Scuola Nazionale dell'Amministrazione

Regulation (EU) 2016/679

INTRODUCTION

The National School of Administration, with registered office in Rome, Via dei Robilant, 11, in the person of its current legal representative, acting as Data Controller (hereinafter the “Data Controller” or the “School”), pursuant to Regulation (EU) 2016/679 (hereinafter also the “Regulation”), considers the confidentiality and protection of Personal Data a fundamental objective of its institutional activities.

We therefore invite data subjects whose personal data are processed by the School and/or other entities with which the School maintains relationships, to carefully read this Policy before communicating any personal data to the Data Controller.

“Personal Data” means any information relating to an identified or identifiable natural person (the “data subject”).

This Policy represents a general overview of the School’s privacy policy and:

• refers to the processing of data carried out in the performance of the School’s institutional activities, without prejudice to specific privacy notices provided on an ad hoc basis;
• is provided to natural persons, pursuant to Article 13 of the Regulation, and to other subjects, in the latter case for information purposes only, who interact with the activities of the Data Controller;
• is also deemed to apply to the School’s institutional website (https://sna.gov.it).

From the institutional website, it is possible to access additional websites such as https://didattica.sna.gov.it and https://learninglab.sna.gov.it/moodle/, which are managed by duly appointed external service providers.

The Data Protection Officer (DPO), Lawyer Eugenio Cipolla, duly appointed by the School, can be contacted at the following email address: privacy.sna@governo.it.

This document has been drawn up to enable data subjects and other parties having dealings with the School to understand the School’s privacy policy and the manner in which personal data are processed.

The information and data provided directly by the data subjects or otherwise acquired, used in the context of the Services offered by the School – for example, for participation in events or training courses – will be processed in compliance with the provisions of the Regulation, in particular with reference to the principles of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality.

1. Data Controller

The Data Controller is the National School of Administration, with registered office in Rome, Via dei Robilant, 11, acting through its current legal representative.

2. Personal Data subject to processing

The School processes the personal data necessary for the performance of its institutional activities, including:

• the implementation of training programmes for civil servants and executives of the Public Administration through educational offerings structured into different thematic areas;
• the management of the competitive recruitment and training procedure for access to senior management positions in the Italian civil service.
• the development of international relations and cooperation, through participation in sector networks, agreements with foreign institutions and training activities for employees and diplomats of other countries;
• the management of research projects aimed at improving training quality and promoting innovation within the Public Administration;
• the organisation and management of institutional meetings, conferences, open lectures, training workshops, book presentations and dissemination of publications on topics relevant to the Public Administration;
• administrative, accounting and human resources management, teaching staff management and budget preparation;
• the development of IT infrastructure and digital transformation;
• the management of procurement, logistics and School-owned properties, as well as agreements related to training activities and connected events.

Following navigation on the institutional website, the School will process personal data provided by the data subject that are necessary for such navigation. Such data may include personal details, identification numbers, online identifiers or other elements suitable for identifying the data subject.

Additional Personal Data may be processed when freely provided by the data subject through information request forms (e.g. requests for information on courses or enrolment in training activities).

Any special categories of personal data, pursuant to Article 9 of Regulation (EU) 2016/679, will be processed only with the explicit consent of the data subject:

a. Data provided voluntarily by the data subject

The School may process personal and contact data such as name, surname, email address and telephone number; data relating to educational qualifications and training contained in CVs; data relating to training courses and services, including test and examination results and information on dates, times and methods of service delivery; and data relating to payments and other banking information, such as information contained in receipts for payment of training course fees.

Where the data subject provides the School with Personal Data relating to third parties, the data subject undertakes full responsibility for ensuring the existence of an appropriate legal basis pursuant to Article 6 of the Regulation for such disclosure and related processing.

b. Browsing data

The IT systems and software procedures used to operate the Website acquire, during normal operation, certain Personal Data whose transmission is implicit in the use of Internet communication protocols. These data are not collected to be associated with identified data subjects but may, by their nature, allow user identification through processing and association with data held by third parties.

This category includes IP addresses, domain names of devices used to access the Website, URI addresses of requested resources, request times, request methods, file sizes, server response status codes and other parameters relating to the user’s operating system and IT environment.

Such data are used exclusively to obtain anonymous statistical information on Website usage, to ensure proper functioning and to detect anomalies or abuses and are deleted immediately after processing. The data may be used to ascertain liability in the event of computer-related offences; except for this circumstance, web contact data are retained for no longer than seven days.

3. Purposes of processing

The processing of personal data carried out by the School may pursue the following purposes:

a. to enable the School to carry out its statutory and institutional activities (research, training, etc.) and the transversal activities necessary for its proper functioning (procurement, personnel management, etc.);

b. to enable the provision of the Services offered by the School;

c. in relation to the services offered by the School through its website(s), to enable:

• registration on the website;
• subscription to email newsletters;
• enrolment in training courses;
• sharing of content available on the website;
• submission of general information requests;
• registration for events and initiatives organised by the School;
• the collection and analysis of CVs for the purposes of collaboration or recruitment by the School and for the appointment of selection board members within public selection or procurement procedures.

4. Legal bases and mandatory or optional nature of processing

The legal basis for the processing of Personal Data, depending on the purposes of such processing, may be:

• the data subject’s consent;
• the performance of a contract;
• compliance with a legal obligation;
• the performance of a task carried out in the public interest or in the exercise of official authority.

With reference to personal data entered on the Website, processing is necessary for the provision of the Services or to respond to requests submitted by the data subject.

The School will provide specific privacy notices in relation to the processing activities falling within its statutory functions, identifying one or more relevant legal bases, unless the data collected are anonymised.

5. Recipients of Personal Data

For the purposes indicated in section 3 above, the Personal Data of the data subject may be disclosed to:

• entities that typically act as Data Processors pursuant to Article 28 of the Regulation, including:i) persons, companies or professional firms providing assistance and consultancy services to the School; ii) entities with whom interaction is necessary for the performance of the School’s institutional activities; iii) entities entrusted with technical maintenance activities (including maintenance of network devices and electronic communication networks).

The list of Data Processors may be requested from the Data Controller.

• natural persons, legal entities, bodies or public authorities, as well as independent Data Controllers, where disclosure of Personal Data is required by law or by orders of competent authorities;
• personnel expressly authorised by the School (e.g. employees and collaborators).

6. Data retention

Personal Data processed for the purposes set out in section 3 of this Policy shall be retained only for the period strictly necessary to achieve such purposes, in accordance with the principles of data minimisation and storage limitation pursuant to Article 5(1)(e) of the Regulation.

Specific privacy notices will indicate the applicable retention periods for the various categories of processed data.

Further information regarding data retention periods and the criteria used to determine them may be requested by contacting the Data Protection Officer appointed by the School (see section 8).

7. Transfer of data outside the European Economic Area

In the event that platforms such as Microsoft Teams or Zoom are used for live streaming of lessons and/or for the provision of educational content and materials, such use may involve the transfer of Personal Data outside the European Economic Area (EEA), including identification data, contact details, and data and metadata relating to dates, times and content of training sessions.

Such transfer is based on the derogation provided for in Article 49(1)(b) of the Regulation, as it is occasionally necessary for the performance of the training service.

In any event, the School will assess whether adequate safeguards or equivalent levels of data protection are ensured in relation to the destination country.

8. Rights of the data subject

Pursuant to Articles 15 et seq. of the Regulation, the data subject has the right, where the relevant conditions are met, to request at any time:

• access to their Personal Data;
• rectification or erasure thereof;
• restriction of processing in the cases provided for in Article 18 of the Regulation;
• data portability, pursuant to Article 20 of the Regulation, i.e. to receive the data concerning them in a structured, commonly used and machine-readable format.

Where processing is based on consent, the data subject may withdraw such consent at any time, pursuant to Article 7 of the Regulation, without affecting the lawfulness of processing carried out prior to withdrawal.

The data subject may also lodge a complaint with the Supervisory Authority pursuant to Article 77 of the Regulation (Italian Data Protection Authority – for further information: www.garanteprivacy.it), should they consider that the processing of their personal data violates the applicable legislation.

Where applicable, the data subject may object to the processing of Personal Data pursuant to Article 21 of the Regulation, stating the grounds for the objection. The Data Controller shall assess the request, which may be refused where compelling legitimate grounds for processing override the interests, rights and freedoms of the data subject.

Any request relating to the exercise of the above rights may be addressed to the DPO appointed by the School (Lawyer Eugenio Cipolla) at privacy.sna@governo.it.

9. Amendments

The School reserves the right to amend or update this Policy, in whole or in part, including as a result of changes in applicable legislation, without prejudice to the specific privacy notices provided for individual processing activities.

Data subjects are therefore invited to consult this section regularly in order to remain informed of the most recent and updated version of the general privacy policy.

10. Cookies and Online Tracking

This cookie policy refers exclusively to the institutional website.

a. Definitions, characteristics and legal framework

Cookies are small text files that websites visited by the user send and store on their computer or mobile device, to be retransmitted to the same websites on subsequent visits. Thanks to cookies, a website can remember the user’s actions and preferences (such as login data, chosen language, font size, and other display settings) so that they do not need to be re-entered when the user returns to the website or navigates from one page to another.

Cookies are therefore used to perform computer authentication, monitor sessions, and store information regarding users’ activities on a site. They may also contain a unique identification code that allows the user’s navigation within the website to be tracked for statistical or advertising purposes.

While browsing a website, users may also receive cookies from websites or web servers other than the one they are visiting (so-called "third-party cookies"). Certain operations could not be performed without the use of cookies, which in some cases are therefore technically necessary for the website to function properly.

There are different types of cookies depending on their characteristics and functions, and these may remain on the user’s computer or mobile device for different periods of time. For example:

• Session cookies, which are automatically deleted when the browser is closed;
• Persistent cookies, which remain on the user’s device until a preset expiry date.

Under current Italian law, the use of cookies does not always require the user’s express consent. In particular, consent is not required for technical cookies, i.e., those used solely to transmit a communication over an electronic communications network or strictly necessary to provide a service expressly requested by the user. In other words, these are cookies essential for the website to function or necessary to perform activities requested by the user.

According to the Italian Data Protection Authority (in the Provision “Identification of simplified procedures for disclosure and acquisition of consent for the use of cookies” of 8 May 2014, hereinafter the “Provision”), technical cookies, which do not require express consent for their use, also include:

• Analytics cookies, insofar as they are used directly by the site operator to collect information, in aggregate form, on the number of users and how they visit the site;
• Navigation or session cookies, which allow users to navigate and use the website normally (e.g., to make a purchase or authenticate to access restricted areas);
• Functional cookies, which allow users to navigate according to a set of selected criteria (e.g., language, products selected for purchase) in order to improve the service provided.

For profiling cookies, i.e., those aimed at creating user profiles and used to send advertising messages in line with the user’s expressed preferences during web browsing, prior user consent is required.

b. Types of cookies used by the Website

The above-mentioned Website uses only technical cookies – navigation or session cookies – strictly necessary for the functioning of the Website or to allow the user to access the content and/or services requested.

PLEASE NOTE: by disabling technical and/or functional cookies, the Website may become inaccessible, or some services or functionalities of the Website may not be available or may not function properly, and users may be required to modify or manually enter certain information or preferences each time they visit the Website.

SNA uses third-party cookies, i.e., cookies from websites or web servers other than those of the Data Controller, used for the purposes of such third parties, including analytics and profiling cookies. Please note that these third parties, listed below with links to their respective privacy policies, act as independent data controllers of the data collected through the cookies they send, and users should refer to their information on the processing of Personal Data, their privacy notices, and any consent forms (selection and deselection of the respective cookies).

Below are links to the respective cookie policies and consent forms (as required by the Ordinance):

• Google: https://www.google.it/intl/it/policies/technologies/types/
• Google Analytics: https://tools.google.com/dlpage/gaoptout?hl=it-IT

c. Managing cookies through browser settings

Users may select which cookies to authorise through the specific procedure available in the Cookie Settings section and may also authorise, block or delete cookies (in whole or in part) through the relevant settings of their browser. However, where all or some cookies are disabled, the Website may not be accessible or certain services or functionalities of the Website may be unavailable or may not function properly, and users may be required to modify or manually enter certain information or preferences each time they visit the Website.

Further information on how to manage cookie settings through browsers is available at the following links:

• Internet Explorer
• Firefox
• Chrome
• Safari