In compliance with article 13 of Regulation (EU) 2016/679 General Data Protection Regulation (hereinafter GDPR), the users who have access to authentication, authorisation, and accounting services are provided with the information described below.

 

– definitions (article 4 of GDPR)

– data controller and data protection officer

– purpose of processing and legal basis of processing

– categories and types of data

            navigation data

            data provided voluntarily by the user

– access to information by third parties

– nature of data provision

– data processing terms

– data recipients

– period of data storage

– interested party’s rights

 

 

data controller and data protection officer

 

The data controller is Università Iuav di Venezia, Santa Croce 191, 30135 Venezia

e-mail: privacy@iuav.it

 

The data protection officer’s contacts are the following:

e-mail: dpo@iuav.it

PEC (certified e-mail) dpo@pec.iuav.it

 

back

 

 

purpose of processing and legal basis of processing

 

Università Iuav di Venezia processes personal data in the frame of the performance of the tasks carried out in the public interest, in the field of education, scientific research and administration pursuant to article 6, paragraph 1, letter e) of GDPR and especially, to provide and improve the web services it offers.

 

back

 

 

categories and types of data

 

The personal data collected by the University - in its role as Data Controller (hereinafter “university” or “Controller”) - are processed for the proper and complete performance of services (hereinafter “services”) provided to users through the university IT and information systems that require authentication, authorisation, and accounting (registration).

 

A non-comprehensive list of provided services includes:

– the digital identity release and account management service of the Google Apps for Education platform, including institutional e-mail;

– the access service to wired or Wi-Fi networks that can be entered also via personal devices such as laptops, tablets, smartphones, etc.;

– the access service to the fixed and mobile computer workstations provided to administrative/teacher staff or used by students and visitors, where necessary;

– fixed and mobile phone systems;

– single sign-on service.

 

navigation data

This data category includes:

– IP addresses or domain names of the computers connected to the website by users;

–  addresses in URI (Uniform Resource Identifier) of the requested resources;

– time of the request;

– method used to submit the request to the server;

– size of the file received in response to the above-mentioned request;

– numeric code indicating the status of the response given by the server (successful, error...);

– other parameters relating to the operating system and the user's IT environment.

 

data provided voluntarily by the user

The user's data, provided voluntarily or otherwise collected for the use of the services - upon request for consent, where necessary - is processed by the Controller for the following purposes:

a) for institutional and administrative purposes;

b) to comply with any specific and general legal obligations connected with the user’s relationship with the university;

c) purposes related to the provision of the requested services (e.g. registration to the university portal, access to the reserved area, use of the university Wi-Fi networks)

d) purposes of statistical research/analysis on aggregated or anonymous data, without the possibility to identify the user, aimed at measuring the functioning of the service;

e) to comply with the university internal regulations;

f) to ensure the protection of data and/or information systems or to support activities of configuration and diagnosis of services or for technical/system constraints;

g) to assert or defend rights in legal proceedings or preliminary stages in the event of abuse and/or illegal activities carried out by the persons concerned or by third parties in the context of the activities referred to in points (a), (b), (c), (d), (e), (f).

 

The provision of data is necessary for the purposes a), b), c), e), and f).

Any failure to provide the above-mentioned data would prevent the Controller from providing the services and fulfilling the obligations laid down by law, regulation or EU legislation.

The processing of aggregate or anonymous data, mentioned in letter d), does not require the application of the Privacy Code and GDPR.

 

For further details, please refer to the following section “data processing terms".

 

back

 

 

access to information by third parties

 

Iuav relies on the assistance of third parties or organisations, including suppliers, web hosting or others.

 

During the period in which the university provides its services, it may delegate its authority to collect, access, use and disseminate users’ information.

 

Iuav services use Google Analytics, a data analysis service provided by Google Inc. ("Google"), to improve the usability of web services and communication with users, estimate the level of users' internationalisation and promote institutional activities according to the various types of users.

Google may transfer the collected data to third parties if required by law.

Data are collected for institutional purposes only, and are never transferred for commercial purposes.

More information about Google Analytics service is available on this page.

 

Iuav services use Cineca.
It provides services in hosting (SaaA software as a Service)

Some data may be stored on such servers.
More information about Cineca service is available on this page.

 

Iuav services use Microsoft Azure.

It provides services and Cloud servers.
Some data may be stored on such servers.
More information about Microsoft Azure service is available on this page.

 

Iuav services use Google Apps for Education.
It provides services and Cloud servers. In particular, e-mail services, shared-drive storage, and apps.

Some data may be stored on such servers.
More information about Google Apps for Education service is available on this page.

 

Iuav services use technical cookies and third-party cookies.

Cookies are activated whenever data is entered in forms, including login data, and at each interaction with the websites.

Most cookies are technical cookies, which are necessary to correctly use all the features of the websites; some cookies are not essential and are only aimed at improving the browsing experience.

More information about the use of technical cookies and third-party cookies is available on this page.

 

back

 

 

nature of data provision

 

Data provision is essential to use the services offered by the University.

In case of failure to provide the above-mentioned data, Iuav cannot grant access to its services.

The withdrawal of consent may only be exercised for any optional processing.

 

back

 

 

data processing terms

 

Personal data is processed through manual, IT and telematics-based tools suitable to guarantee the security and confidentiality of the data themselves.

 

Specific security measures are in place to prevent the loss of data, illicit or incorrect use and unauthorised access in full compliance with the provisions of articles 31 et seq. of the Privacy Code and the Technical Specifications - Annex B to the Privacy Code - regarding minimum security measures and article 32 of GDPR.

 

Regarding employees and collaborators, the accounting files of the activities carried out through the IT tools made available by Iuav are processed and stored in all evidence and for all purposes related to the employment relationship, as provided for in the university regulations for the processing of personal data.

 

With reference to all users, accounting files (related to the activities carried out through the services) can be extracted, also by cross-referencing and processing of such data to identify those responsible for abuse and/or illegal activities carried out by the parties concerned or third parties.

 

During their normal activity, the university IT systems, software procedures and applications that support their functioning and the provision of services acquire some personal data on the use of the applications made available by the university.

 

The above data are not collected to be placed in relation to the activities of identified subjects, nor is any automated decision-making process carried out.

 

However, by their own nature, through subsequent processing and possible integration with data held by third parties, they could be associated with users, for example, in response to specific requests or reports by legal authorities.

 

Session cookies are used to manage the single sign-on services.

 

When the user logs in to the network services (authenticated wired/wireless data network connection, use of supervised workstations, dynamic assignment of an IP address, remote access via VPN, use of proxy), some specific technical data related to the accessed service, such as the user's IP address, date and time of connection, MAC address and name of the device from which the access is made, user ID, the type of network used, are recorded in the accounting data generated by the systems and equipment.

 

back

 

 

data recipients

 

Depending on the processing, the personal data may be brought to the attention of the Controller's employees or collaborators, belonging to the administrative, commercial, legal, accounting or IT system administration categories. Operating under the direct authority of the Controller, they shall be appointed as data processors or persons in charge of the processing pursuant to articles 29 and 30 of the Privacy Code or else contact persons pursuant to articles 28 and 29 of GDPR, and they shall receive appropriate operating instructions in this regard.

 

Personal data is not communicated to third parties except for the following:

– persons, entities or authorities to whom disclosure is required by law or regulations;

– service providers limited to the needs strictly related to the provision of the above services.

 

back

 

 

period of data storage

 

Collected data are stored (in addition to the aspects regulated by the type of relationship between Iuav and the person concerned) for the period established by the regulations in force (see Law no. 167 of 20 November 2017, article 24 Terms of storage of telephone and telematics-based traffic data: «[omissis] is established in 72 months [omissis]»).

 

back

 

 

interested party’s rights

 

The user, as an interested party, has the right to request at any time the Controller to exercise the rights referred to in articles 15 et seq. of GDPR and, in particular:

– access to his/her personal data;

– correction, integration, deletion;

– restriction of the processing concerning the interested party himself/herself or to object to their processing.

 

Pursuant to Article 17, paragraph 3, letter b) of GDPR, the right to cancellation does not apply to data whose processing is necessary for the performance of the Controller’s public interest tasks.

 

To exercise his/her rights, the user may contact the Data Controller and/or the Data Protection Officer at the contacts mentioned above.

 

However, the right to lodge a complaint with the Data Protection Supervisor remains unaffected.

 

back