The University for Foreigners of Perugia recognizes the importance of protecting personal data and, in its role as data controller, is committed to handling such data appropriately and transparently towards the data subject, that is, the person to whom the personal data refer.
Privacy notices are one of the tools of this transparency because they provide a comprehensive overview of data processing activities, the purposes pursued, and the methods used: when new services or purposes are introduced, the notices are updated, so we invite you to periodically read the notices published in this section.
It is important to know that the University for Foreigners of Perugia, hereinafter referred to as “the University”, established by Royal Decree-Law of 29 October 1925, no. 1965, is a public institution of higher learning with a special status pursuant to Law 17 February 1992, no. 204. It promotes and organizes training and scientific research activities aimed at the knowledge and dissemination of the Italian language, culture, and civilization, intercultural dialogue, communication, and international cooperation, in connection with the region and its representative institutions, as well as with national and international institutions pursuing similar purposes (art. 1 of the Statute), and it is regarded as equivalent to public administrations in exercising its functions (art. 1, paragraph 2, of Legislative Decree 30 March 2001, no. 165).
For these reasons, its processing activities may be, pursuant to Article 6, paragraph 1 of the General Data Protection Regulation “EU Regulation 679/2016” or GDPR:
- processing necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (letter b)
- processing for compliance with a legal obligation (letter c)
- processing for reasons of public interest (letter e)
- processing for the legitimate interests of the University, provided these do not override the interests, rights and fundamental freedoms of the data subject, especially if a minor (letter f)
If processing does not fall under these legal bases, even by virtue of regulations or calls for applications issued by the University, data may only be processed with the consent of the data subject (art. 6 par. 1.a). Exceptionally, in special emergency situations, the University may process personal data acquired in any way, in order to safeguard the data subject or another individual (art. 6, par. 1.d).
Main processing activities carried out by the University for Foreigners of Perugia
- Processing aimed at university orientation (also addressed to minors)
- Processing aimed at the administration of entrance exams or verification of admission requirements
- Processing aimed at providing the educational path and managing the academic career (from enrollment to degree completion, including teaching delivery, administrative procedures, management of tuition fees and refunds)
- Processing aimed at the dissemination of the final thesis or related elements
- Processing aimed at providing services and benefits for the right to education
- Processing aimed at curricular and extracurricular internship activities
- Processing aimed at research activities in which the data subject participates
- Processing aimed at job placement activities
- Processing aimed at statistical surveys and assessment of teaching
- Processing aimed at tutoring, assistance, and social inclusion services
- Processing aimed at fundraising, institutional communication and information, and community development activities
- Processing aimed at managing the active and passive electorate for representation in university bodies
- Processing for safety in university premises and insurance coverage
- Cross-cutting processing or processing connected to transversal activities (listed below)
- Processing aimed at holding competitive exams/selections
- Processing aimed at managing the employment relationship
- Processing of personal data for training and professional development purposes
- Processing of personal data for the management of the educational offering and assignment coverage
- Processing of personal data necessary for the management of research projects
- Processing of personal data in order to ensure research monitoring and evaluation
- Processing of personal data within the scope of technology transfer activities
- Processing necessary for Welfare policies and for the access to benefits
- Processing for health and safety of people in workplaces
- Processing of personal data as part of the provision of fixed and mobile telephony services
- Processing of data for staff evaluation
- Processing of data related to disciplinary procedures
- Cross-cutting processing or activities connected to cross-cutting activities (listed below)
- Data processing in the context of facility management, including video surveillance systems
- Processing of personal data for the management of workstations, access, and use of university services, including online services
- Processing for the management of institutional bodies and positions
- Processing for accident management
- Processing for the use of library services
- Data processing in the context of protocol services and document preservation
- Processing aimed at the purchase of goods and services, contract stipulation, debt collection, and litigation management
- Data processing within the scope of email services and collaboration tools
- Processing of personal data within the scope of federated service delivery
When providing IT services to university users, secondary personal information is collected and processed, meaning information that can be linked to personal data, not as a result of direct collection from the individual, but rather to enable IT processing (e.g. the user ID or the IP address of the device used to connect).
A specific information notice has been prepared regarding the processing of data of those browsing the university’s web portal, which can be found in the section below.
Further information
The collected data will be kept for the time necessary to achieve the purposes for which it was collected and as established by current legislation or university regulations.
Specifically, please note that personal data related to your university career will be stored indefinitely, in compliance with the retention and archiving obligations imposed by current regulations.
The regulation grants several rights to the individual to whom the data refers:
- right of access to personal data
- right to rectification
- in cases provided for by law and in the absence of overriding legitimate interests of the University, the right to erasure of data (so-called right to be forgotten)
- in cases provided for by law, the right to restriction of data processing
- in cases provided for by law and if processing is based on consent, the right to data portability
- in cases provided for by law and if processing is based on consent, the right to object to processing activities
- in the case of processing based on consent, the possibility to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
To exercise these rights, you can send a request to the Data Controller’s contact, rettore@unistrapg.it or, via certified email (PEC), protocollo@pec.unistrapg.it and to the Data Protection Officer’s contact rpd@unistrapg.it, or also to protocollo@pec.unistrapg.it using the dedicated form.
In relation to processing that you believe does not comply with the regulations, you may contact the Data Protection Officer at rpd@unistrapg.it and/or lodge a complaint with the competent supervisory authority, which in Italy is the Data Protection Authority. Alternatively, you may lodge a complaint with the Data Protection Authority of the EU Member State where you reside or usually work, or where the alleged violation occurred.
In the case of minors, before providing data to the University, it is necessary that the privacy notices are read carefully together with the parents or legal guardians. Parents or any legal representatives of minors may exercise the rights as indicated in the previous section.
The privacy notice, drawn up pursuant to Art. 13 of the EU Regulation 679/2016, contains a great deal of information which we list below:
- The data and contact details of the Data Controller and Data Protection Officer, which for the University of Perugia are as follows:
  - The Data Controller is the University for Foreigners of Perugia, represented by the Rector as legal representative
  - The contact for the Data Controller is: rettore@unistrapg.it or, via PEC, protocollo@pec.unistrapg.it
  - The contact for the Data Protection Officer is: rpd@unistrapg.it, tel. 075 57 46 1
- the purposes and legal bases of the processing of personal data, and if a legitimate interest of the Controller exists
- the nature (personal/special category) and type of data processed (personal, contact data, etc.)
- whether providing the data is mandatory or not and the consequences of failure to provide the data
- in cases where consent has been requested for processing certain special category data, the existence of the right to withdraw consent and the ways and conditions for exercising that right
- the methods by which processing will be carried out, whether profiling is involved (fully automated decision-making based on certain data of the individual), the data retention period or the retention logic applied
- whether it is possible for data to be processed by other administrations or external companies, transferred outside the European Union, and what guarantees are provided by the Controller
- the rights that can be exercised (detailed above), the ways and contacts to submit a request, and the right to lodge a complaint with the supervisory authority
In some cases, processing involves certain obligations to transmit or exchange personal data with other Public Administrations, while some processing is carried out with the support of specialized companies that become external data processors: these processing methods are also specified in the privacy notices.
It is understandable that the completeness of the privacy notice requires time to read, so in some cases a simplified privacy notice is provided, which will refer to the full notice for those who wish to learn more.
Updated Privacy Notices
(being published)
- Privacy Notice for candidates admitted to the eligibility exam, held online, for the creation of a ranking list of external experts for the correction of DILS-PG papers
- Privacy Notice for members of the DILS-PG remote exam committee
- Privacy Notice for the processing of personal data during the period of epidemiological emergency from Covid-19
- Privacy Notice for additional personal data processing for the resumption of in-person teaching activities - phase 3
- Privacy Notice for processing related to the signing of procurement contracts
- Privacy Notice for processing related to the signing of self-employment contracts
- Privacy Notice for the processing of personal data of participants in the "Memory Train" initiative
- Privacy Notice for the processing of personal data of teaching and research staff
- Privacy Notice for the processing of personal data of technical-administrative staff and CEL with an employment contract
- Privacy Notice for the processing of personal data for the purpose of verifying compliance with the vaccination obligation of teaching, research, and technical-administrative staff
- Privacy Notice for the processing of personal data during audio recording of meetings of the Academic Senate and the Board of Administration of the University for Foreigners of Perugia
- Privacy Notice for enrolled and graduate students, and for users intending to enroll in courses at the University for Foreigners of Perugia
- Privacy Notice for video surveillance systems installed at facilities of the University for Foreigners of Perugia
- Privacy Notice for the processing of personal data regarding the production of video, photographic, multimedia, journalistic, promotional, and informational materials
- Privacy Notice on the processing of non-primary information within the scope of IT services pursuant to the General Data Protection Regulation
- Privacy Notice on the processing of personal data of students with disabilities or SLD intending to access tutoring, assistance, and social inclusion services
- Privacy Notice on the processing of personal data for students enrolled and graduated from the University for Foreigners of Perugia who participate in the Erasmus+ mobility program
- Privacy Notice on the processing of personal data for registration to CVCL courses and exams
- Privacy Notice on the processing of data collected within the scope of initiatives promoted by the University for Foreigners of Perugia
- Privacy Notice for students participating in the 150-hour competition announcement
- Privacy Notice for candidates in recruitment procedures for teaching and research staff
- Privacy Notice for candidates for DILS-PG distance exams
- Privacy Notice on the processing of data provided via the online form for information about courses requested by the University
- Privacy Notice on the processing of personal data of institutional users of the University Library and Documentation System (SBDA)
- Privacy Notice on the processing of personal data of candidates for competitions and selection procedures for technical-administrative staff and language experts and collaborators
- Privacy Notice on the processing of personal data of members of competition or selection commissions relating to technical-administrative staff and CEL
- Privacy Notice on the processing of personal data of individuals reporting violations pursuant to Legislative Decree 24/2023 (Art. 13, EU Regulation 2016/679 - GDPR)
- Privacy Notice on the processing of personal data for access to a postgraduate course at the University for Foreigners of Perugia
- Privacy Notice on the processing of data provided via the University's online event registration forms
- Privacy Notice for users of the University Web Portal
Personal data may be processed by technical-administrative and teaching staff or by collaborators of the Data Controller who, operating under the direct authority of the latter, are authorized for processing or appointed as external data processors, receiving appropriate training and operational instructions for this purpose, in relation to the different activities required for their area of responsibility.
Personal data may also be communicated to other public administrations if these need to process the data for procedures within their own institutional competence. In some cases, the University makes use of external companies for the provision and management of specific services. These companies may come into knowledge of the personal data processed solely for the purposes of the requested service, and therefore will be qualified as external data processors, contractually bound to the Controller to ensure the processing of personal data in accordance with the procedures set forth by the GDPR.
Personal data may also be communicated to public authorities or private entities where educational, research, or internship activities related to the chosen course of study or professional activity may take place, as well as to judicial authorities upon their request.
Personal data for research and educational activities may be subject to international transfer to other universities and/or research institutions, or as part of international mobility projects. The safeguards provided by the Controller will comply with the requirements set out in Chapter V of the GDPR, the provisions of the Ministry of Education, University and Research (MIUR), or sector regulations.
Here are links to documents that may be of interest for further information on the processing of personal data:
Any breach of the security of IT systems or the processing of personal data that accidentally or unlawfully results in access to, destruction, loss, alteration, or unauthorized disclosure of personal data stored, transmitted, or otherwise processed by the University must be considered a personal data breach.
In the event of a suspected and/or confirmed personal data breach, it is extremely important to ensure that it is addressed immediately and correctly, to minimize the consequences of the breach and prevent recurrence. For example, in cases involving unauthorized access to email or restricted areas, one of the immediate measures to take is to change the password for accessing such services.
If a breach has occurred or you have knowledge of a suspected personal data breach, you must fill out a form to be sent to databreach@unistrapg.it as soon as possible, considering the following two scenarios:
- notification of credentials breach for university services: to be used if the breach consists of third-party awareness or improper use of access credentials to the University’s services
- personal data breach notification: for reporting any breach not included in the previous case
The use of the form is mandatory to ensure the University has immediate access to a set of information necessary to adequately assess the risk situation created.
Breaches can occur for a wide range of reasons, including:
- loss or theft of data or devices (laptops, smartphones, USB drives, etc.) on which they are stored or made accessible
- viruses, malware, or other attacks on your work computer, IT system, or the university network
- disclosure of confidential data to unauthorized persons (for example, in attachments accidentally sent to the wrong email recipient or accessed through a breached email account)
- loss or theft of paper documents containing confidential personal data
- unauthorized or otherwise unlawful access to IT systems, hacking
- workplace databases altered, rendered unusable, or destroyed without authorization
- breach of physical security measures intended to protect archives containing confidential information
- loss of security of university service access credentials, through phishing or third-party awareness
When this breach may pose a risk to the rights and freedoms of individuals, the Data Controller (the University) is required to notify the Garante authority no later than 72 hours from when it became aware of the breach. The University is also required to communicate the breach to the data subject in accordance with Article 34 of Regulation (EU) 679/2016.