Privacy Policy – Site

This privacy policy is intended to provide all information regarding the processing of personal data carried out by RUFA S.r.l. when the User accesses and browses this website and/or the social media pages connected to it (as better specified below).

1. INTRODUCTION – WHO WE ARE

Rome University of Fine Arts – RUFA S.r.l. with registered office at Via Giuseppe Gioacchino Belli, no. 86, 00193, Rome (RM), Tax Code/VAT no. 09227921005 and Companies’ Register number 09227921005 (hereinafter, the “Controller”), owner of the website www.unirufa.it and the social media pages connected to it (hereinafter, the “Site”), as the data controller of the personal data of users browsing the site (hereinafter, the “Users”), hereby provides this privacy policy pursuant to Article 13 of EU Regulation 2016/679 of 27 April 2016 (hereinafter, the “Regulation”, or the “Applicable Law”).

2. HOW TO CONTACT US?

The Controller places the utmost importance on the right to privacy and the protection of its Users’ personal data. For any information regarding this privacy policy, Users may contact the Controller at any time using the following methods:

  • By sending a registered letter with acknowledgment of receipt to the Controller’s registered office at Via Giuseppe Gioacchino Belli, no. 86, 00193, Rome (RM);
  • By sending an email to privacy@unirufa.it.

The Controller has not appointed a Data Protection Officer (DPO), as it is not subject to the obligation of appointment set out in Article 37 of the Regulation.

3. WHAT DO WE DO? – PURPOSES OF PROCESSING AND LEGAL BASIS

By browsing the Site, as well as consulting the social media pages connected to it, the User may obtain information about the services offered by the Controller, the events organized (e.g. open days), educational offerings, and news relating to the school and its campuses. Through the social media pages, the User may also interact with the Controller and its community.

In addition, the User may:

  1. Access the reserved area and the Career System of the school in order to allow students to use online academic services, manage authentication credentials, ensure account security, and use teaching and administrative services connected with the student-school relationship (hereinafter, “Reserved Area and Career System Access”);
  2. Request information and guidance services, submit requests as well as participate in educational and professional activities promoted by the school, such as:
    • submit requests relating to the publication of content, profiles or projects in the dedicated sections of the site (e.g. Alumni area or similar initiatives) and manage the resulting communications with the data subject;
    • request information through the chat service available on the site, aimed at collecting requests and subsequent contact with a human operator (hereinafter, “Chat”);
    • further information on the various courses offered by the school (hereinafter, “Course Information”);
    • book a guidance meeting to obtain detailed information or visit the campuses (hereinafter, “Guidance Meeting”);
    • request information on all scholarships (hereinafter, “Scholarships”);
    • participate in workshops organized by the Controller by filling in the form “Start your professional path in creativity” (hereinafter, “Join the Workshop”);
    • request specific services, such as, by way of example, participation in the Foundation Course, by filling in the relevant form “Application for admission to the Foundation Course” (hereinafter, “Foundation Course”);
    • submit a project of their own or become a mentor by filling in the form “Submit a Project” or “Become a Mentor or Mentee”;
    • submit an unsolicited application in the “Work with us” section through the form “Apply now”;
    • contact the Controller using the contact details provided or by filling in the form, both available in the “Contacts” section (hereinafter, “Contact the Controller”);
    • proceed with direct enrolment in a course (hereinafter, “Direct Enrolment”);
    • submit a direct enrolment application (for which reference should however be made to the relevant privacy policy, available through the dedicated form).
Finally, the User may:

  3. Request a psychological support meeting by filling in the relevant form “Fill in the form and request a meeting” (hereinafter, “Psychological counseling”);
  4. Interact with the Controller’s social community (hereinafter, “Social Interaction”),

(hereinafter, all jointly referred to as the “Service” or the “Services”).

In relation to the Service, the Controller collects personal data relating to Users.

In particular, Users’ personal data will be lawfully processed by the Controller for the following processing purposes:

a) Provision of the Service: to allow the provision of the Service through the User’s browsing of the Site.

Depending on the specific aspect of the Service used, the Controller may process:

  • Browsing data: all personal data whose transmission is implicit in the use of Internet communication protocols, such as: IP addresses used by users connecting to the Site, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, log files and other parameters relating to the User’s operating system and IT environment.
  • First name, last name, email address, telephone number, as well as any further personal information requested in the various forms and/or communicated in the chat, as well as any additional data that may be voluntarily communicated by the User, including, where deemed necessary by the data subject/functional to the request, any data belonging to special categories pursuant to Article 9 of the Regulation (e.g. health data).
  • (in the case of Social Interactions) the User’s nickname and contact details on the specific social network used, as well as comments and interactions with the content of the Controller’s social media pages.

Unless the User gives the Controller specific and optional consent to process their data for the additional purposes set out in the following paragraphs, the User’s personal data will be used by the Controller solely for the purpose of verifying the User’s identity (also by validating the email address), thus preventing possible fraud or abuse, and contacting the User only for service-related reasons (e.g. sending notifications relating to the services offered by the Controller). Without prejudice to what is provided elsewhere in this privacy policy, under no circumstances will the Controller make Users’ personal data accessible to other Users and/or third parties.

In some forms, the required data will be indicated with an asterisk: in the absence of such symbol, all requested data shall be deemed necessary.

b) administrative-accounting purposes, namely to carry out organizational, administrative, financial and accounting activities, such as internal organizational activities and activities functional to the fulfilment of contractual and pre-contractual obligations;

c) legal obligations, namely to comply with obligations laid down by law, by an authority, by a regulation or by European legislation.

The provision of personal data for the processing purposes indicated above is optional but necessary, since failure to provide them will make it impossible for the User to browse the site and use the Services offered by the Controller on the Site.

Without prejudice to what is provided elsewhere in this privacy policy, under no circumstances will the Controller make Users’ personal data accessible to other Users and/or third parties.

In relation to the purposes described, the following legal bases for the processing are identified:

  • Service management (as described in paragraph 3(a) above): the legal basis is Article 6(1)(b) of the Regulation, namely that the processing is necessary for the performance of a contract to which the User is party or in order to take steps at the User’s request prior to entering into a contract. In the event of processing of personal data belonging to special categories, the legal basis is Article 9(2)(a) of the Regulation, namely the explicit consent given by the data subject by voluntarily communicating such data to the Controller in the open fields of the forms or the chat.
  • Administrative-accounting purposes (as described in paragraph 3(b) above): the legal basis is Article 6(1)(b) of the Regulation, since the processing is necessary for the performance of a contract and/or for the implementation of pre-contractual measures adopted at the User’s request.
  • Legal obligations (as described in paragraph 3(c) above): the legal basis is Article 6(1)(c) of the Regulation, since the processing is necessary for compliance with a legal obligation to which the Controller is subject.

4. FURTHER PROCESSING PURPOSES

4.1 Marketing (sending advertising material, direct sales and commercial communication)
If the user registers through a dedicated webform and/or gives consent in connection with another request, some of the User’s personal data (namely first name, last name, email address and telephone number) may also be processed by the Controller for marketing purposes (sending advertising material, direct sales and commercial communication), so that the Controller may contact the User by email (newsletter), post, telephone (landline and/or mobile, with automated calling systems or call communication systems, with and/or without the intervention of an operator) and/or SMS and/or messaging services and/or for the purpose of creating custom audiences or lookalike audiences on the Controller’s social media pages, in order to propose services offered by the Controller itself and/or by partners, and present offers, promotions and commercial opportunities.

In the absence of consent, the possibility of registering on the Site will not in any way be affected.
If consent is given, the User may revoke it at any time by making a request to the Controller in the manner indicated in paragraph 8 below.

Specific information on email communications (newsletter): the User may also easily object to further sending of promotional communications by email by clicking on the specific link for withdrawing consent, which is included in each newsletter email. Should the User wish to withdraw consent to the sending of promotional communications by telephone while continuing to receive promotional communications by email, or vice versa, they are kindly requested to send a request to the Controller in the manner indicated in paragraph 8 below.

The Controller informs Users that, following the exercise of the right to object to the sending of promotional communications by email, it is possible that, for technical and operational reasons (e.g. contact lists having already been prepared shortly before the Controller receives the objection request), the User may continue to receive some additional promotional messages. Should the User continue to receive promotional messages after 24 hours have elapsed from exercising the right to object, they are kindly requested to report the problem to the Controller using the contact details indicated in paragraph 8 below.

Specific information on promotional activities through social networks: in particular with regard to interaction with social media pages, if the User has given consent to the use of profiling cookies on the Site, the Controller may also process the User’s contact details (in particular the email address) and the data communicated by the User during interaction with the social media pages – such as the information provided by the User to the social media platform according to the privacy settings selected on that platform – in order to show the User promotional advertisements and content consistent with their interests, on the basis of preferences and consumption habits identified through cookies and/or other tracking systems used by social media operators (whose terms and conditions apply) and/or following the analysis that the social media platforms themselves carry out on their users.

In particular, the Controller may display relevant marketing content and interest-based advertising through digital platforms, where information about the User’s preferences and interests, consumption habits, spending capacity, etc. has been acquired: (i) as a result of profiling activities carried out on the Site and shared (also via API) with digital platforms; or (ii) on the basis of the correspondence between the preferences and interests shown by the User who visited the Site and accepted profiling cookies and the cluster of users identified by the social platform (e.g. retargeting); (iii) by using the targeting tools made available by social platforms, defining the target of users potentially interested in the Controller’s services and addressing the social platforms in order to disseminate advertising messages in a targeted manner to their users who match the defined target. If the User interacts with that advertisement on the social platform, such interaction may be assessed for the purpose of measuring the effectiveness of the campaign itself, where the User has accepted the use of tracking tools, such as, by way of example, the Meta Pixel or TikTok Pixel, installed on the Site through cookie management tools (e.g. prospecting). Further information on processing carried out through tracking tools is available in the Cookie Policy.

5. PROCESSING METHODS AND DATA RETENTION PERIODS
The Controller will process Users’ personal data by means of manual and electronic tools, with logic strictly related to the purposes themselves and, in any case, in such a way as to ensure the security and confidentiality of the data.

The personal data of Users of the Site will be retained for the time strictly necessary to fulfil the primary purposes illustrated in paragraph 3 above, or in any case as necessary to protect the interests of both the Users and the Controller in civil proceedings.

In the cases referred to in paragraph 4 above, Users’ personal data will be retained for the time strictly necessary to fulfil the purposes illustrated therein and, in any event, until the User withdraws their consent.

6. SCOPE OF COMMUNICATION AND DISCLOSURE OF DATA
The User’s personal data may be transferred outside the European Union and, in such case, the Controller will ensure that the transfer takes place in compliance with the Applicable Law and, in particular, in accordance with Articles 45 (Transfer on the basis of an adequacy decision) and 46 (Transfer subject to appropriate safeguards) of the Regulation.

The Controller’s employees and/or collaborators in charge of managing the Site and Users’ requests may become aware of Users’ personal data. Such persons, who have been instructed accordingly by the Controller pursuant to Article 29 of the Regulation, will process Users’ data exclusively for the purposes indicated in this policy and in compliance with the provisions of the Applicable Law.

Third parties that may process personal data on behalf of the Controller as Data Processors may also become aware of Users’ personal data, such as, by way of example, IT and logistics service providers functional to the operation of the Site, outsourcing or cloud computing service providers, professionals and consultants. Specifically, with reference to the newsletter service, the data are also processed through the platform and IT tools offered by the “Benchmark Email” service of the American company Benchmark Internet Group, LLC, 10621 Calle Lee, Building 141 Los Alamitos, CA 90720.

Users have the right to obtain a list of any data processors appointed by the Controller by making a request to the Controller in the manner indicated in paragraph 8 below.

7. RIGHTS OF DATA SUBJECTS
Users may exercise the rights guaranteed to them by the Applicable Law by contacting the Controller in the following ways:

  • By sending a registered letter with acknowledgment of receipt to the Controller’s registered office at Via Giuseppe Gioacchino Belli, no. 86, 00193, Rome (RM);
  • By sending an email to: privacy@unirufa.it.

The Controller has not appointed a Data Protection Officer (DPO), as it is not subject to the obligation of appointment set out in Article 37 of the Regulation.

Pursuant to the Applicable Law, the Controller informs Users that they have the right to obtain indication of: (i) the source of the personal data; (ii) the purposes and methods of the processing; (iii) the logic applied in the event of processing carried out with the aid of electronic instruments; (iv) the identification details of the controller and processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them in their capacity as processors or persons in charge.

In addition, Users have the right to obtain:

  1. access to, updating, rectification or, where they have an interest, completion of the data;
  2. erasure, anonymization or restriction of data processed in breach of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
  3. certification that the operations referred to in letters a) and b) have been notified, including as regards their content, to those to whom the data have been communicated or disclosed, unless this proves impossible or involves a manifestly disproportionate effort compared to the right being protected.

In addition, Users have:

  1. the right to withdraw consent at any time, where the processing is based on their consent;
  2. the right to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format);
  3. the right to object:
    1. in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even if relevant to the purpose of collection;
    2. in whole or in part, to the processing of personal data concerning them for the purpose of sending advertising materials or direct sales or for carrying out market research or commercial communication;
    3. where personal data are processed for direct marketing purposes, at any time to the processing of their data carried out for such purpose, including profiling insofar as it is related to such direct marketing.
  4. if they believe that the processing concerning them infringes the Regulation, the right to lodge a complaint with a supervisory authority (in the Member State where they habitually reside, where they work or where the alleged infringement occurred). The Italian supervisory authority is the Garante per la protezione dei dati personali, with registered office at Piazza Venezia no. 11, 00187 – Rome (http://www.garanteprivacy.it/).

The Controller is not responsible for updating all links visible in this Policy; therefore, whenever a link is not working and/or updated, Users acknowledge and accept that they must always refer to the document and/or section of the websites referred to by such link.