The following provisions are made in accordance with the EU General Data Protection Regulation 2016/679 and Article 13 of Italian Legislative Decree No. 196/20
This statement sets out the provisions governing the processing and use of any personal data you provide to the Institute for Educational Technology, CNR (ITD-CNR), including to whom and where those data can be transferred. It also specifies your rights with respect to those data.
In accordance with provisions for the protection of personal data of individuals and of other entities set out in Article 13 of Italian Legislative Decree No. 196/2003 (henceforth “Italian Privacy Code”) and in Article 13 of the EU General Data Protection Regulation 2016/679 (henceforth “GDPR 2016/679”), we hereby inform you that any personal data you provide will be processed in accordance with the abovementioned regulations and with the privacy provisions that ITD-CNR is required to observe.
The Data Controller and Processor
The Data Controller is the National Research Council – Consiglio Nazionale delle Ricerche (CNR), with registered offices at Piazzale Aldo Moro 7, 00185 Rome (IT).
Data Protection Officer (DPO)
The officially designated DPO’s Certified Email Account is email@example.com.
Where authorised by the Data Controller / Processor, the DPO may appoint one of more intermediary service providers. Where any managing officers are appointed by such providers, the personal data of those officers are to be made available to all interested parties.
Purposes and obligations of personal data management
ITD-CNR will manage your personal data in accordance with the purposes set out in GDPR 2016/679. Specifically, these concern the performance of ITD-CNR’s public functions and/or activities related to the exercising of its public duties. This includes archiving, search and analysis of data for statistical purposes.
Your personal data are needed to fulfil legal requirements, including those concerning communications with the National Research Council (CNR).
Data processing and storage
ITD-CNR endeavours to protect all personal data it is provided with, and to process that data in accordance with the principles of fairness, lawfulness and transparency.
Personal data entrusted to ITD-CNR will be processed and transmitted for the most part in digital form, in accordance with the provisions of Article 32 of GDPR 2016/679, of Annex B, and of Articles 33-36 of the Italian Privacy Code concerning safety measures carried out by specifically designated persons, as stipulated by Article 29 of GDPR 2016/679.
We inform you that, in accordance with the principles of lawfulness, purpose limitation and data minimisation stipulated in Article 5 of GDPR 2016/679, your data will be held only for the period of time necessary to fulfil the purposes for which they have been gathered and processed.
Collected data are processed on the premises of the Data Controller and in all other places in which those involved in processing the data are located.
All data provided will be managed by ITD-CNR personnel, in accordance with current regulations.
Data transfer and transmission
Your personal data will not be transferred or transmitted without your explicit consent, with the sole exception of communications requiring the transfer of data to public organisations, consultants or other bodies for the purposes of fulfilling legal obligations.
Transfer of personal data
Your data may be transferred to other Member States of the European Union but will not be transferred to third countries outside the EU.
Automatic decision-making process
ITD-CNR has not activated any automated decision-making, including profiling, as specified in Article 22, Paragraphs 1 and 4 of GDPR 2016/679.
All data provided will be stored exclusively within Member States of the EU and only for the period required for their processing. At the conclusion of that period, some data will continue to be stored in accordance with Article 18 of GDPR 2016/679. This will be done to allow for any verification, exercising or defence of legal rights in a court of law, or for protecting the rights of another individuals or legal entities, or for important public interest of the EU or an EU Member State.
Withdrawal of consent
You have the right to withdraw consent to processing at any time. Withdrawal of consent shall not affect (a) the lawfulness of processing based on consent before its withdrawal or (b) further processing of the same data on other legal bases (for example, contractual or legal requirements that the Data Controller is subject to).
In accordance with Article 7 of the Privacy Code and Articles 15 and 22 of GDPR 2016/679, you have the right at any time to:
- request confirmation regarding the storage and processing of any personal data about you;
- obtain communication regarding the purposes of processing, the category of personal data in question, the recipient or category of recipient to whom the data have been or will be communicated, and, where possible, the period of storage;
- have personal data rectified or deleted;
- impose limits on data processing;
- obtain data portability, namely the right to receive any personal data about you in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance;
- object to automated individual decision-making, including profiling;
- request access to personal data, have personal data rectified or deleted, impose limits on or object to data processing, in addition to data portability;
- withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
- lodge a complaint with a supervisory authority.
You can exercise your rights by making a written request to ITD-CNR at the email address firstname.lastname@example.org, attaching a scan of your passport, driver’s licence, or similar document as proof of identity.
Your request with be handled with due diligence to ensure your rights are exercised within the limits set by these regulations. You also have the right to lodge a complaint with the Italian privacy authorities (“Garante Privacy”).