Privacy Policy for Library services

Articles 13 and 14 Reg. EU 2016/679

Foreword

Luiss, Libera Università Internazionale degli Studi Sociali Guido Carli (hereinafter Luiss) is an independent university with an advanced education model.

This privacy notice describes the characteristics of the processing undertaken by Luiss in relation to the personal data of patrons who want to use Luiss Library services and highlights the patrons’ statutory rights in this regard.

The privacy notice is periodically updated to take account of regulatory developments and new methods of processing personal data.

What personal data do we collect?

The Controller collects and processes the following personal data:

  • identifying data (name, surname, place and date of birth, personal tax number and citizenship);
  • contact data (residential address, e-mail address and telephone number);
  • data relating to the type of user (professors, students, collaborators, external subjects).

Why do we collect your data and why is their processing lawful?

The Controller collects and processes the data subject's personal information in pursuit of the following purposes:

  • to manage, from an administrative point of view, the relationship with the registered student (the legal basis for the processing lies in the contract and the relevant law);
  • to manage the circulation of print material (the legal basis for the processing lies in the contract and the relevant law);
  • to create the personal account for Library services (the legal basis for the processing lies in the contract and the relevant law);
  • to send communications relating to the management of Library services (the legal basis for the processing lies in the contract and the relevant law);
  • to allow and manage the sending of suggestions, complaints and reports (the legal basis for the processing lies in the contract and the relevant law);
  • to allow the request of books and journals (the legal basis for the processing lies in the contract and the relevant law);
  • to assist the user in the use of services through the possibility to formulate requests for assistance, purchase, research for monographs, periodicals (the legal basis for the processing lies in the contract and the relevant law);
  • to assist the user in providing inclusion services (the legal basis lies in the contract and consent between the Data Controller and the data subject);
  • to book Library terminals for Library services (the legal basis for the processing lies in the contract and the relevant law).

How does the Controller process your personal data and how long are the data stored for?  

The data subject’s personal data are processed both on paper and electronically (servers, cloud databases, software, etc.).

The Controller stores the data subject’s data for a period of time consistent with what the law prescribes and having regard to the time required to correctly achieve the purposes stated above.

The Controller stores the data subject’s data acquired for providing the inclusion library services for 12 months.

To whom do we communicate your personal data?

  • Internally

The personal data of registered students can be accessed solely by the University’s employees and other personnel so as to provide the students with the requested services and limited solely to the data necessary to that end.

Our employees and other personnel have been informed and trained regarding the importance of observing the rules and principles governing the processing of personal data.

  • Externally

The Controller shares the personal data of registered students with some suppliers that play a role in providing the requested services and that have been specifically appointed as external Processors to that end, in particular:

  • third parties whose services the Controller avails of to provide Library services and to manage the overall relationship with data subjects (EasyStaff s.r.l., Formstack, Ex Libris …).

Suppliers that access data do so in compliance with applicable data protection law and the instructions given by the Controller.

The Controller may not communicate personal data to third parties without the data subject’s consent unless communication is mandated by law or by the authorities:

  • should such prove necessary on grounds of national security;
  • for reasons of general interest;
  • on foot of a request made by public authorities.

Are your data transferred abroad?

The data of registered students will be transferred to third parties (Ex Libris, Formstack) that provide services dedicated to the Library, as external Processors and located, respectively, in Israel, to which the transfer is legitimized by the relative decision of adequacy of the European Commission, and in the United States. In these cases, the transfer is carried out through adequate guarantees or situation of derogation expressly identified pursuant to articles 46 and 49 of the GDPR. 

What are your rights as a data subject and how can you exercise them?

European legislation, GDPR 2016/679, guarantees specific rights. For each data transfer, users have the following rights: 

  • Access rights: users have the right to obtain a copy of their personal data that has been processed;
  • the right to modify: users have the right to modify personal data to either update or correct when necessary;
  • the right to refuse the use of data for commercial purposes: users may ask Luiss to stop sending commercial communications at any moment;
  • the right to refuse decisions based exclusively on automated processes: users may request to not be subject to decisions made based exclusively on automated processes, including profiling activity;
  • the right to revoke previously granted consent: users have the right to revoke permissions previously granted for any transmitted data at any time;
  • the right to contact the Italian Data Protection Authority: users have the right to contact the agency with any doubts regarding the processing of personal data at Luiss.

Users may also exercise the following rights under certain circumstances:

  • the right to delete data: users may ask Luiss to delete personal data when it is no longer required to provide a service, is not needed for any legitimate purposes and there are no laws that require its continued storage;
  • the right to refuse data processing: users may ask Luiss to cease processing of personal data;
  • the right to limit processing: users have the right to ask Luiss to limit the use of personal data;
  • the right to data portability: users have the right to receive personal data in a structured, commonly used and machine-readable format that may be transmitted to another controller.

Any data subjects wishing to exercise their statutory rights may, without formality, send an e-mail to privacy@luiss.it or write to the Controller Luiss Guido Carli, ref. Privacy – DPO, at Viale Pola 12, 00198 Rome, Italy, setting out their request and furnishing the information necessary to identify them.

The contact details of the Data Protection Officer (DPO) can be viewed on the Controller’s website at www.luiss.it.

The Controller will reply within one month. Should the Controller be unable to reply by the above deadline, it will give you a detailed explanation as to why your request cannot be satisfied.

How can Luiss be contacted?

The information presented on this page is intended to inform users on which types of data are collected by Luiss and how the data is processed. Users requiring additional information or clarification can contact us at:

Luiss Guido Carli, ref. Privacy – DPO, Viale Pola, 12 – 00198 – Roma – M: privacy@luiss.it.