Information on personal Data processing

Information on the processing of personal data pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 GDPR

The SANT’ANNA INSTITUTE, as Data Controller, provides the following information in
compliance with Articles 13 and 14 of the European Regulation 206/679, hereinafter also referred to as
1) Data Controller and Data Protection Officer: the Data Controller is Sant’Anna Institute S.r.l. The Data
Protection Officer (or also “Data Processing Officer” – DPO) appointed by Sant’Anna Institute can be reached at
the following email address: the SME Service Centre barbara.bertoletti@apito.it
2) Purposes and legal basis of the handling of personal data; Personal data will be used solely for the
purposes of the execution of the contract and related pre-contractual measures, and in accordance with
the legal obligations to which the Data Controller is bound and, in particular, for the purpose of carrying out
teaching and project activities organised by the Istituto Sant’Anna and for providing a
hospitality and accommodation service for students requesting such services.
3) Categories of data The personal data processed will be of a ‘general’ nature; no personal data defined as
‘special’, nor data defined as ‘judicial’ by the aforementioned GDPR will be processed, except as specified
below in relation to special data. Particular personal data are those revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, as well as those relating to genetic
data and biometric data, or those relating to an individual’s health or sexual life or sexual orientation.
Judicial data is any data relating to criminal convictions or offences.
The “special” type of data that the Institute will be required to process are: i) those relating to a state of
health, with reference to the certification of a student as disabled or as having specific learning difficulties,
ii) those relating to sexual orientation necessary to meet the student’s particular needs in the event that he
or she wishes to make use of the accommodation service. These are data that the Institute must collect for
its own training activities and in the best interest of such students and for the management of the
hospitality contract if desired by the student (request for forms of support and other benefits provided by
law, preparation of individualised training plans, adoption of tools necessary for the management of the
implementation of the training contract, special accommodation). With regard to the data referred to in
point ii), the data will be handled only in accordance with the lawful informed and prior consent given by
the person concerned. It should be clarified as of now that, for the purposes set out in point 2), the Data
Controller may find it necessary and/or appropriate to process data relating to other family members (e.g.:
family nucleus composition and relevant personal data), in the case of minor students and/or students with
4) Source of the data Ordinary type data, with particular reference to: student identification data are
acquired from the interested party or the university to which the student belongs. Particular data, as
explained in the previous point, are obtained from the interested party or the university to which the
student belongs.
5) Processing methods The data are processed in paper form and/or with electronic and telematic tools.
The data are processed by in-house personnel appointed by the Data Controller and specifically authorised
to process the data or by external parties appointed as Data Processors pursuant to Article 28 of the GDPR.
The list of Data Processors appointed by Sant’Anna Institute is available at the registered
office and can be obtained by sending a request to the Data Controller. The processing is based on the
principles of correctness, lawfulness and transparency.
6) Effects of failure to provide data The provision of data is essential for all that is required by the legal
obligations to which the Data Controller is bound and for the purposes of the implementation of the
contract and pre-contractual measures connected with it. Therefore, any refusal to provide the data in
whole or in part may make it impossible for Sant’Anna Institute  to implement the training
7) Data storage The storage of the Interested Party’s data is limited to the period strictly necessary for the
execution of the contract, pre-contractual measures and legal obligations incumbent on the Data Controller
(10 years for data subject to tax and fiscal regulations).In addition to the above, any special data gathered is
deleted at the conclusion of the lessons of the educational relationship followed by the student and the
accommodation service.
8) Data profiling and disclosure Personal data are not subject to disclosure or to any fully automated
decision-making process, including profiling.
9) Transfer abroad The Data Controller does not transfer personal data to other countries or to
International Organisations. Should Sant’Anna Institute find it necessary to transfer data abroad, it will comply
with the following rules when transferring personal data abroad.
To countries belonging to the European Union. The laws of countries belonging to the European Union
(adopted in implementation of EU Directive 95/46/EC) are considered equivalent in relation to the
adequate protection of personal data. Transfer through or to these countries is therefore not subject to any
particular restrictions.
To countries outside the European Union. The transfer of personal data to countries outside the European
Union is possible when one of the conditions laid down in the following article is met:
http://www.garanteprivacy.it/garante/doc.jsp?ID=1311248 – Article43
10) Security measures. Security measures consist of technical and organisational measures taken to ensure
– data are not destroyed or lost, even accidentally;
– only authorised persons have access to the data;
– the data are not processed in breach of the law or for purposes other than those for which the data were
originally obtained. Sant’Anna Institute has adopted, in accordance with Article 32 of the
GDPR, a series of security, technical and organisational measures appropriate to protect data against
misuse, loss or unauthorised access. This includes measures to counter any suspected data breaches.
11) Rights of interested parties The rights granted by the GDPR to interested parties include the right to
request from the Data Controller
– access to personal data and information relating thereto;
– the rectification of inaccurate data or the integration of incomplete data;
– the deletion of personal data (upon the occurrence of one of the conditions indicated in Article 17(1) of
the GDPR and in compliance with the exceptions provided for in paragraph 3 of the same Article)
– the restriction of the processing of personal data ( in the event of the occurrence of one of the cases
indicated in Article 18(1) of the GDPR);
– to request and obtain – when the legal basis of the processing is a contract or consent, and the processing
is carried out by automated means
– personal data in a readily comprehensible and structured machine-readable format, also for the purpose
of communicating such data to another data controller (so-called right to data portability);
– object at any time to the processing of personal data in the event of the cases provided for in Article 21 of
the GDPR;
– revoke consent at any time, limited to cases where the processing is based on consent for one or more
specific purposes and concerns common personal data, or particular categories of data. . All of the above
rights may be exercised by sending a request to the Controller at valeria.formicola@santannainstitute.com
or also to the DPO at barbara.bertoletti@apito.it.
If the conditions are met, the interested party may lodge a complaint with a supervisory authority (Data
Protection Authority – www.garanteprivacy.it).