Privacy Policy

General information on the processing of personal data carried out by the University of

This information has been prepared pursuant to Art. 13 of Regulation (EU) 2016/679 – European Parliament and Council of 27 April 2016 (General Data Protection Regulation, hereinafter also referred to as “GDPR”) as well as art. 13 of Law no. 171/2018 of the Republic of San Marino (hereinafter also "RSM Law").

The regulations indicated in the subject govern and impose a series of obligations on the subject who carries out the processing of personal data. Among the obligations to be respected is that of informing the person to whom the data refer.

1. IDENTITY AND CONTACT DETAILS OF THE HOLDER OF THE TREATMENT
The Data Controller of personal data is the University of the Republic of San Marino, in the person of the Magnificent Rector as Legal Representative, with headquarters in Contrada Omerelli, 20 —Republic of San Marino, hereinafter also referred to as the "Data Controller" or "Data Controller of the treatment".

The Data Controller can be contacted for more information on the treatments at the following e-mail address: rettorato@unirsm.sm‎ or on 0549 882541

2. CONTACT DETAILS OF THE DATA PROTECTION OFFICER
The University of the Republic of San Marino has appointed a (Data Protection Officer or DPO) domiciled at the headquarters of the Data Controller, and can be contacted by sending an e-mail to the following address: dpo@unirsm.sm

3. PURPOSE OF THE TREATMENTS AND LEGAL BASES
The processing of personal data carried out by the University of the Republic of San Marino in its capacity as Data Controller is mainly necessary for the execution of a task of public interest which the Data Controller is entrusted with (reference Article 5, paragraph 1, letter e) Law 171/2018 and Law No. 25 of 2014 April 67 (Framework law on university education). Additional legal bases are identified for specific processing purposes such as:

1. Reasons of significant public interest for the processing of particular data in the context of education and training activities (Reference Article 9, paragraph 2, letter r) Law 171/2018.
2. Reasons of relevant public interest for the processing of particular data in the context of requests for access to administrative documents and civic access.
3. Reason of public interest for the treatments carried out in the context of administrative processes.
4. Contractual and legal obligations in the context of treatments that are based on legal acts and contracts or on specific legal provisions.
5. Explicit and preventive consent for one or more processing purposes in all cases where this is required by law.

The main treatments carried out by the Data Controller are highlighted below:
Main treatments related to students

• Necessary treatment for university orientation.
• Processing aimed at providing entry tests or verifying access requirements.
• Treatment aimed at providing the training course and managing the entire university career (from enrollment to graduation).
• Treatment for internship activities.
• Processing aimed at statistical surveys and teaching evaluation.
• Treatment for tutoring services.
• Treatment aimed at the management of degrees.
• Processing aimed at providing services and activities for the right to study.
• Treatment for distance learning activities.

Main treatments relating to employees and/or collaborators

• Treatment aimed at personnel selection.
• Treatment necessary for the management of the employment relationship.
• Processing for training and professional updating purposes.
• Treatment necessary for the management of research projects.
• Treatment necessary for the use of concessions.
• Treatments for the health and safety of people in the workplace.

General treatments

• Processing in the context of university administrative processes.
• Treatment for space management (classrooms, study rooms).
• Treatment for the management of fixed and mobile workstations.
• Treatment for management activities of university bodies.
• Injury management treatment.
• Treatment for the management of the library service.
• Treatment in the context of protocol services and document conservation.
• Processing in compliance with the provisions on transparent administration.
• Treatment in the context of the purchase of goods and services, stipulation of contracts, debt collection, dispute management.
• Processing in the context of email services and work tools.

For further information on the aforementioned treatments, see the detailed information

4. NATURE AND TYPE OF PERSONAL DATA
With regard to the type of personal data processed, reference is made to the detailed information and to the documentation used in the administrative processes.

5. METHOD OF TREATMENT
The Owner processes personal data, by means of paper, magnetic, electronic and telematic supports, guaranteeing their security and confidentiality, as well as their accuracy, updating and pertinence with respect to the aforementioned purposes. Adequate security measures are adopted to limit the risk of loss of confidentiality, integrity and availability of data. No fully automated treatments are carried out on which decisions affecting the legal sphere of natural persons are based, except for specific cases identified in the detailed information.

6. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA
Personal data, for exclusive organizational reasons, will be brought to the attention of the subjects designated as data processors and persons in charge of processing, i.e. employees and collaborators of the Data Controller and also, for exclusive functional reasons, to:

1. Subjects to whom the Data Controller entrusts the creation and maintenance of the website, IT/telematic systems and network connections.
2. Researchers, fellows and professors, who act under the authority of the Data Controller, in relation to the different activities envisaged by the processing of competence.
3. San Marino and foreign public administrations if it is necessary in the context of the administrative process or when it is required in order to fulfill legislative prescriptions.
4. Other Universities or training institutes for carrying out teaching activities by virtue of specific agreements between the parties.
5. Subjects to whom the Data Controller relies for assistance in technical-administrative or legal activities.

Some personal identification data may be published on the Data Controller's website in compliance with the provisions on transparent administration.

7. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANIZATION
It should be noted that the data will be processed by the Data Controller within the territory of the Republic of San Marino, a third country, which does not benefit from an adequacy decision by the European Commission pursuant to art. 45 of the GDPR. The Republic of San Marino has legislation on the protection and protection of personal data which guarantees adequate guarantees and is inspired by the principles prescribed by the GDPR. The Data Controller does not transfer personal data to third countries or international organizations, unless this is required for educational reasons or legislative requirements or to exercise, ascertain or defend one's right in court.

8. PERIOD OF CONSERVATION OF PERSONAL DATA/CRITERIA USED TO DETERMINE THIS PERIOD
The University of the Republic of San Marino retains personal data for a period of time not exceeding the achievement of the purposes for which they were collected or subsequently processed, as well as for the period established by the laws and regulations of the University as well as by the related legislation administrative purposes, management of any complaints, disputes or criminal proceedings.

9. EXERCISEABLE RIGHTS
It is specified and reminded that, in addition to being able to lodge a complaint or report to the Supervisory Authority, it is possible to exercise a series of rights, provided for by current legislation both at European level (GDPR) and at national level (Law n. RSM) which, in synthesis, the articles are cited below according to the uniform numbering reported in both regulations:

• right to request confirmation of the existence of a treatment, or to obtain access to personal data and detailed information (references art.15);
• right to rectification of inaccurate personal data (reference art.16);
• right to cancellation (“right to be forgotten”) only for personal data processed on the basis of consent, a contract or a specific legislative provision (reference art.17);
•  right to limitation of treatment (reference articles 18-19) or right to oppose the treatment at any time (reference article 21);
• right to data portability, only in cases where the treatments are based on consent or on a contract and are carried out by automated means (reference art.20);
• right not to be subjected to an automated decision-making process, including profiling, except in cases where the decision is necessary for the conclusion or execution of a contract between the parties or is based on explicit consent (reference art.22)
• right to revoke the consent originally given, without prejudice to the treatments that took place previously (reference art.7 GDPR and art.6 Law 171/2018).

The right to erasure and data portability does not apply to personal data processed for the performance of a task in the public interest or connected to public authorities.

10. NATURE OF THE PROVISION
The provision of personal data for the purposes indicated is optional only if it is not expressly required by law for the processing carried out in the context of university administrative processes. Failure to provide data in cases where it is optional affects subsequent activities related to data collection.

11. CHANGES AND UPDATES
This information was prepared on 1 December 2020 and may undergo changes and updates as a result of organizational or regulatory changes.