PRIVACY POLICY

Dear User,

This Privacy Policy contains information regarding the processing of your personal data resulting from browsing our web spaces and using the services made available to you through our Company's website.

You will be provided with specific and/or supplementary information on the processing of your personal data each time we collect it, during your interaction with the site or by virtue of contractual relationships established/to be established with our Company; you can consult all of them at any time by clicking on the links in the "Privacy Notices" section on our site.

Please note: This Privacy Policy does not concern web services provided by third parties, which you may use or consult and reach through hyperlinks. In this regard, we invite you to consult the privacy notices and privacy policies provided by said third parties in the appropriate locations.

DEFINITIONS

Privacy Regulations: The GDPR, the Privacy Code, the Provisions of the Data Protection Authority and in general all regulations regarding the protection of natural persons with regard to the processing of Personal Data.

GDPR or Regulation: European Union Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation).

Services or Web Services: Services provided via the internet, accessed through the website and/or any APPs.

Data Subject or Interested Party: The identified or identifiable natural person to whom the Personal Data refers pursuant to art. 4(1) of the Regulation.

User: The data subject (natural person) who browses, consults, accesses or uses the Web Services.

Personal Data: Any information concerning an identified or identifiable natural person pursuant to art. 4(1) of the GDPR. This includes, where applicable, data provided by the User through forms present within individual areas of the Services, as well as browsing data and online identifiers (such as IP addresses and cookies), insofar as they allow, even indirectly, the identification of the data subject.

Browsing data: Data automatically acquired by computer systems and software procedures responsible for the operation of Web Services during their normal operation, the transmission of which is implicit in the use of Internet communication protocols. Such data, although not collected to be associated with identified data subjects, may by their very nature allow the identification of users through processing and association with data held by third parties. This category includes, by way of example, IP addresses, device identifiers, URIs (Uniform Resource Identifiers) of requested resources, the time of the request, the method used to submit the request to the server and other parameters relating to the user's operating system and computer environment. If browsing occurs after authentication (log-in), such data may be associated with the user's personal account.

Browsing data includes, by way of example:

IP addresses or domain names of computers used by users connecting to the site;
URI (Uniform Resource Identifier) addresses of requested resources;
time of request;
method used to submit the request to the server;
size of the file obtained in response;
numerical code indicating the status of the server's response (success, error, etc.);
other parameters relating to the User's operating system and computer environment.

Data provided by the User: This is data that the User voluntarily and consciously transmits by sending communications (e.g., via email, to addresses within the web domain) or by filling out appropriate forms, where present within the spaces provided by the Services. Data provided by the User is limited to what is strictly necessary for the purposes pursued by the requested Services. Examples of such data include:

identification data: nationality, name, surname, date of birth, address of residence and/or domicile, data on identity documents;
contact data: email and/or landline and/or mobile phone number;
other data relating to educational background such as qualifications and secondary school of origin;
data relating to the educational outcomes, intermediate and final, of the data subject, their portfolio and academic data;
geolocation data (if the User has consented to the collection of data relating to their location);
concerning the use of individual Services made available to the User;
concerning facts and circumstances set out by the User in their messages;
image of the data subject in passport photo attached to the enrollment form;
photographs and video recordings possibly depicting the data subject and collected during events organized by the Data Controller (info/open-days, masterclasses, workshops, etc.).

The Data Controller may also collect and process the following special categories of Personal Data pursuant to art. 9 of the GDPR, where provided by the Data Subject:

health data: found in any certificates, clinical examinations, surgeries, hospitalizations made available by the Data Subject to the Data Controller or requested by the latter for purposes related to the management of the contractual relationship (for example, regarding the justification of absences and the verification of the existence of specific learning disorders (DSA) or other conditions) and compliance with current regulations and specific health protocols for the containment of any health emergencies operating at the Data Controller's premises.

DPO: The Data Protection Officer, if appointed by the Data Controller. The interested User may request clarification regarding the processing of Personal Data or exercise their rights by contacting the DPO, in the manner and forms indicated in the section "How to exercise rights and/or request information on processing".

Data Protection Authority: The Italian Data Protection Authority, i.e., the national supervisory authority for the protection of personal data. Visit the Data Protection Authority website.

Cookies: Cookies are information stored on your device (e.g., in your browser memory) when you visit a website or use a web application. Each Cookie may contain various data, such as the name of the server it comes from, a numerical identifier, etc. Consult the Cookie Policy for more information.

Data Controller: The entity that decides on the purposes and methods of processing Personal Data. With reference to Web Services, the Data Controller is Accademia Italiana, with registered office at Piazza Pitti 15, 50125 Florence (Italy). You can contact the Data Controller by writing to the above address or by sending an email to: [email protected].

INFORMATION ON THE PROCESSING OF USER'S PERSONAL DATA

Below we provide useful information regarding the processing of Personal Data carried out through the Web Services. In particular, we wish to inform you:

of the contact details of the Data Protection Officer (DPO), if appointed;
of the categories of Personal Data processed through the Web Services;
of the purposes for which such Personal Data are processed from time to time;
of the legal bases that legitimize the processing of the aforementioned data;
of the duration of their retention;
of the categories of recipients of the data communication.

Summary table of data processing

Categories of Personal Data	Purpose of processing	Legal bases	Data retention periods
Browsing data / IP Address / technical and analytics cookie management	Enable web browsing and provision of Services	Necessity to perform a contract to which the data subject is party or to provide Services upon request	For the duration of browsing within the Services
	Obtain anonymous statistical information on the use of Web Services, solely to verify their correct functioning	Legitimate interest of the Company	Data collected is aggregated and no longer traceable to the individual user who browsed
	Ensure security and proper functioning of Web Services; ascertain any liability in case of hypothetical crimes; protect the Company's rights; analysis and problem resolution	Legitimate interest of the Company / Consent	According to IT security policies and subsequently for the time strictly necessary for any investigations, dispute resolution and protection of Company rights (maximum 12 months)
Data provided by User: provision of Web Services	Access to reserved area and functionalities connected to Web Services provision. Updating personal data. Sending and managing applications. Course enrollment, execution of service contract. Administrative and accounting management. Managing interviews requested by Data Subject. Sharing identification data with other schools in the group. Internal statistics. Consent management.	Necessity to perform a contract. Necessity to execute requests made by Data Subject (pre-contractual phase). Legitimate interest of Data Controller.	The time strictly necessary to provide Services. For Services connected to a contractual position, Personal Data may be retained for additional time for administrative-accounting purposes (generally, maximum 10 years).
	Information requests. Sending informational brochures.	Necessity to execute requests made by Data Subject (pre-contractual phase) or legitimate interest of Data Controller.	The time necessary to provide response and in any case maximum 24 months.
	Participation in events organized by the Company (masterclasses, workshops, etc.). Job placement services upon request. Communication of educational outcomes data. Sharing of identification data and photographs/videos with other schools in the group.	Consent	24 months from cessation of relationship with Company or until consent withdrawal
	Commercial and promotional communications, newsletters or content on educational activities, events, promotions, cultural initiatives (marketing purposes).	Consent	24 months from cessation of relationship with Company or until consent withdrawal
Health data	Manage contractual relationship (e.g., justification of absences). Verify existence of DSA or other conditions. Implement health protection protocols.	Consent	Maximum 5 years from cessation of relationship with Company.

Mandatory nature of data provision

The provision of your Personal Data is free and optional. However, we remind you that for the pursuit of certain purposes (to provide you with appropriate responses or for the provision of Services) it is essential; if not provided, in such cases, it may not be possible to proceed with the pursuit of said purposes.

Failure to provide your Personal Data (and related consent) for marketing purposes does not affect the other Services requested.

Processing methods and recipients of Personal Data communication

The Data Subject's Personal Data will be:

collected through manual, computerized and telematic tools;
recorded and stored by the Data Controller in digital format on cloud servers possibly located at third-party data processors, but in any case in Europe;
processed automatically only for sending email messages for the purposes indicated.

In relation to the purposes indicated, the processing of Personal Data will take place for the mere achievement of the purposes themselves and, in any case, in a manner that guarantees their security and confidentiality, in compliance with art. 32 of the GDPR regarding security measures.

The Data Controller may:

communicate the Data Subject's Personal Data only to third parties who collaborate with the Data Controller and who, as data processors pursuant to art. 28 of the GDPR, are responsible for processing specific phases of processes necessary for the proper performance of the Data Controller's activities;
communicate Personal Data to third parties to fulfill legal obligations or to comply with orders from public authorities, including the judicial authority.

Images and recordings collected by the Data Controller are subject to dissemination exclusively through public pages of corporate web channels, the Company's official website and social platforms or the official website and platforms of the AD Education international network of which the Data Controller is a partner.

Security and transfer of Personal Data to third countries

For the storage and management of certain Personal Data, the Data Controller uses Google Workspace for Education services, adopted with specific technical and organizational security measures.

Any transfers of Personal Data to third countries connected to the provision of services take place in compliance with articles 44 et seq. of the GDPR, on the basis of appropriate safeguards, such as: (i) the European Commission's adequacy decision relating to the EU-US Data Privacy Framework, and/or (ii) Standard Contractual Clauses adopted by the European Commission.

COOKIES

Web Services may use technical, analytical and profiling cookies, both first-party and third-party. Cookies are essential for improving Services and providing products in line with Users' preferences. Any use of profiling cookies and/or third-party cookies will always be subject to your prior consent.

For more information, consult the Cookie Policy.

Rights of the Data Subject

Pursuant to articles 15 et seq. of the GDPR, as a Data Subject you have the right to request from the Data Controller: access to your Personal Data, rectification or erasure thereof or restriction of processing concerning you, objection to processing, data portability, withdrawal of consent at any time without affecting the lawfulness of processing based on consent given prior to withdrawal.

Right	What does it consist of?	Prerequisites for exercise
Access to data	The Data Subject may request from the Data Controller: confirmation that data concerning them is being processed; a copy of data concerning them; information regarding data processing.	The Data Subject may always submit such request
Rectification or integration of data	The Data Subject may request the Data Controller to rectify, update, modify the Personal Data processed	Where the data processed is inaccurate or incomplete
Erasure of data	The Data Subject may request the Data Controller to erase the Personal Data being processed	Personal Data is no longer necessary; Data Subject withdraws consent; Data Subject objects to processing; Personal Data has been unlawfully processed; Personal Data must be erased to comply with a legal obligation
Restriction of processing	The Data Subject may request the Data Controller not to carry out, except for storage only, any processing operation on their Personal Data	Data Subject contests accuracy of Personal Data; processing is unlawful; Personal Data is necessary for Data Subject's defense in court
Objection to processing	The Data Subject may object to processing based on legitimate interest (including sending promotional communications)	There must be grounds connected to the Data Subject's particular situation
Data portability	The Data Subject has the right to receive in a structured, commonly used and machine-readable format the Personal Data concerning them	Personal Data was provided by Data Subject; processing is based on consent or contract; processing is carried out by automated means
Withdrawal of consent	The Data Subject may withdraw consent given. Withdrawal does not affect the lawfulness of processing carried out until that moment	Always

The above rights may be exercised by written request sent, without any formality, to the dedicated email address [email protected] or at the Data Controller's premises.

The Data Controller will respond to your request without undue delay and, in any case, within the legal time limits.

Without prejudice to any other administrative or judicial remedy, if as a Data Subject you believe that the processing concerning you violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you habitually reside, work or where the alleged violation occurred pursuant to art. 77 of the GDPR (the Italian supervisory authority is the Data Protection Authority).

Contact

Data Controller: Accademia Italiana

Registered office: Piazza Pitti 15, 50125 Florence (Italy)

VAT: 04705910489

Email: [email protected]

Website: https://www.accademiaitaliana.com