Privacy policy for referee


Luiss – Libera Università Internazionale degli Studi Sociali Guido Carli (hereinafter Luiss) – is an independent university with an advanced education model.
This privacy notice describes the characteristics of the treatments carried out by Luiss on the personal data of the teachers who forward a letter of reference for candidates for PhD courses and highlights their statutory rights in this regard.
The privacy notice is periodically updated to take account of regulatory developments and new methods of processing personal data.


What personal data do we collect?

 The Controller collects and processes the following personal data:

  1. identifying data (name, surname);
  2. contact data (residential address, e-mail address);
  3. title or charge;
  4. information relating to the Institute or the company firm of belonging.


Why do we collect your data and why is their processing lawful?

 The Controller collects and processes the data subject’s personal information in pursuit of the following purposes:

  1. to allow the interested party to insert the letter of reference relating to the candidate for the University’s PhD courses for the processing lies in the contract and the relevant law);
  2. to manage, also from an administrative point of view, the reference letter  (the legal basis for the

processing lies in the contract and the relevant law).


How does the Controller process your personal data and how long is the data stored for?

 The data subject’s personal data are processed both on paper and electronically (servers, cloud database, software, etc.).

The Controller stores the data subject’s data for a period of time consistent with what the law prescribes and
having regard to the time required to correctly achieve the purposes stated above.


To whom do we communicate your personal data?


Only employees and collaborators of the University who need it to offer the requested services and limited to the information that is instrumental and related to it, with particular reference to administrative staff and collaborators, can access the personal data of the interested party.
Our employees and other personnel have been informed and trained regarding the importance of observing the rules and principles governing the processing of personal data.


Data Controller shares the personal information of the interested parties with some suppliers who assist him in providing the requested services and who are specifically appointed for this purpose as Data Processors, with particular reference to the third parties which he uses for the management of the PhD courses.
Suppliers that access data do so in compliance with applicable data protection law and the instructions given by the Controller.
The Controller may not communicate personal data to third parties without the data subject’s consent unless
communication is mandated by law or by the authorities:

  1. should such prove necessary on grounds of national security;
  2. for reasons of general interest;
  3. on foot of a request made by public authorities.


Are your data transferred abroad?

The data of the interested party are not transferred outside the European Economic Area.


What are your rights as a data subject and how can you exercise them?

The European Union’s General Data Protection Regulation (GDPR) grants data subjects’ specific rights, in particular, regarding access to data, rectification of data, objection to processing of data for commercial purposes or automated processing of data, erasure of data, restrictions on processing of data and portability of data. Data subjects are also entitled to seek redress through the Data Protection Authority.
Any data subjects wishing to exercise their statutory rights may, without formality, send an e-mail to or write to the Controller Luiss Guido Carli at Viale Pola 12, 00198 Rome, Italy, setting out their request and furnishing the information necessary to identify them.
The references of the Responsible for the protection of personal data (RPD or Data Protection Officer, DPO) can be consulted on the website of the Owner
The Controller will reply within one month. Should the Controller be unable to reply by the above deadline, it will give you a detailed explanation as to why your request cannot be satisfied.


Click here for the Italian version of the privacy policy