Privacy and data protection
Intro
This page describes the processing of personal data by Università di Genova (UniGe).
Legislation references
Since May 25, 2018, the Regulation (EU) 2016/679, "General Data Protection Regulation" (GDPR), has been fully applicable.
With Legislative Decree No. 101 August 10, 2018, the Italian legislator adapted the regulations contained in Legislative Decree No. 196 of June 30, 2003 (Personal Data Protection Code) to the GDPR.
In implementation, the Regulations of the University of Genoa on the processing of personal data (UniGe privacy regulation) were adopted.
Data controller
The Data controller (Titolare del trattamento) is Università di Genova in the person of its Rector, the pro tempore legal representative.
The Data controller, aware of the importance of adopting policies for the protection of personal data processed in the exercise of its institutional duties, undertakes to carry out the treatment in application of the principles of lawfulness, correctness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability.
Contacts
- Rettorato
- Via Balbi, 5 - Genova
- +39 010 209 9221
+39 010 209 51929 - rettore@unige.it
- protocollo@pec.unige.it
Data protection officer
The Data Protection Officer (DPO) is Liguria Digitale Spa, appointed by Rectoral Decree 2407 of 13.05.2022.
Contacts
- +39 338 5021237
- dpo@unige.it
- protocollo@pec.liguriadigitale.it
- Support office
- Transparency, anti-corruption and privacy office
- privacy@unige.it
Privacy in UniGe
Personal data are processed and accessible by UniGe employees and collaborators, assigned to the competent offices, in their capacity of authorized persons to the processing adequately instructed by the Data controller, according to the Authorization and confidentiality agreement.
The data will also be processed by third parties who, on the basis of specific agreements/contracts, operate for supply, development and maintenance activities in compliance with institutional purposes and, therefore, will be appointed as data processors pursuant to art. 28 of GDPR.
Roles
Referent
Person identified by the Data controller among the heads of administrative and educational structure. He is trained by the Data controller regarding his role (ex art. 9 of the UniGe Privacy Regulation) and collaborates functionally with the DPO.
The persons responsible for the processing of personal data are those listed in Annex A of the UniGe Privacy Regulations.
Sub-referent
In order to carry out its duties, each referent may identify one or more sub-referent(s) among the staff, teaching or technical-administrative personnel affiliated to the same structure of which the referent is head.
Authorized
Subject who operates under the direct authority of the contact person and carries out, with regard to the activities for which he/she is responsible, the processing of personal data in compliance with the security measures provided for and the instructions received (ex art. 10 of the UniGe Privacy Regulations). In the absence of formal designation, those who process personal data as part of their relationship with the University are in any case considered authorized to process data and are obliged to:
- observe the provisions of the UniGe Privacy Regulations
- read the instructions to authorized persons to the processing of personal data and accept the confidentiality agreement.
Co-Data controller
External entity, public or private, that determines the purposes and means of data processing jointly with the University through a specific agreement, the essential contents of which are made available to the data subject.
Responsible
External party, natural or legal person, who processes personal data on behalf of the University (ex art. 8 of the UniGe privacy regulation).
The appointment of the external data processor shall be made by a written measure, by the owner or the contact persons, which identifies the nature, purpose and duration of the processing, the type of personal data processed and the categories of data subjects and defines the obligations of the processor, in accordance with the provisions of Article 28(3) of the GDPR.
Legal acts
- Authorization and confidentiality agreement
- Appointment of External Data Processor (ex art. 28 GDPR)
UniGe's Information notices
The principles of fair and transparent processing imply that the data subject is informed of the existence of the processing and its purposes and methods (ex art. 13 of EU Reg. n. 2016/679). The information must be provided at the time of collection from the data subject or, if the data is obtained from another source (ex art. 14 of EU Reg. n. 2016/679), within a reasonable time depending on the circumstances of the case and in any case within the time limits set out in art. 14 par. 3 of EU Reg. n. 2016/679.
Consent to processing is represented by any free, specific, informed and unambiguous manifestation of will by which the data subject expresses his or her consent, by means of a statement or unambiguous positive action, that personal data concerning him or her be processed (ex art. 14 of EU Reg. n. 2016/679).
If the object of the processing is special personal data (ex art. 9 and 10 of EU Reg. n. 2016/679), the consent must be explicit.
Access to University Buildings (Covid-19 emergency)
Due to the Covid-19 emergency, please read the University of Genoa Building Access Policy.
Web and automated tools
Students
- Information for pre-enrollment, students and those enrolled in educational activities of the University
- Information for students with disabilities with disabilities and/or specific learning disabilities
- Information for the services of orientation for prospective students, during the study, for tutoring and Career advising
- Information for easylesson, easystaff and easyacademy services
Staff
- Authorization to process personal data and related instructions
- Information for staff and collaborators
- Information for easylesson, easystaff and easyacademy services
- Information for psychological counseling service
- Information for communication to covid@unige.it e-mail address
Research
Images, video and video surveillance
- Information and Release images (photos and videos)
- Information on video surveillance (ALL. B)
- ALL. A Signage
- ALL. C Authorized Letter of Appointment
- Rector's note dated 11.06.2019 regarding video surveillance
Misc
- Information for the presentation of candidacies to University bodies
- Information for UniGe stakeholders personal data collection
- Information for the payment portal service
- Information for "Iris" repository
Rights of the data subject
The data subject has the right to obtain from the owner the information and access to the processing of their personal data, confirmation of their existence, verify the accuracy, to request the integration, updating, change, limitation, revocation of consent, opposition or cancellation by writing to privacy@unige.it.
Legislation references
Articles 15-22 Reg. UE 2016/679
Internal use acts
- Documents, acts and models
- Rector's note of 12.3.2020 Directions for the publication of acts and documents in Transparent Administration - CV
- Rector's note dated 11.06.2019 regarding video surveillance
Report a personal data breach
A data breach is a security breach that results in the accidental or unlawful destruction, loss, modification, disclosure of or access to personal data transmitted, stored, or otherwise processed by the University.
UniGe has adopted a personal data breach management procedure.
Types of violations
Confidentiality Breach
Unauthorized or accidental disclosure of or access to personal information.
Integrity Breach
Changing personal information accidentally or without authorization.
Availability Breach
Accidental or unauthorized loss, access or destruction of personal data. The inability to access the data even temporarily is still a violation.
When to report a data breach
You must report a data breach in case of:
- loss or theft of computer devices (e.g. pc, laptops, USB flash drive, external hard disk, smartphone, etc...) in which personal data are stored
- loss or theft of paper documents containing personal data
- access or acquisition of personal data by unauthorized third parties
- loss or destruction of personal data due to accidents, adverse events, flooding, fire, or other calamities
- violation of physical security measures (for example forcing doors or windows of security rooms or archives)
- inability to access your personal data due to accidental causes or external attacks, such as viruses, malware, or other attacks on your computer system or corporate network
- the documents containing personal data are altered compared to the originals without authorization issued by their owner
- unauthorized (even involuntary) disclosure of personal data to mailing lists
- unavailability, even if only temporary, of waiting lists for medical examinations or medical treatments.
What to do
If you detect a concrete, potential or suspected violation of your personal data, you must:
- report it within 24 hours and without justified delay to abuse@assistenza.unige.it
- fill in the form for reporting a security incident and potential personal data breach that you will receive by email.
The DPO evaluates the report and verifies that the reported facts actually constitute a data breach and, if so, starts the data breach management phase.
Contacts
- DPO
protocollo@pec.liguriadigitale.it
- Support office