Articles 13 and 14 EU Regulation 2016/679
PremiseThe Accademia Europea di Firenze (AEF) is an International School of Italian Arts and Culture. AEF offers to its’ students formative educational programs aimed at preparing artists and professionals for the working world through a unique combination of academic excellence, cultural immersion and experiential learning. This website offers the possibility of consulting the school's educational program, proceeding with the application for enrollment, contacting the school and subscribing to the newsletter. AEF, in pursuing its objectives complies with the provisions on the protection of personal data in particular of its students, teachers, employees and all the subjects that collaborate within its activity or navigates on this site. AEF informs, pursuant to EU Regulation 2016/679 and applicable law, that:
1. Data controllerThe data controller is the Accademia Europea di Firenze srl - based in Florence Via Cavour n. 37, in the person of its legal representative pro tempore firstname.lastname@example.org. For any communication, please include in your request your contact details and the subject of the request, essential elements to be able to contact you again.
2. Type of data, purposes and legal basis, necessity of conferment and methods of data processing
TYPE OF DATA PROCESSED
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (success, error, etc.) and other parameters related to the operating system and the user's computer environment. This information is not collected in order to be associated with identified data subjects, as the data are used only for the purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning.
Data provided voluntarily by the user
To access some services reserved for users, it is necessary to register and enter some personal data. The provision of some identification data is necessary in order to authenticate and verify the legitimacy of access to the reserved areas, to the subjects that access it. The optional, explicit and voluntary sending of e-mails to the addresses indicated on this site entails the subsequent acquisition of the sender's address, necessary to respond to requests, as well as any other personal data included in the message.
The data you provide via this site may be processed in order to:
a) proceed the navigation of this website;
b) register online for the courses, their payment and for the management of the contractual relationship (including the treatment of medical certificates necessary to justify any absence of the student, that is, of particular personal data pursuant to Article 9 of the GDPR);
c) register with the site in order to receive the AEF newsletter or promotional communications relating to services offered by the Accademia Europea and / or affiliated and / or subsidiaries or commercial partners and outsourcers, without any transfer of data to third parties;
d) provide, to those who request it, through the appropriate contact form made available on the site, information relating to the services offered by AEF and its activities or also through the online chat on the website;
e) access the area reserved for partners of the Accademia Europea;
f) process statistical data of the site on the basis of anonymous data;
g) process personal data of registrees, or future registrees, in order to point out to them, nearby and available accommodation where they can possibly stay during their study period or, always for the same purpose, communicate the data of the person concerned (telephone or email) to providers of such services (companies or individuals).
The processing of your data is permitted pursuant to the provisions of art. 6 of the GDPR and in particular:
1. For the purposes referred to in points a) and f) no personal data is required from the user and any cookies used by the Data Controller do not involve any processing of personal data (Article 4 of the GDPR), as better indicated in the appropriate policy. As anonymous data, data from which it is not possible to re-identify, even indirectly, a physical person, such data are not personal data and therefore their treatment is subtracted from the application of privacy legislation and a particular legal basis is not necessary;
2. For the purposes referred to in points b), d) and e) the legal basis of the treatment is for the data of common type, as required by art. 6 paragraph 1 letter b) of the GDPR, the necessity to execute "to a contract of which the interested party is a party or to the execution of contractual measures adopted at the request of the same" the categories of data processed are common data (ex. Registry, academic, bank). For the particular data (see Article 9 of the GDPR) collected and processed according to the contract, the legal basis is the explicit consent of the interested party. For the purposes referred to in point d), the legal basis of the processing is the need to execute "a contract of which the interested party is a party or to execute contractual measures adopted at the request of the same".
3. For the purposes referred to in paragraph c) and g), specific consent will be requested to the interested party, is at any time by the latter revocable, and in this case only contact address will be asked for.
Necessity of the conferment
For the pursuit of the purposes referred to in points b), d), e) and g) the provision of data is necessary for the execution of the contract and in the absence of the indication of the necessary data requested by the Data Controller it will not be possible to execute it. For all other purposes, conferment is optional.
Method of treatment
All data will be processed in mainly electronic format. Personal data as well as any other information that can be associated, directly or indirectly, to a specific user, are collected and processed applying technical and organizational security measures that guarantee a level of security appropriate to the risk, taking into account the state of the art and implementation costs. Precisely with reference to the personal data protection aspects, the user is invited, pursuant to art. 33 of the GDPR, to report to the Controller any circumstances or events from which a potential "violation of personal data (data breach) may arise in order to allow an immediate evaluation and the adoption of any action aimed at combating such event, by sending a specific communication to the email address shown in the previous section: Contact details of the Controller. We remind you that personal data breach means, "the security breach that involves accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed". The security measures adopted by the Controller do not exempt the user from paying the necessary attention to the use, where required, of a password / PIN of adequate complexity, which must carefully guard and make inaccessible to others, in order to avoid improper use and unauthorized.
3. Categories of recipients of personal dataThe personal data provided may be disclosed to recipients, named ex art. 28 of EU Reg. 2016/679, which will process data as managers and / or as individuals acting under the authority of the Data Controller and the Data Processor, in order to comply with contracts or related purposes.
Precisely, the data may be disclosed to recipients belonging to the following categories:
- Subjects that provide services for the management of the information system and communication networks (including e-mail);
- Internal structures of the Accademia (eg Management, Administration, communication structures, enrollment etc.) or external service providers (ex. accountants, analysts, auditing or audit companies, etc.);
- Authorities competent for fulfilling legal obligations;
In no case will the data be disseminated to the public.
As foreseen by the GDPR, the Controller shall appoint as third parties responsible for the processing of personal data the third-party companies that carry out all or part of the activities in question exclusively on behalf of the Data Controller (as an example and not sole example: the company that manages the IT services of the Controller). In the case of involvement of third parties established in foreign countries with respect to the European Union, for the relative transfer of data abroad appropriate measures are adopted corresponding to the adequacy decisions issued by the European Commission and / or by the National Guarantor Authority for the protection of personal data for each specific case. Further information regarding the cases of possible transfers of data to foreign countries with respect to the European Union and the relative guarantees adopted, as well as information regarding the companies appointed as personal data processing managers, may be requested from the Controller. In the same way, for the pursuit of the purposes indicated, the Data Controller may use its own employees, who will be authorized to carry out their personal data, depending on their duties. The data provided by the interested party for the purposes referred to in paragraph g) may be communicated to the accommodation providers that should be identified by the Data Controller and the data subject consenting to the processing also accepts that the Data Controller transmits to his subjects his full name and contact information (telephone and/or email).
4. Retention periodIn compliance with the principles of the new regulation and the provisions of art. 5 paragraph 1 letter e) of Reg. UE 2016/679 the personal data collected will be stored in a form that allows identification of data subjects for a period of time not exceeding the achievement of the purposes for which the personal data are processed. Personal Data collected for the purposes referred to in points b), d), and e) will be kept for a period of 10 years from the termination of the contractual relationship, barring events interrupting the limitation period. The data collected for the purposes referred to in point c) will be retained for 24 months from the provision of consent and at the end of this period will be deleted, unless consent is renewed by the party concerned. Personal data collected for the purposes referred to in point g) will be used for as long as necessary for the pursuit of the purpose of pointing out accommodations. As this is a processing activity connected to the registration, the data collected for this purpose will be subject to the same period of retention of registration data, ie for 10 years starting from the provision of consent, barring events interrupting the limitation period.
5. Rights of the interested partiesIn relation to the processing of your personal data, the Accademia Europea informs you that, at any time, as an interested party you can exercise your rights under the GDPR. In particular, you may:
• access your personal data, obtaining evidence of the purposes pursued by the Controller, the categories of data involved, the recipients to whom they may be communicated, the applicable retention period, the existence of automated decision-making processes, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and possible consequences for the data subject, if not already indicated in the text of this Policy;
• obtain, immediately, the correction of inaccurate personal data concerning you;
• obtain, in the cases foreseen by the law, the cancellation of your data;
• obtain the limitation of the treatment or oppose the same, when admitted based on the provisions of law applicable to the specific case;
• in the cases foreseen by the law, request the portability of the data that you provided to the holder, i.e. to receive them in a structured format, commonly used and readable by automatic device, and also request to transmit this data to another owner, if technically feasible;
• if you deem it appropriate, propose a complaint to the supervisory authority.
In particular, the following rights are recognized: art. 15 - "Right of access of the interested party", 16 - "Right of rectification", 17 - "Right to cancellation", 18 - "Right to limit the processing", 20 - "Right to data portability", 21 - " Right of opposition "GDPR within the limits and under the conditions provided for by art. 12 GDPR. For the processing of personal data for which the legal basis is the consent, this may be revoked.
To exercise these rights, you must contact the Data Controller referring to the contact details given at the beginning of this Policy. In this regard, we point out that the Authority has prepared on its site a special form that you can use in whole or in part to describe what rights you intend to exercise, said form can be found at the web address: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9401345.
To receive further information regarding your rights and privacy regulations in general, we invite you to visit the website of the Authority for the protection of personal data, at http://www.garanteprivacy.it/.