Privacy and data protection IntroThis page describes the processing of personal data by Università di Genova (UniGe).Legislation referencesSince May 25, 2018, the Regulation (EU) 2016/679, "General Data Protection Regulation" (GDPR), has been fully applicable.With Legislative Decree No. 101 August 10, 2018, the Italian legislator adapted the regulations contained in Legislative Decree No. 196 of June 30, 2003 (Personal Data Protection Code) to the GDPR.In implementation, the Regulations of the University of Genoa on the processing of personal data (UniGe privacy regulation) were adopted.Data controllerThe Data controller (Titolare del trattamento) is Università di Genova in the person of its Rector, the pro tempore legal representative.The Data controller, aware of the importance of adopting policies for the protection of personal data processed in the exercise of its institutional duties, undertakes to carry out the treatment in application of the principles of lawfulness, correctness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability.ContactsRettoratoVia Balbi, 5 - Genova+39 010 209 9221+39 010 209 51929rettore@unige.itprotocollo@pec.unige.itData protection officerThe Data Protection Officer (DPO) is Liguria Digitale Spa, appointed by Rectoral Decree 2407 of 13.05.2022.Contacts+39 338 5021237dpo@unige.itprotocollo@pec.liguriadigitale.itSupport officeTransparency, anti-corruption and privacy officeprivacy@unige.itPrivacy in UniGePersonal data are processed and accessible by UniGe employees and collaborators, assigned to the competent offices, in their capacity of authorized persons to the processing adequately instructed by the Data controller, according to the Authorization.The data will also be processed by third parties who, on the basis of specific agreements/contracts, operate for supply, development and maintenance activities in compliance with institutional purposes and, therefore, will be appointed as data processors pursuant to art. 28 of GDPR.RolesReferentPerson identified by the Data controller among the heads of administrative and educational structure. He is trained by the Data controller regarding his role (ex art. 9 of the UniGe Privacy Regulation) and collaborates functionally with the DPO.The persons responsible for the processing of personal data are those listed in Annex A of the UniGe Privacy Regulations.Sub-referentIn order to carry out its duties, each referent may identify one or more sub-referent(s) among the staff, teaching or technical-administrative personnel affiliated to the same structure of which the referent is head.AuthorizedSubject who operates under the direct authority of the contact person and carries out, with regard to the activities for which he/she is responsible, the processing of personal data in compliance with the security measures provided for and the instructions received (ex art. 10 of the UniGe Privacy Regulations). In the absence of formal designation, those who process personal data as part of their relationship with the University are in any case considered authorized to process data and are obliged to:observe the provisions of the UniGe Privacy Regulationsread the instructions to authorized persons to the processing of personal data.Co-Data controllerExternal entity, public or private, that determines the purposes and means of data processing jointly with the University through a specific agreement, the essential contents of which are made available to the data subject.ResponsibleExternal party, natural or legal person, who processes personal data on behalf of the University (ex art. 8 of the UniGe privacy regulation).The appointment of the external data processor shall be made by a written measure, by the owner or the contact persons, which identifies the nature, purpose and duration of the processing, the type of personal data processed and the categories of data subjects and defines the obligations of the processor, in accordance with the provisions of Article 28(3) of the GDPR.Legal actsAuthorizationAppointment of External Data Processor (ex art. 28 GDPR)UniGe's Information noticesThe principles of fair and transparent processing imply that the data subject is informed of the existence of the processing and its purposes and methods (ex art. 13 of EU Reg. n. 2016/679). The information must be provided at the time of collection from the data subject or, if the data is obtained from another source (ex art. 14 of EU Reg. n. 2016/679), within a reasonable time depending on the circumstances of the case and in any case within the time limits set out in art. 14 par. 3 of EU Reg. n. 2016/679.Consent to processing is represented by any free, specific, informed and unambiguous manifestation of will by which the data subject expresses his or her consent, by means of a statement or unambiguous positive action, that personal data concerning him or her be processed (ex art. 14 of EU Reg. n. 2016/679).If the object of the processing is special personal data (ex art. 9 and 10 of EU Reg. n. 2016/679), the consent must be explicit.Access to University Buildings (Covid-19 emergency)Due to the Covid-19 emergency, please read the University of Genoa Building Access Policy.Web and automated tools Information on cookies and the processing of personal data in the UniGe federated websites Students Information for pre-enrollment, students and those enrolled in educational activities of the UniversityInformation for students with disabilities with disabilities and/or specific learning disabilitiesInformation for the services of orientation for prospective students, during the study, for tutoring and Career advisingInformation for easylesson, easystaff and easyacademy services Staff Authorization to process personal data and related instructionsInformation for staff and collaboratorsInformation for easylesson, easystaff and easyacademy servicesInformation for psychological counseling serviceInformation for communication to covid@unige.it e-mail address Research Information for participants in research projectsInformation for research grants Images, video and video surveillance Information and Release images (photos and videos)Information on video surveillance (ALL. B)ALL. Signage with image recordingALL. Signage without image recordingALL. C Authorized Letter of AppointmentRector's note dated 11.06.2019 regarding video surveillance modified attachments see above Misc Information for the presentation of candidacies to University bodiesInformation for UniGe stakeholders personal data collectionInformation for the payment portal serviceInformation for "Iris" repository Rights of the data subjectThe data subject has the right to obtain from the owner the information and access to the processing of their personal data, confirmation of their existence, verify the accuracy, to request the integration, updating, change, limitation, revocation of consent, opposition or cancellation by writing to privacy@unige.it.Legislation referencesArticles 15-22 Reg. UE 2016/679Internal use actsDocuments, acts and modelsRector's note of 12.3.2020 Directions for the publication of acts and documents in Transparent Administration - CVRector's note dated 11.06.2019 regarding video surveillanceReport a personal data breachA data breach is a security breach that results in the accidental or unlawful destruction, loss, modification, disclosure of or access to personal data transmitted, stored, or otherwise processed by the University.UniGe has adopted a personal data breach management procedure.Types of violationsConfidentiality BreachUnauthorized or accidental disclosure of or access to personal information.Integrity BreachChanging personal information accidentally or without authorization.Availability BreachAccidental or unauthorized loss, access or destruction of personal data. The inability to access the data even temporarily is still a violation.When to report a data breachYou must report a data breach in case of:loss or theft of computer devices (e.g. pc, laptops, USB flash drive, external hard disk, smartphone, etc...) in which personal data are storedloss or theft of paper documents containing personal dataaccess or acquisition of personal data by unauthorized third partiesloss or destruction of personal data due to accidents, adverse events, flooding, fire, or other calamitiesviolation of physical security measures (for example forcing doors or windows of security rooms or archives)inability to access your personal data due to accidental causes or external attacks, such as viruses, malware, or other attacks on your computer system or corporate networkthe documents containing personal data are altered compared to the originals without authorization issued by their ownerunauthorized (even involuntary) disclosure of personal data to mailing listsunavailability, even if only temporary, of waiting lists for medical examinations or medical treatments.What to doIf you detect a concrete, potential or suspected violation of your personal data, you must:report it within 24 hours and without justified delay to abuse@assistenza.unige.itfill in the form for reporting a security incident and potential personal data breach that you will receive by email.The DPO evaluates the report and verifies that the reported facts actually constitute a data breach and, if so, starts the data breach management phase.ContactsDPOdpo@unige.itprotocollo@pec.liguriadigitale.itSupport officeTransparency, anti-corruption and privacy office