Privacy Policy

RAFFLES MILANO — PRIVACY POLICY

Last updated: [                   ]

1. Introduction & scope

Raffles Milano — International Design Institute (“Raffles Milano”, “we”) processes personal data in the course of our educational, administrative, employment, financial and web-based activities. This Privacy Policy explains what personal data we collect, how we use it, the legal bases for processing, who we share it with, retention periods and your rights in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Italian Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018. It applies to personal data processed through our website, forms, admissions and recruitment systems, student and staff administration, vendor management and related institutional services, and should be read together with our Cookie Policy and any specific notices provided at the time of data collection.

2. Data controller & contact details

  • Raffles Education Italy SRL –  operating as Raffles Milano
  • Registered office: Via Felice Casati 16, 20124 Milano, Italy
  • Official contact for privacy matters (PEC): rafflesitalyeducation@legalmail.it

Individuals may also contact us by post at the address above, marked “Privacy Enquiries”.

3. Scope: Who this Policy covers

This Policy applies to personal data relating to:

  • prospective, current and former students and applicants;
  • teaching staff, visiting lecturers, consultants and contractors;
  • vendors, suppliers and partner organisations;
  • employees, interns and job applicants;
  • website visitors and users of our online services;
  • other individuals whose data we process in connection with our institutional activities.

4. Categories of personal data we process

Depending on your relationship with Raffles Milano and the services you use, we may process the following categories of personal data:

  • Identity and contact information: name, surname, title, date/place of birth, address, telephone number and email addresses.
  • Official identification data: information contained in identity documents and other identifiers required for administrative, fiscal or regulatory purposes.
  • Financial and payment data: information necessary for processing payments, reimbursements, tuition fees or contractual obligations, which may include bank or billing details.
  • Employment, faculty and collaboration data: information provided during recruitment or collaboration, including qualifications, roles, contract terms, remuneration details and statutory employment documentation.
  • Academic and administrative data: information relating to applications, enrolment, attendance, assessments, academic progression and related institutional records.
  • Communications and interaction data: correspondence, enquiries, forms, requests and operational or contractual communications.
  • Technical and website data: IP addresses, device and browser identifiers, cookies and usage data, as described in our Cookie Policy.
  • Other information: photographs and materials provided for identification or institutional purposes, and documents voluntarily supplied in connection with our services.

Raffles Milano does not routinely process special categories of personal data (Article 9 GDPR). Where such data is required—for example, to support disability accommodations or to meet specific employment obligations—it is processed only with appropriate safeguards and on the relevant legal basis.

5. Purposes of processing & legal bases

  • manage applications, enrolment, academic activities and student services;
  • administer employment, faculty and collaborator relationships;
  • manage vendors, suppliers and contractual obligations;
  • operate and secure IT, email and communication systems;
  • send institutional and marketing communications (with consent where required);
  • comply with tax, accounting, regulatory and administrative obligations;
  • ensure the security of persons, premises and IT systems;
  • operate and improve our website, including cookie-based analytics.

Processing is carried out on the legal bases set out in the GDPR: performance of a contract (or pre-contractual steps), compliance with legal obligations, legitimate interests, or consent where required. Raffles Milano maintains internal documentation identifying the specific legal basis for each processing activity.

6. Recipients and Categories of Recipients

Personal data may be shared with the following categories of recipients, strictly on a need-to-know basis:

  • Internal departments such as academic administration, HR, accounting, legal, marketing and IT.
  • External service providers acting as data processors, including cloud hosting services, student information systems, payroll and accounting providers, CRM and marketing platforms, and email or collaboration tool providers (e.g., Microsoft).
  • Public authorities and judicial bodies, where required by EU or Italian law.
  • Other third parties, where necessary for the performance of a contract or where the data subject has provided consent.

Raffles Milano ensures that external service providers who process personal data on its behalf are bound by appropriate contractual safeguards, including data-processing agreements where required under the GDPR, to ensure the protection and lawful processing of personal data.

7. Cross-border Transfers

Some personal data may be transferred to, or accessed from, countries outside the European Economic Area (“EEA”). Such transfers may occur, for example, when certain administrative, accounting, technical or support activities are carried out by group entities or service providers located outside the EEA, or where cloud and technology providers operate on a global basis.

When international transfers take place, Raffles Milano takes steps to ensure that they are carried out in accordance with the requirements of the General Data Protection Regulation (GDPR). Where required, we adopt appropriate safeguards to protect personal data, which may include the use of the Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms permitted under the GDPR.

Further information on international transfers, including the countries involved and the safeguards applied, may be requested at: rafflesitalyeducation@legalmail.it

8. Data Retention Periods

Personal data is retained only for the time necessary to fulfil the purposes for which it was collected and to comply with legal, accounting and regulatory requirements. Retention periods vary depending on the category of data and are defined in our internal retention schedule.
Data no longer required is securely deleted, anonymised or archived in accordance with our procedures.

9. Data subject rights

Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Italian Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018), individuals whose personal data we process have the following rights. Some rights may be subject to conditions or statutory limitations based on the specific processing activity.

You may exercise the following rights:

  • Right of access (Art. 15 GDPR): obtain confirmation as to whether we process your personal data and receive a copy of such data.
  • Right to rectification (Art. 16 GDPR): request the correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17 GDPR): request the deletion of your personal data where legally permitted (“right to be forgotten”).
  • Right to restriction of processing (Art. 18 GDPR): request that we restrict the processing of your data in specific circumstances.
  • Right to data portability (Art. 20 GDPR): receive your personal data in a structured, commonly used and machine-readable format, and transmit it to another controller where the processing is based on consent or contract.
  • Right to object (Art. 21 GDPR): object to processing carried out on the basis of our legitimate interests, including profiling and direct marketing.
  • Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making (Art. 22 GDPR): request not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.

To exercise any of these rights, please contact us at rafflesitalyeducation@legalmail.it. We may request proof of identity to verify your request. We will respond within the timelines set by the GDPR (generally within one month, with the possibility of extension for complex or numerous requests).

10. Cookies & online tracking

We use cookies and similar technologies. Our Cookie Policy describes details: types of cookies (strictly necessary, preferences, statistics, marketing), purposes, providers, duration and how to manage consent. Non-essential cookies are used only with your prior consent; essential cookies are necessary for site operation.

Cookie banner: the cookie banner displayed on our website links to this Privacy Policy and the Cookie Policy, and allows users to manage their cookie preferences.

11. Security & organisational measures

We implement appropriate technical and organisational measures to safeguard personal data, taking into account the nature of the processing, the associated risks and industry best practices. These measures include access controls, security monitoring, secure storage and procedures for managing incidents and data breaches.

12. Data breach notification

If a personal data breach occurs that is likely to result in a risk to individuals’ rights and freedoms, we will notify the Garante per la Protezione dei Dati Personali without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to individuals, we will also communicate the breach to the affected data subjects, unless an exemption applies. Our incident response and breach management procedure documents roles, escalation, investigation and notification processes.

13. Children & minors

Our services are not generally directed to children under 16. Where we process data relating to minors; for instance, in admissions, we obtain parental/guardian authorisation where required by law and apply enhanced protections.

14. Links to third-party sites

Our website may contain links to third-party sites. We are not responsible for the privacy practices of those third parties. Check their privacy policies before providing personal data.

15. Changes to this Policy

We may update this Privacy Policy periodically. The “Last updated” date indicates the latest revision. Where changes materially affect personal data processing, we will take reasonable steps to inform individuals.

16. How to contact us / complaints

Data protection and general privacy enquires: rafflesitalyeducation@legalmail.it
Postal contact: Raffles Education Italy SRL, Via Felice Casati 16, 20124 Milano

If you consider your rights under GDPR have been infringed, you can lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali).
Facebook Youtube Linkedin Instagram