Privacy Policy

This Privacy Policy has been drafted pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter, the “Regulation” or “GDPR”) to inform you about the personal data processing activities carried out by the Università Campus Bio-Medico di Roma (hereinafter also referred to as the “University”) in relation to the interaction with the UCBM Academy website (ucbmacademy.unicampus.it, hereinafter the “Website”), both through simple consultation and through the use of specific services made available through the Website.

This information will also provide you with the necessary details to allow you to give explicit and informed consent to the processing of your personal data, where appropriate.

***

  1. CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is the Università Campus Bio-Medico di Roma (hereinafter, “UCBM”, “University” or “Data Controller”), Tax Code 97087620585 with registered office in Rome, Via Álvaro del Portillo n. 21.

The Data Protection Officer (hereinafter referred to as the “Data Protection Officer” or “DPO”) can be contacted at the following addresses:

  • by e-mail, to the address: dpo@unicampus.it;
  • by ordinary mail, to the address of the Università Campus Bio-Medico di Roma, based in Rome (RM) at via Alvaro del Portillo, n. 21, ZIP Code 00128, at the attention of the Data Protection Officer.

  2. PERSONAL DATA SUBJECT TO PROCESSING AND SOURCE OF ORIGIN

We inform you that, by using the Website, the Data Controller may collect and process information and personal data relating to you. The personal data subject to processing belong to the category of “common” data (hereinafter also referred to as “Personal Data”) and, in particular, consist of:

a) Browsing Data

The Data Controller will process the Personal Data collected during your browsing on the Website. In particular, it is specified that the computer systems and software procedures used to operate the Website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the Website, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters related to the user’s operating system and computer environment. These data are used only to obtain anonymous statistical information on the use of the Website, to check its correct functioning, and to identify anomalies and/or abuses; the data are deleted after processing, unless it is necessary to identify the perpetrators in case of hypothetical computer crimes against the Website or third parties.

b) Data Voluntarily Provided by You

The Data Controller will process the Personal Data you may provide in the context of requests sent to the email addresses and assistance phone numbers available on the Website, as well as in the context of subscribing to the newsletter.

When sending requests for information to the email addresses and/or assistance phone numbers of the Data Controller available on the Website, we invite you to provide only the Personal Data strictly necessary to manage your request, excluding any excessive Personal Data.

c) Cookies

For more information on the Personal Data processed through cookies and other tracking tools, we invite you to consult the relevant Cookie Policy.

d) Data processed for Online Services

Unless specific information is provided in the different sections of the Website, this Privacy Policy is also intended for the processing of data you provide for the execution of services rendered through the Website, with particular reference to the following services:

  • service for purchasing courses and conferences provided by UCBM Academy, including the execution of related administrative and accounting activities, within which personal data such as personal details (name, surname, place and date of birth, tax code, nationality, gender), contact details (email, certified email, and mobile phone number), billing address, personal information related to the profession, related discipline, and membership in the Scientific Society, payment data (e.g., bank account information in case of payment by bank transfer), including the receipt of payment possibly shared by the data subject and information related to the transaction carried out by bank transfer; in this regard, we inform you pursuant to Article 14 of the Regulation that, following your choice to use such payment methods, the bank, as an independent data controller, will communicate to UCBM the information related to the occurrence of the payment.

  3. PURPOSE, LEGAL BASIS OF PROCESSING, AND NATURE OF PROVISION

Your Personal Data will be processed for the following purposes:

a) to allow navigation of the Website, including the management of website security, and to access the service for purchasing courses and conferences provided by UCBM Academy (Purposes of providing online services);

b) to respond to specific requests addressed to the Data Controller, such as requests for assistance information, and/or reports sent to the email addresses and assistance phone numbers available on the Website (Purposes of responding to requests);

The legal basis for the processing of your Personal Data for the purposes referred to in letters a) and b) is to be found in Article 6, paragraph (1), letter b) of the Regulation ([…] the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject), as the processing is necessary for interaction and navigation on the Website, including responding to specific requests addressed to the Data Controller. The provision of Personal Data for these purposes is optional, but failure to provide such data would make it impossible to purchase the related courses offered by the University and/or to receive a response to the requests made.

c) to send promotional and marketing communications regarding current and future initiatives promoted by the University, including the sending of newsletters, related to the University’s educational offerings, professional training and teaching activities (e.g., postgraduate courses; internships and training activities within specialization schools), invitations to events and initiatives, conducting market research and surveys, and satisfaction questionnaires, through automated tools (SMS, MMS, email, automated calling systems without an operator, use of social networks, WhatsApp) and non-automated tools (regular mail, operator-assisted phone calls) (Purpose of direct marketing);

d) to receive commercial, promotional, and direct marketing communications and information by email about services, courses, initiatives, and events promoted and offered by the University (Purpose of newsletter subscription);

e) to analyze your personal data, including aspects related to your academic and professional career, your personal preferences, and interests, in order to create your profile and send you personalized promotional communications more in line with your needs and profile (Purpose of profiling with personalized impacts).

The legal basis for the processing of your Personal Data for the purposes referred to in letters c), d), and e) is to be found in Article 6, paragraph (1)(a) of the Regulation, i.e., in your specific consent given for each of the individual purposes.

You may withdraw your consent pursuant to Article 7 of the GDPR at any time without affecting the lawfulness of the processing based on the consent given before its withdrawal.

It is specified that for the purpose of direct marketing, the Data Controller collects specific consent that includes both the use of automated and non-automated tools, pursuant to the General Provision of the Data Protection Authority “Guidelines on promotional activities and combating spam” of July 4, 2013, for which it will be possible for you to exercise the right to object pursuant to Article 21 of the Regulation or to withdraw the consent given pursuant to Article 7 of the Regulation, even in part, i.e., by objecting or withdrawing consent, for example, only to the sending of communications made with automated tools. If you wish to object to the processing of your data for the purposes indicated above, including the receipt of newsletters, you may do so at any time by contacting the DPO at the contact details indicated in paragraph 1 of this information notice or also by using the link you will find at the bottom of each of these emails.

We also inform you that you have the right to object at any time and without any justification to the processing of personal data for the profiling purpose indicated in letter e).

The consents given can be revoked at any time without prejudice to the lawfulness of the processing carried out before the revocation.

The provision of personal data for the purposes referred to in letters c), d), and e) above is optional and, in case of refusal, there will be no consequences, and the interaction with the Website and the purchase of courses provided by UCBM will not be affected in any way.

Once provided, Personal Data may also be processed for the following purposes:

f) to fulfill any obligations provided by current laws, regulations, or community legislation, or to satisfy requests from competent authorities (Purpose of compliance);

g) to meet any defensive needs related to the detection, prevention, mitigation, and verification of fraudulent or illegal activities in connection with the use of the Website (Purpose of defensive needs).

The purpose referred to in section g) represents a legitimate processing of personal data pursuant to Article 6, paragraph 1, letter c) of the Regulation ([…] the processing is necessary for compliance with a legal obligation to which the controller is subject) as, once provided, the processing of your Personal Data may be necessary to comply with legal obligations and/or orders from authorities to which the Data Controller is subject.

The processing carried out for the purpose referred to in letter h) is based on the legitimate interest of the Data Controller pursuant to Articles 6, paragraph 1, letter f) and 9, paragraph 2, letter a) of the Regulation.

  4. RECIPIENTS OF PERSONAL DATA

Your Personal Data may be shared, for the purposes indicated in paragraph 3 of this Privacy Policy, with:

  • persons authorized by the Data Controller, pursuant to Articles 29 and 32 of the Regulation and Article 2-quaterdecies of Legislative Decree 196/2003 (the “Privacy Code”), to process Personal Data necessary to carry out activities strictly related to the use of the Website, who have committed to confidentiality or have an adequate legal obligation of confidentiality;
  • subjects who typically act as data processors pursuant to Article 28 of the Regulation on behalf of the Data Controller, in particular subjects responsible for providing services necessary for the usability of the Website (e.g., hosting providers, technical maintenance service providers, providers of services related to the management of the Website, etc.). The complete list of data processors is available by sending a written request to the DPO at the contact details indicated in paragraph 8 of this notice;
  • subjects, entities, or authorities to whom the communication of Personal Data is mandatory by virtue of legal provisions or orders of the authorities. These subjects will process Personal Data as independent data controllers.

These subjects are collectively referred to as “Recipients”.

  5. DATA TRANSFERS

Your Personal Data will not be shared with recipients located outside the European Economic Area. Should this occur, the Data Controller ensures that the processing of your Personal Data will comply with the regulations or according to one of the methods permitted by law pursuant to Articles 44-49 of the GDPR, such as the consent of the data subject, the adoption of Standard Clauses approved by the European Commission, the selection of subjects adhering to international data transfer programs, in compliance with the Recommendations 01/2020 adopted on November 10, 2020, by the European Data Protection Board. Further information regarding the data transfers carried out and the guarantees adopted for this purpose can be requested from the DPO at the contacts provided in paragraph 8 of this Privacy Policy.

  6. DATA RETENTION

The Personal Data processed for the purposes indicated in paragraph 3, letters a) and b) of this Privacy Policy will be retained for the time strictly necessary to achieve these purposes, in accordance with the principles of data minimization and storage limitation provided for in Article 5, paragraph 1, letters c) and d) of the Regulation.

The Personal Data, particularly identification and contact data, processed for the purposes indicated in paragraph 3, letter c) of this Privacy Policy will be processed until the withdrawal of the consent you have given pursuant to Art. 7 of the Regulation and/or until your objection to the processing pursuant to Art. 21 of the Regulation; it should also be noted that the Personal Data relating to the details of the products purchased and the services used will be retained for this purpose for a period of 24 (twenty-four) months from their registration, subject to the possible withdrawal of consent, if earlier than the expiry of this period.

The Personal Data, particularly identification and contact data, processed for the purposes indicated in paragraph 3, letter e) of this Privacy Policy will be processed until the withdrawal of the consent you have given pursuant to Art. 7 of the Regulation and/or until your objection to the processing pursuant to Art. 21 of the Regulation; it should be noted that the Personal Data relating to the details of the products purchased and the services used and the data relating to your profile will be processed and retained for this purpose for a period of 12 (twelve) months from collection, subject to the possible withdrawal of consent or objection to the processing if earlier than the expiry of this period.

The Personal Data processed for the purposes indicated in paragraph 3, letter g) of this Privacy Policy will be retained for the time required by the specific applicable legal obligation or regulation.

The Data Controller also reserves the right to retain Personal Data for the time necessary to establish and exercise a right and/or meet any defensive needs in court as well as out of court and in the pre-litigation phases.

Further information regarding the data retention period and the criteria used to determine this period can be requested by writing to the DPO at the contact details indicated in paragraph 8.

  7. RIGHTS OF THE DATA SUBJECT

As a data subject, you may, at any time, exercise the following rights:

  • Right to withdraw consent (Art. 7 of the GDPR) – You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • Right of access (Art. 15 of the GDPR) – You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, as well as the right to receive all information regarding such processing;
  • Right to rectification (Art. 16 of the GDPR) – You have the right to obtain the rectification of your personal data if it is incomplete or inaccurate; it should be noted that, with respect to personal data collected through audio and video recording systems, the right to rectification cannot be practically exercised due to the intrinsic nature of such data, which pertains to an objective and determined fact.
  • Right to erasure (Art. 17 of the GDPR) – In certain circumstances, you have the right to obtain the erasure of your personal data from our records;
  • Right to restriction of processing (Art. 18 of the GDPR) – Upon the occurrence of certain conditions, you have the right to obtain the restriction of the processing of your personal data;
  • Right to data portability (Art. 20 of the GDPR) – You have the right to obtain the transfer of your personal data to a different data controller, as well as the right to receive your data in a structured, commonly used, and machine-readable format;
  • Right to object (Art. 21 of the GDPR) – You have the right to object to the processing of your personal data by providing reasons that justify the objection; the Data Controller reserves the right to evaluate this request, which may not be accepted if there are compelling legitimate grounds for processing that override your interests, rights, and freedoms. You also have the right to object at any time and without any justification to the sending of promotional and marketing communications carried out through automated and non-automated tools. Regarding such communications, you may exercise this right even partially, for example, by objecting only to the sending of promotional communications carried out through automated tools. Additionally, you have the right to object at any time and without any justification to profiling.
  • Right to lodge a complaint with a supervisory Authority (Art. 77 of the GDPR) – As indicated in the following paragraph, if you believe that the processing of your personal data violates data protection regulations, you can lodge a complaint with the supervisory authority of the Member State where you habitually reside, work, or where the alleged violation occurred;
  • Right to an effective judicial remedy (Art. 79 of the GDPR).

To exercise the above rights, you can write to the DPO at the registered office in Rome, Via Álvaro del Portillo n. 21, for the attention of the Data Protection Officer, or at the email address dpo@unicampus.it.

  8. CHANGES

The Data Controller reserves the right to modify or simply update the content of this Privacy Policy, in whole or in part, also due to changes in the applicable legislation. Therefore, the Data Controller invites you to regularly visit this section to become aware of the most recent and updated version of the Privacy Policy in order to always be informed about the data collected and its processing by the Data Controller.