according to the European Regulation no. 679/2016 (“GDPR”)
Categories of data subjects | Subjects interested (hereinafter “Subjects”) in Masters, Programs or events organized by the Data Controller |
Data Controller | “Bologna University Business School” (hereinafter “BBS” or “Data Controller”) Villa Guastavillani, Via degli Scalini 18, Bologna (BO-Italy) Entry in Reg. Legal Persons at the Prefecture of Bologna No. 729, p. 118 vol. 5. VAT No. 02095311201 |
Data Protection Officer | BBS has appointed its Data Protection Officer, who can be contacted at the following e-mail address: dpo@bbs.unibo.it |
1. INFORMATION ON THE PROCESSING OPERATIONS PERFORMED
SECT. A
Purposes
Establishing and managing the contractual relationship or pre-contractual measures to which you are a party and to enable you to take advantage of the requested service or activity, including participation in classes, events or meetings carried out also in streaming or remotely.
Legal basis
Performance of a contract/service or pre-contractual measures – Art. 6.1 b) GDPR.
Personal data collected | Data retention period |
Personal identification, contact, and, where provided, educational qualification, curricular and professional data. Required provision: a refusal to provide the above data, as well as a request to obtain their erasure, would make it impossible for BBS to fulfill your request and provide (or continue to provide) the service you requested. | Data processed: • for the performance of the contractual relationship are retained for the time necessary for the performance of the contract. • for the performance of pre-contractual measures are kept for a period not exceeding 6 months. |
SECT. B
Purposes
Management of tax, accounting and administrative obligations required by law.
Legal basis
Fulfillment of legal obligations – art. 6.1(c) GDPR.
Personal data collected | Data retention period |
Personal identification, contact, and contract data. | Data processed for the management of tax, accounting and administrative obligations required by law are retained for the term stipulated by law: the term for the retention of accounting records is 10 years, as stipulated in Article 2220 of the Italian Civil Code. |
SECT. C1
Purposes
Sending information and/or invitations regarding events organized by BBS, news and services through newsletters.
Legal basis
Consent – Art. 6.1(a) GDPR. The consent is optional and revocable at any time.
Personal data collected | Data retention period |
First and last name and e-mail address provided by you in order to receive information/invitations regarding events organized by BBS, services and news by newsletter. | Data used for purposes of information about events organized by BBS and newsletter subscription are retained until you request to revoke the consent provided or unsubscribe from the newsletter. You may unsubscribe by clicking on the unsubscribe link in our e-mails (so-called opt-out) or by communication to be sent to BBS at its references indicated in this notice. |
SECT. C2
Purposes
Marketing and promotional purposes.
To contact you for the aforementioned purposes, we may use both automated contact methods such as, for example, e-mail, mms and sms, instant messaging and social platforms (e.g. WhatsApp), and traditional contact methods such as paper mail and calls with operator intervention.
Legal basis
Consent – Art. 6.1(a) GDPR. Consent for each of the above purposes is optional and revocable at any time.
Personal data collected | Data retention period |
Personal identification data and contact details. In the absence of your consent, BBS will not be able to process your data for marketing purposes and send you commercial and promotional offers dedicated to you. | Data used for marketing and promotional purposes are retained for a maximum period of two years starting from the issuance of your consent or otherwise from the acquisition of your data unless you revoke your consent. |
SECT. D
Purposes
Ascertaining, exercising or defending the Data Controller’s rights in judicial proceedings
Legal basis
Legitimate interest – Art. 6.1(f) GDPR
Personal data collected | Data retention period |
Personal data collected under the other purposes above. | Data used to ascertain, exercise or defend the rights of the Data Controller in judicial proceedings shall be retained for 10 years from the termination of the relationship, which coincides with the ordinary period of admissibility of the judicial action and, in case of initiation of litigation, for the entire duration of the litigation itself and in any case until the period of admissibility of the appeal actions has been exhausted. |
2. FOCUS: MARKETING AND PROMOTIONAL PURPOSES – SECT. C2
If you wish to stay in touch with BBS in order to be informed about the events organized, activities, services, commercial and promotional offers of BBS, we ask you to grant your consent to the processing of your personal and contact data for marketing and promotional purposes.
In addition, we would like to inform you that BBS uses third-party vendors such as Google Ad and Meta Ad in order to improve the measurement of online and offline actions that come from a lead or visitor to its own website.
How the mechanism works: BBS ads are published on the SERP (Search Engine Results Page) and via Google’s display network and Meta’s proprietary platforms (Facebook and Instagram). The user clicks on a BBS ad and lands on the BBS’s website. If the user fills out an information request form on BBS’s website, the user becomes a lead for BBS and the information he or she has provided is stored in BBS’s CRM/database. Contextually with the receipt of the lead or subsequently (example: when the lead is judged as “interesting” by a BBS operator, or when the lead decides to enroll in a BBS program or event) BBS follows this process: BBS communicates to Google and Meta the lead’s information protected by the SHA256 hashing algorithm, an irreversible one-way hashing mechanism. Through the received hashed data Google and Meta independently verify whether they are able to associate the information with a user and what ads that user has seen or clicked on. No non-hashed data is shared with Google or Meta, i.e., if the user has not previously provided name, email or phone number to the aforementioned platforms (Google or Meta), the platforms are unable to reconstruct them from the hash received. The data is always sent to Google and Meta’s servers securely and encrypted via HTTPS. If the hashed value matches a hashed value of Google or Meta user data, Google or Meta will record a conversion and the information provided will be attributed to the BBS ad campaign. Only anonymized data is listed in the BBS account. Matching data is encrypted. Hashed data that do not match Google or Meta are deleted.
Users can disable Google’s use of cookies or device identifiers by accessing Google’s Ad Settings, or they can control the use of device identifiers through their device settings.
Users can disable Meta’s use of cookies or device identifiers by accessing Cookies on Meta’s Products | Facebook Help Center, Meta users can use the Ads Settings features to restrict the use of their personal information for marketing purposes.
Users can change their choices regarding the use of cookies on the BBS platform by accessing the “Cookie Preferences” section of https://www.bbs.unibo.eu
3. PROCESSING METHOD
The processing of personal data is carried out by BBS using paper and computerized methods.
4. AUTOMATED DECISION-MAKING ACTIVITIES
BBS excludes the use of any decision-making activity based on automated processing that produces legal effects or similarly significantly affects you pursuant to Article 22 of the European Regulation 679/2016.
5. FATE OF DATA AT THE END OF THE RETENTION PERIOD
After the above retention periods have elapsed, the Data will be destroyed, erased, or anonymized, consistently with technical procedures for erasure and backup.
6. DATA PROCESSORS. THIRD PARTIES RECIPIENTS OF DATA
The subjects or categories of subjects indicated on the website http://www.bbs.unibo.eu, in the section Privacy are appointed as data processors pursuant to Article 28 of the aforementioned European Regulation No. 679/2016 and may therefore process and become aware of the data you have provided.
Those appointed as data processors by BBS are used to:
a) to manage relations with Subjects and more generally with third parties, including for accounting and administrative purposes, including legal defense;
b) to manage communications, including those of a commercial and promotional nature, and to provide information and promotional services;
c) to manage its archives, also in a computerized manner.
Data may also be transmitted to the judicial authorities and other public entities entitled to request them, in cases provided for by law or as a result of the order of a judicial authority.
7. PLACE OF PROCESSING AND DATA TRANSFER TO NON-EU COUNTRIES
BBS may transfer your personal data to data processors located outside the EU (e.g. WhatsApp), in which case the transfer of personal data will take place in accordance with the provisions of the GDPR, title V, articles 44 et seq. In particular, if the transfer takes place to a third country, the transfer will take place pursuant to Article 46 of the GDPR in accordance with the decision adopted by the Court of Justice of the European Union or in the presence of adequate safeguards and subject to verification that the third country guarantees an adequate level of protection of personal data. For further information on this matter, please send an email to the addresses below.
8. YOUR RIGHTS. LODGING A COMPLAINT WITH THE SUPERVISORY AUTHORITY
You can exercise the rights granted to you by law and, in particular, the right to revoke your consent (art.7 GDPR), the right to obtain from BBS access to your personal data (art. 15 GDPR), rectification and/or supplementation (art. 16 GDPR) and erasure (art. 17 GDPR) of your personal data, restriction of processing (art. 18 GDPR), the right to receive notification of rectification, erasure or restriction of processing carried out (art. 19 GDPR), the right to data portability (art. 20 GDPR), and the right to object to processing (art. 21 GDPR). These rights may be subject to certain exceptions and/or limitations (e.g., revocation of consent does not affect the lawfulness of processing based on consent prior to revocation, the right to erasure cannot be exercised for those data with respect to which BBS demonstrates the existence of overriding legitimate grounds for processing, the right to portability applies with respect to processing based on contract or consent, the right to object applies for processing based on legitimate interest or public interest grounds).
Data subjects also have the right to lodge a complaint with the competent Supervisory Authority (Art. 77 GDPR), which in Italy is the Garante per la protezione dei dati personali (Piazza Venezia, 11 – 00187 Roma – PEC: protocollo@pec.gdpr.it).
9. DATA PROTECTION OFFICER
BBS appointed its data protection officer, who can be contacted at the following address: dpo@bbs.unibo.it
You may contact the Data Protection Officer for all matters related to the processing of your personal data and the exercise of your rights under the European Regulation No. 679/2016 and the Privacy Code.
10. CONTACTS AND DISPUTES
If you have any question or complaint, regarding this Privacy Notice or BBS’s data processing practices or for requests regarding updating/rectification/erasure of personal data or the exercise of your privacy rights you may contact the Data Controller or Data Protection Officer.
For this purpose you may send a communication to the e-mail address gdpr@bbs.unibo.it, from which you will be answered by the person appointed by BBS to provide feedback to the data subject, that is the Privacy coordinator, or to the Data Protection Officer e-mail address dpo@bbs.unibo.it