MILAN/FLORENCE - Video Surveillance Cameras

Istituto Marangoni S.r.l. would like to inform you about what data it collects and how it does so through the video surveillance system in its schools located in Milan and Florence, in order to ensure that your fundamental rights and freedoms as a visitor are respected, with particular reference to the confidentiality and security with which the data is processed.

The data controller is Istituto Marangoni S.r.l. – Via Pietro Verri, 4, 20121 Milan MI, email address: privacy@istitutomarangoni.com (hereinafter the "Data Controller" or just the "Controller").

The Controller has appointed a Data Protection Officer (DPO), who can be contacted at the following email address: dpo@istitutomarangoni.com.

The Data Controller collects and stores your following data:

• Images taken from the video surveillance cameras installed at its above-mentioned schools.

Data is collected at the time of recording by the video surveillance system as permitted by the locally competent Labour Inspectorates through specific authorisation provisions.

The Data Controller uses your data for the following purposes:

• To ensure the safety of work, people on the premises and the protection of company assets through the video surveillance system;
• If necessary, to protect its own rights before the authorities.

For the purposes described above, the processing of your data is carried out to exercise the legitimate interest of the Data Controller, to ensure the safety of students and staff at its schools as well as to protect its company assets (Article 6(1)(f) of the GDPR).

N.B. The Controller does not carry out any monitoring of work activity: the positioning of the cameras has been specially arranged to avoid filming sensitive and irrelevant areas such as, by way of example, workstations and, therefore, to avoid any type of control concerning employees' work activity.

Video surveillance cameras are switched on 24 hours a day, 365 days a year and retain images for a period of 72 hours from the time of recording, after which they are automatically overwritten.

N.B. If, in the event of litigation, it is necessary to ascertain, exercise or defend the rights of the Controller, the retention period of the data collected, for the above-mentioned purposes, may be extended due to the possibility that it may be necessary to prepare defence elements within this timeframe. In this case, the data will only be kept until the conclusion of the litigation.

The Controller processes the images taken by the cameras by computerised means via personnel authorised to carry out collection, use, recording, consultation, storage, deletion, extraction, communication and restriction.

The images are saved in the cloud on the online platform provided by Cisco Meraki as External Data Processor, which can only be accessed by authorised persons appointed by the Controller.

Access to the cloud platform by authorised parties is also technically protected by strong authentication requirements as well as logical access control that prevents access by unauthorised users.

Only authorised persons specifically appointed by Istituto Marangoni may access your data and, therefore, the images captured by the cameras.

Access to the data by the above-mentioned parties, however, may only take place when strictly necessary to pursue the above-mentioned purposes.

If it is strictly necessary to ensure the safety of work and people on the premises or to protect company assets, the data may be shared with the competent authorities as autonomous data controllers.

In addition, in the event of a request for support to the supplier Cisco Meraki from Istituto Marangoni to resolve any issues related to the cloud platform, the supplier may be allowed access to the images for a period of time strictly necessary to resolve the issue.

In any case, the data in question will not be disseminated and, therefore, will not be made available to unspecified parties.

The images captured by the cameras are kept on the servers of the supplier Cisco Meraki located within the European Economic Area (EEA). If, for technical and/or operational reasons, it is necessary to use parties located outside the EEA, data processing will be regulated in accordance with the provisions of the GDPR, therefore all necessary precautions will be taken to ensure data protection, in accordance with Articles 46 et seq. of the GDPR (e.g., the "Data Privacy Framework").

The use of video surveillance cameras is necessary to guarantee the safety of the persons concerned and to protect the company assets of the Controller. Therefore, the provision of data for the above purposes is necessary. Failure to provide the data will make it impossible to access the Controller's premises.

According to the provisions of the GDPR, in connection with the processing in question, the Data Controller guarantees the following rights:

• Right of access [Article 15 of the GDPR] (right to obtain confirmation of the existence or non-existence of the data subjects' personal data and a copy thereof in intelligible form);
• Right to erasure [Article 17 of the GDPR] (right to erasure of data subjects' data.

Note: should it prove impossible to proceed with the deletion of data by virtue of the above, the Data Controller will inform the data subjects of the reasons why it is impossible to do so);

• Right to restriction of processing [Article 18 of the GDPR] (right to obtain restriction of processing, e.g., if the accuracy of the data is contested or in the event of unlawful processing);
• Right not to be subjected to automated decision-making [Article 22 of the GDPR] (right not to be subjected to a decision based solely on automated processing that produces legal effects or similarly significantly affects data subjects).

The aforementioned rights may be exercised in writing by sending an email to dpo@istitutomarangoni.com or privacy@istitutomarangoni.com.

Further information on the processing of personal data may be requested at any time via the same contact details. It should also be noted that the exercise of one's rights must not prejudice and/or infringe the rights and freedoms of others.

The Data Controller undertakes to reply to requests within a period of one (1) month, except in the case of particularly complex requests, for which it may take up to three (3) months. In any event, the Data Controller will explain the reason for the wait within one (1) month of the request.

The outcome of the request will be provided in writing (at the request of the data subject) or electronically (and, in this case, free of charge). The Data Controller specifies that a possible contribution may be requested from the data subject if your requests are manifestly unfounded, excessive or repetitive: in this regard, the Data Controller will keep track of the requests.

The Controller, in accordance with Article 19 of the GDPR, undertakes to inform the recipients to whom the data subject's personal data have been disclosed of any rectification, erasure or restriction of processing requested by the data subject, where possible.

You also have the right to object to processing based on legitimate interest (Article 6(1)(f), EU Regulation), by contacting the Controller at the contact details given in the previous paragraph.

If you believe that your rights have been compromised or infringed, or that the processing of data is contrary to the legislation in force, you have the right to lodge a complaint with the Italian Data Protection Authority in the manner indicated at the following web address: https://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-tuoi-dati-personali.

This information may be subject to change. Any substantial changes will be communicated by email or through our institutional website.