Privacy Policy Statement

Regulation (EU) No 2016/679 of the European Parliament and the Council

Pursuant to European Regulation No. 697/2016, and subsequent amendments and addenda, I hereby authorize the processing of personal data for the purposes indicated in the privacy policy statement.

I hereby give my consent, in accordance with the Italian Privacy Law 196/03 and following amendments, to process my personal data for the purposes listed in the informative note.

 

The Processing of personal data supplied by you is carried out lawfully, fairly and in a transparent manner and according to the processing methods provided for by the European Regulations, as required by Article 5, in paragraph no. 1 which is reported below : "Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The Data Controller of your personal data is: President and Fellows of Harvard College in the person of the pro-tempore director in charge, based in Fiesole (FI), Via di Vincigliata n. 26.

Fellows

The "fellows" are the people who have applied for and/or obtained the fellowship. The Data Controller processes the data supplied by you and which fall under the category of "personal data" which, as defined by art. 4 of the European Regulation, are "any information concerning an identified individual" and, specifically: academic title, first name, last name, email address, home/residence address, gender, education, current job position at the time the data is collected, work history, nationality, first name and last name of the partner, first name and last name (including age) of the children, request for fellowships in progress or fellowships already obtained, any publication, foreign languages spoken, current project in progress for which you ask for access to Villa I Tatti, references, first name, last name and telephone number of the person to contact in case of emergency. 

Purposes of data processing: choice between the various fellowships applications received by Harvard University and subject to the Committee's decision, determination of the total remuneration to be awarded to the fellowship, identification of the most suitable accommodation based on the composition of the fellow's family, the best organization of events, parties, etc. in Villa I Tatti considering the presence of children following the fellow, for the purposes of historical/archival heritage, sending of any communications, access to the library, requests to photograph or reproduce, addition on our website and in I Tatti Newsletter, online and printed publications, social media (Facebook, Instagram, Twitter etc.), attainment of visa to entry into Italy.

Former fellows

The "former fellows" are those people who have already obtained and received a fellowship from Villa I Tatti. The Data Controller processes the data supplied by you and which fall under the category of  “personal data” which, as defined by art. 4 of the European Regulation, are "any information concerning an identified individual" and, specifically: academic title, first name, last name, email address, home/residence address, gender, education, current job position at the time the data is collected, work history, nationality, first name and last name of the partner, first name and last name (including age) of the children, request for fellowships in progress or fellowships already obtained, any publication, foreign languages spoken, current project in progress for which you ask for access to Villa I Tatti, references, first name, last name and telephone number of the person to contact in case of emergency. 

Purposes of data processing: allow the former fellow to use the academic resources made available by Villa I Tatti (lunches, access to the library, etc.) because, in order to do so, the person must be recognized by Villa I Tatti as an "ex-fellow", keeping of personal data for the purposes of historical/archival heritage, sending of any communications, etc., access to the library, requests to

photograph or reproduce, addition on our website and in the I Tatti Newsletter (with the clarification that any photograph or video in which the person is recognizable will be used exclusively for internal lists), online and printed publication, social media (Facebook, Instagram, Twitter etc.).

 

Visitors

The "visitor" is that person who requests to visit Villa I Tatti. The Data Controller processes the data supplied by you and which fall under the category of "personal data" which, as defined by art. 4 of the European Regulation, are "any information concerning an identified individual" and, specifically: first name, last name, e-mail address, telephone number, first name, last name and telephone number of the person to be contacted while in Italy, first name, last name and address of residence/domicile, e-mail address, of the persons who will participate to the tour of Villa I Tatti together with the visitor who submits the request. 

Purposes of data processing: insertion of personal data in the electronic calendar - for internal use only - to indicate the day set for the tour, data entry in internal database at Villa I Tatti, after the tour is finished, only for historical/statistical purposes in order to understand who passed through Villa I Tatti.

 

Readers

The "Reader" is the person who requests access to the Villa I Tatti library to consult, study and reproduce all the material. The Data Controller processes the data supplied by you and which fall under the category of "personal data" which, as defined by art. 4 of the European Regulation, are " any information concerning an identified individual" and, specifically: first name, last name, address of residence/domicile, e-mail address, work activity, telephone number. 

Purposes of data processing: allow access to the library, allow the use of academic resources made available by Villa I Tatti, manage requests to photograph or reproduce.

 

Fellows, Former Fellows, Visitors and Readers.

  • The Data Controller processes your personal data by consulting the documents manually and/or with electronic/automated procedures, in compliance with the principles referred to in art. 5 of the European Regulation and indicated above and carries out the processing through the collection, registration, organization, keeping, consultation, elaboration, modification, selection, extraction, comparison, use, interconnection, deletion and destruction of data.
  • Since the Data Controller is a department of the Harvard University, located in the United States of America, the Data Controller transfers/may transfer your personal data to the United States of America to the aforementioned university, by entering the personal data provided in a database shared between the Data Controller and the Harvard University. We inform you that this transfer is lawful thanks to the existence of a European Commission's decision on adequacy for the transfer of personal data to the United States of America. Said transfer takes place always for the purposes/aims of the processing indicated above. Your personal data may also be communicated to the Authorities and related Institutes for the purposes/aims of the processing, such as the Ministry of University, Institutes of Studies on the Italian Renaissance and other Institutes related to the activity carried out by the Data Controller and to those who, according to legal provisions, said data must be communicated. It is specified that the activity carried out by the Data Controller is about studies on the Italian Renaissance.
  • Your refusal to the processing of personal data prevents the Data Controller from executing the purposes of the processing indicated above.
  • With regard to the processing of your personal data, you have the right to lodge a complaint with a supervisory authority.
  • Your personal data will be kept for the period necessary to the performance of the purposes indicated in the previous points for each type of person mentioned above and will be kept for the purposes of the historical/archival/statistical heritage of Villa I Tatti.
  • Pursuant to art. 7 of the European Regulations, the provision of personal data is optional, as well as the consent to the processing and you have the right to revoke at any time the consent expressed today to the processing of your personal data, with the same ease with which it was lent, but the revocation must be communicated to the Data Controller.

We inform you that, in accordance with the provisions of the European Privacy Regulation, you have the right to know whether the Data Controller carries out the processing of your personal data, by exercising the right of access: Art. 15 "Right of access to the personal data "1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: a. the purposes of the processing; b. the categories of personal data concerned; c. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; d. where possible, the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period; e. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f. the right to lodge a complaint with a supervisory authority; g. where the personal data are not collected from the data subject, any available information as to their source; h. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. Where personal data are transferred to third country or to an international organization, the data subject shall have the right to be informed appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge to a reasonable fee based on administrative costs. Where the data subject does the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

 

  1. Once you have exercised the right of access and verified that the Data Controller is processing your personal data, the European Regulations recognize the following rights to you:

 

Article 16 "Right to rectification" The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. 2Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17 “Right to erasure (‘right to be forgotten’)” 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b)the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

 3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: a) for exercising the right of freedom of expression and information; b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or e) for the establishment, exercise or defence of legal claims.

Article 18 “Right to restriction of processing 1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject. 2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. 3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 19 “Notification obligation regarding rectification or erasure of personal data or restriction of processingThe controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

  • Only in the event that the processing of personal data takes place through the exclusive use of automated means, with the exclusion of processing on paper through archives, the European regulation recognizes the right to data portability.

Article 20 “Right to data portability1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) b); and b)the processing is carried out by automated means. 2.  In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. 3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

The Data Controller invites the interested party not to mistake the right of access (Article 15) for the portability right (Article 20). The Right of Access gives you the possibility to ask the Data Controller if it is in possession of your personal data and if it is processing them; the portability right presupposes that the Data Controller processes your personal data and means that you have the possibility to request your personal data to be transferred from one Data Controller to another, even through a direct transmission if this is technically possible.

Article 21 “Right to object”1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. 3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. 4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information. 5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications. 6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22 “Automated individual decision-making, including profiling 1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 2. Paragraph 1 shall not apply if the decision: a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or c) is based on the data subject’s explicit consent. 3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. 4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(2)1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

 

  • In case of breach of your personal data and only if said violation involves a high risk for the rights and freedoms of natural persons, the Data Controller will send you, without delay, a communication to inform you that there was a data breach, what is the nature of the breach and the following information: a) the name and contacts of the Data Controller and the Data Processor of the personal data violated, b) the probable consequences of the breach, c) the description of the measures adopted by the Data Controller or those it proposed to adopt to remedy the breach of personal data.
  • In order to exercise the rights granted to you by the European Regulations, you can contact the Data Controller by sending a registered letter with acknowledgement of receipt to - President and Fellows of Harvard College, Via di Vincigliata n. 26, 50014 Fiesole (FI).