information for IT and information processing relating to authentication, authorisation, and accounting
In compliance with article 13 of Regulation (EU) 2016/679 General
Data Protection Regulation (hereinafter GDPR), the users who
have access to authentication, authorisation, and accounting services are
provided with the information described below.
– definitions (article 4 of GDPR)
– data controller and data protection officer
– purpose of processing and legal basis of processing
– categories and types of data
  – navigation data
  – data provided voluntarily by the user
– access to information by third parties
data controller and data protection officer
The data controller is Università Iuav di Venezia, Santa Croce 191, 30135 Venezia
e-mail: privacy@iuav.it
The data protection officer’s contacts are the following:
e-mail: dpo@iuav.it
PEC (certified e-mail): dpo@pec.iuav.it
purpose of processing and legal basis of processing
Università Iuav di Venezia processes personal data in the performance of
tasks carried out in the public interest, in the field of education,
scientific research and administration pursuant to article 6, paragraph 1,
letter e) of GDPR and, in particular, to provide and improve the web
services it offers.
categories and types of data
The personal data collected by the University - in its role as Data
Controller (hereinafter “university” or “Controller”) -
are processed for the proper and complete performance of services (hereinafter
“services”) provided to users through the university IT and
information systems that require authentication, authorisation, and accounting
(registration).
A non-comprehensive list of provided services includes:
– the digital identity release and account management service of the Google Apps for Education platform, including institutional e-mail;
– the access service to wired or Wi-Fi networks that can be entered also via personal devices such as laptops, tablets, smartphones, etc.;
– the access service to the fixed and mobile computer workstations provided to administrative/teacher staff or used by students and visitors, where necessary;
– fixed and mobile phone systems;
– single sign-on service.
navigation data
This data category includes:
– IP addresses or domain names of the computers connected to the
website by users;
– URI (Uniform Resource Identifier) addresses of the requested resources;
– time of the request;
– method used to submit the request to the server;
– size of the file received in response to the above-mentioned
request;
– numeric code indicating the status of the response given by the
server (successful, error...);
– other parameters relating to the operating system and the user's
IT environment.
data provided voluntarily by the user
The user's data, provided voluntarily or otherwise collected for the use
of the services - upon request for consent, where necessary - is processed by
the Controller for the following purposes:
a) for institutional and administrative purposes;
b) to comply with any specific and general legal obligations connected
with the user’s relationship with the university;
c) purposes related to the provision of the requested services (e.g.
registration to the university portal, access to the reserved area, use of the
university Wi-Fi networks);
d) purposes of statistical research/analysis on aggregated or anonymous
data, without the possibility to identify the user, aimed at measuring the
functioning of the service;
e) to comply with the university internal regulations;
f) to ensure the protection of data and/or information systems or to
support activities of configuration and diagnosis of services or for
technical/system constraints;
g) to assert or defend rights in legal proceedings or preliminary stages
in the event of abuse and/or illegal activities carried out by the persons
concerned or by third parties in the context of the activities referred to in
points (a), (b), (c), (d), (e), (f).
The provision of data is necessary for the purposes a), b), c), e), and
f).
Any failure to provide the above-mentioned data would prevent the
Controller from providing the services and fulfilling the obligations laid down
by law, regulation or EU legislation.
The processing of aggregate or anonymous data, mentioned in letter d), does
not require the application of the Privacy Code and GDPR.
For further details, please refer to the following section “data
processing terms”.
access to information by third parties
Iuav relies on the assistance of third parties or organisations,
including suppliers, web hosting or others.
During the period in which the university provides its services, it may
delegate its authority to collect, access, use and disseminate users’
information.
Iuav services use Google Analytics, a data analysis service provided by
Google Inc. ("Google"), to improve the usability of web services and
communication with users, estimate the level of users' internationalisation and
promote institutional activities according to the various types of users.
Google may transfer the collected data to third parties if required by
law.
Data are collected for institutional purposes only, and are never
transferred for commercial purposes.
More information about Google Analytics service is available on this page.
Iuav services use Cineca.
It provides hosting services (SaaS, Software as a Service).
Some data may be stored on such servers.
More information about Cineca service is available on this page.
Iuav services use Microsoft Azure.
It provides services and Cloud servers.
Some data may be stored on such servers.
More information about Microsoft Azure service is available on this page.
Iuav services use Google Apps for Education.
It provides services and cloud servers, in particular e-mail services,
shared-drive storage, and apps.
Some data may be stored on such servers.
More information about Google Apps for Education service is available on this page.
Iuav services use technical cookies and third-party cookies.
Cookies are activated whenever data is entered in forms, including login
data, and at each interaction with the websites.
Most cookies are technical cookies, which are necessary to correctly use
all the features of the websites; some cookies are not essential and are only
aimed at improving the browsing experience.
More information about the use of technical cookies and third-party
cookies is available on this page.
nature of data provision
Data provision is essential to use the services offered by the University.
In case of failure to provide the above-mentioned data, Iuav cannot
grant access to its services.
The withdrawal of consent may only be exercised for any optional
processing.
data processing terms
Personal data is processed through manual, IT and telematics-based tools
suitable to guarantee the security and confidentiality of the data themselves.
Specific security measures are in place to prevent the loss of data, illicit
or incorrect use and unauthorised access in full compliance with the provisions
of articles 31 et seq. of the Privacy Code and the Technical Specifications -
Annex B to the Privacy Code - regarding minimum security measures and article
32 of GDPR.
Regarding employees and collaborators, the accounting files of the
activities carried out through the IT tools made available by Iuav are
processed and stored in all evidence and for all purposes related to the
employment relationship, as provided for in the university regulations for the
processing of personal data.
With reference to all users, accounting files (related to the activities
carried out through the services) can be extracted, also by cross-referencing
and processing of such data to identify those responsible for abuse and/or
illegal activities carried out by the parties concerned or third parties.
During their normal activity, the university IT systems, software
procedures and applications that support their functioning and the provision of
services acquire some personal data on the use of the applications made
available by the university.
The above data are not collected to be placed in relation to the
activities of identified subjects, nor is any automated decision-making process
carried out.
However, by their own nature, through subsequent processing and possible
integration with data held by third parties, they could be associated with
users, for example, in response to specific requests or reports by legal
authorities.
Session cookies are used to manage the single sign-on services.
When the user logs in to the network services (authenticated wired/wireless
data network connection, use
of supervised workstations, dynamic assignment of an IP address, remote access
via VPN, use of proxy), some specific technical data related to the accessed
service, such as the user's IP address, date and time of connection, MAC
address and name of the device from which the access is made, user ID, the type
of network used, are recorded in the accounting data generated by the systems
and equipment.
data recipients
Depending on the processing, the personal data may be brought to the
attention of the Controller's employees or collaborators, belonging to the
administrative, commercial, legal, accounting or IT system administration
categories. Operating under the direct authority of the Controller, they shall
be appointed as data processors or persons in charge of the processing pursuant
to articles 29 and 30 of the Privacy Code or else contact persons pursuant to
articles 28 and 29 of GDPR, and they shall receive appropriate operating
instructions in this regard.
Personal data is not communicated to third parties except for the
following:
– persons, entities or authorities to whom disclosure is required
by law or regulations;
– service providers limited to the needs strictly related to the
provision of the above services.
period of data storage
Collected data are stored (in addition to the aspects regulated by the type
of relationship between Iuav and the person concerned) for the period
established by the regulations in force (see Law no. 167 of 20 November 2017,
article 24 Terms of storage of telephone and telematics-based traffic data:
«[omissis] is established in 72 months [omissis]»).
interested party’s rights
The user, as an interested party, has the right to request at any time
the Controller to exercise the rights referred to in articles 15 et seq. of GDPR
and, in particular:
– access to his/her personal data;
– correction, integration, deletion;
– restriction of the processing concerning the interested party
himself/herself or to object to their processing.
Pursuant to Article 17, paragraph 3, letter b) of GDPR, the right to
cancellation does not apply to data whose processing is necessary for the
performance of the Controller’s public interest tasks.
To exercise his/her rights, the user may contact the Data Controller
and/or the Data Protection Officer at the contacts mentioned above.
However, the right to lodge a complaint with the Data Protection
Supervisor remains unaffected.