Privacy Policy

Pursuant to article 13 of Regulation (EU) 2016/679 

Dear Data Subject,

ICS Milano has always considered the protection of its old, current and potential clients’ personal data to be of fundamental importance.

This letter (the Privacy Policy) reconfirms our commitment to guaranteeing that the processing of personal data, using any means, whether automated or manual, takes place in full compliance with the safeguards and rights expressed in Regulation (EU) 2016/679  (the “GDPR” or “Regulation) and in other applicable regulations regarding the protection of personal data.

For the meaning of the term personal data, reference should be made to the definition contained in article 4.1 of the Regulation; that is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (the “Personal Data”).

The Regulation establishes that, before processing personal data - the term processing having the meaning given in article 4, point 2) of the Regulation, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (the “Processing”) - the subject to whom the Personal Data belongs must be informed of the reasons for which the data are requested and of how the data will be used.

In this respect, this Privacy Policy - drawn up in accordance with the principle of transparency and with all the requirements set forth in article 13 of the Regulation - has the aim of providing, in a simple and intuitive way, all useful and necessary information so that you can provide your personal data in a conscious and informed way and, at any moment, request and obtain clarifications and/or rectifications.

A.    THE CONTROLLER AND CO-CONTROLLERS

Pursuant to article 26 of the Regulation, the companies that process your personal data and that therefore hold the role of controller or, in some cases, co-controllers, are:

  • Ludum S.r.l., with registered office in Via Pietrasanta no. 14, 20141 – Milan
  • KC School S.r.l., with registered office in Via Tenca n. 2, 20124 – Milan

(severally the “Controller”, jointly the “Co-controllers” or “ICS Milan”).

The Co-controllers have signed a co-controller agreement under which they undertake to:

  • jointly define some purposes and methods for the processing of your personal data;
  • jointly define, in a clear and transparent way, the procedure for responding in a timely way to any requests made to exercise your rights as of articles 15, 16, 17, 18 and 21 of the Regulation, and requests for portability of the personal data as of article 20 of the Regulation, described in greater detail in the pertinent section of this Privacy Policy;
  • jointly define the parts of common interest of this Privacy Policy, indicating all the information as established in the Regulation.

The essential content of the agreement is available at the the Co-controllers’ offices and can be obtained by data subjects when requested and with same request sent to the contacts indicated in Section G. 

B.    CONTACT DETAILS OF THE PERSONAL DATA PROTECTION MANAGER

In order to facilitate relationships between you, the data subject, that is the “identified or identifiable natural person” to which the personal data refer pursuant to article 4, point 1) of the Regulation (the “Data Subject”) and the Co-controllers, the Regulation sets forth, in some specific cases, the appointment of a Data  Protection Officer who, among the various tasks assigned, acts also as a focal point for the data subject.

in accordance with article 37 of the Regulation, the Co-controllers have jointly decided to appoint as Data Protection Officer SAPG Legal Tech S.r.l. (the “DPO”).

In accordance with article 39 of the Regulation, the DPO is called on to carry out, inter alia, the following tasks:

  • inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • monitor and oversee compliance with the Regulation, with applicable regulations concerning the protection of personal data and the policies and procedures adopted by the Co-controllers;
  • provide support to the Data Subject’s requests;
  • cooperate with the supervisory authority.

As established in article 38 of the Regulation, you may freely contact the DPO with regard to all issues related to the processing of your personal data and/or to exercise your rights under this Regulation, sending  written communication to dpo.privacy@sapglegal.com.

C.    PURPOSE AND LEGAL BASIS OF THE PROCESSING

To enable navigation in the website and your registration (the “Website” - in the section where you can register and/or send  requests for information using the contact form and/or subscription to the newsletter service - the co-controllers collect some personal and navigation data (using cookies), in accordance with the policies in the systems that manage preferences that are displayed on first access to the websites.   You can modify your cookie preferences at any time by clicking here.

The processing of your personal data will take place by each controller to allow you to contact ICS Milano, send requests for information, apply for jobs, download free resources and use all the services provided by the website.  

To allow the Controllers to carry out the processing activities for the above-stated purposes, the fields  marked with an asterisk  [*] are compulsory.

The processing will be legitimate under article 6.1 sub-paragraph b) of the Regulation.

Non-provision of even just one of the data marked with an asterisk will make it impossible for us to process your personal data and, consequently, it will not be possible to fulfil your requests and/or use the services (provided by the website) for which the provision of personal data is required.

The personal data requested for the fulfilment of the above-stated purposes will be those indicated in the registration and/or contact form; that is, by way of non-limiting example only: given name, surname, email address, mobile phone numbers. Personal data of potential students such as, by way of non-limiting example, given name, surname, age, nationality, class at school and any schools attended previously may also be requested.

In all these cases, you will be able to consult the privacy policy in the Privacy Policy section of the website.

In the “Working with us” section of the website, if you decide to apply for a job, we will process the data and information in your CV. In this case, the legal basis of the processing will be the performance of pre-contractual activities as of article 6, sub-paragraph b) of the GDPR.

Besides the above-stated purposes, your personal data may be processed in order to provide you with a better service and to promote products and services offered and/or marketed by ICS Milano that may be of interest to you.
As regards direct marketing purposes, it should be noted that, under article 6.1, sub-paragraph f) of the Regulation and article 130, sub-paragraph 4 of the Privacy Code (so-called soft spam exception), the co-controllers may carry out this activity based on their legitimate interests,  regardless of your express consent and in any case until you object or request restriction (in accordance with the provisions of Section F, sub-paragraphs d) and f) of the Privacy Policy) of the processing, as described in more detail in Recital 47 of the Regulation which states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.

This will be possible following assessments made by the controller concerning any possible prevalence of your fundamental interests, rights and freedoms that require protection of the personal data over the controller's legitimate interest to send direct marketing communications.

Moreover, you can legitimately object to receiving promotional communications at any moment, without this negatively affecting processing for the other purposes in any way.

D.    SUBJECTS TO WHOM YOUR PERSONAL DATA MAY BE COMMUNICATED

Your personal data may be communicated to specific subjects considered recipients of such personal data. 
Indeed, article 4, point 9) of the Regulation defines as recipient of personal data “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not” (the “Recipients”).

In this light, in order to correctly carry out all the processing activities required to pursue the purposes as outlined in this Privacy Policy, the following recipients may process your personal data:

  • Third parties that perform processing activities and/or related and relevant activities on behalf of a controller or the co-controllers. These subjects have been appointed as processors, such term meaning, in the singular, in accordance with article 4, point 8) of the Regulation, “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (the “Processor”);
  • Individuals, employees and/or contract staff of a controller or the co-controllers, to whom specific and/or various processing tasks concerning your personal data have been assigned. These subjects have been given specific instructions regarding the security and correct use of personal data and are defined, in accordance with article 4, point 10 of the Regulation, “subjects authorised to process personal data under the direct authority of the controller or processor” (the “Authorised Persons”).

Where  required by law and to prevent or avoid the commission of a crime, your personal data may be communicated to public or legal authorities without same being regarded as recipients. Indeed, in accordance with article 4.9 of the Regulation, “public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients”.

E.    PROCESSING PERIOD

One of the principles applicable to the processing of personal data concerns the limitation of the storage period, regulated in article 5.1, sub-paragraph e) of the Regulation which states that“personal data shall kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89, sub-paragraph 1, subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”.

In light of this principle, your personal data will be processed by the co-controllers solely for the period required to fulfil the purposes as of Section C of this Privacy Policy.

Specifically, your personal data will be processed for a period limited to a strict minimum, as indicated in Recital 39 of the Regulation; that is, until termination of the contract you have entered into with the controller and/or co-controller, without prejudice to a further storage period that may be imposed by law as set forth in Recital 65 of the Regulation.

As regards processing carried out to fulfil other purposes as of this Privacy Policy, the co-controllers may legitimately process your personal data until you communicate your intention to restrict or object to the processing, in one of the ways indicated in this Privacy Policy.

F.    RIGHTS

As established in article 15 of the Regulation, you may access your personal data, request rectification, if incomplete or inaccurate, request erasure if the collection of the data has taken place in breach of a law or the Regulation and object to the processing for specific and legitimate reasons.

Specifically, the rights that you may exercise, at any moment, with a controller and/or co-controllers are outlined below.

a.    RIGHT TO ACCESS

You shall have the right, in accordance with article 15.1 of the Regulation, to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where the personal data are not collected from the data subject, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to in Article 22, sub-paragraphs 1 and 4 of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
All this information can be found in this Privacy Policy which is always available for consultation in the Privacy Policy section of the websites.

b.    RIGHT TO RECTIFICATION

You shall have the right, in accordance with article 16 of the Regulation, to obtain the rectification of inaccurate personal data.  Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

c.    RIGHT TO ERASURE

You shall have the right, in accordance with article 17.1 of the Regulation, to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) you have withdrawn the consent on which the processing is based and there there is no other legal ground for the processing; c) you object to the processing pursuant to Article 21, sub-paragraph 1 or 2 of the Regulation and there are no overriding legitimate grounds for the processing; d) the personal data have been unlawfully processed; e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

In some cases, as established in article 17.3 of the Regulation, the Controller is entitled not to erase your Personal Data where their processing is necessary, for example, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, for the establishment, exercise or defence of legal claims.

d.    RIGHT TO RESTRICTION OF PROCESSING

You shall have the right, in accordance with article 18 of the Regulation, to obtain from the controller restriction of processing where one of the following applies: a) you contest the accuracy of the personal data (for a period enabling the controller to verify the accuracy of the personal data); b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; c) the controller no longer needs the personal data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims; d) you have objected to processing pursuant to Article 21.1 of the Regulation pending the verification of whether the legitimate grounds of the controller override yours.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. In any case, we will inform you before such restriction is revoked.

e.    RIGHT TO DATA PORTABILITY

You shall have the right, at any time, to request and receive, in accordance with article 20.1 of the Regulation, all your personal data processed by the  controller and/or co-controllers in a structured, commonly used and machine-readable format or their transmission to another controller without hindrance. In this case you must send us accurate details of the new controller to whom you intend to transfer your personal data, giving us written authorisation to transfer them.

f.    RIGHT TO OBJECT

In accordance with article 21.2 of the Regulation and as set forth in Recital 70, where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling, to the extent that it is related to such direct marketing.

g.    RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Notwithstanding your right to raise claims with other administrative or legal entities, if you believe that the processing of your personal data by the controller and/or co-controllers breaches the Regulation and/or applicable standards, you can raise an objection with the competent Supervisory Authority for the Protection of Personal Data.

G.    CONTACTS

To exercise your rights as described above, contact ICS Milano by mail to privacy@icsmilan.com.

Remember that you can contact the DPO of ICS Milano at any time in the ways established in Section B of this Privacy Policy.

H.    PLACE OF PROCESSING

Your personal data will be processed by the controller and/or co-controllers within the territory of the European Union.

If, for technical and/or operating reasons, it is necessary to use subjects located outside the European Union, we hereby inform you that these subjects will be appointed  as processors pursuant to article 28 of the Regulation and the transfer of your personal data to these subjects, limited to the performance of specific processing activities, will be regulated in accordance with the provisions of section V of the Regulation.

All the necessary precautions will be taken to ensure full protection of your personal data basing such transfer: (a) on decisions regarding the adequacy of the recipient third countries expressed by the European Commission; (b) on appropriate safeguards provided by the third party recipient in accordance with article 46 of the Regulation; (c) on the adoption of  binding corporate rules; (d) adopting standard contractual clauses approved by the European Commission.

In any case, you can ask ICS Milano for further information if your data are processed outside the European Union, requesting proof of the specific safeguards adopted. 


V. 24.06.2020