EU Regulation 679/2016 (“GDPR”)
Up School S.r.l. Impresa Sociale (hereinafter, the “School” or the “Owner” or “Up School”) is committed to protecting the Personal Data entrusted to it. Therefore, their management and security are guaranteed with the utmost attention, in compliance with the privacy regulations of EU Regulation 679/2016 (hereinafter, the “Regulation”).
This information refers to the use of the website www.upschool.it (hereinafter also the “Site”) aimed only at presenting and promoting the services offered by the School and its educational projects.
Therefore, the only data we will process, in addition to cookies, will be those you wish to communicate to us through the appropriate contact form available at the bottom of the opening page of the website www.upschool.it.
1. Who will process my data?
Your data will be processed, as the Data Controller, by:
UP SCHOOL S.R.L. IMPRESA SOCIALE
Viale Trento no. 50
09123 Cagliari (CA)
VAT number 03610230926
The list of external Data Processors is available at the headquarters of the Data Controller.
2. What data do we ask for?
We only ask for your email address or phone number to send service or commercial communications. However, during communications, you may communicate additional personal data to us, even if not requested by us.
3. Why do you need my data and what are the legal bases for processing?
The Owner will use Your data exclusively for the following purposes and according to the following legal bases:
The partial or total failure to provide the data may result in the partial or total impossibility of providing the above services.
The extent and adequacy of the data provided will be assessed from time to time, in order to determine the resulting decisions and avoid the processing of data exceeding the purposes pursued.
We will not use Your personal data for purposes other than those described in this statement, unless we inform you in advance and, where necessary, obtain Your consent.
4. Processing of data of minors under Article 8 of the Regulation.
The services offered by the School, being aimed at underage students, are provided only after approval by the parents of the pupils of the privacy notice dedicated to them, available at the School Secretary’s Office.
However, in order to provide more complete information, we inform you of the following.
The provision of personal data – to be valid – must come from persons over the age of majority, i.e., from minors who have already reached the age of 16: under Article 8 of the Regulation, a minor who has reached the age of sixteen can give his or her own consent to the processing of his or her personal data in relation to the services offered on www.upschool.it.
Also under Article 8 of the Regulation, the processing of personal data of a minor who has not yet reached the age of sixteen may be based on validly given consent by the minor only if he or she has been authorized by the person exercising parental responsibility to give consent or if the consent is given directly by the person exercising parental responsibility. The registration of unauthorized users under the age of sixteen is not allowed. By browsing or otherwise providing their personal data on www.upschool.it, the data subject confirms that he or she meets the aforementioned age requirements.
5. How will you use my data?
Up School aims to protect the data of its users, guiding their processing by the principles of correctness, lawfulness, and transparency.
We inform you that your personal data will be processed through the use of appropriate tools and procedures to ensure maximum security and confidentiality, by means of paper archives and supports, with the help of digital media, computer and telematic means.
Communications as referred to in point 2) above may be made in traditional methods (e.g., postal mail, telephone calls with operator), automated methods (e.g., telephone calls without operator) and similar methods (e.g., fax, email, SMS, MMS).
Up School may send service communications and, if you have given separate consent, commercial and promotional communications, by means of e-mail, fax, SMS, MMS, telegram chat, WhatsApp, automatic systems without the intervention of an operator and similar, including electronic platforms and other telematic means, as well as by postal mail or telephone calls through an operator.
However, you have the right to object, which, in the absence of your contrary indication, will apply to both traditional and automated communications.
6. How long will you keep my information?
Your personal data will be kept, from their receipt/update, for a reasonable period of time with respect to the processing purposes mentioned above.
Below is the duration of the various processing activities:
7. Will you share my information with others?
Your data may be communicated to Up School partner companies for the management of contracts with you, and to third parties (including credit recovery companies, professionals, public entities, auditing or supervisory bodies) to comply with obligations arising from law, regulations, community regulations, or aspects concerning the management and execution of the contractual relationship.
Your personal data will not be transferred to third parties for marketing purposes unless you have expressly consented to such transfer.
For all the purposes indicated in this information, your data may also be communicated abroad, inside and outside the European Union, in compliance with the rights and guarantees provided by current legislation, after verifying that the country in question guarantees an “adequate” level of protection.
The data will also be processed by internal resources of Up School offices, adequately trained, who operate as authorized personnel for the processing of data in accordance with Article 29 GDPR.
Access to the archived data can only be made by public authorities, in the cases and modalities provided for by current laws, in the event of judicial disputes.
Your personal data will not be subject to disclosure.
The list of data processors pursuant to Article 28 GDPR is available at the company’s headquarters or via email request to firstname.lastname@example.org.
8. Do you transfer my data outside the European Union?
The personal data is processed by the School mainly within the European Union. For some services, we use tools (Dropbox, Mozilla Thunderbird, Apple Mail) of companies headquartered in the United States of America and partly adhering to the Privacy Shield, which ensures that the processing of personal data is in line with European legislation on the protection of personal data.
For more detailed information, note that the email service for the School's email addresses is based on the email service made available by Mozilla Thunderbird managed by Mozilla Corporation, with registered office in Mountain View, California, 331 E. Evelyn Ave.
If the data subject does not intend to share personal information and data through Mozilla Thunderbird, they are kindly requested not to send such information and data to the aforementioned email address and to agree with the Company on another method of sharing.
For the sending of service or periodic mass communications, including commercial and promotional ones, the data subject’s email address is added to a contact list through the same email service provided by Mozilla Thunderbird, for which reference is made to the information given above.
For the management, storage, and sharing of collected data, the Company also makes use, albeit marginally, of services provided by www.dropbox.com, owned by Dropbox Inc. (hereinafter referred to as “Dropbox”), based in San Francisco, California.
https://www.dropbox.com/privacy/. Dropbox states that it respects the principles established by the GDPR and the so-called Privacy Shield, the regulatory framework defined by the United States and the European Commission. Currently, Dropbox is listed among the companies covered by the Privacy Shield, which is available at the following link:
https://www.privacyshield.gov/participant?id=a2zt0000000GnCLAA0&status=Active
Data controllers connected to cloud services.
Personal data is processed by companies that take care of the updating and maintenance of the website, the email service, and the storage of electronic documents or that provide other services to the Data Controller, formally appointed as data processors, and bound to respect technical and organizational security measures that guarantee the protection of the personal data of the data subjects.
9. What are my rights?
At any time, you will have the right to request:
a) access to your personal data;
b) their correction in case of inaccuracies;
d) limitation of their processing.
You will also have:
- the right to object to their processing:
- if processed for Up School’s legitimate interest, subject to legal exceptions;
- if processed for direct marketing purposes;
- the right to portability, that is, to receive the personal data provided by you in a structured, commonly used, and machine-readable format.
We will handle your request with the utmost commitment to guarantee the effective exercise of your rights. Finally, you will have the right to file a complaint with the national supervisory authority (Garante Privacy).
To exercise your rights, please write to email@example.com.
10. Can I withdraw my consent after giving it?
Yes, you can withdraw your consent at any time, without prejudice to:
- the lawfulness of the processing based on the consent given before the revocation;
- further processing of the same data based on other legal bases (e.g. contractual obligations or legal obligations to which Up School is subject).
11. I still have some questions…
For further information on this policy or any privacy-related matter, or if you wish to exercise your rights or withdraw your consent, you can contact firstname.lastname@example.org directly or visit the website of the Garante Privacy www.garanteprivacy.it.
Summary information on other data subject rights.
The GDPR grants the data subject a number of rights that, according to the Transparency Guidelines WP 260, must be summarized in their main content within the policy. These rights are summarized below:
- Right of access (to one’s own personal data only): the right to obtain from the data controller confirmation as to whether or not personal data concerning the data subject are being processed, and, where that is the case, access to the personal data and information on the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Right to rectification and integration: the data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. The data controller shall communicate any rectification made to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The data controller shall inform the data subject about those recipients if the data subject requests it.
- Right to erasure: the data subject has the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay (and where the specific reasons of Article 17(3) of the GDPR do not apply which instead relieve the controller of the obligation to erase) if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; if the data subject withdraws consent and there is no other legal ground for the processing; if the data subject objects to the processing for direct marketing purposes, including profiling, or if the personal data have been unlawfully processed or relate to information collected from children in breach of Article 8 of the GDPR. The data controller shall communicate any erasure made to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The data controller shall inform the data subject about those recipients if the data subject requests it.
- Right to limitation of processing: the data subject has the right to obtain from the data controller the limitation of processing (i.e., according to the definition of “limitation of processing” provided by Article 4 of the GDPR: “the marking of stored personal data with the aim of limiting its processing in the future”) when one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data; the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use; although the data controller no longer needs the personal data for the purposes of processing, the personal data are required by the data subject for the establishment, exercise, or defense of legal claims; the data subject has objected to processing for marketing purposes pending the verification whether the legitimate grounds of the data controller override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. The data subject who has obtained the restriction of processing shall be informed by the data controller before the restriction of processing is lifted. The data controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The data controller shall inform the data subject about those recipients if the data subject requests it.
- Right to object: the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
- Right not to be subject to a decision based solely on automated processing, including profiling: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except as necessary for entering into, or performance of, a contract between the data subject and a data controller; is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent.
For convenience, the link to Articles 15 to 23 of the GDPR on data subject rights is also provided.
Definition of “cookie”.
Cookies are small pieces of text (letters and/or numbers) that allow the web server to store information on the client (the browser, e.g. Internet Explorer, Chrome, Firefox, Opera…) to be reused during the same visit to the site (session cookies) or later, even after days (persistent cookies). Cookies are stored, according to user preferences, by the individual browser on the specific device used (computer, tablet, smartphone).
Similar technologies, such as web beacons, transparent GIFs, and all forms of local storage introduced with HTML5, can be used to collect information about user behavior and service usage.
A cookie cannot retrieve any other data from the user’s hard drive or transmit computer viruses or acquire email addresses. Each cookie is unique to the user’s web browser. Some cookie functions may be delegated to other technologies. The term “cookies” refers to cookies and all similar technologies.
Strictly necessary technical cookies. These are cookies essential for the proper functioning of a website that are used to manage various website-related services (such as login or access to reserved functions on websites). The duration of cookies is strictly limited to the work session or may use a longer stay time in order to remember the visitor’s choices. Disabling strictly necessary cookies can compromise the user experience and navigation of the website.
Analytics and performance cookies. These are cookies used to collect and analyze traffic and usage of a website anonymously. These cookies, without identifying the user, make it possible, for example, to detect whether the same user reconnects at different times. They also allow monitoring of the system and improving its performance and usability. Disabling such cookies can be done without any loss of functionality and will be discussed in detail later.
Profiling cookies (not operational on this Website). These are permanent cookies used to anonymously and non-anonymously identify user preferences and improve their browsing experience. For more information on these cookies not used by the Website, please visit the relevant section of the website www.garanteprivacy.it/cookie.
Purpose of processing and purposes of session technical cookies.
- cookies with data filled in by the user (session ID), lasting for a session or persistent cookies limited to a few hours in some cases;
- authentication cookies, used for authenticated services, lasting for a session;
- user-focused security cookies, used to identify authentication abuses, with a limited persistent duration;
- session cookies for multimedia players, such as “flash” player cookies, lasting for a session;
- load-balancing session cookies, lasting for a session;
- persistent cookies for user interface customization, lasting for a session (or a little more);
- cookies for content sharing through third-party social plug-ins, for members of a social network who have logged in.
Therefore, the Data Controller informs you that only technical cookies (such as those listed above) necessary for browsing the Site are operational on the Site. They allow essential functions such as authentication, validation, management of a browsing session, and fraud prevention; for example, they make it possible to identify whether the user has regularly accessed the areas of the site that require prior authentication or user validation, to manage sessions related to various services and applications, and to store data for secure access or for control and fraud prevention functions.
For maximum transparency, below is a list of technical cookies and specific operational cases on the Site:
- cookies implanted directly in the user’s/contractor’s terminal (which will not be used for further purposes), such as session cookies used to “fill the cart” in online reservations on the Site, authentication cookies, cookies for multimedia content such as flash players that do not exceed the duration of the session, and personalization cookies (for example, for the choice of the navigation language, recall of ID and password complete with the typing of the first characters, etc.);
- cookies used to statistically analyze accesses/visits to the site (so-called “analytics” cookies) that exclusively pursue statistical purposes (and not profiling or marketing) and collect information in an aggregated form without the possibility of identifying the individual user. In these cases, since current legislation requires that clear and adequate indications of the simple methods for opposing (opt-out) their implantation be provided to the data subject for analytics cookies (including any anonymization mechanisms of the cookies themselves), we specify that it is possible to disable analytics cookies as follows: open your browser, select the settings menu, click on internet options, open the privacy tab, and choose the desired level of cookie blocking. If you want to delete cookies already saved in memory, simply open the security tab and delete the history by checking the “delete cookies” box.
When visiting a website, cookies can be received from sites managed by other organizations (“third parties”) that may reside in Italy or abroad.
An example present on most websites is represented by the presence of YouTube videos, Google APIs, the use of Google Maps, and the use of “social plugins” for Facebook, Twitter, Google+, and LinkedIn. These are parts of the visited page generated directly by these sites and integrated into the hosting site’s page. The most common use of social plugins is aimed at sharing content on social networks in order to enhance the visitor’s user experience.
The presence of these plugins involves the transmission of cookies to and from all sites managed by third parties. The management of information collected by “third parties” is governed by their respective policies, to which reference should be made. To ensure greater transparency and convenience, the web addresses of the different policies and cookie management methods are reported below, specifying that the Data Controller is not responsible for the operation of third-party cookies on this Site.
Google policy: on the use of data at the link http://www.google.com/policies/technologies/cookies/ and complete policy at the link http://support.google.com/analytics/answer/6004245
Google (configuration): the guide on the general opt-out for Google services (Maps, YouTube…) is available at the web address http://support.google.com/accounts/answer/61416?hl=en
Facebook (configuration): access your account. Privacy section. Or follow the various guides available on the web, for example, https://support.mozilla.org/en-US/kb/disable-third-party-cookies
Twitter policy: https://support.twitter.com/articles/20170514
LinkedIn policy: https://www.linkedin.com/legal/cookie-policy
LinkedIn (configuration): https://www.linkedin.com/settings/
Google+ policy: http://www.google.it/intl/it/policies/technologies/cookies/
Google+ (configuration): http://www.google.it/intl/it/policies/technologies/managing/
As clarified by the General Provision of the Privacy Guarantor on cookies of May 8, 2014, analytics cookies are assimilated to technical cookies where used directly by the site manager to collect, in an aggregate form, information on the number of users and how they visit the site: this is precisely the functionality and purpose of the processing on this Site.
However, you can opt out by visiting the website http://tools.google.com/dlpage/gaoptout?hl=en and performing the opt-out. Moreover, you can deny consent and block third-party cookies through browser plugins: searching on Google for “blocking and deleting third-party cookies” returns many guides, which differ depending on the operating system and browser used.
Responsibility for the operation of third-party cookies.