Privacy Notice
INFORMATION ON THE PROCESSING OF PERSONAL DATA – WEBSITE AND SOCIAL MEDIA
Pursuant to Articles 13 – 14 of EU Regulation 2016/679
With this information notice, we provide you with the information required by Regulation (EU) 2016/679 of 27 April 2016 (hereinafter, the “GDPR”) regarding the processing of Data, as defined below, collected through the website https://www.isturin.it/it and its related subdomains (hereinafter, the “Website”) by the International School of Turin, with registered office at Strada Pecetto 34 – 10023 – Chieri (TO), as the data controller (hereinafter also referred to as the “Controller” or the “School”), and through the School’s pages on social networks (hereinafter, the “Social Media”), as well as, more generally, in all activities described in this Information Notice.
This Information Notice may be modified, supplemented, or updated periodically, also in consideration of any changes in applicable legislation or measures issued by the Data Protection Authority and/or the European Data Protection Board. Substantial changes and updates to this Notice will be communicated to the data subjects as soon as they are adopted, by updating the link to the Privacy Notice in the footer of the Website and via email communications. Therefore, data subjects are encouraged to consult this Information Notice regularly to be informed of its latest updated version, ensuring they are always aware of the methods of collection and processing of their personal data.
The processing of personal data carried out for the pursuit of the Controller’s institutional purposes, including the admission and enrollment procedures at the School as well as within the scope of student services, is described in the “Information Notice – Students and Parents”, which is shared with families and available at the School.
Similarly, the processing of data carried out for the purposes of staff recruitment and selection is described in a specific notice, also available in the “Work with Us” section of the Website.
1. WHICH PERSONAL DATA CONCERNING YOU MAY BE PROCESSED
For the purposes of this information notice, all information relating to you that is suitable to directly or indirectly identify you (hereinafter collectively referred to as “Personal Data” or “Data”), including, where applicable, Special Categories of Data as defined below and within the limits specified herein, is considered Personal Data. These Data are described in more detail below:
· Contact data, such as first name, last name, residential address/address of domicile, any affiliated organization, email addresses, and any other contact details you may have voluntarily provided when requesting information from the School (hereinafter, “Contact Data”);
· Data regarding your use of the Website, such as pages visited, your choices regarding cookies, technical connection data (including IP addresses or domain names of the computers used to connect to the Website, URI addresses of requested resources, time of the request, method used to submit the request to the server, file size obtained in response, numeric code indicating the status of the server’s response, etc.), including information collected through cookies, for which the notice is available on the Website (hereinafter, “Usage Data”);
· Data related to Social Media accounts you may use to access Social Media, as well as other data you have provided to such social networks, which may be shared based on the privacy settings you have configured on them (hereinafter, “Social Data”);
· Other data, not related to contact, that you may have voluntarily transmitted when submitting requests, including requests for information, to the School (hereinafter, “Other Data”).
The Personal Data processed by the School for the purposes described below will generally not include personal beliefs, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information relating to health, sexual life, or sexual orientation (hereinafter, “Special Categories of Data”). Furthermore, as a rule, the Data processed will not include any criminal convictions and/or offenses that may have been committed, as evidenced by criminal record certificates and/or other appropriate documents (“Data relating to Criminal Convictions and Offenses”). In the event that it becomes necessary to process Special Categories of Data and/or Data relating to Criminal Convictions and Offenses, the School will process such data in accordance with applicable law.
The School may need to process, within the scope of its institutional purposes, data relating to your family members, whether minors or adults (such as, for example, their personal details and/or contact information – hereinafter, “Family Data”), to which this information notice applies, where relevant. It is your responsibility to communicate the contents of this information notice to your family members.
2. FOR WHAT PURPOSES YOUR PERSONAL DATA MAY BE USED AND ON WHAT LEGAL BASIS
Your Data will be processed for the following purposes:
a. Use of the Website
Your Usage Data will be processed by the School to ensure the proper functioning of certain features of the Website and to analyze web traffic related to the Website, also to improve your experience and that of other users.
Legal basis for processing: The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the data subject’s request (Art. 6(1)(b), GDPR).
Providing Usage Data is mandatory with regard to data processed through so-called “technical cookies” (as further described in the Cookie Policy) and technical connection data. It is optional with respect to any additional Usage Data that depend on your consent to the installation of cookie categories other than “technical cookies.” Failure to provide such optional data may make it more difficult for the School to analyze web traffic on the Website.
b. Analysis of Website Usage
Your Usage Data will be processed by the School to analyze web traffic on the Website, also to improve your experience and that of other users.
Legal basis for processing: Consent of the data subject (Art. 6(1)(a), GDPR). Providing Usage Data that depends on your consent, as requested through the Website’s “cookie banner,” is optional. Failure to provide such optional data may make it more difficult for the School to analyze web traffic on the Website.
c. Requests for information / interactions, including on Social Media
Your Contact Data and Other Data will be processed to provide you with assistance in relation to your interactions with the School and/or to respond to your requests for information or reports, including those submitted via the Website’s forms.
Furthermore, if you interact with the School’s Social Media pages, your Social Data will be processed solely to manage such interactions (likes, comments, posts, messages, etc.) and/or to respond to requests submitted via the Social Media themselves.
Legal basis for processing: The legitimate interest of the School in managing relationships with users (Art. 6(1)(f), GDPR). Providing Contact Data and Other Data is optional, but failure to provide them will prevent the School from providing assistance and/or responding to your requests.
d. Management of Visits
Your Contact Data and Other Data will be processed to allow the Controller to manage and organize visits, including by appointment, to its premises.
Legal basis for processing: The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the data subject’s request (Art. 6(1)(b), GDPR). Providing Personal and Contact Data is optional, but failure to provide them may prevent the Controller from allowing you to visit its premises.
e. Institutional / service communications
Your Contact Data will be processed for institutional/service communication purposes, for example, to notify you of updates to contractual conditions, websites, or information notices.
Legal basis for processing: The legitimate interest of the School in managing relationships with users (Art. 6(1)(f), GDPR). In this case, you are not required to provide new or specific data, as the School will pursue this additional purpose, where necessary, by processing data already collected for other purposes deemed compatible with this one (taking into account the context in which such data were collected, the relationship between you and the School, the nature of the data itself, the safeguards in place for their processing, and the connection between the above-mentioned purposes and this additional purpose).
f. Aggregated analysis and service improvement
Your Usage Data will be processed in aggregated form, in a way that excludes your personal identification, to analyze, review, and improve the School’s services and/or to conduct surveys aimed at measuring overall satisfaction, as well as for the efficient management of its resources and for further internal statistical analyses, including those related to perceptions of the School.
Legal basis for processing: The legitimate interest of the School in improving its services and managing relationships with users (Art. 6(1)(f), GDPR). In this case, you are not required to provide new or specific data, as the School will pursue this additional purpose, where necessary, by processing data already collected for other purposes deemed compatible with this one (taking into account the context in which such data were collected, the relationship between you and the School, the nature of the data itself, the safeguards in place for their processing, and the connection between the above-mentioned purposes and this additional purpose).
g. Purposes related to the protection of rights, including those of the data subject
Your Data will be processed by the School to protect its rights, including in relation to any claims, or to take legal action, including asserting claims against you or third parties, as well as to provide evidence that it has responded to any requests to exercise one or more of the data subject’s rights, described in detail in point 7) of this information notice.
Legal basis for processing: The legitimate interest of the School in protecting its rights (Art. 6(1)(f), GDPR). In this case, you are not required to provide new or specific data, as the School will pursue this additional purpose, where necessary, by processing data already collected for other purposes deemed compatible with this one (taking into account the context in which such data were collected, the relationship between you and the School, the nature of the data itself, the safeguards in place for their processing, and the connection between the above-mentioned purposes and this additional purpose).
h. Compliance with legally binding requests to fulfill legal obligations, regulations, or requests/orders from competent authorities, including supervisory authorities
Your Data may be processed to comply with a legal obligation and/or with requests/orders from competent authorities, including supervisory authorities.
Legal basis for processing: Legal obligations to which the School is subject (Art. 6(1)(c), GDPR). In this case, you are not required to provide new or specific data, as the School will pursue this additional purpose, where necessary, by processing data already collected for other purposes deemed compatible with this one (taking into account the context in which such data were collected, the relationship between you and the School, the nature of the data itself, the safeguards in place for their processing, and the connection between the above-mentioned purposes and this additional purpose).
3. SOURCES FROM WHICH DATA MAY BE COLLECTED AND METHODS OF COLLECTION
Data may be collected by the Controller directly from you, when you provide such Data yourself.
In particular, the School may collect Data through:
a. your use of the Website and/or your interactions with the Social Media pages;
b. forms you complete online, or other communications you send, including for requests for assistance and/or information, via the Website or Social Media.
Data may be updated and/or supplemented based on information publicly available and/or collected from third parties, and/or provided directly by you.
4. HOW WE KEEP YOUR PERSONAL DATA SECURE AND FOR HOW LONG
The processing of your Data will be guided by the principles of fairness, lawfulness, and transparency, and may also be carried out through automated means.
Processing will in any case be conducted using tools suitable for ensuring confidentiality, including procedures designed to prevent the risk of loss, unauthorized access, unlawful use, and dissemination, as well as security measures appropriate to the level of risk. Access to your Data is limited only to those who need it to carry out relevant purposes.
We retain your Data only for the period strictly necessary to achieve the purposes for which they were collected or for any other legitimate related purpose. Therefore, if Data are processed for two different purposes, we will retain such Data until the purpose with the longest retention period ceases; however, we will no longer process the Data for the purpose for which the retention period has ended. Data that are no longer necessary, or for which there is no longer a legal basis for retention, are either irreversibly anonymized (and may thus be retained in anonymized form) or securely destroyed.
Below we indicate the retention periods in relation to the different purposes listed above:
a. Use of the Website
Data processed for this purpose will be retained for the period specified in the Cookie Policy.
b. Analysis of Website Usage
Data processed for this purpose will be retained for the period specified in the Cookie Policy.
c. Requests for information / interactions, including on Social Media
Data processed for this purpose will be retained for no longer than one year from the conclusion of the individual activity related to managing the request for information, without prejudice to your right to object as described in point 7 of this information notice.
With specific regard to Social Data related to your interactions on Social Media, such Data will be retained for the period determined by each social platform for the storage of posts, comments, and, in general, user interactions, in accordance with their respective privacy policies.
d. Institutional / service communications
Data processed for this purpose will be retained for no longer than one year from the sending of each individual communication, unless the processing of such communications is also necessary for the pursuit of other purposes (e.g., contractual) described in this information notice, without prejudice to your right to object as described in point 7.
e. Management of visits
Data processed for this purpose will be retained for no longer than six months from your visit, without prejudice to your right to object as described in point 7.
f. Aggregated analysis and service/product improvement
Data processed for this purpose will be retained in aggregated and anonymized form for the time necessary to achieve the purposes described in this information notice.
g. Purposes related to the protection of rights, including those of the data subject
Data processed for this purpose will be retained for the duration of the relevant proceedings, and in any case for the period reasonably necessary for the School to protect its rights, also in relation to the applicable limitation periods.
Specifically, with regard to data retained to provide evidence of a response to the data subject, such Data will be retained for ten years from the last request by the data subject, or from the last communication interrupting the limitation period, in accordance with the limitation periods provided under the Civil Code.
h. Compliance with legally binding requests to fulfill legal obligations, regulations, or requests/orders from competent authorities
Data processed for this purpose will be retained for the entire duration of proceedings before the relevant competent authorities, in addition to the applicable limitation periods.
5. WITH WHOM WE MAY SHARE YOUR PERSONAL DATA
Authorized and trained personnel of the School may have access to your Data.
In particular, for the performance of certain processing activities, the School may disclose your Data to the following categories of external parties, who will process such Data either as independent data controllers or as data processors, duly appointed by the School in accordance with applicable law (depending on the role they perform in relation to the processing):
- Consultants and external providers such as cloud service providers, IT providers, or hosting providers;
- Professional firms, especially where necessary to protect the rights of the School;
- Police forces and other public administrations, in compliance with obligations under laws, regulations, or applicable legislation.
In any case, access to your Data is limited to those who need to know it in order to fulfill their professional responsibilities, under a specific authorization letter.
Regarding the processing of personal data carried out by Social Media platform operators as data controllers, reference should be made to the information provided by them through their respective privacy policies. The School processes personal data provided by users through Social Media for the purposes described in this information notice and in compliance with applicable law.
You may contact the School using the methods indicated in the “Contacts” section if you wish to request to view the list of data processors and other parties to whom we disclose Data.
6. INTERNATIONAL TRANSFERS
The School does not transfer your Data to countries outside the European Economic Area (EEA) (hereinafter, “Third Countries”) whose data protection laws may provide standards different from those of the EEA. Should such a transfer take place, the School will ensure that all your Data accessible outside the EEA is processed with appropriate safeguards.
The School will provide adequate guarantees and safeguards for such cross-border transfers, in accordance with applicable data protection law; these may include the use of Standard Contractual Clauses approved by the European Commission, codes of conduct, and/or Binding Corporate Rules. Such clauses impose similar data protection obligations directly on the recipient, unless the applicable data protection law permits transfers without such formalities.
Some Third Countries, identified in the official list available on the European Commission’s website, have been deemed adequate by the European Commission, as they provide protection equivalent to that of EEA data protection law, and therefore no additional legal safeguards are required for such countries.
Currently, for specific purposes related to the processing activities described in this information notice, the School also uses providers, included in the categories listed in section 5, located in Third Countries outside the EEA. In particular, the School may need to transfer your Data to the United States, especially for processing involving Vimeo and/or Google, under the conditions set out in the Adequacy Decision of 10 July 2023 and subsequent amendments, pursuant to Art. 45 GDPR.
Without prejudice to the above, should it become necessary to transfer Data to other Third Countries, the School will specify in advance the destination Third Country and the specific mechanism adopted for the transfer of Data to that country.
7. YOUR DATA PROTECTION RIGHTS AND YOUR RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
You have the right to request from the School, in accordance with the conditions set out in the GDPR:
- Access to the Data concerning you, as well as their rectification;
- Deletion of the Data;
- Restriction of processing;
- To the extent that Data are processed for contractual purposes and/or based on your consent, and processed in an automated manner, the receipt of such Data in a structured, commonly used, and machine-readable format and/or the transmission of such Data to another data controller (so-called “portability”).
To exercise your rights, you may contact the School at the following email address: ist.privacy@isturin.it.
Right to object: You have the right to object at any time, for reasons related to your particular situation, to the processing of Data by the School for the pursuit of its legitimate interest, for the purposes indicated in sections 2.b, 2.c, 2.d, 2.e, and 2.f above. Requests to object should be addressed to: ist.privacy@isturin.it.
The exercise of the data subject’s rights is subject to certain exceptions, particularly those aimed at safeguarding the public interest (e.g., prevention or detection of offenses) and/or protecting the rights of the School. Should you exercise any of the aforementioned rights, it will be the School’s responsibility to verify your entitlement to exercise them, and you will generally receive a response within one month.
The School will carefully consider any complaints or reports regarding the processing of your personal data and will make every effort to respond to your requests. However, you may lodge complaints or reports with the competent Supervisory Authority, namely the Italian Data Protection Authority (Garante per la protezione dei dati personali), using the references available on its website www.gpdp.it, or pursue the appropriate judicial remedies.
8. CONTACTS
The contact details of the Controller, as the data controller, are as follows: ist.privacy@isturin.it.
The contact details of the Data Protection Officer (DPO) of the Controller are as follows: ist.dpo@isturin.it.