PRIVACY POLICY
Updated as of September 2023
​
The American University of Rome respects and protects your privacy.
Notice pursuant to the European Data Protection Regulation No. 679/2016 ("GDPR")
The American University of Rome ("AUR", the "University" or the "Data Controller"), headquartered in Rome, Via Pietro Roselli n. 4, is committed to respecting and protecting your privacy and wants you to feel secure both while simply browsing the site and if you decide to provide personal data to receive information about the University's activities. On this page, AUR intends to provide some information on the processing of personal data related to users who visit or consult the website accessible by electronic means from the address https://aur.edu and https://aur.edu/benvenuti-alluniversita-americana-di-roma and https://www.auralumni.com (hereinafter jointly the "Site").
The information is provided only for the AUR website and not also for other websites that may be consulted by the user through links (for which please refer to their respective privacy policies/policies). The reproduction or use of pages, materials and information contained within the Site, by any means and in any medium, is not permitted without the prior written consent of AUR. Copying and/or printing for personal and non-commercial use only is permitted (for inquiries and clarifications contact AUR at the contact information below). Other uses of the content, services and information on this site are not permitted.
With respect to the content offered and information provided, AUR will endeavor to keep the contents of the Site reasonably up-to-date and revised, without offering any warranty as to the adequacy, accuracy, or completeness of the information provided by explicitly disclaiming any liability for any errors of omission in the information provided on the Site.
​
1. TYPES OF PERSONAL DATA
AUR must acquire (or already holds) certain data concerning you. Such data may also be those belonging to special categories only insofar as they are instrumental and/or useful to the management of the existing relationship with the student and/or the performance of services instrumental to it or related to it.
The categories of data that we may process are as follows:
- Personal identifying and biographical data: First and last name; social security number; date and place of birth; residential address; e-mail address; telephone number; passport number; IP address; messaging services (e.g., Teams, WhatsApp); picture; credit card number; AUR account name or nickname; data related to the degree(s) earned for access to a university course; grades and GPA (Grade Point Average) and other academic data; income data; etc.);
- Special data: Racial or ethnic origin; health status (mental or physical), information about physical or learning disabilities for which express consent to processing is required;
- Judicial data: convictions, criminal records, restrictions on freedom.
2. THE PROCESSING OF PERSONAL DATA AND ITS PURPOSES
"Data processing" means the performance of any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collecting, recording, organizing, structuring, storing, adapting or modifying, extracting, consulting, using, communicating by transmission, dissemination or any other form of making available, comparing or interconnecting, limiting, erasing or destroying.
All data will be processed by AUR for institutional/administrative/didactic/service purposes, payments and grants, related or related to activities undertaken by the University to perfect and manage the relationship with the student.
Personal data supplied or collected by AUR shall be processed for the following purposes:
LEGAL OBLIGATIONS
a) Fulfilment of regulatory or legal obligations (Italian or EU), including those of an accounting and fiscal nature.
CONTRACTUAL/INSTITUTIONAL OBLIGATIONS
(b) Handling of requests for contact or information through the Site (which may include the transmission of promotional materials); finalizing the application for enrollment; fulfilling any obligations arising from the student's enrollment and matriculation at the AUR (e.g., administrative, educational and pedagogical management, election of student offices, student health and safety protection, etc.); managing donations; managing campus visits;
(c) Provision of services (library, sports, trips, housing, internships, psychological counseling, invitations to AUR events and programs, etc.), financial aid, scholarships, grants and contributions requested by the student.
For the above-mentioned services we may also need to process special categories of personal data (e.g., health-related data) instrumental to their provision. In this circumstance you will be asked for your express consent.
d) Use of photos on student IDs in order to verify the identity of individuals authorized to access AUR premises.
(e) Security alerts (text messages, e-mail).
SOCIAL ENGAGEMENT/PROMOTION (AUR’s legitimate interest)
(f) Sending of AUR newsletters, AUR commercial and promotional communications and correspondence;
(g) Promotion of job placement, post-graduation and vocational training programs or courses both during the student's academic career at AUR and thereafter;
USE OF PHOTOS and VIDEOS
(h) Printing or posting on the AUR Site and social media any image/photo/video/audio taken or recorded during any institutional, educational, academic, training, promotional conference or event of AUR or any related activity;
SENSITIVE INFORMATION
i) processing of any sensitive personal information (that reveal my ethnic or racial origin, data related to health, medical history and conditions, criminal history and records, in the pursuit of those purposes set forth in point 2, subparts (a), (b), (c), (d), (e) and (f) and of the privacy policy.
3. LEGAL BASIS FOR DATA PROCESSING
AUR uses the student's personal data only when there is a valid legal basis for doing so.
For the purposes outlined in Section 2 letters (a) to (e), and pursuant to the GDPR, the Data Controller is not required to acquire explicit consent to process the student's personal data because such processing is, pursuant to Art. 6 of the GDPR ("Lawfulness of Processing"): 1) necessary to comply with an obligation of law or regulation (Italian or EU), and 2) necessary for the execution and management of AUR's contract with the student, or to comply with a specific request of the data subject, or because such processing is carried out for institutional activities related to the management of AUR's relationship with the student or for administrative-accounting purposes or to respond to a legitimate need of AUR in the pursuit of its mission, it being understood that in the latter circumstance the processing will be carried out taking into consideration the interests, rights and expectations of the students.
Therefore, if the data subject does not wish to provide the requested data for the purposes described above, AUR may be prevented from establishing or executing its relationship with the student.
For the purposes mentioned in point 2 letters (f), (g) and (h) or for other and distinct reasons, personal data may be processed only with the express consent of the data subject.
Likewise, any processing of special data may be, pursuant to Article 9(2) of the GDPR, carried out only with the express consent of the data subject.
Such consent to data processing by the data subject is free and optional and always revocable without consequences on the existing relationship with AUR except for the impossibility for AUR to provide certain ancillary services.
4. RECIPIENTS OF PERSONAL DATA
For certain processing, we use trusted parties who perform tasks of a contractual, technical or organizational nature on our behalf. Some of these subjects are also operating abroad. These parties are our direct collaborators and perform the function of the "controller" or authorized entity for data processing, or they operate completely independently as separate "controllers" of the processing.
These are, specifically:
- employees/partners of AUR authorized to process and/or appointed as Data Processors;
- third parties appointed by AUR, in compliance with Art. 29 of the GDPR, to establish/manage the existing relationship with the student, appointed as Data Processors/Authorized Persons;
- the Data Protection Officer (DPO).
Outside of these cases, disclosure of personal data to third parties will only occur with the explicit consent of the student.
It should also be noted that personal data will not be subject to disclosure unless specifically authorized by laws and/or regulations, or with the express consent of the student, nor will it be subject to any fully automated decision-making process, including profiling.
5. TRANSFER ABROAD OF DATA
Your personal data collected by the Data Controller for the purposes set out in point 2 of this Notice, may be transferred by AUR, pursuant to Articles 44 et seq. of the GDPR, on the basis of adequate safeguards to ensure the protection of personal data, to entities located outside the European Union, specifically to American university institutions and/or American government authorities. Such transfer will take place under the exemption provided for in Article 49(1)(b) only if necessary for the performance of the relationship established between AUR and the student.
Under no circumstances will AUR transfer your personal data to parties not authorized to process such personal data.
6. METHOD OF PROCESSING
Your personal information is used only in ways and procedures strictly necessary to provide you with the services, products and information you have requested, including through the use of paper mail, electronic mail, other remote communication techniques, telematic, automated and computerized tools, and forms and questionnaires.
7. RETENTION OF DATA AND OTHER INFORMATION
Pursuant to Art. 13, paragraph 2, letter (a) of the GDPR, we inform you that, in compliance with the principles of lawfulness, purpose limitation and minimization of data set forth in Art. 5 of the GDPR, for the purposes referred to in point 2, subsections (a) to (e), the period of data retention will be for a period not exceeding that necessary to achieve the purposes for which the data were collected and processed, in compliance with any terms established by law. Such retention shall be without prejudice to any five- or ten-year retention periods that may be provided by law for civil, accounting or tax obligations.
Personal data related to the student's university career will be kept indefinitely in protected files and in accordance with current regulations. Data collected for access to University services and communications will be retained for as long as necessary to perform the service.
For the purposes referred to in point 2. subsection (f), (g) and (h), the retention period is 2 years from the date of giving consent.
8. DATA CONTROLLER AND DATA PROCESSORS
The Data Controller is:
- THE AMERICAN UNIVERSITY OF ROME, in the person of its pro-tempore legal representative, with registered office in Rome, Via Pietro Roselli No. 4, e-mail: privacy@aur.edu.
-The current DPO (Data Protection Officer) is Quorum Studio Legale e Tributario Associato, with registered office in Rome, Via degli Scipioni 281, e-mail: info@quorumlegal.com.
9. RIGHTS OF THE DATA SUBJECT
Pursuant to and in accordance with Articles 15-22 of the GDPR, you are granted the following rights as a data subject that you may exercise against the Data Controller:
- Right of access: to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to receive information regarding, in particular, the purposes of the processing, categories of personal data processed and the period of storage, and recipients to whom the data may be disclosed (Article 15, GDPR);
- Right to rectification: to obtain, without undue delay, rectification of inaccurate personal data concerning you and supplementation of incomplete personal data (Article 16, GDPR);
- Right to deletion: to obtain, without undue delay, the deletion of personal data concerning you, where one of the cases referred to in Article 17 applies (Article 17, GDPR);
- Right to restriction: to obtain from the Data Controller the restriction of processing, in the cases provided for in the GDPR (Article 18, GDPR);
- Right to portability: to receive in a structured, commonly used and machine-readable format the personal data concerning you provided to the Controller, as well as to obtain that the same be transmitted to another controller without hindrance, in the cases provided for by the GDPR (Article 20, GDPR);
- Right to object: object to the processing of personal data concerning you, unless there are legitimate reasons for the Controller to continue the processing (Article 21, GDPR);
- Right to complain to the Supervisory Authority: complain to the Data Protection Authority, Piazza Venezia 11, 00187, Rome (RM).
It should be noted that revocation of consent for the processing of data for which the same is required does not affect the lawfulness of the processing based on the consent before revocation.
The above rights may be exercised by request sent by registered letter with return receipt or email, to the above addresses, using the appropriate form available on the website of the Guarantor for the Protection of Personal Data https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/doc....
Use of the Site implies full knowledge and acceptance of the content and any indications included in this notice. AUR informs you that this policy may be modified without prior notice and therefore recommends periodic reading.
​
Contacting Us
If there are any questions regarding this privacy policy, you may contact us using the information below.
The American University of Rome
Via Pietro Roselli 4
00153 Rome,
Italy