ISI Abroad

GDPR Data Protection & Privacy

Privacy protection – Student notice pursuant to Article 13 and 14 of EU Regulation 679/16.

The data requested from you, as an interested party, is processed by The International Studies Institute LLC (VAT number 06820750484), with registered office in Delaware-Dover, Kent County, Green, Ste A 8 (USA) with European-based branch offices in Florence, Italy in Via della Vigna Nuova n.18, Florence, Italy and in Piazza IV Novembre 23, Perugia, Italy with data controller (pec: isiflorence@pec.it, e-mail address: info@isiflorence.org – Tel. 055 2645910), hereinafter also referred to as ISI Abroad. The Data Protection Officer (DPO) is engr. Marco Turri (VAT number 04854420488 – registered email address (pec) ingmarcoturri@pec.creabit.it, email address marco.turri@creabit.it)

The processing of personal data by our EU-based entities is carried out in full compliance with current legislation (Legislative Decree No. 196 of June 30, 2003 and EU Regulation 679/16), is executed for the management of the contractual relationship between the parties and, in particular, for the preparation of; use of mobile app, academic services, cultural and volunteering initiatives, assistance with bureaucratic procedures related to entry and permanence in the Italian State, billing of payments, communications by print, IT and via telephone, for the management of the student’s needs and the satisfaction of all contractual and legal obligations. In relation to the contractual relationship, ISI Abroad may also process data relating to legal matters, for the sole purpose of ensuring the safety and security of the students and remaining in compliance with current legislation. (Purpose of the processing).

ISI Abroad will therefore treat the identification data (e.g. name and surname, social security, residence/domicile address, telephone number, e-mail address, references of identity documents, bank details, data relating to the university of origin, GPS locations services, and other data provided), for the aforementioned purposes, as these data are necessary to provide the required services including the sharing of all information provided with relevant personnel including but not limited to university advisors and administrators and emergency contacts. The legal basis of the related treatment is therefore the execution of the contractual relationship and the fulfillment of the related legal obligations (e.g. of an accounting and fiscal nature). In the event of disputes regarding this relationship, the legal basis is the legitimate interest of the Data Controller in the right of defense.

ISI Abroad may also process photographic images and videos depicting your person for the purpose of information, promotion, and/or enhancement of the activities carried out by students and teaching staff at ISI Abroad and/or performed by the Data Controller in the presence of the aforementioned people. The legal basis of the processing is the required consent of the interested party, which is a condition of participation in our programs and rendering of services in the EU, and in the absence of this ISI Abroad will not use these images (except in any case of the provisions of Art. 96 and 97 of Law n. 633/1941).

In relation to the contractual relationship, ISI Abroad may also process data belonging to “special categories of data” pursuant to Article 9 of EU Regulation 679/16, such as data relating to health status (e.g. in the case of pathologies and/or allergies) with the purpose of guaranteeing special conditions in relation to housing and/or academic activities that guarantee the parties’ health and safety, as well as assistance from ISI Abroad employees and/or collaborators to accompany them to medical examinations or public institutions. The legal basis for processing data belonging to “particular categories of data” is the consent of the interested party.

Personal data may be, even partially, provided by the student’s home university. Personal data may also be processed to share (via e-mail or telephone), newsletters and communications regarding ISI Abroad initiatives and services (so-called direct marketing). The legal basis of the processing is the consent of the interested party.

The International Studies Institute, LLC
@Palazzo Rucellai
Via della Vigna Nuova, 18
50123 Firenze (Italy)
Fax +39 055 2646721

@Palazzo Bargagli
Lungarno delle Grazie, 22
50122 Firenze (Italy)
Phone +39 055 5359751

@ISi Perugia (The Umbra Institute)
Piazza IV Novembre 23
60123 Perugia (Italy)
Phone: +39 075-7750101

Cod. Fisc. 94084400483
Partita IVA: 06820750484
Codice SDI: M5UXCR1

The processing of personal data will consist in the collection, recording, organization, structuring, storage, adaptation or modification, extraction, selection, consultation, use, communication by transmission or other forms, comparison or interconnection, the limitation, cancellation or destruction of the same.

Personal data is processed in written form, on paper, magnetic and telematic format, with appropriate tools to guarantee the security of the same and entered in the data bank of the data controller.

The provision of personal data does not constitute a legal obligation, but is contractually necessary, as such, it is mandatory for our company to carry out the aforementioned services and for the purposes indicated above. In the event of refusal to provide such information, ISI Abroad will not be able to perform the requested contractual service.

Your data may also be processed for the purpose of protecting people, property and company assets, through a video surveillance system of some areas of the building, identifiable by the presence of appropriate signs. This treatment pursues our legitimate interest in protecting people and property against possible assaults, thefts, robberies, damages, vandalism and for purposes of fire prevention and safety. (Legal basis of the treatment: legitimate interest of the Data Controller to safeguard people and company assets). Personal data are processed exclusively by subjects appointed by the Data Controller, who is specially trained in the field.

Recipients. Personal data can be communicated to all the subjects whose access is recognized by current legislation and for purposes related to legal obligations (e.g. Guarantor Authority, Public Authorities, Public Administrations), as well as public and private entities (e.g. hospitals, private clinics, insurance companies, accommodation and travel organizations, owners of housing properties, voluntary organizations, intermediary companies for student services), in addition to the emergency contacts, employees and collaborators appointed for data processing by ISI Abroad, to whom communication is necessary for the purposes indicated above.

Personal data may also be communicated to professionals, IT experts, companies that manage cloud and telephone services, companies and credit institutions in charge of data processing, connected with the fulfillment of administrative, accounting and managerial obligations linked to the ordinary performance of our business (e.g. accounting and tax compliance, verification of economic relations). These individuals may be designated Data Processors pursuant to Article 28 of EU Regulation 679/16. The list of individuals appointed as data processors is available at our registered office.

The personal data will also be communicated to the universities of origin (in particular the data contained in the certificates issued by ISI Abroad at the end of the academic course), for the purposes indicated above.

Personal data (for example relating to any academic questions) also belonging to “special categories of data” (e.g. relating to legal issues, medical conditions, safety and security, etc.) may eventually be communicated to the emergency contacts, parent, family member, legal guardian indicated to us, always for the purposes described above. Such communications may involve the transfer of data to the student’s country of origin.

Personal data will not be disseminated, except as specified below. With your consent as part of the application process and conditions, and as part of the processing activities, the photographic and video images in which you are depicted in and collected for the purposes described above may be published in print material, digital material and on the web channesl managed by ISI Abroad (e.g. website, social network).

Images recorded using a video surveillance system are not communicated to third parties, except for specific investigative requests by judicial authorities or judicial police.

Personal data is also stored on servers located in Italy, within the European Union.

ISI Abroad uses the Google Drive service. The data is therefore also processed by the Google Inc data processor, 1600 Amphitheater Parkway Mountain View, CA 94043 USA, at its operating offices, in compliance with the applicable legal provisions, and with the provisions of the articles 44 and following of EU Regulation 679/16.

ISI Abroad uses the Cloudflare service. The data is therefore also processed by the Cloudflare Data Processor, Inc.101 Townsend St. San Francisco, CA 94107 (represented in Europe by Cloudflare Germany GmbH Rosental 7 – 80331 München under Art 27 GDPR), at its operating offices, in compliance with the applicable legal provisions, and with the provisions of articles 44 and following of EU Regulation 679/16.

ISI Abroad uses HubSpot’s (2 Canal Park, Cambridge, MA, United States) product infrastructure is hosted on Amazon Web Services (AWS) in the United States East region or AWS in the Germany region in compliance with the applicable legal provisions, and with the provisions of articles 44 and following of EU Regulation 679/16.

In any case, it is understood that the undersigned Data Controller, if necessary, will have the right to move servers (and data) even outside the EU. In this case, the extra-EU data transfer will take place in compliance with the applicable legal provisions, and with the provisions of articles 44 and following of EU Regulation 679/16.

Pursuant to EU Regulation 679/16, you can exercise the following rights as an interested party:

  1.  the right to obtain confirmation from the Data Controller that the processing of personal data concerning you is underway and, in this case, to obtain access to personal data and information provided by art. 15 (e.g. information relating to the purposes of the processing, to the categories of personal data in question, to the recipients or categories of recipients to whom the personal data have been or will be communicated, to the retention period, to their own rights, to the origin of the data where not collected from the interested party, to the existence of an automated decision-making process, etc);
  2.  the right to obtain, if inaccurate, the correction of personal data concerning you, as well as the integration of the same if deemed incomplete, always in relation to the purposes of the processing (art. 16);
  3.  right to delete data (“right to be forgotten”), if any of the cases referred to in art. 17 applies;
  4.  right to limit the treatment, in the cases provided for by art. 18;
  5.  data portability right, pursuant to art. 20;
  6.  right to object to the processing, pursuant to art. 21;
  7.  where the legal basis for the processing is consent, the right to revoke the consent at any time without jeopardizing the lawfulness of the processing based on the consent given before the revocation.

The Data Controller does not adopt automated decision-making processes; the rights pursuant to Article 22 of the EU Regulation 679/16 apply to the interested party.

The interested party is also entitled to be informed, where applicable, of the intention of the Data Controller to transfer the data to a third country or to an international organization and the existence or absence of a decision of adequacy of the Commission or in the hypothesis of transfers pursuant to art. 46, 47 and 49 c.2, reference to appropriate guarantees and the means to obtain a copy of such data or the place where they were made available.

All the aforementioned rights can be exercised through a request addressed to the Data Controller (e.g. by contacting us by e-mail or by telephone).

The interested parties are always entitled to lodge a complaint with a supervisory authority (Article 77 EU Regulation 679/16 – Art 140 bis and following Legislative Decree 196/2003).

Personal data will be stored only for the time necessary to carry out the aforementioned purposes and to fulfill the obligations provided for by law (e.g. for administrative, fiscal and accounting purposes up to ten years pursuant to art. 2220 and 2946 of the Italian Civil Code), without prejudice to any issues of an accounting or contentious nature that may extend this period.

Any “special data pursuant to Article 9 of EU Regulation 679/16” will be kept exclusively for the time necessary, therefore for the period of the student’s stay at ISI Abroad and as necessary records for maintaining transcripts for archiving purposes. Personal data will be stored for the aforementioned direct marketing purposes during the student’s stay at ISI Abroad.

Images recorded by means of an Institute video surveillance system are canceled after 30 days, except holidays, closure of the financial year or at the request of the judicial police. In hypotheses related to specific needs, according to the indications of the Guarantor Authority, a storage period not exceeding one week may be considered legitimate.


The International Studies Institute LLC
(DBA: ISI Florence, Umbra Institute, ISI Abroad)