Pursuant to art. 13 EU Regulation No. 2016/679 (hereinafter “GDPR"), we inform you that processing of the data provided by you will be carried out using methods and procedures aimed at guaranteeing that the Personal Data will be processed respecting the fundamental rights and freedom and dignity of the data subject, with special concern for confidentiality and security, personal identity and right to protection of personal data.
We remind you that processing means any operation or set of operations, carried out with or without the use of automatic processes and applied to personal data or to the sets of personal data, such as collecting, recording, organising, structuring, retaining, adapting or modifying, extracting, using, communicating by transmission, dissemination or any other way of making them available, comparing or interconnecting, limiting, erasure or destruction (art. 4 GDPR).
1 - Subject matter of the processing of processing and origin of the data
The data handled by Scuola Leonardo da Vinci are collected directly from the data subject and refer to:
- personal data (for example: first name, family name, place and date of birth);
- contact data;
- data about their country of origin.
The Data Controller may also process specific categories of data pursuant to art. 9 of the GDPR, for example data referring to the state of health (specific allergies or food intolerance).
2 - Legal grounds for the processing and origin of the data
The legal grounds for the processing are to be found in:
- performance of obligations arising from the contract signed (pursuant to art. 6.1 lett. b) of the GDPR);
- the legitimate interest of the Data Controller (pursuant to art. 6.1 lett. f) of the GDPR;
- express and unmistakeable consent (pursuant to Art. 6.1, lett. a) of the GDPR).
The personal data held by the Data Controller are collected directly from the data subject.
3 - Purpose of the processing
The personal data and any changes which you may notify in the future to Scuola Leonardo da Vinci are collected and processed exclusively for the following purposes:
3.1 WITHOUT EXPRESS CONSENT, for purposes related to performance of the contract
- Carrying out educational activity at Scuola Leonardo da Vinci;
- Issuing attendance certificates;
- Managing the accommodation services also with host families
3.2 WITH YOUR SPECIFIC AND SEPARATE EXPRESS CONSENT
- Using pictures of you for advertising leaflets or advertising images of the Data Controller;
- Publishing pictures of you or films on websites of the Data Controller;
- Publishing pictures of you or films on social media pages of the Data Controller;
- Emailing information about our events and initiatives, advertising offers also from our schools.
4 - Manner of processing
The processing is limited to the following operations and methods:
- Collection of data from the data subject, by filling out online forms;
- Recording and processing on computer;
- Organising the files mainly automatically, using company applications and IT databases;
- Communicating your data to third parties, duly authorised by the Data Controller.
Data processing will be carried out using tools which guarantee confidentiality, integrity and availability, in compliance with suitable technical and organisational measures of security provided for by the GDPR.
Processing is carried out using IT and/or automatic systems and will include all the operations or sets of operations laid down under Art. 4 of the GDPR and necessary for such processing, including communication to the parties appointed to carry out the processing.
The data will not be disseminated, but will or may be communicated to public or private parties acting within the context of the purposes described above.
5 - Data retention
The Data Controller will keep your personal data for the time needed to fulfil the purposes above, and in any case for no more than 20 years after their collection and for no more than 2 years for marketing purposes.
6 - Access to processing
The data will be made accessible, for the purposes under item No. 3:
- to employees/collaborators in their role as people in charge of processing, after having been properly appointed;
- to third parties, identified as Data Processors by the Data Controller.
Your data will not be communicated to any unauthorised third parties.
Your data will not be disseminated in any way. To this end, the data will be processed using security measures suitable for preventing unauthorised access to the data by third parties and guaranteeing confidentiality.
7 - Transfer of the data
The personal data will be processed and retained on servers located within the European Union belonging to the Data Processor and/or to third party companies appointed and duly named as Data Processors.
The data will not be transferred outside the European Union.
8 - Nature of the data provided and consequences of refusal to answer
Providing the data for the purposes under item 3.1 above is obligatory. Lacking such data, it will not be possible to proceed with accepting and answering your request for contact.
On the contrary, provision of the data for the purposes under item 3.2 is optional, and they will be processed by the Data Controller only with your explicit consent.
9 - Rights of the data subject
According to the provisions of the GDPR, the data subject has the following rights against the Data Controller:
- To obtain confirmation that his data are being processed, and in such case, obtain access to the personal data (Right of access Art. 15);
- To obtain rectification of inaccurate data concerning him/her without undue delay (Right to rectification Art. 16);
- To obtain erasure of personal data without unjustified delay; the data Controller has the obligation to erase without unjustified delay the personal data, if certain conditions exist (so-called “right to be forgotten”, art. 17);
- To obtain limitation of processing in certain cases (right to limitation of processing, art. 18);
- To receive in a structured format, of common use and readable from an automatic device, the personal data which concern him, and has the right to obtain direct transmission to another data Controller, without hindrance from the data Controller to whom he has provided the data, in certain cases (Right to data portability art. 20);
- To object at any time for reasons related to his special situation, to processing of personal data concerning him (Right to object, Art. 21);
- To receive without undue delay communication of breach of personal data incurred by the Data Controller (Art. 34);
- To recall at any time the consent expressed (Conditions for consent art. 7).
Where applicable, the data subject also has the rights under Articles 16-21 of GDPR (right to rectification, so-called “right to be forgotten”, right to limitation, right to portability of the Data, right to object), as well as the right to lodge complaint to the Authority for the Protection of Personal Data
10 - How to exercise your rights
11 - Data Controller
The Data Controller is Scuola Leonardo da Vinci s.r.l. – Via Bufalini 3, 50122 Florence – Tel. 055-261181 – C.F. 01454960483.
The list of data processors and of those in charge of processing can be consulted at the offices of the data controller as defined above.
12 -Updates to this information notice
This Information notice may undergo changes. Any substantial change will be notified to the data subjects by notice or publication on the website.
Information updated on 2018 May 22nd