Commitment to Privacy
The American University of Rome is committed to respecting and protecting your privacy. This statement describes our website information collection practices and explains how we use and protect your personal information. Should you choose to provide us with any personal information, you can be assured that it will only be used by The American University of Rome to conduct official University business, in conformity with Italian law.

Information collected on this website and how it is used
The AUR website automatically collects general information that does not identify you personally. This includes the Internet Protocol (IP) address of the computer you are using; the web page from which you entered our website; the web pages you visited and for how long; browser used; date and time. To collect this data, we use Google Analytics, a web analytics service that provides statistics and tools that help us focus on the needs and interests of our visitors and improve the overall functionality of the website. Learn more about the Google Analytics Terms of Use

Cookies
When you view our website, we may store some information on your computer in the form of a cookie, or small data file. Cookies enable the website to remember your actions and preferences over a period of time so that you don’t have to keep re-entering them whenever you come back to the site or browse from one page to the other. Usage of a cookie is in no way linked to any of your personally identifiable information while on our site. You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience all features and content of our website. Learn how to disable cookies in your browser. 

Google
Google's advertising requirements can be summed up by Google's Advertising Principles. They are put in place to provide a positive experience for users. https://support.google.com/adwordspolicy/answer/1316548?hl=en 

We do not use Google AdSense Advertising on our website.

We have implemented the following cookies:
       Remarketing with Google AdSense

We, along with third-party vendors such as Google, use first-party cookies (such as the Google Analytics cookies) and third-party cookies (such as the DoubleClick cookie) or other third-party identifiers together to compile data regarding user interactions with ad impressions and other ad service functions as they relate to our website.

Opting out:
Users can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising Initiative Opt Out page or by using the Google Analytics Opt Out Browser add on.

Security
At The American University of Rome we are committed to ensuring the security of your information and have put in place the necessary physical, technical, and administrative safeguards to prevent unauthorized access to any information we collect. All information gathered on the AUR website is encrypted using 128-bit Secure Sockets Layer (SSL) and public-key encryption. 

Sharing your information
We will not share your personal information with unaffiliated third parties except for certain explicit circumstances in which disclosure is required by law.

Third Party Sites
The AUR website provides links to external sites as a convenience. Please note that the University is not responsible for the content or privacy practices of other sites linked within our website.

Confidentiality of Student Educational Records
All enrolled students at The American University of Rome are protected under the Family Educational Rights and Privacy Act (FERPA) and Italian privacy law. Read more about AUR’s Student Record confidentiality here.

Changes to this Statement
We reserve the right to modify this privacy statement at any time and will post the changes on this web page.

Fair Information Practices
The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:

We will notify you via email
       Within 7 business days

We will notify the users via in-site notification
       Within 1 business day

We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.

Contacting Us
If there are any questions regarding this privacy policy, you may contact us using the information below.

The American University of Rome
Via Pietro Roselli 4
00153 Rome, 
Italy

privacy@aur.edu

PRIVACY POLICY G.D.P.R. 679/2016

Pursuant to Art. 13 of Legislative Decree no. 196/2003 and Art. 13 and 14 of EU Regulation 2016/679
The American University of Rome, with registered office in Rome, at Via Pietro Roselli n. 4, as Data Controller, pursuant to Articles 4 and 28 of Legislative Decree no. 196/2003 (hereinafter, the “Privacy Act”) and Articles 4, 7, and 24 of EU Regulation 2016/679 regarding the protection of personal data for natural persons (hereinafter, “EU Regulation”). Please be advised that pursuant to Art. 13 of the Privacy Act, and Art. 13 and 14 of the EU Regulation, we are the Data Controller for your personal data. As such, we shall process your data for the purposes, and using the methods indicated herein, in compliance with the aforementioned laws and regulations, as well as the principles of lawfulness, ethics, minimization, integrity, transparency, accountability, and the duties of confidentiality to which the undersigned University is bound, in order to provide the utmost protection to your privacy.

The EU Regulation aims to ensure that personal-data processing takes place in a manner that respects the fundamental rights and liberties of natural persons, especially the right to personal-data protection.
“Data Processing” means any operation or set of operations, performed with or without the support of automated processes, and applied to personal data or to sets of personal data, including: collection, recording, organization, structuring, retention, adjustment or modification, excerpting, review, use, disclosure via submission, dissemination or any other means of making such data available, comparison or mining, limitation, erasure, or deletion.

  1. TYPES OF PERSONAL DATA

Some personal data (first and last name, email address, telephone number, mailing address, etc.) are collected and filed by the University pursuant to previous communications, personal contacts, terminated/completed academic enrollments or contracts, registrations on our website, voluntary email correspondence, published or public-domain mailing lists and services. These shall be processed in accordance with your wishes. 

Moreover, the University may process:

  • Identifying data (first and last name; tax ID number; place and date of birth; home address; email address; phone number; passport number; IP address; image/likeness; credit-card number; digital ID; account name or nickname; educational background; school/university record, etc.) 
  • Sensitive data that reveal: racial or ethnic background; political views, or religious or philosophical creed, union affiliation, health status, sexual orientation, etc.
  • Court-related data (convictions; criminal record; restraints on liberty).

Personal data shall be accurate, complete, and tailored to the purposes for which they are collected and thereafter processed.

  2. DATA-PROCESSING PURPOSES

All data shall be processed for institutional and administrative purposes by The American University of Rome, connected or relating to activities undertaken by the University to manage its fundraising and development processes.
Personal data supplied or collected shall be processed for the following purposes:

  (a) Compliance with regulatory or statutory duties (Italian or EU), and moreover for purposes relating to civil law, withholdings, accounting, or tax reporting;
  (b) Register the user to access content and applications on the website;
  (c) Handle informational requests on the University, contact requests, donation requests, providing services, including access to University facilities and alumni services (such as guidance on Transcript Requests, Declaration of Value and general Alumni inquiries of all sorts, post-graduate scholarships, post-graduate work initiatives);
  (d) Publishing the donor’s name;
  (e) To send communication and correspondence regarding any upcoming fundraiser or development effort and other University activities/events, seminars, informational, promotional and commercial communications, newsletters, surveys – including via automated instruments (e-mail, fax, SMS, etc.);
  (f) Profiling purposes aimed at identifying the characteristics and interests of the recipients in order to convey communication and promotion activities;
  (g) For the preparation of studies and market research and for statistical purposes – including via automated instruments and profiling purposes.

3. LEGAL BASIS FOR PROCESSING

The lawfulness of the Data Controller’s processing of your personal information is ensured in that it is done in conformity with subparts (a), (b), (c) and (f) of Art. 6, paragraph 1 of the EU Regulation, and with Art. 9, paragraph 2 of the EU Regulation.

4. PROCESSING METHOD; DATA RETENTION

Processing shall be completed manually and/or using automation (e.g. profiling), including with the support of electronic/online and automated instruments, in compliance with the security criteria set forth under Art. 32 of EU Regulation 2016/679, and Attachment B to the Privacy Act (Art. 33-36 of the Act), and shall be performed by duly appointed persons, in compliance with Art. 29 of EU Regulation 2016/679. 
Personal data shall be included in any Entries or Logs/Registers required by law for the aforementioned purposes.

5. DISCLOSURE AND DISSEMINATION OF PERSONAL DATA IN THE PURSUIT OF THE PROCESSING PURPOSES.

Personal data may be disclosed to third parties to whom disclosure is required to comply with a legal or statutory duty, as well as for activities otherwise related to the services provided (including but not limited to: persons, companies, or professional firms that provide support, consulting, or cooperation with bookkeeping, accounting, legal affairs, tax reporting, and finance; third-party suppliers of services to the University; and affiliated organizations and individuals which support and provide services to alumni and supporters, such as donors of the University who have assigned a scholarship).

The following is a list, by category, of persons who might have access to your personal data:
- staff/associates of The American University of Rome appointed as Data Processors;
- persons engaged by The American University of Rome to execute and manage the services provided, appointed as Data Supervisors/Processors;
- Co-Data Controllers, if any;
- The Data Protection Officer (DPO).

Outside the foregoing cases, disclosure of personal data to third parties shall only take place with the data subject's express consent.
Please note, furthermore, that personal data shall not be subject to dissemination, unless specifically authorized by statute and/or regulations, or with the data subject's express consent.

6. OPTIONAL OR MANDATORY NATURE OF CONSENT FOR THE PURSUIT OF CERTAIN PURPOSES  

In those cases illustrated by points 2 subparts (a), (b), (c) and 5. (i.e. required third-party disclosures) and pursuant to the Privacy Act and the EU Regulation, the Data Controller is under no duty to acquire explicit consent to process the worker’s personal data. Such processing shall be for primary purposes under Art. 24 of the Privacy Code and Art. 6 of the EU Regulation. No explicit consent from the data subject shall be required, either because such processing is required to discharge a statutory, regulatory duty (Italian or EU), or because processing is necessary for contract performance and management, or to comply with a specific request submitted by the data subject or - finally, because such processing is done for administrative-accounting purposes.
Should the data subject not wish to submit such requested data (necessary for the reasons described supra), it may be impossible to fulfill its requests.
For the cases illustrated in point (2), subparts (d), (e), (f), (g), or for other, distinct reasons, personal-data processing may only be performed with the data subject's express consent.
 

7. RETENTION PERIOD FOR DATA AND OTHER INFORMATION

Pursuant to Art. 13, paragraph 2, subpart (a) of the EU Regulation, please be advised that, in compliance with the principles of lawfulness, purpose limitation, and data minimization set forth in Art. 5 of EU Regulation 2016/679, for the purposes appearing in point  2 subparts (a), (b), (c) the retention period shall be for no longer than required to achieve the purposes for which they were collected and processed, in accordance with any time periods set by law. 
Such retention shall be without prejudice to any statutory five- or ten-year retention terms as may apply to civil, accounting, or tax-related duties.

For the purposes appearing in point 2, subparts (d), (e), (f), (g), the retention period shall be for twenty (20) years from the most recent consent.

Pursuant to Art. 13, paragraph 1, subpart (f) of the EU Regulation, please be advised that data collected may be transferred to an EU member state, to a non-EU country (especially the U.S.), to international organizations, insofar as permitted by Art. 44 et seq. of the EU Regulation.
 

8. DATA CONTROLLER AND DATA PROTECTION OFFICER.

Identifiers for the Data Controller are as follows:
- THE AMERICAN UNIVERSITY OF ROME, with registered office in Rome, at Via Pietro Roselli n. 4, e-mail: privacy@aur.edu.
The DPO (Data Protection Officer) presently in office is Ms. Loredana Passaretti, Esq., with offices in Rome at Via Flaminia n. 213, e-mail: legaleprivacy@gmail.com.
 

9. DATA-SUBJECT RIGHTS

You may exercise your rights under Art. 7 of the Privacy Act and under Art. 15-22 of the EU Regulation at any time. You have the right to:
A. Access your personal data;
B. Obtain information on processing purposes, the categories of personal data, the recipients or categories of recipients to whom personal data are or shall be disclosed, and if possible the retention period for the same;
C. Secure data correction or erasure;
D. Secure processing limitation(s);
E. Be alerted by Data Controller in instances of personal-data correction or cancellation;
F. Data Portability: obtain your data from a data controller in a structured, machine-readable, commonly used format, and have them forwarded to another data controller without delay;
G. Object to processing at any time, including for direct-marketing data processing;
H. Object to decisions being predicated on data mining, including profiling, on any natural person;
I. File a complaint with the Data Protection Authority, following the procedure and instructions posted to the Authority's official website: www.garanteprivacy.it.

You may exercise your rights under Art. 7 of the Privacy Act and Art. 15-23 of the EU Regulation by sending a written request to the registered address, or to the DPO via email.

For your convenience, please find the full text of Art. 7 of the Privacy Act below. Articles 15-22 of the EU Regulation may be viewed here: https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ITA.
 
FULL TEXT OF ARTICLE 7 OF THE PRIVACY ACT

Art. 7 (Rights to access personal data and other rights)

1. The data subject has the right to have confirmation on whether his/her personal data exists, even if not yet recorded, and to have them provided in an intelligible format.

2. The data subject has the right to know:
  a) the source of the personal data;
  b) the purposes and methods for processing;
  c) the logic applied - in cases where processing is performed with the aid of electronic instruments;
  d) identifiers for the data controller, data supervisors, and the data protection officer appointed under Article 5, paragraph 2;
  e) the persons/entities, or categories of persons/entities to whom personal data may be disclosed or who may have access to the same in their role as Data Protection Authority, data supervisors, or data processors.

3. The data subject has the right to secure:
  a) updates, corrections, or should the circumstances warrant, supplementation of their data;
  b) erasure, pseudonymization, or blocking of any unlawfully processed data, including those whose retention is not necessary given the purposes for which they were collected and thereafter processed;
  c) an affidavit that the operations appearing in points (a) and (b) hereof were (including their content) disclosed to those to whom data were disclosed or disseminated, except in cases where discharging such duty would be impossible, or require the use of resources that clearly outweigh the right sought to be protected.

4. The data subject has the right to object, in whole or in part:
  a) for legitimate reasons, to the processing of their personal data, even if germane to the purpose for which they were collected;
  b) to the processing of their personal data for marketing or direct-sales, or market research and promotional mailings.