surely you have heard of the new EU Regulation on data protection (2016/679, better known as GDPR).
In compliance with articles 13 and 14 of this legislation (also referred to the national one in force), below we provide you with the information necessary to understand how the data you provide through the use of our APP is processed.
We invite you to read the document as if you were the one asking the questions shown in the following paragraphs and we will provide you with the related answers: if you have any further doubts, do not hesitate to contact us, we are here for you.
You are the Data Subject to be protected, and we want to show you our transparency in doing so.
- Who is the Data Controller of data processed on Edu Enhancement APP?
Pursuant to the art. 4, n. 7) 2016/679 EU Regulation, the Data Controller is Edu Enhancement, with registered office in Via Salvo d’Acquisto 6, Borgo San Dalmazzo, 12011, Italy, and it could be contacted at the e-mail address firstname.lastname@example.org or by phone +39 3408855648 (hereinafter “Edu” and/or the “Data Controller”).
Pursuant to the present policy, Data Subject means every User that registers a profile on the APP, has access, interacts and uses the products and/or services in the APP.
- What data is processed on Edu Enhancement APP?
On the Edu Enhancement APP, Edu process Data Subject’s data; in particular, when the User signs up, they provide:
- Personal data:
- Name and surname;
- University e-mail address;
- Password to log in into the APP;
The data processed by Edu and listed above will be jointly referred to and defined as “data“.
- For what purposes is data processed?
The processing of data provided by the Data Subject will be performed by Edu for the following purposes:
a. Contractual Purposes:
- allow the Data Subject to register a profile on the APP, have access, interact and use the products and/or services in the APP;
- fulfil the pre-contractual, contractual and tax obligations related to any relationships established with the Data Subject;
- fulfil the obligations established by law, by a regulation, by national and international legislation or by an order of the Authority (such as for example in the matter of anti-money laundering);
- exercise the rights as Data Controller, such as, for example, the right to defence in court.
b. Legitimate interest Purpose:
- for carrying out activities functional to any securitizations, assignments of credit and issue of securities, disposals of companies and business units, acquisitions, mergers, demergers or other transformations of Edu and for the execution of such operations;
- for carrying out checks aimed at preventing any fraud.
c. Marketing purposes:
- for the promotion of products and services offered by Edu, also through the sending of advertising material, commercial communications, the execution of market research and direct sales activities, both through traditional communication tools, such as paper mail, that through remote communication tools, such as email, chat, newsletter, telephone, SMS, video call, automatic call, instant message, chatbot, intelligent interactive automated communication systems, banners, social networks, search engines, notification systems and others remote communication tools.
- What are the legal bases to process the data?
The Data Controller can process the data provided by the Data Subject with the use of Edu APP because, in compliance with the conditions of lawfulness referred to the art. 6 of 2016/679 EU Regulation:
The processing of data for Contractual Purposes is mandatory: if the Data Subject does not provide such data, the Data Controller does not guarantee the correct provision of the services offered by Edu APP.
- may need to treat them for the Legitimate Interest purposes referred to in art. 3, lett. b), nos. 1) and 2), pursuing its legitimate interest or that of third parties: according to art. 6, lett. f) of the 2016/679 EU Regulation, the processing is necessary for the pursuit of the legitimate interest of the Data Controller or third parties, adequately balanced with the interests of the Data Subject in light of the limits imposed on such treatment and the specific circumstances in which the processing takes place illustrated in the same paragraph 3.
The processing of data for Legitimate Interest purposes is not mandatory and the Data Subject may object by contacting the Data Controller directly: if the Data Subject opposes said processing, his data cannot be used for Legitimate Interest purposes, except that the Data Controller demonstrates the presence of prevailing binding legitimate reasons or the exercise or defence of a right pursuant to Article 21 of the 2016/679 EU Regulation.
- does not need to process them for the Marketing Purposes referred to in art. 3, lett. c), no. 1) and can only do so with the previous consent of the Data Subject.
The processing of data for Marketing Purposes is optional and, if the Data Subject refuses his consent, he will not receive any commercial communications, will not participate in market research and will not receive communications and services adapted to his profile. The lack of consent for Marketing Purposes does not in any way affect the contractual relationships established with the Data Controller and the provision of the services offered by them.
- How is Data processed?
The processing of the data is carried out by Edu with the operations indicated in art. 4 no. 2) of the 2016/679 EU Regulation and precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
The data can be processed with manual or IT tools, suitable to guarantee its security, confidentiality and to avoid unauthorized access.
The data storage is carried out with cloud computing tools on servers located within the territory of the EU (Sweeden): for more information on the safety, compliance and compliance standards required by the GDPR adopted by the chosen external providers, consult the web page https://aws.amazon.com/it/privacy/. You can also consult the following document explaining the compliance to GDPR of AWS: https://d1.awsstatic.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
- To whom is data communicated?
Data may be disclosed for Contractual Purposes to subjects that perform services connected and functional to the management of the relationship in place or to be entered into with the Data Subject and, in particular, to the following categories of subjects located within the European Union and, within the limits set out in paragraph 7 of this statement, outside the European Union:
- service providers connected to the activities of the Data Controller;
- assistance, tax and legal advice, including debt collection companies;
- providers of IT or archiving services, such as, among others, the company that issues and manages the digital signature certificate in the event that the digital signature is used by the Data Subject to signing the contract.
Data may be disclosed for the purposes of Legitimate Interest to suppliers of assistance services, technical, tax and legal consultancy, assignees of receivables in the context of credit securitization or credit assignment operations for purposes strictly connected and instrumental to the management of the relationship with the transferred Data Subject, as well as the issue of securities, company assignees or business units, potential purchasers of the data controller and companies resulting from possible mergers, divisions or other transformations, also in the context of activities functional to these operations, and to competent authorities.
Finally, data may be communicated for Marketing Purposes to service providers such as external data processors and with the prior consent of the Data Subject, to the third parties referred to in paragraph 3, lett. c), no. 1).
The subjects indicated above may act, as appropriate, as external Data Processors or independent Data Controllers.
- Will data be transferred abroad?
Data may be freely transferred outside the national territory to countries located in the European Union,
but could also be transferred outside the European Union. (updated on 20/10/2020) Any transfer of the data related to the Data Subject to countries located outside the European Union will take place, in any case, in compliance with the appropriate and appropriate guarantees for the purposes of the transfer itself in accordance with the applicable legislation and in particular with articles 45 and 46 of the 2016/679 EU Regulation. (updated on 20/10/2020)
- What are the rights of the Data Subject?
The Data Subject, pursuant to the Articles from 15 to 22 of the 2016/679 EU Regulation, has the right to:
- obtain confirmation from the Data Controller that processing of Data concerning them is in progress;
- obtain access to Data and information relating to the processing of Data concerning them;
- obtain from the Data Controller the correction of inaccurate Data concerning them without undue delay;
- obtain the integration of incomplete Data, also by providing an additional declaration;
- obtain from the Data Controller the cancellation of the Data concerning them without undue delay;
- obtain the limitation of processing from the Data Controller:
- for the period necessary to verify the accuracy of such Data by the Data Controller, when the Data Subject disputes its accuracy;
- when the processing is unlawful and the Data Subject opposes the deletion of the Data, requesting instead that its use be limited;
- when the Data are necessary for the Data Subject to ascertain, exercise or defend a right in court, although the Data Controller no longer needs it for processing purposes;
- when the Data Subject has opposed the processing pursuant to Article 21, paragraph 1 EU/2016/679 Regulation and for the whole period in which it remains pending verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the Data Subject;
- receive in a structured format, commonly used and readable by an automatic device, the Data concerning them provided to the Data Controller;
- transmit this Data to another Data controller without hindrance by the Data Controller to whom it has provided them;
- obtain the direct transmission of Data from one Data Controller to another, if technically feasible;
- object at any time, for reasons connected with your particular situation, to the processing of the Data that concern you pursuant to Article 6, paragraph 1, letters e) or f), including profiling;
- not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects that concern them or which similarly significantly affects their person;
- propose a complaint directly to the Guarantor Authority if there is a violation of the data protection legislation by the Data Controller.
- Who are the external Data Processor?
- What is the data retention period?
Data processed by Data Controller:
- for the Contractual Purposes and Legitimate Interest Purposes set in paragraph 3, lett. b) n. 1), will be stored during:
- the use of our APP; and
- the relationship between the Data Subject and the Data Controller for any product and/or service offered (renewal included) and for 10 years from the expiration date, termination or withdrawal of the same, except in cases where storage for a subsequent period is required for any disputes, requests from the competent authorities or pursuant to applicable legislation;
- for the Legitimate Interest Purposes referred to in paragraph 3, lett. b) no. 2), will be kept for the duration strictly necessary to ensure the reliability of the checks indicated therein;
- for the Marketing Purposes referred to in paragraph 3, lett. c), no. 1) of this information, will be kept for a period equal to the duration of the Contract and/or the service offered (including any renewals) and for a maximum period equal to 24 months from the expression of the consent by the Data Subject.
- Modifications and updates