OF PERSONAL DATA

AUR must acquire (or already holds) certain data concerning you. Such data may also be those belonging to special categories only insofar as they are instrumental and/or useful to the management of the existing relationship with the student and/or the performance of services instrumental to it or related to it.

The categories of data that we may process are as follows:

- Personal identifying and biographical data: First and last name; social security number; date and place of birth; residential address; e-mail address; telephone number; passport number; IP address; messaging services (e.g., Teams, WhatsApp); picture; credit card number; AUR account name or nickname; data related to the degree(s) earned for access to a university course; grades and GPA (Grade Point Average) and other academic data; income data; etc.);

- Special data: Racial or ethnic origin; health status (mental or physical), information about physical or learning disabilities for which express consent to processing is required;

- Judicial data: convictions, criminal records, restrictions on freedom.

2. THE PROCESSING OF PERSONAL DATA AND ITS PURPOSES

"Data processing" means the performance of any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consulting, using, communicating by transmission, dissemination or any other form of making available, comparing or interconnecting, limiting, erasing or destroying.

All data will be processed by AUR for institutional/administrative/didactic/service purposes, payments and grants, related or related to activities undertaken by the University to perfect and manage the relationship with the student.

Personal data supplied or collected by AUR shall be processed for the following purposes:

LEGAL OBLIGATIONS

a) Fulfilment of regulatory or legal obligations (Italian or EU), including those of an accounting and fiscal nature.

CONTRACTUAL/INSTITUTIONAL OBLIGATIONS

(b) Handling of requests for contact or information through the Site (which may include the transmission of promotional materials); finalizing the application for enrollment; fulfilling any obligations arising from the student's enrollment and matriculation at the AUR (e.g., administrative, educational and pedagogical management, election of student offices, student health and safety protection, etc.); managing donations; managing campus visits;

(c) Provision of services (library, sports, trips, housing, internships, psychological counseling, invitations to AUR events and programs, etc.), financial aid, scholarships, grants and contributions requested by the student.

For the above-mentioned services we may also need to process special categories of personal data (e.g., health-related data) instrumental to their provision. In this circumstance you will be asked for your express consent.

d) Use of photos on student IDs in order to verify the identity of individuals authorized to access AUR premises.

(e) Security alerts (text messages, e-mail).

SOCIAL ENGAGEMENT/PROMOTION (AUR’s legitimate interest)

(f) Sending of AUR newsletters, AUR commercial and promotional communications and correspondence;

(g) Promotion of job placement, post-graduation and vocational training programs or courses both during the student's academic career at AUR and thereafter;

USE OF PHOTOS and VIDEOS

(h) Printing or posting on the AUR Site and social media any image/photo/video/audio taken or recorded during any institutional, educational, academic, training, promotional conference or event of AUR or any related activity;

SENSITIVE INFORMATION

i) processing of any sensitive personal information (that reveal my ethnic or racial origin, data related to health, medical history and conditions, criminal history and records, in the pursuit of those purposes set forth in point 2, subparts (a), (b), (c), (d), (e) and (f) and of the privacy policy.  

 

3. LEGAL BASIS FOR DATA PROCESSING

AUR uses the student's personal data only when there is a valid legal basis for doing so.

For the purposes outlined in Section 2 letters (a) to (e), and pursuant to the GDPR, the Data Controller is not required to acquire explicit consent to process the student's personal data because such processing is, pursuant to Art. 6 of the GDPR ("Lawfulness of Processing"): 1) necessary to comply with an obligation of law or regulation (Italian or EU), and 2) necessary for the execution and management of AUR's contract with the student, or to comply with a specific request of the data subject, or because such processing is carried out for institutional activities related to the management of AUR's relationship with the student or for administrative-accounting purposes or to respond to a legitimate need of AUR in the pursuit of its mission, it being understood that in the latter circumstance the processing will be carried out taking into consideration the interests, rights and expectations of the students.

Therefore, if the data subject does not wish to provide the requested data for the purposes described above, AUR may be prevented from establishing or executing its relationship with the student.

For the purposes mentioned in point 2 letters (f), (g) and (h) or for other and distinct reasons, personal data may be processed only with the express consent of the data subject.

Likewise, any processing of special data may be, pursuant to Article 9(2) of the GDPR, carried out only with the express consent of the data subject.

Such consent to data processing by the data subject is free and optional and always revocable without consequences on the existing relationship with AUR except for the impossibility for AUR to provide certain ancillary services.

4. RECIPIENTS OF PERSONAL DATA

For certain processing, we use trusted parties who perform tasks of a contractual, technical or organizational nature on our behalf. Some of these subjects are also operating abroad. These parties are our direct collaborators and perform the function of the "controller" or authorized entity for data processing, or they operate completely independently as separate "controllers" of the processing.

These are, specifically:

- employees/partners of AUR authorized to process and/or appointed as Data Processors;

- third parties appointed by AUR, in compliance with Art. 29 of the GDPR, to establish/manage the existing relationship with the student, appointed as Data Processors/Authorized Persons;

- the Data Protection Officer (DPO).

Outside of these cases, disclosure of personal data to third parties will only occur with the explicit consent of the student.

It should also be noted that personal data will not be subject to disclosure unless specifically authorized by laws and/or regulations, or with the express consent of the student, nor will it be subject to any fully automated decision-making process, including profiling.

5. TRANSFER ABROAD OF DATA

Your personal data collected by the Data Controller for the purposes set out in point 2 of this Notice, may be transferred by AUR, pursuant to Articles 44 et seq. of the GDPR, on the basis of adequate safeguards to ensure the protection of personal data, to entities located outside the European Union, specifically to American university institutions and/or American government authorities. Such transfer will take place under the exemption provided for in Article 49(1)(b) only if necessary for the performance of the relationship established between AUR and the student.

Under no circumstances will AUR transfer your personal data to parties not authorized to process such personal data.

6. METHOD OF PROCESSING

Your personal information is used only in ways and procedures strictly necessary to provide you with the services, products and information you have requested, including through the use of paper mail, electronic mail, other remote communication techniques, telematic, automated and computerized tools, and forms and questionnaires.

7. RETENTION OF DATA AND OTHER INFORMATION

Pursuant to Art. 13, paragraph 2, letter (a) of the GDPR, we inform you that, in compliance with the principles of lawfulness, purpose limitation and minimization of data set forth in Art. 5 of the GDPR, for the purposes referred to in point 2, subsections (a) to (e), the period of data retention will be for a period not exceeding that necessary to achieve the purposes for which the data were collected and processed, in compliance with any terms established by law. Such retention shall be without prejudice to any five- or ten-year retention periods that may be provided by law for civil, accounting or tax obligations.

Personal data related to the student's university career will be kept indefinitely in protected files and in accordance with current regulations. Data collected for access to University services and communications will be retained for as long as necessary to perform the service.

For the purposes referred to in point 2. subsection (f), (g) and (h), the retention period is 2 years from the date of giving consent.

8. DATA CONTROLLER AND DATA PROCESSORS

The Data Controller is:

- THE AMERICAN UNIVERSITY OF ROME, in the person of its pro-tempore legal representative, with registered office in Rome, Via Pietro Roselli No. 4, e-mail: privacy@aur.edu.

-The current DPO (Data Protection Officer) is Quorum Studio Legale e Tributario Associato, with registered office in Rome, Via degli Scipioni 281, e-mail: info@quorumlegal.com.   

9. RIGHTS OF THE DATA SUBJECT

Pursuant to and in accordance with Articles 15-22 of the GDPR, you are granted the following rights as a data subject that you may exercise against the Data Controller:

- Right of access: to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to receive information regarding, in particular, the purposes of the processing, categories of personal data processed and the period of storage, and recipients to whom the data may be disclosed (Article 15, GDPR);

- Right to rectification: to obtain, without undue delay, rectification of inaccurate personal data concerning you and supplementation of incomplete personal data (Article 16, GDPR);

- Right to deletion: to obtain, without undue delay, the deletion of personal data concerning you, where one of the cases referred to in Article 17 applies (Article 17, GDPR);

- Right to restriction: to obtain from the Data Controller the restriction of processing, in the cases provided for in the GDPR (Article 18, GDPR);

- Right to portability: to receive in a structured, commonly used and machine-readable format the personal data concerning you provided to the Controller, as well as to obtain that the same be transmitted to another controller without hindrance, in the cases provided for by the GDPR (Article 20, GDPR);

- Right to object: object to the processing of personal data concerning you, unless there are legitimate reasons for the Controller to continue the processing (Article 21, GDPR);

- Right to complain to the Supervisory Authority: complain to the Data Protection Authority, Piazza Venezia 11, 00187, Rome (RM).

It should be noted that revocation of consent for the processing of data for which the same is required does not affect the lawfulness of the processing based on the consent before revocation.

The above rights may be exercised by request sent by registered letter with return receipt or email, to the above addresses, using the appropriate form available on the website of the Guarantor for the Protection of Personal Data https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/doc....

Use of the Site implies full knowledge and acceptance of the content and any indications included in this notice. AUR informs you that this policy may be modified without prior notice and therefore recommends periodic reading.

INFORMATION COLLECTED ON THIS WEBSITE AND ITS USE

The Site automatically collects general information that does not identify you. This information includes the Internet Protocol (IP) address of the computer you are using, the web page from which you entered the Site, the web pages you visited and for how long, the browser you are using, and the date and time. This data is collected and used through Google Analytics, for the sole purpose of deriving information and statistics that help us focus on the needs and interests of our visitors and improve the overall functionality of the Site. Learn more about the terms of use for Google Analytics.

Cookies

Cookies are small text files that sites visited by users send to their terminals, where they are stored and then transmitted back to the same sites on the next visit. Cookies are distinguished by their duration, origin and type.

Duration

The duration of cookies can be either session or persistent. The first type of cookie is automatically deleted after the browser is closed, while the second type remains on the user's device until a predetermined expiration date.

Provenance

Cookies may be "first-party", when they report the visited website as the domain, or "third-party" if they are sent from sites or web servers different (so-called "third parties") from the visited one and on which some elements (such as images, maps, specific links to pages of other domains) present on the visited site may reside.

Types of cookies according to their function

Cookies can have different functions and according to function they are distinguished in:

- technical cookies which are those necessary for the functioning of the website itself and in turn are distinguished in:

1. navigation or session cookies: i.e. those cookies that allow normal navigation and use of the site (allowing, for example, to authenticate to access restricted areas);

2. functionality cookies: i.e. those cookies that, in order to improve the browsing experience, store the customizations chosen by the user (e.g. language);

3. analytics cookies from third-party services: these cookies are used in order to collect information on the use of the Site by users in an anonymous form such as: pages visited, time spent, source traffic origins, geographical origin. These cookies are sent from third-party domains (specifically Google Analytics) external to the Site; the management of the information collected by "third parties", as autonomous data controllers, is governed by the different disclosures shown in the table below, to which please refer.

- profiling cookies, which are those that allow the creation of user profiles in order to send advertising messages in line with the preferences expressed by the same in the context of web browsing; the user's consent is required for the use of these cookies.

In particular, the cookies used by AUR on the Site are identified below, as well as how we manage your preferences regarding them.

Types of Cookies We Use

The Site uses the following cookies:

- Yandex cookies.

We, along with third-party vendors such as Google, use first-party cookies (such as Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers to collect data about users' interactions with ad impressions and other advertising service features in connection with our Site.

Opting out

You can change your cookie preferences at any time by clicking the button above. This will allow you to review the cookie consent banner and change your preferences or withdraw your consent immediately. In addition:

(a) you can manage, disable and delete all types of cookies by changing your browser settings;

(b) you can set your preferences regarding how Google advertises by using the Google Ads settings page. Alternatively, you can opt out by visiting the Network Advertising Initiative Opt Out page or by using the Google Analytics Opt Out browser add-on.

Please note: By blocking the receipt of all cookies, including technical cookies, without providing a specific exception for the Site, you may no longer be able to browse the Site or take advantage of some or all of its features.

Security

The American University of Rome is committed to ensuring the security of your information and has put in place the necessary physical, technical and administrative security measures to prevent unauthorized access to the information collected. All information collected on the AUR website is encrypted using 128-bit Secure Sockets Layer (SSL) and public key cryptography.

Third-party sites

The Site provides links to external sites for your convenience. Please note that the University is not responsible for the content or privacy practices of other sites linked to the Site.

Contacting Us
If there are any questions regarding this privacy policy, you may contact us using the information below.

The American University of Rome
Via Pietro Roselli 4
00153 Rome, 
Italy

privacy@aur.edu