Privacy Policy
SUMMER PEACE UNIVERSITY
PRIVACY POLICY
Effective from: 20 January 2026
1. WHO WE ARE (JOINT CONTROLLERS)
The Summer Peace University (SPU) is jointly organised by two organisations acting as Joint Controllers pursuant to Article 26 of Regulation (EU) 2016/679 (“GDPR”).
Joint Controller 1
Associazione Culturale Pitagora Mundus
Via G. Barrio, 10 c/o FederTerziario – 87100 Cosenza (CS), Italy
Tax Code: 98140160783
Email: info@pitagoramundus.org
Joint Controller 2
IsCaPI – Istituto Calabrese di Politiche Internazionali
Via G. Barrio, 10 c/o FederTerziario – 87100 Cosenza (CS), Italy
Tax Code: 02700230788
Email: info@iscapi.org
Single contact point for privacy matters (for both Joint Controllers):
Email: privacy@iscapi.org
2. PRIVACY CONTACT POINT AND ADVISORY FUNCTION
To ensure efficiency, consistency, and timely handling of data subject requests, the Joint Controllers have appointed a Data Protection Officer (DPO) pursuant to Article 37 GDPR:
Email: privacy@iscapi.org
3. SCOPE OF THIS NOTICE
This Privacy Notice explains how we collect, use, store, and protect your personal data when you:
- apply to participate in the Summer Peace University;
- enrol as a member of the Pitagora Mundus Association;
- participate in SPU activities;
- visit the SPU website.
This notice is drafted in accordance with:
- Regulation (EU) 2016/679 (GDPR);
- Italian Legislative Decree 196/2003 (Privacy Code), as amended;
- applicable decisions and guidance issued by the Italian Data Protection Authority (Garante).
4. JOINT CONTROLLERS’ ARRANGEMENT (ART. 26 GDPR)
Participation in SPU requires membership in the Associazione Culturale Pitagora Mundus, according to the applicable enrolment procedures.
The Joint Controllers have entered into a joint controllership arrangement that regulates, among other matters:
- transparency obligations;
- security measures;
- handling of data subject requests;
- management of security events and personal data breaches.
Essence of the arrangement: an extract is provided in the Appendix below. The full arrangement is available upon request by emailing privacy@iscapi.org.
Exercise of rights: you may exercise your GDPR rights against each Joint Controller, without prejudice to the single contact point indicated above.
5. WHAT PERSONAL DATA WE PROCESS
5.1 Identification and contact data (mandatory)
By way of example: full name, date and place of birth, nationality, residence, address, email, phone number, passport data (number and expiry date).
Purposes: application/enrolment management, organisational communications, preparation of participation-related documentation (including, where necessary, invitation letters), essential logistics.
Legal basis: performance of pre-contractual/contractual measures (Art. 6(1)(b) GDPR).
Retention: as per Section 10.
5.2 Academic data (mandatory)
By way of example: home university, level of study, field of study, motivation letter, information necessary for certification.
Purposes: assessment of the application, inclusion in the educational pathway, issuance of certificates/attestations.
Legal basis: performance of pre-contractual/contractual measures (Art. 6(1)(b) GDPR).
5.3 Emergency contact data (mandatory)
By way of example: name, relationship, phone number and email of the emergency contact.
Purposes: protection of vital interests and emergency management during activities.
Legal basis: vital interests (Art. 6(1)(d) GDPR) and, where applicable, performance of organisational arrangements (Art. 6(1)(b) GDPR).
Data subject statement: by providing emergency contact details, you confirm you have informed the emergency contact that their data has been shared with SPU for the above purposes.
5.4 Health and dietary data (optional – special categories)
By way of example: allergies, intolerances, dietary restrictions, medical conditions relevant to safety and assistance.
Purposes: provision of safe meals, risk prevention, appropriate response in emergencies.
Legal basis: explicit consent (Art. 9(2)(a) GDPR), withdrawable at any time without affecting the lawfulness of processing based on consent before withdrawal.
Retention: deletion within 90 days after the programme ends, unless longer retention is required by law or necessary for legal defence.
5.5 Financial and administrative data
By way of example: payment confirmation (date, amount, method), transaction references, receipts.
The Joint Controllers do not store full payment card numbers, CVV codes, or banking credentials, except within strictly necessary limits and in accordance with the safeguards of the payment service provider.
Purposes: payments, accounting, fiscal and administrative compliance.
Legal basis: legal obligation (Art. 6(1)(c) GDPR) and, where relevant, contract performance (Art. 6(1)(b) GDPR).
Retention: 10 years, pursuant to applicable civil and tax obligations.
5.6 Participation and achievement data (necessary)
By way of example: attendance, completion of activities, outcomes required for certification, essential organisational notes.
Purposes: educational and organisational management, issuance of certificates, quality improvement.
Legal basis: contract performance (Art. 6(1)(b) GDPR) and legitimate interest in organisational integrity and quality (Art. 6(1)(f) GDPR), with appropriate safeguards and minimisation.
Retention:
- Attendance and certification/verification data: long-term archival retention, as certificates may need to be verified or reissued throughout the participant’s lifetime (with access restrictions and minimisation).
- Feedback and improvement documentation: 5 years.
5.7 Photos and videos (optional)
Photos and recordings may be made during SPU activities.
Purposes: institutional documentation, public communication, promotion (website, social media, informational materials), communications with partner universities and media.
Legal basis: consent (Art. 6(1)(a) GDPR), with differentiated options (full/limited/none).
Withdrawal: you may withdraw consent at any time by writing to privacy@iscapi.org; withdrawal applies to future uses. Content already shared on third-party platforms may be subject to technical removal times and re-sharing beyond the Joint Controllers’ direct control.
5.8 Website browsing data and cookies
By way of example: IP address, browser information, visited pages, time spent.
Purposes: website security, technical functioning, statistics and improvement of digital services.
Legal basis: legitimate interest for technical/strictly necessary cookies; consent for analytics and third-party cookies where required.
Technical configuration (where analytics are enabled): analytics tools are configured with measures aimed at minimising identification (e.g., IP-masking/anonymisation where available), in line with data protection by design principles (Art. 25 GDPR).
Retention: as indicated in the Cookie Policy and, for analytics data, up to 26 months, subject to declared technical settings.
6. MANDATORY VS OPTIONAL DATA – CONSEQUENCES OF NOT PROVIDING DATA
Identification/contact, academic, and emergency contact data are necessary for processing the application, enrolment and participation. If not provided, the application cannot be processed and participation cannot be finalised.
Health/dietary data and consent for photos/videos are optional and do not affect participation; however, they may affect the ability to provide specific measures (e.g., tailored meals or targeted assistance).
7. AUTOMATED DECISION-MAKING
SPU does not carry out decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.
8. RECIPIENTS AND DATA DISCLOSURE
Data may be disclosed to:
- Between the Joint Controllers, within what is necessary for their respective organisational and academic functions;
- Service providers (e.g., accommodation, catering, hosting, IT tools, payments) appointed as processors and/or bound by contractual obligations and documented instructions;
- Your university, exclusively upon your request or for academic recognition needs: minimum participation/completion data;
- Public authorities, where required by law or valid lawful orders.
9. INTERNATIONAL DATA TRANSFERS
Processing is ordinarily carried out in Italy/EU.
Where certain technology providers may involve transfers or access from outside the EEA, the Joint Controllers ensure appropriate safeguards under Chapter V GDPR (e.g., adequacy decisions, Standard Contractual Clauses – SCCs, supplementary technical and organisational measures).
For health and dietary data, the Joint Controllers apply minimisation and EU/EEA localisation as a priority, limiting any transfers to strictly necessary cases and with enhanced safeguards.
10. RETENTION (SUMMARY)
| Data Category | Retention Period | Legal Basis / Justification |
|---|---|---|
| Unsuccessful applications | 24 months | Legitimate interest (possible reapplication and continuity of management) |
| Contractual/administrative data | 10 years | Legal obligation (Italian civil and tax law) |
| Health/dietary data | 90 days after programme completion | Minimisation and necessity (Art. 5 GDPR); consent-based processing |
| Payments/accounting records | 10 years | Legal obligation (Italian tax law) |
| Attendance and certification data | Long-term archival retention | Legitimate interest (verification and possible reissuance of certificates over time) |
| Feedback and improvement data | 5 years | Legitimate interest (quality improvement) |
| Photos/videos (with consent) | Until consent withdrawal | Consent-based processing |
| Browsing/analytics data | Up to 26 months | Consent/legitimate interest (website improvement) |
After the retention period, data is deleted or anonymised, unless retention is required by law or for legal defence.
11. YOUR RIGHTS (ARTS. 15–22 GDPR)
You may exercise the following rights:
- Right of access (Art. 15): obtain confirmation of processing and a copy of your data
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data (subject to legal exceptions)
- Right to restriction (Art. 18): limit processing in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests
- Right to withdraw consent: withdraw consent for health data or photos at any time
- Right to lodge a complaint (Art. 77): file a complaint with the supervisory authority
How to exercise your rights:
Send your request to: privacy@iscapi.org
Response times:
We will respond within 30 days from receipt of the request. In complex cases, this period may be extended by a further 60 days (total: 90 days); in such cases, we will inform you of the extension and the reasons within the initial 30-day period, in accordance with Article 12(3) GDPR.
Complaint:
You may lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) according to the procedures made available through its institutional channels.
12. SECURITY MEASURES
The Joint Controllers implement appropriate technical and organisational measures pursuant to Article 32 GDPR, including:
Technical measures
- SSL/TLS encryption in transit
- Encryption of data at rest (where applicable)
- Access controls and strong authentication where available
- Protected backups
- Logging and monitoring systems
Organisational measures
- Operational instructions and staff training
- Incident management procedures
- Regular security assessments
- Access limitation on a “need-to-know” basis
Data breach management:
In case of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you without undue delay and provide information about the nature of the breach, the likely consequences, and the measures taken or proposed to address it, in accordance with Article 34 GDPR. Where required, we will also notify the supervisory authority within 72 hours pursuant to Article 33 GDPR.
13. COOKIES
The website uses:
- Strictly necessary/technical cookies for correct functioning and security (no consent required);
- Analytics cookies and third-party cookies (including social plugins), managed according to applicable law through a consent banner.
You can modify or withdraw your cookie preferences at any time through the “Cookie Settings” function available on the website.
For detailed information about cookies used, their purposes, and retention periods, please see our Cookie Policy.
14. CHILDREN’S PRIVACY
SPU is reserved for adults (18+). Any data provided inconsistently with this requirement is handled according to minimisation and enhanced protection principles.
15. CONTACTS AND COMPLAINTS
Privacy Contact Point (SPU): privacy@iscapi.org
Postal contacts (for formal requests):
- Associazione Culturale Pitagora Mundus – Via G. Barrio, 10 c/o FederTerziario – 87100 Cosenza (CS), Italy
- IsCaPI – Istituto Calabrese di Politiche Internazionali – Via G. Barrio, 10 c/o FederTerziario – 87100 Cosenza (CS), Italy
Complaint to supervisory authority:
You may lodge a complaint with the Italian Data Protection Authority (Garante) in accordance with the procedures made available through its institutional channels.
16. CHANGES TO THIS NOTICE
Updates are published on the website and, where relevant for registered participants, communicated through appropriate channels. The date of the last update is indicated at the top of this notice.
APPENDIX – EXTRACT OF JOINT CONTROLLER ARRANGEMENT (ART. 26 GDPR)
Pursuant to Article 26(2) GDPR, we provide the following extract of our joint controllership arrangement.
Division of Responsibilities
Pitagora Mundus Association is responsible for:
- Processing registration applications
- Managing association membership
- Handling payments and issuing receipts
- Coordinating accommodation bookings
- Organising cultural activities and excursions
IsCaPI is responsible for:
- Managing the technical database and IT infrastructure
- Ensuring IT security measures
- Organising and delivering the academic programme
- Coordinating with faculty and guest speakers
- Issuing certificates of participation
- Operating and maintaining the website
Both Joint Controllers together:
- Ensure GDPR compliance and implementation of appropriate security measures
- Respond to data subject requests in a coordinated manner (via privacy@iscapi.org)
- Manage personal data breaches through coordinated procedures
- Conduct Data Protection Impact Assessments where required
- Implement data protection by design and by default principles
Contact Point for Data Subjects
Single contact point: privacy@iscapi.org
This contact point coordinates responses to all data subject requests, ensuring consistency and compliance with GDPR timelines. You may exercise your rights against either Joint Controller, who will coordinate internally to provide a unified response.
Data Sharing Between Joint Controllers
- Pitagora Mundus shares registration data, payment confirmations, and membership details with IsCaPI for programme delivery.
- IsCaPI shares attendance records and programme completion data with Pitagora Mundus for membership validation.
- Data sharing occurs through secure channels with appropriate access controls.
Liability
Both Joint Controllers are jointly and severally liable towards data subjects for the overall processing. In their internal relationship, each Joint Controller is liable only for the damage caused by its own processing activities that violate the GDPR.
Full arrangement: available upon request at privacy@iscapi.org.