Privacy Policy pursuant to Article 13 of EU Regulation 2016/679

WHY AM I SEEING THIS NOTICE?

In compliance with the provisions of Article 13 of EU Regulation 2016/679 (hereinafter, the 'EU Regulation') on the protection of individuals with regard to the processing of personal data and on the free movement of such data, this policy is provided to users of the website https://www.domusacademy.com/ (hereinafter, the 'Site').

It is understood that the Controller makes further detailed information available for specific situations.

IDENTITY OF THE DATA CONTROLLER AND DATA PROTECTION OFFICER

Pursuant to Article 4, no. 7, of the EU Regulation, Nuova Accademia S.r.l., with registered office at Via Carlo Darwin 20, 20143, Milan (MI), Telephone: 02 973721, is the Data Controller (hereinafter also only 'Controller') and can be contacted at privacy@naba.it. Nuova Accademia S.r.l. has appointed a Data Protection Officer (DPO), who can be contacted by email at dpo@naba-da.com.

TYPES OF DATA PROCESSED

To pursue the purposes set out below, the Controller will, as appropriate and where necessary, process personal data belonging to the following categories:

- Common personal data such as personal data, contact data relating to initiatives, courses, events offered by the Data Controller

- Browsing data (common personal data): data belonging to this category are collected via cookies. For detailed information on the cookies used, please refer to the specific cookie policy.

COOKIES

For more information on the use of cookies within the Website, see the Cookie Policy.

PURPOSES OF PROCESSING AND RETENTION PERIOD

The purposes of the processing are as follows:

1.       Purposes on the basis of the data subject's consent (Article 6 par. 1 letter a GDPR)

a)       Send you notices about Campus initiatives, our Scholarships, courses and events that might interest you

b)      Aggregate and analyse the information collected to offer you customised content in order to improve the educational offer

Data processed for the above-mentioned purposes will be stored for three years; however, the data subject is given the opportunity to withdraw consent at any time (Article 7 par. 3 GDPR)

2.       Purposes for the protection of a legitimate interest of the Data Controller (Article 6 par. 1 letter f GDPR)

c) Management of the Data Controller's website

d) Contacting you and sending you information about our courses via email, telephone and WhatsApp/SMS/chat channels as a result of your requests received by filling in the forms on our website

e) Accreditation at events promoted by our Campus such as the Domus Academy Open Day

Data processed for purpose c) will be stored in accordance with the Cookie Policy

Data processed for purposes d) and e) will be stored for five years.

LEGAL BASES OF PROCESSING

The processing of the above-mentioned personal data is based on the following legal basis:

• Consent of the data subject (Article 6 par. 1 letter a GDPR)

• Legitimate interest of the Data Controller (Article 6 par. 1 letter f GDPR)

CATEGORIES OF RECIPIENTS

The data acquired by the Controller, within the scope of the above-mentioned purposes, may be disclosed to one or more of the categories of parties set out below, e.g.:

• Group companies

• Third parties (by way of example, external collaborators and companies providing specific instrumental services) carrying out outsourced activities on behalf of the Controller, in their capacity as external data processors

• Hosting service providers

• Parties carrying out management activities on the Controller's computer system

• Judicial authorities as well as those to whom communication is mandatory by law These parties will process the data in their capacity as autonomous data controllers.

The complete and up-to-date list of Autonomous Data Controllers, Appointed Data Processors and Data Recipients in any capacity (pursuant to Article 4 no. 9 of the EU Regulation) may be obtained from the offices of the Data Controller or by email: privacy@naba.it.

TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

The management and storage of personal data will take place on servers located within the European Union of the Controller and/or third-party companies assigned and duly appointed as Data Processors. Transfers to countries that do not provide the same level of protection under the GDPR or applicable law may occur. Domus Academy will ensure that each of these recipients undertakes specific contractual obligations in accordance with applicable data protection legislation (including the signing of Standard Contractual Clauses approved by the European Commission), unless the Data Controller can refer to any other legal basis for the transfer of such information. In any case, the data subject may always request further information, including the countries to which the personal data are to be sent, by writing to the email address privacy@naba.it.

For details on transfers via cookies, please consult the Cookie Policy.

METHODS OF PROCESSING

Personal data will be processed in both paper and electronic and/or automated form. It is possible to carry out operations of collection, recording, organisation, storage, consultation, processing, modification, extraction, comparison, use, interconnection, communication, erasure and destruction and any other appropriate operation, including automated operations, in compliance with the provisions of the law necessary to ensure, inter alia, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data to the stated purposes.

RIGHTS OF THE DATA SUBJECT

In relation to the personal data provided, the data subject has the right to exercise, at any time and in accordance with the provisions of the EU Regulation, the rights established in the latter and set out below:

- Right to withdraw consent (Article 7 par. 3 of the EU Regulation): right to withdraw consent given. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal

• Data subject's right of access (Article 15 of the EU Regulation): the right to obtain confirmation of the existence or non-existence of personal data relating to him/her and a copy thereof in intelligible form

• Right of rectification (Article 16 of the EU Regulation): right to rectification of inaccurate personal data concerning him/her

• Right to erasure 'right to be forgotten' (Article 17 of the EU Regulation): right to erasure of one's own data

• Right to restriction of processing (Article 18 of the EU Regulation): right to obtain the restriction of processing, e.g. if the accuracy of the data is contested or in case of unlawful processing

• Right to data portability (Article 20 of the EU Regulation): the right to receive in a structured, commonly used and machine-readable format the personal data concerning him/her that has been provided to the Data Controller, and the right to transmit such data to another data controller without hindrance where the processing is carried out on the basis of consent or a contract and is carried out by automated means

• Right to object (Article 21 of the EU Regulation): the right to object to the processing of one's own personal data

• Right not to be subject to automated decision-making (Article 22 of the EU Regulation): right not to be subject to a decision based solely on automated processing

We inform you that the Company undertakes to reply to your requests within one month, except in the case of particularly complex requests, for which it may take up to three months. In any event, the Company will explain to you the reason for the wait within one month of your request.

The outcome of the request will be provided in writing (at the request of the data subject) or electronically (and, in this case, free of charge). The Controller specifies that a possible contribution may be requested from the data subject if the requests made are manifestly unfounded, excessive or repetitive: in this regard, Domus Academy will keep track of the requests. In compliance with Article 19 of the EU Regulation, Domus Academy undertakes to inform the recipients to whom the data subject's personal data have been disclosed of any rectification, erasure or restriction of processing requested by the data subject, where possible. Please note that revocation of consent does not affect the lawfulness of processing based on consent before revocation.

RIGHT TO LODGE A COMPLAINT (ARTICLE 77 OF THE EU REGULATION)

If data subjects consider that their rights have been compromised or infringed, or that the processing of their data is contrary to the legislation in force, they have the right to lodge a complaint with the Personal Data Protection Authority in accordance with the procedures indicated by it at the following link.

NATURE OF DATA PROVISION

For the purposes of d) and e), the provision of data by the data subject is necessary; failure to provide such data will not permit the proper handling of requests received from the data subject.

For the purposes of a) and b), the provision of data by the data subject is optional: the data subject's failure to provide data will make it impossible to receive communications relating to Campus initiatives, Scholarships, courses and events of interest, and impossible for the Controller to aggregate and analyse the information collected through the website in order to improve the educational offer.

For purpose c) the provision of data by the data subject is necessary; failure to provide such data will not allow proper navigation on this website.

CHANGES AND UPDATES

Domus Academy may also make changes and/or additions to this policy as a consequence of any subsequent regulatory changes and/or additions. In such cases, the new version of this policy will be communicated as soon as possible in such a way as to reach the data subjects as quickly as possible.

DATA CONTROLLER

The data controller is:
Nuova Accademia S.r.l.
Via Carlo Darwin, 20
20143 Milano MI
Tel.: (+39) 02 973721
privacy@naba-da.com

The data protection officer is the company:
Mazars Italia S.p.A
Via Ceresio 7
20154 Milano MI
E-mail: dpo@naba-da.com