Privacy Policy

Information pursuant to Article 13 of EU Regulation 2016/679 (GDPR)

1) Why you are receiving this communication

Istituto Marangoni S.r.l. wishes to inform you about the processing of your personal data (hereinafter, "Data") collected during the application process for recognition of one of the statuses provided for in the "Regulations for the recognition of the status of working student, student athlete or para-athlete, student caregiver, student with disabilities - SLD, ADHD or SEN, student parent or pregnant student" (hereinafter also referred to as the "Academic Regulations"), in order to guarantee your fundamental rights and freedoms as a data subject (hereinafter referred to as the "Data Subject"), with particular reference to the confidentiality and security with which the Data is processed.

2) Data Controller

The Data Controller is Istituto Marangoni S.r.l. – Via Pietro Verri, 4, 20121 Milan, Italy, email address: privacy@istitutomarangoni.com (hereinafter, the "Data Controller" or simply the "Controller").

The Data Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following email address: dpo@istitutomarangoni.com.

3) What Data we collect

The Data Controller processes the following Data:

  1. Name, surname, email address, Student ID, tax code, year and academic course attended, provided by the Data Subject via the request form.
  2. Special categories of personal data pursuant to Article 9 of the GDPR requested by the Academic Regulations for the allocation of dispensatory and/or compensatory measures for students belonging to the categories "Working student", "Athlete or Paralympic athlete student", "Caregiver student", "Parent student or Pregnant student", "Disabled student", "Student with specific learning disorders, ADHD or BES" from which it is possible to obtain information relating to the state of health of the data subject who makes the request.

4) For what purposes do we use the Data and on what legal basis

The Data Controller processes the Data for the following purposes:

  1. To submit to the Academic Council the request for the allocation of dispensatory and/or compensatory measures for appropriate assessment and possible approval.

For the purpose described above, the processing of Data is carried out on the following legal basis:

  • Your express consent, which can be withdrawn at any time, for the statuses "Working student", "Athlete or Paralympic athlete student", "Caregiver student", "Parent student", "Pregnant Student" and "Student with Disabilities" in the case of certified disability of less than 66% as well as students with Specific Learning Disorders (Art. 9, para. 2, letter a) of the GDPR).
  • Fulfilment of a legal obligation of the Data Controller in relation to labour law and social security and social protection with regard to the status of "Student with Disabilities" (Article 9, paragraph 2, letter b) of the GDPR) in the case of certified disability equal to or greater than 66% and students with SLD.

5) How long we keep the Data

The Data Controller processes the Data for a maximum period of three (3) years from collection, unless the Data Subject revokes their consent in advance in the manner indicated in paragraph 10 below.

After this period, the Data will be deleted or anonymised.

6) How we process the Data

The Data Controller processes the Data using IT systems and personnel who are authorised to collect, use, record, consult, store, delete, extract, communicate and restrict the Data.

In order to ensure an adequate level of protection, the Data Controller processes the Data by adopting technical and organisational security measures such as:

  • Cloud platform with double authentication system for the receipt, consultation, management and storage of requests from data subjects.
  • Access to Data is restricted to authorised and specifically appointed personnel.

7) Who can access the Data

Only persons authorised and appointed by the Data Controller may access the Data, exclusively for the purposes indicated in the previous paragraph 4).

The Data may also be processed by appointed suppliers acting as external Data Processors (IT service companies), which the Data Controller uses to receive and manage your request, as well as by any sub-suppliers appointed by the external Data Processors to enable the provision of the service.

8) Where the Data is stored

The Data is stored on servers located within the European Economic Area (EEA). If, for technical and/or operational reasons, it is necessary to use entities located outside the EEA, the processing of the Data will be governed in accordance with the provisions of the GDPR: therefore, all necessary precautions will be taken to ensure the protection of the Data, in accordance with Articles 46 et seq. of the GDPR.

9) Nature of the provision of Data

The provision of Data is necessary for the purposes indicated above in paragraph 4).

For the statuses "Working Student", "Student Athlete or Paralympic Athlete", "Caregiver Student", "Student with Disabilities" (disability of less than 66% or BES), "Student Parent" and "Pregnant Student", the Data Subject may revoke their consent to processing at any time as indicated in paragraph 10 below. However, in this case, the Data Controller will no longer be able to grant the benefits provided for the recognition of the requested status.

10) What are the rights of the Data Subject in relation to the GDPR?

In accordance with the provisions of the GDPR, in relation to the processing in question, the Data Controller guarantees the exercise of the following rights to the Data Subject:

  • Withdraw consent at any time [Conditions for consent, Art. 7];
  • Right of access [Art. 15 of the GDPR] (right to obtain confirmation of the existence or otherwise of the Data Subject's Data and a copy thereof in an intelligible form);
  • Right to rectification [Art. 16 of the GDPR] (right to obtain from the Data Controller the rectification of inaccurate Data concerning the Data Subject without undue delay);
  • Right to erasure [Art. 17 of the GDPR] (right to erasure of data subjects' data).

Note: if it is impossible to proceed with the erasure of the Data in accordance with the above, the Data Controller will inform the Data Subjects of the reasons why it is impossible to do so.

  • Right to restriction of processing [Art. 18 of the GDPR] (right to obtain restriction of processing, for example, in the event of dispute over the accuracy of the Data or in the event of unlawful processing);
  • Right to data portability [Art. 20 of the GDPR] (right to receive personal data concerning him or her in a structured, commonly used and machine-readable format and to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided);
  • Right not to be subject to automated decision-making [Art. 22 of the GDPR] (the right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects the Data Subjects).

The above rights may be exercised in writing by sending an email to dpo@istitutomarangoni.com or privacy@istitutomarangoni.com.

Further information regarding the processing of data may be requested at any time by contacting the above addresses. It should also be noted that the exercise of one's rights must not prejudice and/or infringe the rights and freedoms of others.

The Data Controller undertakes to respond to requests within one (1) month, except in cases of particularly complex requests, for which a maximum of three (3) months may be required. In any case, the Data Controller will explain the reason for the delay within one (1) month of the request.

The outcome of the request will be provided in writing (at the request of the Data Subject) or in electronic format (and, in this case, free of charge). The Data Controller specifies that the Data Subject may be asked to contribute to the costs if their requests are manifestly unfounded, excessive or repetitive: in this regard, the Data Controller will keep a record of the requests.

The Data Controller, in accordance with Article 19 of the GDPR, undertakes to inform the recipients to whom the Data Subject's Data has been disclosed of any rectifications, erasures or restrictions on processing requested by the Data Subject, where this is possible.

11) Right to lodge a complaint (Article 77 of the GDPR)

If the Data Subject believes that their rights have been compromised or infringed, or that the processing of the Data is contrary to the legislation in force, they have the right to lodge a complaint with the Data Protection Authority in accordance with the procedures indicated at the following web address: https://www.garanteprivacy.it/diritti/come-agire-per-tutelare-i-tuoi-dati-personali/reclamo.

12) Updates to this policy

This policy may be subject to change. Any substantial changes will be communicated by email or through our institutional website.