IntroductionOn this page you will find described the way in which personal data is processed by the University of Genoa (UniGe).References Since 25 May 2018 the Regulation (EU) 2016/679, "General Data Protection Regulation" (GDPR) has been fully applicable. With Legislative Decree no. 101 of 10 August 2018, the Italian legislator adapted the regulations contained in Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code) to the GDPR. In implementation, the Regulations of the University of Genoa on the processing of personal data (UniGe Privacy Regulations).Personal Data ControllerThe Data Controller is the University of Genoa in the person of the Rector pro tempore.The Data Controller, aware of the importance of adopting policies for the protection of personal data processed in the exercise of its institutional tasks, undertakes to carry out the processing in application of the principles of lawfulness, correctness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.ContactsRettoratoVia Balbi, 5 - Genova+39 010 209 9221 +39 010 209 51929rettore@unige.itprotocollo@pec.unige.itData Protection OfficerThe Data Protection Officer (DPO) is the company Liguria Digitale Spa, appointed by DR 2407 of 13.05.2022.Contacts+39 338 5021237dpo@unige.itprotocollo@pec.liguriadigitale.it Support OfficeOffice for Transparency, Anti-Corruption and Privacyprivacy@unige.itPrivacy at UniGePersonal data are processed and made accessible to UniGe employees and collaborators, assigned to the competent offices, in their capacity as authorised processors adequately instructed by the Data Controller for this purpose, in accordance with the authorisation to process personal data.The data are also processed by third parties who, on the basis of specific agreements/contracts, operate for supply, development and maintenance activities in compliance with the institutional purposes and, therefore, are appointed as data processors pursuant to Article 28 of the GDPR.RolesReferentSubject identified by the Controller among the heads of the administrative and teaching structure. He is trained by the Data Controller with regard to his role (ex art. 9 of the UniGe Privacy Regulation) and collaborates functionally with the DPO. The entities referred to in Annex A of the UniGe Privacy Regulation are the contact persons for the processing of personal data.SubreferentEach referee, in order to carry out his/her duties, may identify one or more sub-referents among the structured, teaching or technical-administrative staff belonging to the structure of which the referee is head.Authorised personSubject operating under the direct authority of the contact person and carrying out, with regard to the activities for which he/she is responsible, the processing of personal data in compliance with the security measures envisaged and the instructions received (ex art. 10 of the UniGe Privacy Regulations). In the absence of a formal designation, those who process personal data in the context of the relationship with the University are in any case considered authorised to process data and are obliged to:observe the provisions of the UniGe privacy regulationread the instructions to%20authorised%personal%data%processors ControllersExternal body, public or private, that determines the purposes and means of data processing jointly with the University through a specific agreement, the essential contents of which are made available to the interested party.Responsible personExternal subject, natural or legal person, who processes personal data on behalf of the University (ex art. 8 of the UniGe Privacy Regulation). The appointment of the external data processor shall be made by written measure, of the data controller or of the contact persons, identifying the nature, purposes and duration of the processing, the type of personal data processed and the categories of data subjects and defining the obligations of the processor, in compliance with the provisions of Art. 28(3) of the GDPR.ActsAct authorising the processing of personal dataInstructions and good practices for authorised persons on the use of IT toolsInstructions to contact persons on the processing of personal dataAppointment of Personal Data Processor (ex art. 28 GDPR) Information adopted by UniGeThe principles of fair and transparent processing imply that the data subject is informed of the existence of the processing and its purposes and methods (ex art. 13 of EU Reg. no. 2016/679). The information must be provided at the time of collection from the data subject or, if the data is obtained from another source (ex art. 14 of EU Reg. no. 2016/679), within a reasonable period depending on the circumstances of the case and in any case within the time limits set out in art. 14(3) of EU Reg. no. 2016/679.Consent to processing is any manifestation of the data subject's free, specific, informed and unambiguous will, whereby the data subject indicates his or her assent, by way of a statement or unambiguous affirmative action, to personal data concerning him or her being processed (ex art. 14 of EU Reg. no. 2016/679).If the subject of the processing is special personal data (ex art. 9 and 10 of EU Reg. no. 2016/679), the consent must be explicit.Access to University Buildings (Covid-19 Emergency)Because of the Covid-19 emergency, please read the Information for access to the buildings of the University of Genoa.Web and automated toolsInformation on cookies and personal data processing in the UniGe federated sitesStudentsInformation for pre-registered students, students and those enrolled in educational activities of the UniversityInformation for students with disabilities with disabilities and/or specific learning disordersInformation for incoming, in itinere, tutoring and outgoing guidance servicesService information easylesson, easystaff and easyacademyPersonalAuthorisation to process personal data and related instructionsInformativa per il personale e collaboratoriInformativa servizi easylesson, easystaff e easyacademyInformativa per il servizio di counseling psicologico a favore del personale dell'AteneoInformativa per chi trasmette certificazioni alla casella covid@unige.itScientific researchInformation for participants in research projectsInformativa per candidature a borse di ricercaImmagini, video e videoorveglianzaImage, event (photo and video) information and release) NEW Informativa videosorveglianza ALL. B.docx NEW CARTELLO VIDEOSORVEGLIANZA con reg - Modello semplificato.docx NEW CARTELLO VIDEOSORVEGLIANZA senza reg - Modello semplificato.docx ALL. C Authorized Letter of AppointmentRector's note dated 11.06.2019 regarding video surveillance various attachments see aboveOtherInformation for the submission of candidacies to bodies of the UniversityInformation for the collection of personal data for the stakeholders of the UniversityInformation for users of the "Payment Portal" service"Information for users who use the "Iris" repository"Rights of the interested partiesThe interested party has the right to obtain from the Data Controller the information and access to the processing of his/her personal data, confirmation of their existence, to verify their accuracy, to request their integration, update, change, limitation, revocation of consent, opposition or cancellation by writing to privacy@unige.it.References Articles 15-22 of Reg. EU 2016/679Acts for internal useRectoral Circular of 4.10.2018 for the correct citation of privacy legislation in documents, acts and modelsRectoral note of 12.3.2020 Directions for the publication of acts and documents in Transparent Administration - CVRectoral note of 11.06.2019 regarding video surveillanceReporting a personal data breach (data breach)Data breach is a security breach that accidentally or unlawfully results in the destruction, loss, modification, disclosure of or access to personal data transmitted, stored or otherwise processed by the University.UniGe has adopted a procedure for management of personal data breachesTypologies of BreachConfidentiality BreachAuthorized or accidental disclosure of or access to personal data.Integrity Breach)Accidental or unauthorised modification of personal data.Availability Breach)Accidental or unauthorised loss, access or destruction of personal data. The inability to access data even temporarily still constitutes a breach.When to report a data breachYou should report a data breach if:loss or theft of computing devices (e.g. PCs, laptops, USB sticks, external hard drives, smartphones, etc.) on which personal data are storedloss or theft of paper documents containing personal dataaccess to or acquisition of personal data by unauthorised third partiesloss or destruction of personal data due to accident, adverse event, flood, fire or other disasterviolation of physical security measures (e.g: forcing of doors or windows of security rooms or archives)inability to access personal data due to accidental causes or external attacks, such as viruses, malware, or other attacks on the company's computer system or networkdocuments containing personal data are altered from the originals without authorisation issued by the relevant ownerunauthorised (even unintentional) disclosure of personal data to mailing listsunvailability, even if only temporary, of waiting lists for medical examinations or health treatments.ReportingIf you detect a concrete, potential or suspected breach of your personal data, you must:report it within 24 hours and in any case without justified delay, to the email address abuse@assistenza.unige.itfill in the Reporting Form of a Security Incident and Potential Personal Data Breach that you will receive by email.The DPO assesses the report and verifies that the reported facts do indeed constitute a personal data breach and, if so, initiates the data breach management phase.ContactsDPOdpo@unige.itprotocollo@pec.liguriadigitale.itSupport OfficeTransparency, Anti-Corruption and Privacy Office
