Processing of personal data

Privacy statement pursuant to art. 13 and 14 of Regulation (EU) 2016/679


Through this document (“Privacy Statement”), the company ISD ECOLE FRANCAISE INTERNATIONALE DE ROME Srl
(“Holder”), as defined below, wishes to inform you of the purposes and methods of processing your data, and of your minor
children, personal and the rights granted to you under Regulation (EU) 2016/679 on the protection of individuals with regard to
the processing of personal data and on the free movement of such data (“GDPR” – General Data Protection Regulation) and
the Personal Data Protection Code governed by Legislative Decree [Italian] n. 196/2003, as amended by Legislative Decree
[Italian] n. 101/2018.
The processing of personal data relating to your family members will be based on the principles of lawfulness and transparency,
in order to protect your confidentiality and your rights.


1. Definition of the Data Controller, its Representative and the Data Protection Officer (DPO) – Useful contact details
The Data Controller is ISD ECOLE FRANCAISE INTERNATIONALE DE ROME Srl with registered office in Via Igino Lega n.
5, 00189 – Roma (RM), in the person of the legal representative pro tempore
The Data Controller has appointed a Data Protection Officer (“DPO”), whom you will be able to contact in order to exercise the
rights provided for by the GDPR in art. from 12 to 22 and to receive any information relating to these rights and/or to this privacy
statement, domiciled for this function at the registered office of ISD ECOLE FRANCAISE INTERNATIONALE DE ROME Srl a
socio unico
In order to receive additional information on data processing, you can use the following contact details of the Data Controller:
• Via Igino Lega n. 5, 00189 – Roma (RM).
• Email address:
• Certified email message:
The Data Controller has appointed a Personal Data Protection Officer (RPD or Data Protection Officer – DPO) whom you can
contact for any information and request concerning the exercise of your rights at the address of following email:
The Holder and the DPO, including through the designated structures, will take charge of your request and will provide you with
it without undue delay and, in any case, at the latest within one month from receipt of your request, the information relating to
the actions put in place to respond to it.


2.Purposes and legal bases of the processing to which the personal data are subject
Personal data may be processed for: i) the execution of pre-contractual measures and the subsequent execution of the contract;
ii) the institutional and general interest purposes of the Data Controller, even when they come from other sources (for example
public bodies, public administrations, establishments with which the Institute cooperates in the activities and projects planned
in the Training Offer Plan), within the limits permitted by law; iii) the management of the training offer, registration, participation
and possible granting of financial aid; (iv) the application of site security measures and the management of insurance files,
including in relation to accidents; v) the possibility of accessing the ISD infirmary service and compliance with the resulting
administrative obligations; vi) for the use of the canteen service vii) the administrative and institutional obligations in terms of
vaccination on the basis of the provisions in force; viii) management of school activities and events, private events; ix) ensure
the regular progress of the training course.
With regard to the use of images and video recordings of students, it may possibly be possible that photographs of work and
didactic activities related to the institutional activities of the Institute are inserted in the Training Offer Plan (as per (e.g.
photographs relating to laboratory activities, guided tours, award ceremonies, participation in sports competitions, etc.) or
published on the Institute’s website ; that class photos are taken during the year; that video
recordings of didactic and institutional activities be made by the Institute.
The carrying out of these treatments is a necessary condition for the interested party to benefit from the related services. In the
case of continuous processing, the institutions involved may be appointed external data controllers, for the services rendered
The legal basis for this processing is the need to comply with legal obligations, pre-contractual and contractual obligations and
conditions, legitimate interest and consent.
With reference to the declarations of consent, recipients are invited to read the corresponding sections of the online platform
dedicated to student registration.


3. Methods of processing your personal data
The processing of personal data for the methods set out will be carried out using automated methods, on electronic or magnetic
support, or non-automated, on paper support, in compliance with the rules of confidentiality and security provided for by law,
regulations and internal arrangements. The treatment for the realization of distance learning will be carried out through the
modality of online video-conferencing.
Personal data falling within the “special categories of personal data” defined by art. 9 of the GDPR will be processed exclusively
by the staff of the Institute in compliance with the principle of the strictly indispensable nature of the processing;
The data will be retained according to the indications of the Technical rules for the electronic preservation of documents, within
the periods and according to the methods indicated in the Guidelines for Schools and in the Plans for the retention and disposal
of school archives defined by the General Directorate of Archives at the Ministry of Cultural Heritage [Italian];
The data subject to processing will not be subject to dissemination, some of which may however be communicated to other
public entities to the extent strictly necessary in order to carry out the institutional activities provided for by the provisions in
force in matters of health, social security, taxation, justice and education, within the limits provided for by Ministerial Decree
[Italian] 305/2006, published in the Official Gazette [Italian], n.11 of 15-01-07. In this regard, it is clarified for your information
that the subjects carrying out the processing of the data placed under the Authority of the Holder have been expressly


4. Entities to which your personal data may be communicated and entities which may become aware of it
For the pursuit of the purposes described in paragraph 3 above, your personal data will be known to employees, assimilated
personnel, collaborators and those who operate as data controllers.
The Data Controller may also need to communicate your personal data to third parties belonging, for example, to the following
– travel agencies and reception structures (exclusively in connection with school outings, study trips and school trips);
– insurance companies (in relation to accident policies);
– companies providing other services (such as school catering services, management software, electronic register,
electronic services, online conferencing services, etc.);
– personal data may be communicated to public entities (such as, for example, ASL [local health establishment], local
and regional bodies, regional registration office, regional school office, authorities at territorial level, administrative
authorities and courts, embassies) within the limits provided for by the legal and regulatory provisions in force and the
resulting obligations for this school;
– the school may communicate or distribute, even to individuals and electronically, data relating to the academic results
of pupils for the purposes of guidance, training and professional integration, only at the request of the interested parties;
– the holder can send personal data (civil status data, e-mail, telephone) to the APE (parents’ association) for the
publication of the directory of families of the Institute and for possible communications from the APE as well as to the
class representatives in order to allow the exchange of information and communications between all the families of the
pupils of the different classes.
The data relating to the academic results of the pupils may be published by posting on the notice board of the Institute within
the limits provided for by the provisions in force in the matter.


5. Transfer of data
The data provided is managed and stored in paper archives and on the server of the Holder and/or of third-party companies.
The servers on which the data is archived are located in Italy and on the European territory. The data provided may be
transferred for the purposes mentioned above, to a Member State of the European Union, in compliance with the applicable
regulations on the protection of personal data. In the event of transfer to countries outside the European Union, the Holder
guarantees from now on that the transfer of such data will be carried out in accordance with the provisions provided for in EU
Regulations, adopting with foreign companies, or the Organizations receiving this data, the specific agreements that provide
for the appropriate and standard protection measures regarding confidentiality, approved by the European Commission.


6. Your rights as a data subject
In relation to the processing described in this privacy statement, you may, as a data subject, under the conditions provided for
by the GDPR, exercise the rights set out in articles 15 to 22 and by art. 34 GDPR and, in particular, the following rights:
Right of access – article 15 GDPR: right to obtain confirmation that processing of personal data concerning you is or is not in
progress and, if necessary, to obtain access to your data at personal character and the following information:
– the purposes of the processing;
– the categories of personal data in question;
– the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular
if they are recipients from third countries or international organisations;
– where possible, the retention periods for personal data or, if this is not possible, the criteria used to determine these
– the existence of your right to request (from the Data Controller) the rectification or erasure of personal data or the
limitation of the processing of personal data concerning you or to oppose their processing;
– the right to lodge a complaint with a supervisory authority;
– if the data was not collected from you, all available information on its origin;
– the existence of an automated decision-making process, including profiling and, at least in these cases, significant
information on the logic used, as well as the importance and consequences of this treatment foreseen for the interested
A copy of the personal data being processed will be provided. If you request additional copies, you may be charged a
reasonable fee based on administrative costs. The request may be made electronically and, unless you specify otherwise, the
information will be provided in a commonly used electronic format.
Right to rectification – Article 16 of the GDPR: right to obtain, without undue delay, the rectification of inaccurate personal
data concerning you and/or the integration of incomplete personal data, including by providing an additional declaration;
Right to erasure (right to be forgotten) – article 17 GDPR: right to obtain, without undue delay, the erasure of personal data
concerning you, if one of the following reasons exists:
– the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
– you revoke your consent on which the processing is based and there is no other legal basis for the processing;
– you object to the processing and there is no overriding legitimate reason for carrying out the processing;
– the personal data has been unlawfully processed;
– the personal data must be erased to satisfy the legal obligation provided for by the laws of the Union;
– the personal data has been collected in relation to an offer of information society services.
Right to restriction of processing – article 18 GDPR: right to obtain restriction of processing when:
a) the interested party disputes the accuracy of the personal data, for the time necessary for the holder to verify the
accuracy of such data;
b) the processing is unlawful and the interested party opposes the erasure of the personal data and requests, on the
contrary, that their use be restricted;
c) the personal data is necessary for the interested party for the verification, exercise or defence of a right in legal
d) the interested party has objected to the processing pursuant to art. 21 GDPR, during the waiting period for the
verification of the preponderance of the legitimate reasons of the holder of the treatment over those of the interested
Obligation to notify in the event of rectification or erasure of personal data or limitation of processing – Article 19
GDPR: the data controller informs each of the recipients to whom the personal data is transmitted of any rectifications or
erasures or limitations processing, unless this proves impossible or requires a disproportionate effort. The data controller
communicates these recipients to the interested party if the interested party so requests.
Right to data portability – article 20 GDPR: right to receive, in a structured format, of common use and readable by an
automatic device, the personal data concerning you provided to the Holder and right to transmit them to another holder
unhindered, if the processing is based on consent and is carried out by automated means. In addition, the right to have your
personal data transmitted directly by ISD ECOLE FRANCAISE INTERNATIONALE DE ROME Srl a socio unico to another
holder if this is technically feasible. The right to transmit data does not apply to the processing necessary for the performance
of a duty of public interest or related to the exercise of public powers with which the Data Controller would be invested. This
same right must not infringe the rights and freedoms of others.
Right to object – Article 21 GDPR: right to object, at any time, to the processing of personal data concerning you for reasons
relating to your particular situation based on the condition of lawfulness of the legitimate interest, the performance of a task in
the public interest or the exercise of public powers, including profiling, unless there are legitimate reasons for the continuation
of the treatment by the Holder which would prevail over the interests, rights and freedoms of the interested party or in the case
of the verification, exercise or defence of a right during legal proceedings.
In addition, the right to object at any time to processing if the personal data is processed for direct marketing purposes, including
profiling, insofar as it is related to such direct marketing.
Automated decision-making relating to natural persons, including profiling – Article 22 GDPR: right not to be subject to
a decision based solely on automated processing, including profiling, which would produce legal effects concerning you or
which would have an impact significant analogue on your person.
You may be subject to automated processing if the decision:
a) would be necessary for the conclusion or performance of a contract between the interested party and a data controller;
b) would be authorized by the regulations to which the Data Controller is subject, which also specifies suitable measures for
the protection of rights, freedoms and legitimate interests;
c) would be based on your explicit consent.
The aforementioned decisions do not apply to special categories of personal data unless suitable measures for the protection
of rights, freedoms and legitimate interests are in force.
Communication of a breach of personal data to the interested party – Article 34 GDPR: when the breach of personal data
is likely to present a high risk for the rights and freedoms of natural persons, the data controller communicates the violation to
the person concerned without undue delay.
The communication to the interested party describes in simple and clear language the nature of the personal data breach and
contains at least the following information:
– the name and contact details of the data protection officer or other point of contact from which to obtain further information;
– the likely consequences of the personal data breach;
– the measures adopted or which the data controller proposes to adopt in order to remedy the breach of personal data and
even, where appropriate, to mitigate its possible negative effects.
The communication to the interested party described above is not required when one of the following conditions is met:
a) the data controller has put in place appropriate technical and organizational protection measures and these measures had
been applied to the personal data which is the subject of the breach, in particular the measures intended to make the personal
data incomprehensible to anyone without access permissions, such as encryption;
b) the data controller has subsequently adopted measures likely to prevent a high risk to the rights and freedoms of the
interested parties from arising;
(c) such communication would require disproportionate effort. In this case, a public communication or a similar measure with
similar effectiveness is put in place to inform the interested parties.
In the event that the data controller has not yet communicated the breach of personal data to the interested party, the control
authority may require, after having assessed the likelihood that the breach of personal data poses a risk high, that said
communication is put in place or decide that one of the conditions described above is met.
Right to revoke consent – right to revoke consent to the processing of your data at any time, without prejudice to the lawfulness
of processing based on consent prior to revocation;
Right to file a complaint with the Guarantor Authority for the protection of personal data, Piazza Venezia n. 11, 00187, Roma
(RM). The procedures for filing a complaint with the Guarantor Authority for data protection are indicated on the website of the
Guarantor Authority, accessible at the following address:
According to art. 140-bis of Legislative Decree [Italian] n. 196/2003 as subsequently amended and supplemented, the interested
party may lodge a complaint with the Guarantor Authority or lodge an appeal with the Judicial Authority.
The rights referred to in the previous points may be exercised against the Holder, through the reference details indicated in the
previous paragraph 1.


7. Updates and Changes
ISD ECOLE FRANCAISE INTERNATIONALE DE ROME Srl a socio unico informs that the possible entry into force of new
standards, regulations and/or measures falling under the control authorities, as well as updates of a management and
organizational nature, may include changes to this privacy statement. Therefore, the Company reserves the right to make
changes at any time, communicating them to interested parties and/or third parties, through communications, publications in
different areas of the company, websites, or by e-mail.
Date of update of the privacy statement: 31.03.2023

The Data Controller