Anyone who uses University services and tools or contributes to the implementation of institutional activities

Processing of personal data related to scientific research and to maximising the benefits of scientific research and/or of other cultural activities of the University

Processing for the purposes of devising strategies and priorities with regard to research, internationalisation and development cooperation with third parties, with a view to increasing opportunities in the field of science and technology

Purposes of processing personal dataSpecific processing purposes and methods

Personal data that do not fall within the special categories of data are processed for the purposes of devising strategies and priorities with regard to research, internationalisation and development cooperation with third parties, with a view to increasing opportunities in the field of science and technology. They are processed, for example, through the sharing and exchange of best practices within the partnerships, networks and associations to which the University belongs.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in:

  • art. 6, paragraph 1, letter e) (processing necessary for the performance of a task carried out in the public interest) of Regulation (EU) 2016/679;
  • art. 100 of Legislative Decree 196/2003, as amended;
  • Law 240/2010 "Provisions governing the organisation of universities, academic staff and recruitment, as well as the Government mandate to incentivise the quality and efficiency of the university system".

Recipients of personal dataRecipients

In addition to the recipients mentioned in the general privacy policy, the data may also be sent to:

  • the Executive Agency, public/private funding body (MIUR, Regions, EU, etc.) that announces a call for applications or bodies involved in the promotion of European programmes;
  • public or private parties with whom collaboration regarding research, internationalisation and development cooperation has been initiated.

Transfer abroad of personal dataTransfer of data outside of the EU and the conditions applicable to the transfer

In addition to the cases provided for in the general privacy policy, the personal data collected may be transferred to a country outside of the European Economic Area (EEA, namely the EU + Norway, Liechtenstein and Iceland) in cases in which the partner companies or organisations are resident outside of the EU. This transfer is provided for, in the absence of an adequacy decision pursuant to article 45, paragraph 3, or of adequate guarantees pursuant to article 46, when it is necessary for reasons of substantial public interest (art. 49, paragraph 1, letter d) of Regulation (EU) 2016/679) and/or in application of art. 100 of Legislative Decree 196/2003, as amended.

Data retention periodData retention period

All documents containing the personal data of teachers, researchers, research fellows, professional staff and collaborators that are necessary in order to have a record of important legal, organisational and economic events concerning anyone who works or has worked for the University are retained indefinitely. The retention period for the remaining data depends on the administrative documents in which they are contained and/or on the relative legal requirements (for example, ten years in order to comply with statutory tax and accounting requirements).

Processing of personal data in relation to technological transfer activities

Purposes of processing personal dataSpecific processing purposes and methods

Personal data and any special categories of data (that may relate to the patient in cases of biotechnological inventions) are processed in relation to the protection, promotion and valorisation of research results, as well as in relation to agreements for the transfer of the University's intellectual property rights.

With regard to data relating to patent applications, the author’s details (name, surname, and organisation to which he/she belongs) are made public following submission of said applications:

  • by the Authorities responsible;
  • on the University website.

The data may also be processed for monitoring, assessment and third mission purposes.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the above data processing is found in:

  • article 6, paragraph 1, letter b) (processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract) and letter e) (processing necessary for the performance of a task carried out in the public interest) and article 9, paragraph 2, letter a) (processing based on the consent of the data subject), letter g) (processing necessary for reasons of substantial public interest) and letter j) (processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes) of Regulation (EU) 2016/679;
  • articles 17, 23, 37, 54, 56, 151 of the intellectual property code (Legislative Decree no. 30 of 10 February 2005, as amended);
  • international agreements on patents and trademarks, in particular: the European Patent Convention of 5 October 1973 and the Act revising the EPC of 1991; the Patent Cooperation Treaty concluded in Washington on 19 June 1970 and last amended on 3 October 2001;
  • Legislative Decree no. 175 of 19 August 2016, Consolidated Act on public companies;
  • Ministerial Decree no. 168 of 10 August 2011, “Regulation on the definition of criteria for the investment by university professors and researchers in spin-off or start-up companies in implementation of the provisions of article 6, paragraph 9 of Law no. 240 of 30 December 2010”;
  • the Regulations of the Alma Mater Studiorum - University of Bologna concerning industrial and intellectual property R.D. 269/2014, as amended.

The provision of personal data is mandatory. Any refusal to provide the data will make it impossible to achieve the aforementioned purposes.

Recipients of personal dataRecipients

In addition to the recipients mentioned in the general privacy policy, the data may also be sent to:

  • public and private persons who are joint data controllers, licensors and licensees of the University’s intellectual property rights;                                                                                                     
  • government bodies responsible for the protection of intellectual property (for example: Wipo, Epo, Uibm);
  • investors;

collaborators and external organisations to which work is outsourced, appointed as Data Processors pursuant to art. 28 of Regulation (EU) 2016/679, that support the University in performing the activities relating to which the data is processed

Transfer abroad of personal dataTransfer of data outside of the EU and the conditions applicable to the transfer

If the above recipients operate outside of the European Union, the data may occasionally be transferred abroad:

  • based on an adequacy decision of the European Commission pursuant to art. 45 of Regulation (EU) 2016/679;
  • by adopting one of the safeguards indicated in art. 46 of Regulation (EU) 2016/679 (for example, the clauses adopted by the European Commission on the type of data protection);
  • in the absence of the above, by adopting the conditions referred to in art. 49 of Regulation (EU) 2016/679 (for example, where the transfer is necessary for the establishment, exercise or defence of legal claims).

Data retention periodData retention period

All documents containing personal data are kept indefinitely, also for historical and archival purposes. Data processed during the accreditation of spin-off and start-up companies are kept only for the period during which the relationship is active. 

Processing for the purpose of participating in an event in which promotional and information videos and multimedia materials may be produced

Purposes of processing personal dataSpecific processing purposes and methods

The aim of this document is to provide all the information necessary to take part in events run by Alma Mater Studiorum - University of Bologna for which information different to that specified below has not been provided. When registering for an event, if a different privacy policy pursuant to articles 13 and 14 of Regulation (EU) 2016/679 is provided, the data subject must refer exclusively to the content of the specific privacy policy provided at the registration stage.

More specifically, the personal data collected when participating in an event may be processed for the following purposes:

  1. to guarantee and manage participation in the event concerned. The data will be processed in order to register data subjects for the event, to contact them with regard to information strictly related the event and, where applicable, to monitor the University’s learning, project and/or research activities;
  2. to create informational and promotional multimedia materials and videos. The personal data, and in particular the data subject’s image, may be processed in order to create videos and multimedia materials to be used for informational and promotional purposes with a view to achieving the institutional goals pursued through the event.
    The images, videos and other multimedia materials will be stored in electronic and/or other formats using any type of technological support for the purposes and within the limitations defined above and may be disseminated in accordance with Law 150/2000 via institutional websites and social network channels (including but not limited to: Facebook, Twitter, YouTube). Use of the images does not give the right to receive any remuneration. All use of images that might prejudice the honour, reputation or dignity of the person shown, filmed or recorded is specifically excluded, regardless of the circumstances.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the processing referred to in point (1) is found in art. 6, paragraph 1, letter e) (processing carried out in the public interest) of Regulation (EU) 2016/679.

In the event that the data subject decides not to provide their data for the purposes and methods referred to in point (1), the University will not be able to guarantee and manage their participation in the event.

The legal basis for the processing referred to in point (2) is found in art. 6, paragraph 1, letter a) (processing based on the consent given by the data subject) of Regulation (EU) 2016/679.

Data subjects will be deemed to have given their consent to appearing in the videos and multimedia materials referred to in point “2” if they voluntarily go to an area where it has been indicated that photographic, video or audio recordings will be made (e.g. conference halls spaces at a conference, etc.) or if they decide to intervene or switch on their webcam during the recording session.  The spaces and any on-line sessions that may be recorded are clearly identified by a specific info-icon and/or are specifically notified during the event.

Recipients of personal dataRecipients

In addition to the potential recipients mentioned in the general privacy policy, the data may be processed by companies and foundations appointed as Data Processors to perform activities such as, for example, website maintenance, managing web spaces, taking photos and recording and editing videos.

Data pertaining to participants may also be processed by those funding the project or activity in relation to which the event was planned, solely for monitoring and reporting purposes.

Data retention periodData retention period

With regard to the purposes referred to in point (1), the data will be kept only for the time strictly necessary for the event to take place, except in cases where the data must be kept for longer in order to comply with legal requirements or with the retention periods established in, for example, calls for funded research proposals.

With regard to the purposes referred to in point (2), the data will be kept for the time strictly necessary to achieve said purposes and, unless otherwise indicated at the time of providing the data, for not more than five years.

Processing in relation to subscriptions to newsletters promoted by the University

Purposes of processing personal dataSpecific processing purposes and methods

This privacy policy is for those subscribing to newsletters and guarantees them the possibility of unsubscribing at any time. The newsletters have been created in order to achieve one or more of the following purposes contemplated in Law no. 150/2000, including:

  • illustrating the activities of the University and how it operates;
  • raising awareness of and facilitating access to services;raising awareness of topics of significant public and social interest;facilitating the internal simplification of procedures and administrative processes;

promoting the image of the University (and Italy) in Europe and the rest of the world, publicising and enhancing the visibility of important local, regional, national and international events.

The personal data are processed in order to register the data subject on a mailing list for the purposes of managing the University newsletters, also through specific organisational units. To this end, data subjects will automatically receive by email all communications pertaining to the topic or area of reference.

The newsletters may also be used to facilitate the sharing of administrative, teaching or research procedures and activities, and to maintain a dialogue with and between students, teachers, professional staff and, in general, all Italian and foreign citizens interested in the activities discussed in the newsletters.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the processing is found in art. 6, paragraph 1, letter e) (processing carried out in the public interest) of Regulation (EU) 2016/679.

If the data subject does not provide the data for the purposes and in the manner described above, said data subject will not be able to use the service related to the newsletter.

Recipients of personal dataRecipients

In addition to the potential recipients mentioned in the general privacy policy, the data may be processed by companies and foundations appointed as Data Processors to perform activities such as, for example, website maintenance and managing web spaces.

Data retention periodData retention period

With regard to the above purposes, the data will be kept only for the period during which the newsletter service is active.

Processing for the purpose of providing teaching, training and refresher courses

Purposes of processing personal data

Specific purposes and methods of the processing

Personal data, including data of a sensitive nature (e.g. when special measures have to be taken for persons with special needs or learning disabilities), is processed for the purpose of providing teaching, training and refresher courses.

In particular, data is processed:

  • to ensure enrolment in training courses;
  • through the management of registers of teaching activities, also for the purpose of reporting on the teaching activities carried out;
  • by means of quality assessments if questionnaires can be indirectly traced back to a data subject;
  • to issue course attendance certificates or certifications;
  • to ensure the monitoring and evaluation of teaching activities, as well as the analysis and improvement of teaching and research activities and services, and students’ right to higher education.

In the event of training activities being video-recorded, the Data Subject may consult the specific privacy notice provided on this page: "Processing for the purpose of participating in an event in which promotional and informative videos and multimedia materials may also be produced".

Legal basis

Legal basis of the processing and nature of the disclosure

The legal basis for the data processing is found in:

  • article 6, paragraph 1, letters c) (processing in order to comply with a legal obligation) and e) (processing carried out in the public interest) and article 9, paragraph 2, letter g) (processing for reasons of substantial public interest) of Regulation (EU) 2016/679;
  • the following source of law: Law no. 240 of 30/12/2010, "Provisions governing the organisation of universities, academic staff and recruitment, as well as the Government mandate to incentivise the quality and efficiency of the university system".

The provision of personal data is compulsory. Refusal to provide the data will make it impossible to perform the operations necessary for conducting teaching, training and refresher courses.

Recipients of personal data

Recipients

In addition to the recipients mentioned in the general privacy policy, the data may also be sent to:

  • public and private entities for the provision of training and refresher courses, within the framework of training courses provided between several partner Universities and with the aim of improving the usability and guaranteeing the quality and effectiveness of training throughout Italy;
  • Italian Ministry of Education, Universities and Research;
  • third parties appointed as Data Processors pursuant to art. 28 of Regulation (EU) 2016/679 to assist the University in managing its information systems and services;
  • third parties appointed as Data Processors pursuant to art. 28 of Regulation (EU) 2016/679, to whom specific services are outsourced to achieve specific purposes.

Transfer abroad of personal data

Transfer of data outside of the EU and the conditions applicable to the transfer

 In addition to the cases provided for in the general privacy policy, the personal data collected may be transferred to a country outside of the European Economic Area (EEA, namely the EU + Norway, Liechtenstein and Iceland) in cases in which bodies or Universities are involved which are based outside of the European Economic Area.

Data processing in relation to fundraising and community development activities

Purposes of processing personal data

Specific processing purposes and methods

The University processes the data of persons who are interested in the founding values of the University itself, in culture, higher education and research, and who are willing to make their contribution to promoting and enhancing the institution, which, in order to pursue its goals, requires additional funding sources, other than traditional ones (such as public funding, tuition fees or third-party funding).

These data can be processed for the following purposes:

  • Allow the data subject to join initiatives in support of scientific knowledge and information transfer and enhancement;
  • Join fundraising campaigns to support teaching, research and third mission activities;
  • Encourage gifts, including conditional gifts, bequests and wills (charitable donations);
  • Facilitate accounting and administrative management (e.g. to receive tax advantages after making a gift).

For the above-said purposes, the data can be processed:

  • Through communications to the addresses provided; 
  • By signing up for newsletters, only relevant to the matter in question;
  • By attending university community promotion and development events;
  • By means of software (e.g. CRM platforms) and web channels aiming to fulfil the purposes in question (information on the data subject’s access to and use of the University platforms).

For the above-said purposes, the name of the person who contributed through a donation could, based on donor’s consent, be published in the list of donors on institutional promotion and communication sites and materials related to the fundraising activities.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the processing of data in relation to the provision of the newsletter service is Article 6, paragraph 1, point (e) (processing carried out in the public interest) of Regulation (EU) 2016/679, for the fulfilment of the purposes of Law 150/2000, as better described in the Privacy Policy on “Processing in relation to subscriptions to newsletters promoted by the University”. In accordance with the Privacy Policy, the disclosure of personal data for this purpose is optional.

The legal basis for the processing of data in relation to the accounting and administrative management of gifts, bequests and wills is/are:

  • Article 6, paragraph 1, letters (b) (processing necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract), (c) (processing in order to comply with a legal obligation) and (e) (processing carried out in the public interest) of Regulation (EU) 2016/679;
  • The sources of law that entitle the University to avail itself of independent sources of funding, such as voluntary contributions, business income, annuities, asset returns and asset sale proceeds, donations, and contract and agreement fees (Article 7 of Law 168/1989).

The disclosure of personal data for the accounting and administrative management of gifts, bequests and wills is mandatory.

The legal basis for the processing of data for publication on institutional sites of the donors’ names is found in art. 6, paragraph 1, letter a) (processing based on the consent given by the data subject) of Regulation (EU) 2016/679. The consent to the processing for the purpose described above is optional.
The provision of personal data is optional. Refusal will result in the non-publication of the donor’s name on institutional sites.

Data retention periodData storage period

With regard to the above-said purposes, the data will be stored only for the period during which the service tasked with managing such initiatives is active.

Processing of personal data related to the use of specific digital tools and web services

Privacy and cookie policy applicable to users of the University Portal system websites

Cookies and other personal data tracking tools on the University Portal System websites

Processing for the purposes of identifying and verifying the digital identity of a person

Purposes of processing personal dataSpecific processing purposes and methods

Personal data and any special categories of data (for example, data that may be revealed by photographs) are processed in order to establish and verify the identity of staff, students, collaborators, and third parties working at the University.

To this end, the data may be processed:

  • for digital signing purposes, to allow signatories to electronically sign documents in the performance of their institutional duties (for example, in order to maintain digital records of exams and/or for other record-keeping purposes);
  • to assign usernames and passwords in order to allow access to the University network, the related network services and IT applications (including the creation of an electronic mailbox to be used of institutional communications). The data are also processed in order to ensure the proper management of authorisations, including from an IT perspective, through the digital identity of the data subject;
  • to assign a badge to each employee, collaborator, student and third party so that they can be identified within the University. This badge also enables: 
    • access to rooms;
    • the control of physical access to the structures and rooms of the University in order to protect its assets and improve security. It should be noted that, for this purpose, the badges are equipped with radio-frequency identification (RFID), which makes it possible to identify users through the University’s “CIP” (access control) system. The personal data used (name, surname, student registration number, affiliation/type of appointment, access and exit data) are recorded when the badge is passed over the reader.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in articles 6, paragraph 1, letter e) (processing carried out in the public interest) and 9, paragraph 2, letter g) (processing for reasons of substantial public interest) of Regulation (EU) 2016/679.

The provision of personal data is compulsory. Refusal to provide the data will make it impossible to perform the work and/or make use of the University services.

Recipients of personal dataRecipients

In addition to the recipients mentioned in the general privacy policy, the data may also be sent to third parties appointed as Data Processors pursuant to art. 28 of Regulation (EU) 2016/679, who may directly assist the University in activities that entail the processing of personal data (including: printing and issuing badges, issuing certificates signed electronically and/or for authentication purposes and/or to manage the University’s information systems and services relating to digital identity management).

Data retention periodData retention period

The data processed internally with regard to the assignment and expiry of digital signatures will be retained for the entire period during which the service is active and may be retained for longer periods for statistical analysis and/or service improvement purposes.

Retention periods for usernames and passwords are defined by the regulations or through decrees issued by senior management.

Once the badge is returned to the University, it is destroyed by the relative office.

Privacy policy applicable to users of ACNP - Italian Periodicals Catalogue

Privacy policy applicable to users of ACNP - Italian Periodicals Catalogue (in Italian)

Privacy Policy Data processing in relation to the provision of federated services

Purposes of processing personal dataSpecific processing purposes and methods

Federated service provision makes it possible for user who has received credentials from organization A to authenticate through them to another service provided by organization B.

In order to simplify and clarify the roles of the organisations involved, it should be taken into account that, usually, at least two organisations are involved:

  • Organisation A, the "Identity Provider", which confirms that the person in question matches its digital identity;
  • Organisation B, the "Service Provider", which provides a service which access is granted only if the Identity Provider confirms the existence of the identity in question and the user type is allowed to use this service.

Alma Mater Studiorum - University of Bologna acts both as an Identity Provider (using two different systems, Microsoft ADFS and Shibboleth) and as a Service Provider.

When the University acts as an Identity Provider:

  • it ensures the correct and secure assignment of usernames and passwords assigned to the users;
  • it verifies the correctness of the @unibo.it, @esterni.unibo.it and @studio.unibo.it credentials typed in by the user to access the services of the Service Provider;
  • depending on the service delivered by the Service Provider, the University provides the user data, consisting of a list of attributes; the list of attributes and the relative processing purposes are defined in the terms of the service or into the Service Provider web pages.

When a user wants to access a University of Bologna service, the University acts as a Service Provider: in such case, the organisation receives and uses the data issued by another Identity Provider (for example, SPID) after the successful authentication of the user.

In particular, with regard to the federated service named UNIBO Service Gateway, the University receives:

  • the email address (email);
  • the name (givenName);
  • the surname (sn);
  • the student's European identification code (schacPersonalUniqueCode);
  • the domain name of the organisation to which the student belongs (schacHomeOrganization);
  • the username (eduPersonPrincipalName);
  • the type of affiliation the user has with its organisation, completed by the domain name of the organisation (eduPersonScopedAffiliation);
  • an opaque user identifier (eduPersonTargetedID) which allows for the unequivocal identification of the same user when it access the service in future.

Some service logs are collected by the University Identity Provider and the UNIBO Service Gateway for their operations. For example, the Shibboleth Identity Provider collects:

  • IdP service log: user identification code, date and time of use, resource requested, attributes sent;
  • log of the services necessary for the functioning of the IdP service.

Information provided on the use of the data received depends on the type of service requested or the purposes of the processing carried out; further details of which are available on the web page www.unibo.it/privacy.

For technical support, please contact cesia-sso-support@unibo.it

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in articles 6, paragraph 1, letter e) (processing carried out in the public interest) and 9, paragraph 2, letter g) (processing for reasons of substantial public interest) of Regulation (EU) 2016/679.

Recipients of personal dataRecipients

In addition to the recipients mentioned in the general privacy policy and the Service Providers to whom the user intends to send their data, in order to confirm their identity, the data may be sent to third parties, appointed as Data Processors in accordance with art. 28 of Regulation (EU) 2016/679, in relation to the management of the University's services or IT systems.

Transfer abroad of personal dataTransfer of data outside of the EU and the conditions applicable to the transfer

In addition to the cases provided for in the general privacy policy, the personal data collected may be transferred abroad in the event that the user wishes to access a Service Provider in a country outside of the European Economic Area (EEA, namely the EU + Norway, Liechtenstein and Iceland).

Data retention periodData retention period

All personal data collected in order to provide the federated authentication services are kept for six months.
After user deactivation, all the personal data generated to facilitate the management of the federation services will be deleted.
Data collected for purposes other than the management of federation services shall be kept in accordance with the specific service privacy policies.

Processing of data aimed at improving the quality and accessibility of University website services

Purposes of processing personal dataSpecific processing purposes and methods

Personal data, including special categories of personal data
(which may reveal the state of health if disabled users are involved in verifying website accessibility) is processed in order to carry out surveys on users of services provided by the University Portal in order to obtain opinions and suggestions for improvement, also through interviews that could be recorded in audio-video format.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in articles 6, paragraph 1, letter e) (processing carried out in the public interest) and 9, paragraph 2, letter g) (processing for reasons of substantial public interest) of Regulation (EU) 2016/679.

Failure to provide the information for the purposes indicated above will mean that it is not possible to participate in events and initiatives aimed at improving the quality and accessibility of institutional services provided by the University.

Recipients of personal dataRecipients

In addition to the recipients mentioned in the general privacy policy, the data may be sent to third parties, appointed as Data Processors in accordance with art. 28 of Regulation (EU) 2016/679, in relation to the management of the University's services or IT systems.

Data retention periodData storage period

The information is deleted as soon as the statistical report has been prepared and anyway within a maximum of 6 months from the time of collection.

Purposes of the further processing personal data

Processing of personal data for the purposes of transparency (publicity and access), prevention, and fighting corruption and maladministration

Purposes of processing personal dataSpecific processing purposes and methods

In order to encourage data subjects to participate in administrative activities, as well as to promote widespread forms of monitoring the fulfilment of institutional duties and the use of public resources, it may be necessary to process some of the data subject’s personal data (e.g. personal details, career data, financial and income data, etc.) by publishing them on the University website in the “Transparent Administration” section.

The data in question may be originally collected for different purposes (for example, when assigning a specific institutional or professional position) and may be published in compliance with current regulation.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for such processing is to be found in the institutional tasks entrusted to the Alma Mater Studiorum – University of Bologna aimed at complying with legal provisions for the purposes of transparency (publicity and access), prevention, and fighting corruption and maladministration, in light of the regulatory framework set out below:

  • art. 6 of Regulation (EU) 2016/679, paragraph 1 (c) (processing for legal obligations) and (e) (processing for reasons of public interest);
  • Legislative Decree No. 165/2001 - General rules concerning the organisation of employment in public administrations;
  • Legislative Decree No. 33 of 14 March 2013 - Restructuring the rules governing the public administration’s obligations in relation to the publicity, transparency and dissemination of the information
  • Legislative Decree No. 97 of 25 May 2016 - Restructuring the rules governing the right of civic access and the public administration’s obligations in relation to the publicity, transparency and dissemination of the information;
  • Law No. 190 of 6 November 2012 - Provisions for the prevention and repression of corruption and illegality in the public administration;
  • Legislative Decree No. 39 of 8 April 2013 - Provisions on the preclusion from and incompatibility of positions in the public administration and publicly controlled private corporations;
  • Law No. 241 of 7 August 1990 - New regulations on administrative procedure;
  • Legislative Decree No. No. 50 of 18 April 2016 - Public contracts code.

The provision of data for the above-mentioned purposes is mandatory.

Recipients of personal dataRecipients

Data are processed by the Persons in charge of their transmission and publication identified in the Corruption Prevention Plan – Annex A), by the Head of Corruption Prevention and Transparency and disseminated on the University website by persons specifically authorised by the Alma Mater Studiorum – University of Bologna.

Data retention periodData retention period

If the data subject’s personal data are disclosed for the above-mentioned purposes, they will be published for five years starting from 1 January of the year following the year of publication.

The only exceptions are:

  • acts that continue to have effect at the end of the five-year period, which must remain published until they cease to have effect (e.g. information on political bodies and public administration managers, which is updated and may remain online beyond the five-year period, until their term of office ends or their position is vacated);
  • data concerning holders of political offices, managers and holders of positions, consultants and collaborators (such data shall remain published for three years after the position is vacated).

Once these deadlines have elapsed, a request for generalised civic access to the data may be submitted pursuant to art. 5 of Legislative Decree 33/2013.

Data processing in relation to the COVID-19 green pass

Purposes of processing personal dataSpecific processing purposes and methods

From 1 September 2021 to 31 December 2021, the date on which the state of emergency will come to an end, in order to protect public health and maintain adequate safety conditions in the provision of essential in-person teaching services, all academic staff of the national school and university system, as well as university students, will be required to possess and exhibit a COVID-19 green pass.

The personal data will be processed for the purposes of:

  • verifying, using specific tools, the authenticity, validity and integrity of the pass and confirming that it corresponds to the holder by requesting them to produce their identity document;
  • attesting to any unjustified absence and, as of the fifth day of absence, determining that the employment is suspended and/or suspending the relative payment/salary/fee;
  • checking the medical certificate of persons exempt from vaccination according to that provided for in the Ministerial Circulars.

It should be noted that the information used in order to issue the pass will not be seen by the University.

Legal basisLegal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in:

  • articles 6, paragraph 1, letter c) (processing necessary for compliance with a legal obligation) and 9, paragraph 2, letter g) (processing for reasons of substantial public interest) of Regulation (EU) 2016/679;
  • the following sources of law: Decree Law no. 52 of 22 April 2021, "Urgent measures for the gradual recovery of economic and social activities while respecting the need to contain the spread of the COVID-19 epidemic"; Prime Ministerial Decree 17 June 2021 "Provisions implementing article 9, paragraph 10 of Decree Law no. 52 of 22 April 2021".

The provision of personal data is compulsory. Refusal to provide the data will make it impossible to access the University areas where possession of said pass is required.

Recipients of personal dataRecipients

In addition to the recipients mentioned in the general privacy policy, the data may be processed by third parties, appointed by the Data Processors in accordance with art. 28 of Regulation (EU) 2016/679, in order to provide specific support with regard to verifying possession of the Covid-19 green pass.

Data retention periodData retention period

The data will be retained for the time necessary to verify possession of the Covid-19 green pass and to manage any employment relationship.

Data processing in relation to dispute proceedings conducted in and out of court

Purposes of processing personal data
Specific processing purposes and methods

Personal data, special categories of data and/or data related to criminal convictions or offences will be processed for the purposes of providing legal representation and advice, both in and out of court, in the interests of the University or to protect third parties.

Legal basis
Legal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in:

  • articles 6, paragraph 1, letters c) (processing in order to comply with a legal obligation) and e) (processing carried out in the public interest) and 9, paragraph 2, letter f) (processing necessary for the establishment, exercise or defence of legal claims), letter g) (processing for reasons of substantial public interest) of Regulation (EU) 2016/679;
  • the applicable regulatory provisions, also in relation to activities performed by lawyers employed by public bodies (art. 12 of Legislative Decree 165/01, Statute, art. 23 of Law 247/2012 "New regulatory framework governing the legal profession"; the Lawyers Code of Professional Conduct, published in the Official Gazette, General Series, no. 241 on 16 October 2014, the University Regulations, CCNL for professional staff).

The provision of personal data is compulsory. Refusal to provide the data will make it impossible to perform the operations necessary to provide legal representation and advice in and out of court.

Recipients of personal data
Recipients

In addition to the recipients mentioned in the general privacy policy, said data may be processed by the Attorney General's Office, by freelance lawyers, technical advisers, accountants and any other persons lawfully involved in the investigation and management of the dispute proceeding.

Transfer abroad of personal data
Transfer of data outside of the EU and the conditions applicable to the transfer

Occasionally, the data may be transferred outside of the European Economic Area, if necessary, in relation to a contract or legal action in court, administrative and/or out-of-court proceedings, for reasons of substantial public interest or if required in order to establish, exercise or defend a right in legal proceedings, in accordance with that defined in art. 49 of Regulation (EU) 2016/679.

Data processing in connection with handling data subject requests

Purposes of processing personal data
Specific processing purposes and methods

Personal data, including special categories of personal data (e.g. to receive support or information on the services provided to those suffering from certain health conditions), are processed to:

  • Give support and/or allow the data subject to use the services offered;
  • Ensure information sharing between offices, as well as with the public relations offices of the various administrations.

Furthermore, personal data may be processed, also in an aggregate form, in the framework of customer satisfaction surveys, in order to:

  • Assess user satisfaction with the services provided by the University, including by acquiring information to measure perceived quality;
  • Engage users in activities that can help defining new ways of providing services or actions to improve the existing ones, so that the University’s services match the expectations and needs of users;
  • Measure the quality of support services.

Finally, personal data could be processed as part of public consultations in order to enable active participation in the University's decision-making processes, through the acquisition of observations and comments from the university community.

Legal basis
Legal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in:

  • Article 6, paragraph 1, letters c) (processing in order to comply with a legal obligation) and e) (processing carried out in the public interest) and Article 9, paragraph 2, letter g) (processing for reasons of substantial public interest) of Regulation (EU) 2016/679;
  • The following sources of Italian law: Article 12 of Legislative Decree 29/1993 and Articles 6 and 8 of Law 150/2000 (governing the Public relations office); Law 241/1990 “New rules on administrative proceedings and right to access administrative documents”; Legislative Decree 286/1999 “Reorganisation and strengthening of monitoring and assessment procedures and tools for costs, performance and results of the activities carried out by public administrations, pursuant to Law 59 dated 15 March 1997”.

Recipients of personal data
Recipients

In addition to the recipients mentioned in the general privacy policy, data may also be sent to third parties, referred to as Processors in Article 28 of Regulation (EU) 2016/679, which cooperate directly with the University in performing certain institutional activities (e.g. foundations that provide user support services on behalf of the University).

Data retention period
Data retention period

All documents containing personal data that are necessary in order to have a record of important legal and economic events concerning the student are stored indefinitely. The storage period for the other data depends on that for the administrative documents in which they are contained and/or on retention obligations under the law (e.g. ten years for tax compliance and accounting purposes) or on the need to retain data for reasons of historical interest (in accordance with the principles of Italian Legislative Decree 42 dated 22 January 2004 “Cultural heritage and landscape code, pursuant to Article 10 of Law 137 dated 06 July 2002”).

Processing for the purpose of providing teaching, training and refresher courses

Processing data required to conduct the institutional activities of monocratic and collegiate bodies, academic offices, and other bodies operating in the University

Purposes of processing personal data
Specific processing purposes and methods

Personal data, special category data and/or any data relating to criminal convictions or offences are processed so as to enable the performance of the institutional activities of academic bodies and offices and of other bodies operating in the University (e.g. convening meetings, collecting and organising preparatory material, reporting and drafting resolutions, communicating and disseminating the results of resolutions and their formulation, monitoring and updating web information relating to the composition of University bodies).
Personal data is also processed to enable the sending of communications relating to institutional activities carried out as part of an office held (e.g. through the use of distribution lists).

Legal basis
Legal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in:

  • article 6, paragraph 1, letters c) (processing in order to comply with a legal obligation) and e) (processing carried out in the public interest) and article 9, paragraph 2, letter g) (processing special category data for reasons of substantial public interest) of Regulation (EU) 2016/679;
  • the following regulatory sources: Law n. 240/2010; Rector’s Decree no. 1203/2011 as amended (University Statute); Regulations governing the operation of the Bioethics Committee of the Alma Mater Studiorum -Università di Bologna (approved by the Academic Senate on 23 June 2009 and 26 January 2010 and by the Board of Governors on 14 July 2009 and 2 February 2010, and then amended by the Academic Senate on 21 February 2023 and by the Board of Directors on 28 February 2023); Recommendation of the European Commission 92/131 of 27 November 1991 (for the identification of the Confidential Counsellor).

The provision of data for the above-mentioned purposes is mandatory.

Recipients of personal data
Recipients

In addition to the recipients mentioned in the general privacy policy, the data may be sent to third parties, appointed as Data Processors in accordance with art. 28 of Regulation (EU) 2016/679, in relation to the use and management of online services and platforms functional to conducting the above institutional activities.

Data retention period
Data retention period

Personal data is retained for a period consistent with the requirements of the office held and of preserving the relevant deeds and documents. Personal data contained in minutes are retained indefinitely.

Processing of data during proceedings (election, selection, appointment) to appoint monocratic and collegiate bodies, academic offices, and other bodies operating in the University

Purposes of processing personal data
Specific processing purposes and methods

The personal data, data belonging to special categories and/or any data relating to criminal convictions or offences of voters and candidates for the appointment of monocratic and collegiate bodies, academic offices and other bodies operating at the University, may be processed as part of the election, selection and appointment procedures, for both initial appointment and renewal. Processing may concern:

  • the drafting of lists of candidates and voters;
  • the drafting of lists of candidates and/or electoral lists;
  • the verification of requirements for the position to be filled;
  • the setting up of polling stations;
  • the management of voting procedures;
  • the management of ranking lists, where provided for in the notice;
  • the identification of those elected, selected or deemed suitable;
  • the verification of any incompatibilities for the position to be filled;
  • the issue of all deeds of appointment and establishment of monocratic and collegiate bodies, academic offices, and other bodies operating in the University.

Voters' personal data may also be processed by candidates for the use of distribution lists as part of the election campaign.

Legal basis
Legal basis of the processing and nature of the provision of data

The legal basis for the data processing is found in:

  • Article 6, paragraph 1, letters (b) (processing necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract), (c) (processing in order to comply with a legal obligation) and (e) (processing for reasons of public interest) of Regulation (EU) 2016/679;
  • Article 9, paragraph 2, letters g) (processing of special data for reasons of substantial public interest) and j) (processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes) of Regulation (EU) 2016/679;
  • Article 2-sexies, para. 2, letter cc) (archiving in the public interest or for historical research, scientific research and for statistical purposes) of Leg. Dec. 196/2003, as amended;
  • in the following regulatory sources: Art. 33 of the Constitution; Art. 6 l. 168/1989 as amended; Legislative Decree no. 42 of 22 January 2004 "Code of Cultural and Landscape Heritage, pursuant to Article 10 of Law no. 137 of 6 July 2002"; the University Statute.

The provision of data for the above-mentioned purposes is mandatory.

Recipients of personal data
Recipients

In addition to the recipients mentioned in the general privacy policy, the data may also be sent to:

  • external members of selection committees (e.g. in the Selection Committee for the appointment of the Board of Governors);
  • third parties appointed as Data Processors pursuant to art. 28 of Regulation (EU) 2016/679 with reference to the use and management of information systems and services for electoral purposes.

Data retention period
Data retention period

Personal data relating to electoral procedures are retained for a period in accordance with electoral legislation. Personal data in the context of selection and appointment procedures are retained for a period consistent with the conduct of the relevant proceedings and the preservation of the relevant acts and documents.