NOTICE PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 ON THE PROCESSING OF PERSONAL DATA RELATING TO REGISTRATION, USE OF AN E-COMMERCE PROFILE, AND THE PURCHASE OF “ROMA TRE” BRANDED MERCHANDISING PRODUCTS

This notice is provided pursuant to Art. 13 of EU Regulation 2016/679 of 27 April 2016 (hereinafter the “EU Regulation”) on the protection of natural persons with regard to the processing of personal data and in compliance with the legislation on personal data processing, as well as the free movement of such data. In particular, it concerns information regarding the processing of personal data you provide for the purpose of reporting unlawful conduct to the administration.

Data Controller

The controller of the personal data is the University, as defined above, represented by the Rector pro tempore, domiciled for the office at the University’s registered office. The Controller can be contacted at:privacy@uniroma3.it and certified email (PEC) privacy@ateneo.uniroma3.it.

Università Roma Tre is the controller of the personal data and information it collects and processes as described in this Notice. This means it is responsible for safeguarding the information and ensuring that it is processed in accordance with personal data protection provisions and, in particular, those contained in the EU Regulation and Legislative Decree No. 196/2003 (“Personal Data Protection Code”), as amended and supplemented by Legislative Decree No. 101/2018.

In particular, Università Roma Tre undertakes to adopt all measures to ensure that the data processed are accurate and up to date; to provide clear information on data processing; to process data only for specific purposes; to share data only with expressly designated third parties; and to implement appropriate technical and security measures during processing activities.

Data Protection Officer

The Data Protection Officer (“DPO”) can be reached at: emailrpd@uniroma3.it and certified email (PEC) rpd@ateneo.uniroma3.it

Purposes of Processing, Legal Basis, Categories of Data

Personal data will be processed by the Controller to enable the purchase of products and access to services reserved for registered users on the e-commerce platform, to manage and fulfill user requests, to carry out direct marketing activities, to perform anti-fraud checks, and to protect the University’s rights, both in and out of court.

The University collects and processes the personal data of data subjects on the basis of needs connected with the performance of its institutional tasks in the public interest, pre-contractual and contractual requirements, as well as on the basis of the consent of individual data subjects.

For the purposes indicated in this notice, the Controller will process the personal data provided by the user at the time of registration on the e-commerce platform, as well as those relating to the purchase of “Roma Tre” branded merchandising products made through the platform.

a) Data for registration

When registering on the e-commerce platform, the Controller will collect personal and contact details, such as first name, last name, email address, and telephone and/or mobile number. At the time of registration, a customer number will also be assigned, necessary for authentication in the reserved area.

b) Data necessary for purchases and their management

When making a purchase on the e-commerce platform, additional information will be requested, such as the address for product shipping and invoicing, as well as data relating to the means of payment used. The Controller may also collect further personal data when it needs to contact the user and send requests in relation to the purchase of our products or the use of the e-commerce platform, using the addresses available on the site.

User data will be processed using IT and electronic tools and are protected by appropriate technical and organizational security measures designed to ensure their confidentiality, integrity, and availability.

Personal data will be processed by persons authorized and instructed to process data under the direct authority of the Controller, operating in accordance with the principles of fairness, lawfulness, and transparency, and protecting data confidentiality through technical and organizational security measures appropriate to ensure a level of protection adequate to the risk. In some cases, personal data will be disclosed to other entities acting on behalf of the University as processors, who have been given specific instructions on the processing of the user’s data; the list of such processors can be requested from the Controller.

Data Retention

Data will be retained only for the time necessary to achieve the purposes for which they were collected or for any other legitimate related purpose. Therefore, if personal data are processed for two different purposes, the Controller will retain such data until the purpose with the longer retention period ceases. In any case, data will no longer be processed for the purpose whose retention period has expired. Personal data that are no longer necessary, or for which there is no longer a legal basis for retention, will be irreversibly anonymized or deleted.

Personal data processed to manage and respond to requests for information or other communications are kept for the time necessary to handle and respond to the user’s requests and are subsequently deleted.

Data Transfer Abroad

The Controller will process personal data within the European Union.

Data Subject Rights

The data subject may exercise the rights provided by the GDPR with respect to the University, namely:

-receive confirmation of the existence of personal data and access their content (right of access);

-update, amend, and/or correct personal data (right to rectification);

-request the deletion or restriction of processing of data processed in violation of the law, including data for which storage is unnecessary in relation to the purposes for which the data were collected or otherwise processed (right to erasure/right to be forgotten and right to restriction);

-object to processing at any time where processing is based on a legitimate interest (right to object);

-in the cases provided for, receive a copy of the data in electronic format concerning them provided in the context of a contract and request that such data be transmitted to another controller (right to data portability).

With regard to processing based on consent, where given (for example: for marketing purposes), the user may withdraw such consent at any time without prejudice to the lawfulness of processing based on consent before its withdrawal.

To exercise these rights, the data subject may contact the Data Controller by sending a request toprivacy@uniroma3.it.

RIGHT TO LODGE A COMPLAINT

Data subjects who believe that the processing of personal data concerning them carried out through this site is in breach of Regulation (EU) 2016/679 have the right to lodge a complaint, as provided for by Art. 77 of the Regulation, or to bring proceedings before the competent courts (Art. 79 of the EU Regulation). Further information regarding personal data protection rights can be found on the website of the Italian Data Protection Authority ​www.garanteprivacy.it