PRIVACY POLICY AND RELEASE OF PHOTOS AND VIDEOS

In compliance with the provisions of article 13 of the GDPR, Università Commerciale “Luigi Bocconi” (hereinafter also "University") informs the subject who has been filmed/photographed/recorded (hereinafter also the "Data Subject") during the activities and events organized by Alumni&Fundraising – Bocconi University (hereinafter also "the Event"), that the data collected will be processed through electronic and manual tools. This policy, drawn up on the basis of the principle of transparency and all the elements required by the GDPR, is divided into individual sections, each of which focuses on a specific topic in order to make for quicker, easier and more comprehensible reading (hereinafter the "Privacy Policy").

1. Data Controller and Data Protection Officer
The Data Controller is Università Commerciale “Luigi Bocconi”, with registered offices at Via Sarfatti 25, Milan.
In order to facilitate relations with the University, a Data Protection Officer (hereinafter, "DPO") has been appointed, who can be contacted at dpo@unibocconi.it.

2. Data Processed and Processing Purposes
The data that is subject to processing shall involve identification data, including photographs and/or video recordings of the Data Subject.
In compliance with the provisions of article 13 of the GDPR, Università Commerciale “Luigi Bocconi” (hereinafter also "University") informs the subject who has been filmed/photographed/recorded (hereinafter also the "Data Subject") during the activities and events organized by Alumni&Fundraising – Bocconi University (hereinafter also "the Event"), that the data collected will be processed through electronic and manual tools. This policy, drawn up on the basis of the principle of transparency and all the elements required by the GDPR, is divided into individual sections, each of which focuses on a specific topic in order to make for quicker, easier and more comprehensible reading (hereinafter the "Privacy Policy").

3. Legal Basis of the Processing
The legal basis of this processing lies in the consent provided by the Data Subject. The provision of consent is optional and failure to provide it will not allow the use of the images and/or audiovisual footage recorded during the Event for the purposes indicated in Section 2.

4. Data Processing Methods and Data Retention
The personal data collected will be subject to processing in compliance with current legislation and the principles of fairness, lawfulness, transparency and confidentiality, which are central to the Controller’s actions. These data shall be processed using electronic, hard copy and/or any other type of suitable medium, in compliance with the security measures provided for under the GDPR.
The personal data collected will be processed by the Data Controller for as long as necessary to pursue the purposes of information and dissemination.

5. Disclosure and Dissemination of Personal Data
Within the limits pertinent to the processing purposes indicated in Section 2, the personal data collected may be published, by way of example and not limited to, on television, company websites, all the Data Controller's social media platforms, magazines or any other any other medium, including those developed hereinafter, intended for the dissemination indicated in the consent form and used for information purposes of the activity carried out by the University.
Personal data collected in this way shall be processed exclusively:
- by persons authorized to process data, such as employees and contractors of the Data Controller, pursuant to and for the purposes of art. 29 GDPR and art. 2-quaterdecies of Legislative Decree no. 196/2003 and subsequent amendments;
- by persons appointed as Data Processors in compliance with art. 28 of the GDPR, such as third-party companies that carry out activities on behalf of the Data Controller.

6. Geographic Area of Processing
Your personal data will be processed by the Data Controller within the European Union. If it becomes necessary to rely on persons or entities located outside the European Union, the transfer of personal data to these persons or entities shall be limited to the performance of specific processing activities and regulated in accordance with the provisions of Articles 44 et seq. of the GDPR and current legislation.
In any case, the Data Subject may request more details from the Data Controller or the DPO using the contact details indicated above.

7. Data Subjects Rights
Data Subjects can assert their rights as expressed in articles 15 et seq. of the GDPR.
In particular, any Data Subject may obtain:
a) confirmation as to whether or not personal data concerning them are being processed, as well as access the data and the following information: the purposes of processing, categories of personal data, recipients and/or categories of recipients to whom the data have been and/or will be disclosed and the storage period;
b) correction of inaccurate personal data concerning them and/or the integration of incomplete personal data, including by means of providing a supplementary statement;
c) erasure of personal data, in the cases provided for by the GDPR;
d) limitation to processing in the cases provided for by current legislation;
e) the portability of the data concerning them, and more specifically the Data Subject can request to receive the personal data provided to the Data Controller and/or transmit those data to another data controller;
f) objection to the processing at any time, for reasons related to a particular situation, in full compliance with the current Privacy Regulations, as well as for any commercial purposes;
g) withdrawal of any consent given, without affecting the lawfulness of the processing based on consent prior to withdrawal.
Any Data Subject may exercise these rights by contacting the Data Controller or the DPO at the addresses indicated above.
If the Data Subject believes that the processing of their data is carried out in violation of the provisions of the GDPR and/or current legislation, they have the right to lodge a complaint with the relevant data protection authority (Italian Data Protection Authority), as provided for by art. 77 of the GDPR, according to the methods indicated at the following URL: https://www.garanteprivacy.it/i-miei-diritti or take appropriate legal action (art. 79 of the GDPR).