Privacy Policy

PRIVACY POLICY

SITO WEB “SUMMER SCHOOL”

 

This Privacy Policy is drafted pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter, the “Regulation” or “GDPR”) in order to provide information on how personal data are processed by Università Campus Bio-Medico di Roma (hereinafter also referred to as the “University”) in relation to the use of the website summerschool.unicampus.it (hereinafter, the “Website”).

The processing of personal data concerns both simple browsing of the Website and access to the services available, including the possibility of purchasing Summer School programs dedicated to students in the penultimate and third-to-last years of secondary school. Within this process, personal data of students and, in the case of minors, those of individuals exercising parental responsibility may also be processed, as necessary to complete the purchase, finalize registration, and enable participation in the Summer School organized by the University.

This Privacy Policy refers exclusively to the Website and does not extend to any third-party websites accessible via links on the Website; for such websites, please refer to their respective privacy policies.

 

***

1. 1. Data Controller and Data Protection Officer

The Data Controller is Università Campus Bio-Medico di Roma (hereinafter “UCBM” or the “University” or the “Controller”), with its registered office in Rome, Via Álvaro del Portillo no. 21. 21.

The Data Protection Officer (hereinafter the “DPO”) can be contacted at the following addresses:

• by email: [email protected];
• by regular mail: Università Campus Bio-Medico di Roma, Via Álvaro del Portillo no. 21, ZIP Code 00128 Rome (RM), Italy – to the attention of the Data Protection Officer.

2. Personal Data Processed And Source Of Data

 

We inform you that, by using the Website, the Controller may collect and process information and personal data relating to you. In particular, the personal data processed include:

 

a) Browsing data

 

The Controller processes personal data collected during your navigation of the Website. The IT systems and software procedures used to operate the Website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected to be associated with identified individuals, but by its nature could, through processing and association with data held by third parties, allow users to be identified. This category includes IP addresses, domain names of users’ devices, URI addresses of requested resources, request time, method used to submit the request, size of the file obtained, server response status codes, and other parameters relating to the user’s operating system and IT environment.
These data are used solely to obtain anonymous statistical information on Website use, to check its correct functioning, and to identify anomalies and/or abuses. They are normally deleted after processing, except where needed to ascertain responsibility in case of cybercrimes.

 

b) Data voluntarily provided by you

This Privacy Policy also applies to personal data provided by users through contact forms on the Website. These may include:
identification data (name, surname)
contact details (email address, phone number)
educational information (school year, school attended)
information on how the user became aware of the University
selected Summer School course and additional notes

Users are advised to provide only necessary data and not to disclose special categories of personal data (Art. 9 GDPR), such as health data, ethnic origin, political opinions, religious beliefs, or sexual orientation. Any irrelevant data will be promptly deleted.

If users provide third-party data, they are responsible for ensuring compliance with data protection laws and agree to indemnify the University against any claims.

 

c) Cookies

 

For more information on personal data processed through cookies and similar tools, please refer to the Cookie Policy.

d) Data processed for online services

 

This includes data provided for:
registration and access to the personal area
purchase of Summer School courses
registration for Summer School Open Day

Processed data may include:
personal and contact data (name, surname, username, date of birth, email, phone)
login credentials
billing and shipping details
student data (including tax code, nationality, gender, residence, school details)
course preferences and participation mode (in-person/remote)

During Summer School activities, images and videos of students may be collected.

Special categories of data (e.g., health conditions, allergies, disabilities, learning disorders) may also be processed to ensure appropriate support.

Data of parents/guardians are also processed for purchase completion.

Payment data are processed directly by banks or PayPal, acting as independent controllers. The University only receives confirmation of payment.

3. Purposes, Legal Basis, And Nature Of Data Provision

Your personal data will be processed for the following purposes

a) to enable browsing of the Website, registration in the reserved area, and access to all services offered by the Controller, including, by way of example and not limitation, the online purchase of Summer School courses, the management of contractual and administrative-accounting relationships, as well as the provision of after-sales services. The processing also includes the measures necessary to ensure the security of the Website;

b) to respond to specific requests submitted by users through the contact form available on the Website;

c) to effectively manage the organization and participation in the University’s Open Day and Summer School courses, ensuring proper administration of teaching activities, services offered, and scheduled events. The processing also includes the management of meals during the Summer School and the sending of service communications strictly necessary for the proper conduct of the course;

d) to promote inclusion and ensure equal access to Summer School courses for students with disabilities or specific learning disorders (SLD), by providing appropriate support services and personalized assistance, so that all students can fully benefit from the educational experience.

 

The processing of personal data for the purposes indicated in points a), b), and c) is based on Article 6(1)(b) of the GDPR, as it is necessary for the provision of services requested by the user through the Website, to respond to requests submitted via contact forms, and to ensure proper participation in the Summer School by registered students.

Any processing of special categories of data pursuant to Article 9 of the GDPR, provided by the user when reporting allergies or food intolerances, is based on the user’s explicit consent pursuant to Article 9(2)(a) of the GDPR. Where health-related data concern a minor, consent must be provided by the holder of parental responsibility. It is specified that consent given for the processing of such data may be withdrawn at any time, without affecting the lawfulness of the processing carried out prior to withdrawal.

The legal basis for the processing of special categories of data for the purpose indicated in point d) is set out in Article 9(2)(g) of the GDPR and Article 2-sexies, paragraph 2, letter bb) of Legislative Decree no. 196/2003 (“Privacy Code”), as such processing is necessary to provide support to students with disabilities or SLD, within a task carried out in the public interest recognized by Union or Member State law.

The provision of personal data for the purposes indicated in points a), b), c), and d) is optional; however, in the absence of such data, the Controller may not be able to ensure the proper use of the Website and access to the available services, including the possibility of purchasing and participating in the Summer School course organized by the University.

 

Once provided, personal data may also be processed for the following purposes:

 

e) to send promotional and marketing communications relating to current and future initiatives promoted by the University, including the sending of newsletters concerning the University’s educational offer, professional training and educational activities (e.g., postgraduate courses, internships, and training activities within specialization schools), invitations to events and initiatives, the conduct of market research and surveys, and satisfaction questionnaires, through both automated tools (SMS, MMS, email, automated calling systems without an operator, use of social networks, WhatsApp) and non-automated tools (postal mail, telephone with an operator);

f) to analyze your personal data, including aspects relating to your educational background, your personal preferences, and your interests, in order to create a profile of you and send you personalized promotional communications more in line with your needs and profile;

The legal basis for the processing of your Personal Data for the purposes referred to in points e) and f) is Article 6(1)(a) of the Regulation, namely the specific consent given by the data subject for each individual purpose.

You may withdraw your consent pursuant to Article 7 of the GDPR at any time without affecting the lawfulness of the processing based on consent before its withdrawal.

It should be noted that, for direct marketing purposes, the Controller collects a specific consent covering both the use of automated and non-automated tools, in accordance with the General Provision of the Italian Data Protection Authority “Guidelines on promotional activities and combating spam” of July 4, 2013. Therefore, you may exercise your right to object pursuant to Article 21 of the Regulation or withdraw the consent given pursuant to Article 7 of the Regulation, even partially, for example by objecting to or withdrawing consent only to communications sent through automated means.
If you wish to object to the processing of your data for the above purposes, you may do so at any time by contacting the DPO using the contact details indicated in paragraph 1 of this notice or by using the link provided at the bottom of each such email.

We also inform you that you have the right to object at any time and without providing any justification to the processing of personal data for the profiling purpose referred to in point f).

g) for the direct sending by the University, via email, of commercial communications, advertising and promotional material for the direct sale of services similar to those you have already purchased, without your consent, pursuant to Article 130(4) of the Privacy Code and Article 6(1)(f) of the GDPR. Pursuant to Article 21 of the GDPR, you may object to the processing of your data for this purpose at any time, either initially or on the occasion of subsequent communications, easily and free of charge, including by writing to the DPO at the contact details indicated in paragraph 1 of this notice or by using the link included at the bottom of each such email communication;

 

h) subject to your consent and in compliance with the dignity and decorum of the minor, to take photographs and audio/video recordings during the delivery of Summer School activities and for their publication and dissemination through the University’s institutional communication channels, including, by way of example and not limitation, institutional websites, social media, television, communication channels and/or any other means of dissemination, whether currently known or developed in the future, including the Internet or other telematic networks, for the purpose of promoting and disseminating the University’s initiatives; the provision of the minor’s personal data for this purpose is optional, and failure to provide such data will prevent the Controller from taking photographs and/or audio-video recordings depicting the minor and from publishing them through the above-mentioned channels, but will not in any way prevent participation in the Summer School.

The legal basis for the processing of the minor’s personal data for the purpose referred to in point h) is the consent pursuant to Article 6(1)(a) of the Regulation given by the data subject or by the person exercising parental responsibility. The consent given may be withdrawn at any time pursuant to Article 7 of the Regulation, without affecting the lawfulness of the processing carried out prior to withdrawal;

i) to comply with obligations laid down by applicable laws, regulations, or EU legislation binding on the Controller, or to respond to requests from competent Italian, European and/or international authorities, pursuant to Articles 6(1)(c) and 9(2)(g) of the GDPR and Article 2-sexies, paragraph 2, letter bb) of the Privacy Code;

 

j) to establish, exercise, or defend a legal claim in judicial proceedings pursuant to Articles 6(1)(f) and 9(2)(f) of the GDPR.

 

4. 4. Recipients Of Personal Data
   

 

Your personal data may be shared, for the purposes indicated above, with the following parties (the “Recipients”):

 

i) entities that, in providing services to the University, process personal data on its behalf, typically acting as data processors pursuant to Article 28 of the Regulation; the full list of data processors is available upon written request to the DPO at the contact details indicated in paragraph 1 of this notice;

 

ii) entities, bodies or authorities, acting as independent data controllers, to whom it is necessary to communicate your data in order to carry out activities strictly related to the aforementioned purposes;

 

iii) persons authorized by the Controller, pursuant to Articles 29 and 32 of the Regulation and Article 2-quaterdecies of Legislative Decree no. 196/2003 (the so-called “Privacy Code”), to process personal data necessary to perform activities strictly related to the proper management and delivery of guidance programs, who have committed to confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g., administrative staff, teachers, secretarial staff, etc.).

 

These parties are hereinafter collectively referred to as the “Recipients.”

 

5. 5. Data Transfers

Your Personal Data will not be shared with Recipients located outside the European Economic Area. Should this occur, the Data Controller ensures that your Personal Data will be processed in compliance with the law or according to one of the methods permitted by law pursuant to Articles 44-49 of the GDPR, such as the data subject’s consent, the adoption of Standard Clauses approved by the European Commission, the selection of entities participating in international programs for the free movement of data, in compliance with the provisions of Recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board. Further information regarding the data transfers performed and the safeguards adopted for this purpose can be obtained from the DPO using the contact details provided in paragraph 1 of this Privacy Policy.

7. 6. Retention Of Personal Data

Personal data processed for the purposes indicated in paragraph 3, letters a), b), c), and d) of this Privacy Policy will be retained for the time strictly necessary to achieve those purposes, in accordance with the principles of minimization and storage limitation set out in Article 5(1)(c) and (d) of the Regulation.

 

Personal data, in particular identification and contact data, processed for the purposes referred to in paragraph 3, letter e) of this Privacy Policy will be processed until you withdraw your consent pursuant to Article 7 of the Regulation and/or until you object to the processing pursuant to Article 21 of the Regulation. Please also note that personal data relating to the details of products/courses purchased and services used, as well as your profile, will be retained for this purpose for a period of 24 (twenty-four) months from their registration, without prejudice to any earlier withdrawal of consent.

 

For the purpose referred to in paragraph 3, letter f) of this Privacy Policy, your identification and personal data will be processed until you withdraw your consent pursuant to Article 7 of the Regulation and/or until you object to the processing pursuant to Article 21 of the Regulation. Please note that personal data relating to the details of products purchased and services used, as well as data relating to your profile, will be processed and retained for this purpose for a period of 12 (twelve) months from their registration.

 

Personal identification and contact data processed for the soft-spam purpose referred to in paragraph 3, letter g) of this notice will be retained until you object to such processing through the link provided at the bottom of each soft-spam email or through the other methods indicated in paragraph 8 of this notice. Please also note that personal data relating to Summer School courses and purchased services, processed within the scope of defining soft-spam communications referred to in letter g), paragraph 3 of this notice, will be retained for this purpose for a period of 12 (twelve) months from their registration, without prejudice to any earlier objection to the processing.

 

In the case of photographs and video recordings processed for the purposes referred to in paragraph 3, letter h) of this Privacy Policy, such data will be retained for as long as there remains an interest in their storage in the University’s archives for its own promotional/institutional purposes, unless consent is withdrawn earlier.

 

 

Personal data processed for the purposes referred to in paragraph 3, letter i) of this Privacy Policy will be retained for the period required by the specific applicable legal obligation or regulation.

 

The Controller also reserves the right to retain personal data for the time necessary to establish and exercise its rights and/or to meet any defensive needs in judicial proceedings, as well as in out-of-court proceedings and in the stages preceding litigation.

 

Further information regarding data retention periods and the criteria used to determine such periods may be requested by writing to the DPO at the contact details indicated in paragraph 1.

 

 

8. 7. Data Subject Rights

As a data subject, you may, at any time, exercise the following rights:

• Right to withdraw consent (Art. 7 GDPR) – You have the right to withdraw any consent given at any time, without affecting the lawfulness of processing carried out prior to the withdrawal;
• Right of access (Art. 15 GDPR) – You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, as well as the right to receive any information relating to such processing;
• Right to rectification (Art. 16 GDPR) – You have the right to obtain the rectification of your personal data if they are incomplete or inaccurate; please note that, with regard to personal data collected through audio and video recording systems, the right to rectification cannot in practice be exercised due to the intrinsic nature of such data, which relate to an objective and determined fact;
• ìRight to erasure (Art. 17 GDPR) – In certain circumstances, you have the right to obtain the erasure of your personal data held in our records;
• Right to restriction of processing (Art. 18 GDPR) – Where certain conditions are met, you have the right to obtain the restriction of the processing of your personal data;
• Right to data portability (Art. 20 GDPR) – You have the right to obtain the transfer of your personal data to another data controller, as well as to receive the data concerning you in a structured, commonly used, and machine-readable format;
• Right to object (Art. 21 GDPR) – You have the right to object to the processing of your personal data by providing reasons justifying the objection; the Controller reserves the right to assess such request, which may not be accepted where there are compelling legitimate grounds for processing that override your interests, rights, and freedoms. You also have the right to object at any time and without any justification to the sending of promotional and marketing communications carried out through automated and non-automated tools. With regard to such communications, you may also exercise this right partially, for example by objecting only to communications sent through automated tools. We also inform you that you have the right to object at any time and without any justification to profiling;
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) – In the manner indicated in the following paragraph, if you believe that the processing concerning you violates data protection legislation, you may lodge a complaint with the supervisory authority of the Member State in which you habitually reside, work, or where the alleged violation occurred;
• Right to an effective judicial remedy (Art. 79 GDPR).

 

To exercise the above rights, you may write to the DPO at the registered office in Rome, Via Álvaro del Portillo no. 21, for the attention of the Data Protection Officer, or by email at [email protected].

9. Minors

If the user is under 16 years of age, it is recommended not to use the website contact forms, as data relating to minors must be provided by those exercising parental responsibility. If such data are provided directly by the data subjects, the data thus collected will be deleted and will not be processed in any way.

We do not knowingly collect personal information from minors under the age of 16, and therefore assume no responsibility in this regard.

 

 

10. Changes

The Controller reserves the right to amend or simply update the content of this Privacy Policy, in whole or in part, also as a result of changes in applicable legislation. The Controller therefore invites you to regularly visit this section in order to review the most recent and updated version of the Privacy Policy, so as to remain informed about the data collected and how they are processed by the Controller.