1. Privacy Policy

Università Vita-Salute San Raffaele, with registered office located in Milan, Via Olgettina no. 97187560152 (hereinafter referred to as “UniSR”) undertakes to constantly safeguard the privacy of its users. This information notice is aimed at disclosing the privacy policy implemented by UniSR in order to: (i) explain to the users the terms and conditions pursuant to which their personal data are processed; and (ii) allow the users to provide their explicit and conscious consent to the processing of their personal data. The above in compliance with the provisions set forth under both Article 13 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “Regulation”) and the Italian Legislative Decree 30 June 2003, no. 196 (hereinafter referred to as “Privacy Code”).

The information and the personal data supplied or otherwise collected shall be processed in accordance with the provisions of both the Regulation and the Privacy Code and in compliance with the confidentiality obligations inspiring UniSR activity.

According to the provisions of both the Regulation and the Privacy Code, any processing of personal data carried out by UniSR shall be lawful, fair and transparent and shall be consistent with the following principles: limitation of scopes and conservation, minimization of data, exactness, integrity and confidentiality.

2. Data Controller and Data Protection Officer

The controller of the personal data is Università Vita-Salute San Raffaele.

According to (i) Article 37 of the Regulation and (ii) the CODAU Guidelines, by resolution of the Board of Directors dated 22 January 2018, UniSR appointed GSD SISTEMI E SERVIZI S.C.A.R.L., with registered office located in Milan, Corso di Porta Vigentina no. 18, VAT no. 06959200962 (hereinafter referred to as “GSD”), as data protection officer (hereinafter referred to as the “DPO”).

The professional indicated by GSD for the purposes of the carrying out of the DPO activities is Mr. Gabriele Tettamanti.

The DPO is available for any information regarding the data processing carried out by UniSR.

The contact details of the Data Processor and of the DPO are the following: privacy@unisr.it

3. Purposes of the processed data

The personal data collected by UniSR will be processed for institutional purposes only and, in particular, for the purposes of all fulfilments necessary for the full implementation of UniSR scopes in compliance with the Regulation and the Privacy Code as well as with the aforementioned principles of

limitation of scopes and conservation, minimization of data, exactness, integrity and confidentiality in connection with the institutional purposes for which such data are processed.

For security and prevention against frauds purposes only, the Data Processor implemented all necessary data protection instruments.

The processing does not imply and automation decisional process (including profiling).

4. Legal basis – voluntary or mandatory processing

Please find below the main legal provisions justifying the data processing of sensitive and judicial personal data: Royal Decree no. 1592/1933 and subsequent amendments; Royal Decree no. 1269/1938 and subsequent amendments; Presidential Decree no. 382/1980; Law no. 168/1989;   Law no.  398/1989; Law no. 341/1990; Law no.  390/1991; Law no.  104/1992; Ministerial Decree no. 224/1999; Italian Legislative Decree no. 445/2000; Law no.  148/2002; Ministerial Decree no. 270/2004; Presidential Decree no. 334/2004; Ministerial Decree no. 142 of 25/3/1998 and Law 24 giugno 1997, no. 196; Presidential Decree 9 April 2001; Law no. 14 February 2003, no. 30; Contratto Istituzionale Socrates Erasmus; By-laws, UniSR Regulations; Regional Laws in force.

5. Transfer of personal data

The personal data collected online by UniSR shall not be transferred to any third country.

6. Keeping of personal data

Personal data processed according to Paragraph 4. above shall be kept for the time strictly necessary to achieve the purposes for which such data have been collected. Considering that the personal data are collected for UniSR institutional scopes only, UniSR shall process the personal data for up to the time limits provided under applicable laws. As an exemple, traffic data could be kept, for judicial reasons, for a period up to 6 years starting from their creation.

Further information request in respect to the above can be addressed to the Data Controller and the DPO.

Rights of the data subject

At any time you are entitled to ask UniSR to have access to your personal data, to modify or cancel the same or to object to their processing according to Article 20 of the Regulation. You are further entitled to request for a restriction of processing  according to Article 18 of the Regulation, and for the portability according to Article 20 of the Regulation.

Any request should be addressed in writing to the DPO.

You are always entitled to make a claim before the competent supervisory authority (Garante per la Protezione dei Dati Personali) according to Article 77 of the Regulation, should you consider any data processing being in breach of the applicable laws.

Amendments

This privacy policy applies as of 25 May 2018. UniSR shall have the right to totally or partially amend or update its contents, also as a consequence of any amendment regarding applicable laws. Should any amendment to this privacy policy trigger substantial modifications in the data processing or modifications that could have a relevant impact over the interested parties, UniSR shall notify such amendments to such interested parties.