Foreword
The Luiss Business School S.p.A. SB (hereinafter “LBS” or “Controller”) is a Management School of Luiss – Libera Università Internazionale degli Studi Sociali Guido Carli, and offers an advanced training model aimed at the development of training initiatives with a strong executive connotation and a large catalog of courses.
This privacy notice describes the characteristics of the processing activity undertaken by LBS in relation to the personal data of students of LBS and highlights the students’ statutory rights in this regard.
The privacy notice is periodically updated to take account of regulatory developments and new methods of processing personal data.
What personal data do we collect?
The Controller collects and processes the following personal data:
- identifying data (name, surname, place and date of birth, personal tax number and citizenship);
- contact data (residential address, e-mail address and telephone number);
- data relating to academic record;
- data relating to knowledge of foreign languages;
- data relating to employment history;
- data relating to educational interests;
- data relating to attendance at courses and feedback on educational activities.
Why do we collect your data and why is the processing lawful?
The Controller collects and processes the data subject’s personal information in pursuit of the following purposes:
- to manage, also from an administrative point of view, the relationship with the student by organizing the complex of training activities, teaching support and assessment of skills acquired, through final exams and intermediate verification tests, as well as the activities necessary for the issue of qualifications with legal value by Luiss (the legal basis for the processing lies in the contract signed between LBS and the student);
- to manage, from an accounting and tax point of view, the relationship with the registered student (the legal basis for the processing lies in the contract and the relevant law);
- to manage the possible granting of scholarships (the legal basis for the processing lies in the pre-contractual and/or contractual arrangements between the School, the student and the scholarship providers);
- to comply with the accreditation criteria provided by scholarship providers, with reference to all registered students, by communicating the information required by the call for applications to the providers concerned (the legal basis for the processing lies in the pre-contractual and/or contractual arrangements between the School, the student and the scholarship providers);
- to record the attendance of the students enrolled in the scholarships and administer questionnaires to them regarding their satisfaction with lessons, to communicate them to the grant provider (the legal bases of the processing can be found in the signed contract between the School, the student and the grant provider of the scholarship);
- to take attendance regarding scholarship holders and to administer questionnaires to them to obtain feedback about lessons, said information to be communicated to the scholarship provider (the legal bases of the processing can be found in the signed contract between the School, the student and the grant provider of the scholarship);
- to offer and manage, also through the university Luiss Guido Carli, placement and internship services (the legal basis for the processing lies in the contract signed between the School and the student);
- to send commercial communications and newsletters relating to the services offered and the initiatives promoted as well as to invite the student to take part in events or training sessions or to participate in courses pertinent to the student’s education and employment records (the legal basis for the processing lies in the consent given by the student-data subject).
How does the Controller process your personal data and how long are the data stored for?
The data subject’s personal data are processed both on paper and electronically (servers, cloud database, software, etc.). The Controller stores the data subject’s data for a period of time consistent with what the law prescribes and having regard to the time required to correctly achieve the purposes stated above.
To whom do we communicate your personal data?
Internally
The personal data of registered students can be accessed solely by the Controller’s employees and other personnel so as to provide the students with the requested services and limited solely to the data necessary to that end, in particular:
- administrative staff;
- collaborators;
- academic staff.
Our employees and other personnel have been informed and trained regarding the importance of observing the rules and principles governing the processing of personal data.
Externally
The Controller shares the personal data of registered students with some suppliers that play a role in providing the requested services and that have been specifically appointed as external Processors to that end, in particular:
- third parties whose services the Controller avails of to handle tax and accounting aspects of the relationship (for example, banks);
- third parties whose services the Controller avails of to provide insurance;
- third parties whose services the Controller avails of to manage the overall relationship with data subjects;
- third parties whose services the Controller avails of for the purposes of the granting of scholarships;
- third party scholarship providers for the purposes of correctly handling accreditation procedures.
The Controller may share the personal data of the interested parties with partners and sponsors according to specific agreements signed with the Luiss University. These entities, as independent data controllers, will submit their privacy policy and regulations to the attention of the interested parties, to fulfil all the obligations set forth in the relevant legislation. Suppliers that access data do so in compliance with applicable data protection law and the instructions given by the Controller. The Controller may not communicate personal data to third parties without the data subject’s consent unless communication is mandated by law or by the authorities:
- should such prove necessary on grounds of national security;
- for reasons of general interest;
- on foot of a request made by public authorities.
Are your data transferred abroad?
The data of the students are not transferred outside the European Economic Area. In the event that this transfer is necessary, the mechanisms provided for by Title V of the GDPR will be applied.
What are your rights as a data subject and how can you exercise them?
The European Union’s General Data Protection Regulation (GDPR) grants data subjects specific rights, in particular regarding access to data, rectification of data, objection to processing of data for commercial purposes or automated processing of data, erasure of data, restrictions on processing of data and portability of data. Data subjects are also entitled to seek redress through the Data Protection Authority.
Any data subjects wishing to exercise their statutory rights may, without formality, send an e-mail to privacybs@luissbusinessschool.it or write to the Controller at LUISS BUSINESS SCHOOL - rif. privacy, Via Nomentana 216 – 00162 – Rome, setting out their request and furnishing the information necessary to identify them. To contact the Data Protection Officer (DPO), the data subject can use the same e-mail address: privacybs@luissbusinessschool.it.
The Controller will reply within one month. Should the Controller be unable to reply by the above deadline, it will give you a detailed explanation as to why your request cannot be satisfied.