Discover the next Open Days Milano · Firenze · London · Paris · Dubai Register nowDiscover the next Open Days
EN
MENU
Close
<— Back

Privacy Policy

Information pursuant to Article 13 of EU Regulation 2016/679 (GDPR)

Request for Recognition of Exceptional Status

1) Why you are receiving this communication

Istituto Marangoni S.r.l. wishes to inform you about the processing of your personal data (hereinafter, "Data") collected during the application process for the recognition of one of the statuses provided for by the "Regulations for the recognition of the status of working student, student athlete or para-athlete, student caregiver, student with disabilities - SLD, ADHD or SEN, student parent or pregnant student" (hereinafter also referred to as the "Academic Regulations"), in order to guarantee respect for your fundamental rights and freedoms as a data subject (hereinafter referred to as the "Data Subject"), with particular reference to the confidentiality and security with which the Data is processed.

2) Data Controller

The data controller is Istituto Marangoni S.r.l. – Via Meravigli, 7, 20123 Milan (MI), e-mail address: privacy@istitutomarangoni.com (hereinafter, "Data Controller" or simply "Controller").

The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following e-mail address: dpo@istitutomarangoni.com.

3) What Data we collect

The Data Controller processes the following Data:

a) First name, surname, email address, Student ID, tax code, year and academic course attended, provided by the Data Subject via the request form.

b) Data of a special nature pursuant to Article 9 of the GDPR required by the Academic Regulations for the allocation of dispensatory and/or compensatory measures to students belonging to the categories provided for in the Academic Regulations (i.e. 'working student', 'student athlete or para-athlete', "Caregiver student", "Parent student or pregnant student", "Disabled student", "Student with specific learning disorders, ADHD or BES") from which it is possible to obtain information relating to the state of health of the Data Subject making the request.

4) For what purposes do we use the Data and on what legal basis

The Data Controller processes the Data for the following purposes:

a) to submit to the Academic Council the request for the allocation of dispensatory and/or compensatory tools for appropriate evaluation and possible approval of the same;

b) to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their jurisdictional functions.

 

For the purpose described in point a) above, the processing of Data is carried out on the following legal basis:

  • the express consent of the Data Subject, which may be revoked at any time, for the statuses provided for in the Academic Regulations (i.e. 'Working Student ', 'Athlete or Para-athlete Student', 'Caregiver Student', 'Parent Student', 'Pregnant Student ' and 'Student with Disabilities') (Art. 9, para. 2, letter a) of the GDPR).

 

On this point, it should be noted that the voluntary provision of Data belonging to particular categories of data by filling in the form must be considered as the provision of express and specific consent to the processing of such Data for the above-mentioned purpose (i.e. obtaining dispensatory and/or compensatory tools). The provision of such Data belonging to particular categories of data is therefore optional and does not in any way preclude the possibility of using the services offered by the Data Controller. However, failure to provide such Data will not allow you to take advantage of the benefits (exemptions and/or compensatory measures) recognised for certain statuses provided for in the Academic Regulations.

The Data Subject may withdraw consent at any time in the manner indicated below in this policy; however, the withdrawal of consent shall not affect, in any case, the lawfulness of the processing carried out on the basis of consent prior to the withdrawal. It should be noted that, in the event of withdrawal of consent during the academic year, the Data Subject will lose the benefits recognised for their status under the Academic Regulations.

With reference, however, to the purpose referred to in letter b) above, the processing is based on the legitimate interest of the Data Controller or third parties (Article 6, paragraph 1, letter f) of the GDPR).

With particular reference to this purpose, it should be noted that the legitimate interest of the Data Controller in processing the personal data of the Data Subject is fairly balanced with the interests, rights and fundamental freedoms of the Data Subject. Processing based on legitimate interest is not mandatory and the data subject may object to such processing in the manner described in this policy and, in this case, the Data Controller may not process the Data for this purpose, unless it can demonstrate the existence of legitimate reasons that prevail.

5) How long we keep the Data

The Data Controller processes the Data for a maximum period of three (3) years from collection, unless the Data Subject revokes their consent in advance in the manner indicated in paragraph 10 below.

With particular reference to the processing of Data for the purposes referred to in point 4(b) above, the Data will be processed for the period of time strictly necessary to allow the Data Controller to defend its rights and legitimate interests in and out of court.

After these periods, the Data will be deleted or anonymised.

6) How we process the Data

The Data Controller processes the Data using IT tools and personnel authorised to carry out collection, use, recording, consultation, storage, deletion, extraction, communication and restriction operations.

In order to ensure an adequate level of protection, the Data Controller processes the Data by adopting technical and organisational security measures such as:

  • a cloud platform with a double authentication system for the receipt, consultation, management and storage of requests from data subjects.
  • access to Data reserved exclusively for authorised and specifically appointed personnel.

The Data will not be subject to automated decision-making processes pursuant to Article 22 of the GDPR.

7) Who can access the Data

Only persons authorised and appointed by the Data Controller and/or any external Data Processors may access the Data, exclusively for the purposes indicated in the previous paragraph4) and who have committed themselves to confidentiality or are subject to an adequate legal obligation of confidentiality.

The Data may also be processed by suppliers appointed as external Data Processors (such as IT service companies), which the Data Controller uses to receive and manage your request, as well as by any sub-suppliers appointed by the external Data Processors to enable the provision of the service.

In addition to the above, the Data may also be disclosed to persons, entities or authorities to whom disclosure is mandatory under the provisions of the law or orders of the competent authorities.

8) Where the Data is stored

The Data is stored on servers located within the European Economic Area (EEA). If, for technical and/or operational reasons, it is necessary to use entities located outside the EEA, the processing of the Data will be regulated in accordance with the provisions of the GDPR: therefore, all necessary precautions will be taken to ensure the protection of the Data, in accordance with Articles 44 et seq. of the GDPR.

9) Nature of the provision of Data

The provision of Data is optional, however, failure to provide such Data will not allow the Data Subject to take advantage of the benefits (exemptions and/or compensatory measures) recognised for certain statuses provided for in the Academic Regulations.

10) What are the rights of the Data Subject in relation to the GDPR?

In accordance with the provisions of the GDPR, in relation to the processing in question, the Data Controller guarantees the Data Subject the following rights:

  • Withdraw consent at any time [Conditions for consent, Art. 7].

Note: the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It should be noted that, in the event of withdrawal of consent during the academic year, the Data Subject will lose the benefits recognised for their status under the Academic Regulations.

  • Right of access [Art. 15 of the GDPR] (right to obtain confirmation of the existence or otherwise of the Data Subject's Data and a copy thereof in an intelligible form);
  • Right to rectification [Art. 16 of the GDPR] (right to obtain from the Data Controller the rectification of inaccurate Data concerning the Data Subject without undue delay);
  • Right to erasure [Art. 17 of the GDPR] (right to erasure of the Data Subject's data).

Note: if it is impossible to proceed with the erasure of the Data in accordance with the above, the Data Controller shall inform the Data Subjects of the reasons why it is impossible to do so ;

  • Right to restriction of processing [Art. 18 of the GDPR] (right to obtain restriction of processing, for example, in the event of a dispute over the accuracy of the Data or in the event of unlawful processing);
  • Right to data portability [Art. 20 of the GDPR] (to receive, in a structured, commonly used and machine-readable format, the personal data concerning the Data Subject that has been provided, and the Data Subject has the right to transmit those data to another Data Controller, without hindrance from the Data Controller to whom the data were provided);
  • Right to object [Art. 21 of the GDPR] (to object to processing based on legitimate interest pursuant to Art. 6, para. 1, letter f) of the GDPR).
  • Right not to be subject to automated decision-making [Art. 22 of the GDPR] (right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects the data subject).

The above rights may be exercised in writing by sending an email todpo@istitutomarangoni.com orprivacy@istitutomarangoni.com .

Further information regarding the processing of Data may be requested at any time from the same contacts. It should also be noted that the exercise of one's rights must not prejudice and/or infringe the rights and freedoms of others.

The Data Controller undertakes to respond to requests within one (1) month, except in the case of particularly complex requests, for which a maximum of three (3) months may be required. In any case, the Data Controller will explain the reason for the delay within one (1) month of the request.

The outcome of the request will be provided in writing (at the request of the Data Subject) or in electronic format (and, in this case, free of charge). The Data Controller specifies that the Data Subject may be asked to contribute to the costs if their requests are manifestly unfounded, excessive or repetitive: in this regard, the Data Controller will keep track of the requests.

The Data Controller, in accordance with Article 19 of the GDPR, undertakes to inform the recipients to whom the Data Subject's Data has been disclosed of any corrections, deletions or restrictions on processing requested by the Data Subject, where possible.

11) Right to lodge a complaint (Article 77 of the GDPR)

If the Data Subject believes that their rights have been compromised or infringed, or that the processing of the Data is contrary to current legislation, they have the right to lodge a complaint with the Data Protection Authority in accordance with the procedures indicated at the following web address: https://www.garanteprivacy.it/diritti/come-agire-per-tutelare-i-tuoi-dati-personali/reclamo.

12) Updates to this policy

This policy is subject to change. Any substantial changes will be communicated by e-mail or through our institutional website.