Welcome to Erasmus Student Network Perugia - ETS. In order to proceed with your membership registration and participation in our activities, we need to process some of your personal data. Here we explain how we do so. The Data Controller is Erasmus Student Network Perugia - ETS, with registered office at Piazza Fortebraccio n. 4 – 06123 – Perugia (PG), Italy. You may contact us regarding any privacy-related matter at: perugia@esn.it To manage your membership registration, we collect: To register you in the members’ register, issue your digital/physical ESNcard, and activate mandatory insurance coverage. Legal Basis: performance of the membership agreement (Art. 6(1)(b) GDPR). Your data are registered on the Jupiter/Galaxy platform, shared with ESN International and ESN Italia, in order to allow you to use the ESNcard throughout Europe. Other platforms may also be used for registration to association events, such as Jupiter/Gomry. Legal Basis: performance of the contract, necessary for the ESNcard service (Art. 6(1)(b) GDPR). We will provide you with a voluntary access link to messaging groups for logistical coordination and safety management during the events for which you register. Legal Basis: legitimate interest of the association in the safe management of activities (Art. 6(1)(f) GDPR). We may send you emails regarding upcoming events similar to those you have attended and publish photos and videos on the Association’s social media channels and websites to document and promote activities. Legal Basis: consent of the data subject (Art. 6(1)(a) GDPR), revocable at any time. Legal Basis: consent of the data subject (Art. 9(2)(a) GDPR). Your personal data may initially be communicated to us by public institutions with which the Data Controller actively collaborates, such as universities and related entities. Your personal data (or those of the person you legally represent or protect) are not subject to public disclosure, but may be communicated to public and private subjects, entities, and institutions for the achievement of the purposes specified above and in cases provided for by law or regulation. In particular, your data may be communicated to: Your data are not transferred outside the EU territory. However, they may be transferred outside the European Economic Area where necessary for managing your relationship with the Data Controller, for example through the use of platforms located in the USA, such as Google Drive. In such cases, transfers will take place in compliance with the Data Privacy Framework or through Standard Contractual Clauses. In such cases, recipients of the data will be subject to protection and security obligations equivalent to those guaranteed by the Data Controller. In any event, only the data strictly necessary for the specified purposes will be communicated, and the safeguards required for transfers to third countries will be applied where necessary. Your data are processed lawfully and fairly, in compliance with Articles 5 and 6 of the Regulation, for the purposes indicated above and in accordance with the fundamental principles established by applicable legislation. The processing of personal data may be carried out using manual, IT, and telematic tools, always subject to appropriate technical and organizational measures to ensure security and confidentiality, especially in order to reduce the risks of destruction or loss, including accidental loss, unauthorized access, or unlawful or non-compliant processing. Personal data will be processed by the Data Controller only for the time necessary to provide the requested services. Generally, the retention period is 10 years, unless longer retention is required by laws, regulations, EU legislation, or for the resolution of disputes or judicial investigations. In the case of promotional activities, unless consent is withdrawn at any time, the data will be retained for 2 years. Your data must be provided in order to carry out pre-contractual or contractual measures with the Data Controller or to comply with legal obligations incumbent upon the Controller, such as invoicing activities. Without the provision of such data, no services may be performed. Where the provision of data is based on consent, the provision of personal data is optional, and refusal to provide consent will not affect contractual relationships. You may exercise at any time the rights granted to you, including the right to: a) access your personal data, obtaining information regarding the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom they may be communicated, the applicable retention period, and the existence of automated decision-making processes; b) obtain without undue delay the rectification of inaccurate personal data concerning you; c) obtain, where applicable, the deletion of your data; d) obtain restriction of processing, where possible; e) request portability of the data provided to specifically indicated third parties, or receive them in a structured, commonly used, and machine-readable format, including for transmission to another Data Controller, where required by law; f) lodge a complaint with the Italian Data Protection Authority. The exercise of the above rights is subject to the limits, rules, and procedures provided for by EU Regulation 679/2016, which the data subject must be aware of and comply with. In accordance with Article 12(3) GDPR, the Data Controller shall provide information regarding the action taken without undue delay and, in any event, no later than 30 days from receipt of the request. This period may be extended by 60 days if necessary, taking into account the complexity and number of requests. The Data Controller shall inform the data subject of any such extension and the reasons for the delay within 30 days of receipt of the request. To exercise these rights, you may send a written request to the Data Controller using the appropriate forms available at the registered office or on the institutional website. The Data Controller has not appointed a Data Protection Officer (DPO), as this is not required under the applicable legislation. I declare that I have received and read the Privacy Notice for Ordinary Members provided by Erasmus Student Network Perugia - ETS as Data Controller, that I understand my data will be processed for the management of association activities (including the use of platforms such as Jupiter/Gomry and organizational WhatsApp groups), and that I am aware of my rights. As an Ordinary Member, I hereby authorize Erasmus Student Network Perugia - ETS, free of charge and without time limitation, pursuant to Articles 10 and 320 of the Italian Civil Code, Articles 96 and 97 of Law no. 633 of 22 April 1941 (Copyright Law), and Article 6(1)(a) of EU Regulation 2016/679, to use, publish, and/or disseminate in any form my images on the Data Controller’s website, in printed materials, documents, brochures, and booklets intended for external distribution for informational and/or promotional purposes, as well as on any digital and/or paper-based media and within the IT archives of ESN Perugia. I acknowledge that the purpose of such publications is purely informational and, where applicable, promotional.
PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLES 13-14 GDPR
Data Controller
What Data We Process
Why We Process Your Data (Purpose of Processing and Legal Basis)
Membership Registration (Mandatory)
Member Management Through Digital Platforms (Mandatory)
Event Coordination – WhatsApp/Telegram
Promotional Communications
Event Safety Management (Health-related Data Concerning Intolerances)
Source of Data and Categories of Recipients
Transfer of Data Abroad
Methods of Processing and Data Retention Periods
Nature of Data Provision
Your Rights
Data Protection Officer (DPO)
IMAGE AND VIDEO RELEASE
A) Privacy Section
B) Release Section