Information Notice on the processing of personal data by SISSA Medialab S.r.l.
Purpose and Legal Basis of the Processing
Purpose | Participation in activities related to the scientific community such as, for example:
Legal Basis |
Purpose | Process payment in favour of the Data Subject and perform the ensuing tax activities.
Legal Basis |
Purpose | Publication of personal data and/or images of the data subject.
Legal Basis | Consent with retention until the exercise of a legitimate right of the data subject which revokes the legal basis, alternatively, in relation to the legitimate interest of the Controller balanced between the needs to pursue the stated purposes and the fundamental rights of the data subject.
Purpose | Use of contact and identification data (such as name, surname and e-mail address, etc.) for project-related activities involving the data subject.
Legal Basis |
Purpose | Establishment and execution of a contractual relationship.
Legal Basis |
Purpose | Fulfilment of obligations under applicable regulations and legislation.
Legal Basis |
Purpose | Administrative-accounting obligations.
Legal Basis |
Purpose | If necessary, to ascertain, exercise or defend the Controller’s rights in judicial or extrajudicial proceedings.
Legal Basis | Legitimate Interest of the Controller.
Purpose | Efficient management of the contractual relationship and handling of data subjects’ requests.
Legal Basis | Depending on the contexts in which the data subject’s personal data are processed:
Purpose | Commercial Communications.
Legal Basis | Consent of the data subject required where and if necessary.
Purpose | Cooperation with law enforcement agencies.
Legal Basis | Statutory obligation.
Legitimate interests pursued by the Controller
The controller may use its legitimate interest as the legal basis for a given purpose by balancing its rights with those of the data subject, taking into account his or her “reasonable expectations” in view also of the existing relationship with the controller. When the processing is based on the legitimate interest of the controller, it is not necessary to request the data subject’s consent to pursue that specific purpose. The processing must not adversely affect the rights and freedoms of the data subject. Some examples of legitimate interest:
Data recipients (by categories)
The Controller will not sell or pass on personal data of data subjects to third parties to be used for marketing purposes.
Transfers to third countries pursuant to Articles 46, 47, 49 GDPR
Transfers to third countries will take place in accordance with current legislation:
Further details on the location, appropriate safeguards and copy of the data can be requested from the Controller and/or will be provided in special reference notices. Data intended for publication on Internet sites will be accessible to any user visiting the site that published them. Such processing will have an appropriate legal basis and will be carried out on data for which the data subject has been informed of the specific purpose.
Criteria for determining the data retention period
The Controller applies the principle of data minimisation for all processing. For some processing, the retention period can be determined more precisely than others, for example:
For other processing operations, the criteria for determining the retention period are assessed on a case-by-case basis, sometimes in view of regulatory indications (e.g. Covid), at other times on the basis of balancing the legitimate interests of the Controller, contractual obligations, and the rights of the data subjects. Where possible, the retention period set or at least the criteria used will be indicated in a separate notice.
Rights of Data Subjects
Requests can be addressed to the Controller via the contact details in the page footer, via email at privacy@medialab.sissa.it, or to the Data Protection Officer at: LawOneTax Legal Associates | Viale Bianca Maria, 45 - 20122 Milano – Italy | dpo@medialab.sissa.it. Communications with the Data Protection Officer are confidential.
Data subjects also have the right to:
Consent
Where required, consent is free, optional and revocable on the part of the data subject. It is collected for processing that requires it in a specific location for specific types of data or purposes.
Compulsory conferment
The disclosure of certain personal data is a statutory or contractual obligation or a necessary requirement for the conclusion of a contract. Where the data subject is under an obligation to provide personal data and does not do so, it will be impossible to pursue the purposes for which the data are requested, including, by way of example:
Categories of personal data concerned
For some of the Controller’s activities, the personal information collected relates to common data (this could include name, address, email address, IP address, affiliation, payment information, place and date of birth, ORCID ID), and sometimes to data belonging to special categories under Article 9 of the GDPR (only where there is an appropriate legal basis, for example where the Controller needs to exercise employment and social security law rights or the data subject has given consent). In connection with site navigation, information is collected on which pages are visited and when.
Source of origin of personal data
Personal data are generally collected from the data subject but, in some cases, may come from third parties who provide them to the Controller having a legitimate legal basis (e.g., University, institution or company to which the data subject belongs, employer or colleagues of the data subject). If the data subject also provides data from third parties [e.g., family members, employees or colleagues], he/she will do so on a legal basis that enables the Controller to process those data.
Further purposes
If the Controller intends to further process personal data for a purpose other than that for which they were collected, the Controller shall, prior to such further processing, provide the data subject with information about that other purpose and any further information relevant to the new purpose. Such communications may take place by updating the Information Notice and/or by contacting the data subject.
Version and date
Last modified April 2023 (v04-2023-en)