Data controller
Data Controller is IUSS Pavia School, represented by the Rector, Prof. Riccardo Pietrabissa.
Contact informations: head office Piazza della Vittoria n.15, 27100 Pavia, IT.
Data protection officer (DPO)
Data Protection Officer is Dr. Nadia Pazzi.
Contact informations: head office Piazza della Vittoria n.15, 27100 Pavia, IT.
Phone number: 0382 375876 – 0382 375862
Email: dpo@iusspavia.it - Pec: diram@pec-iusspavia.it
Information on the processing of personal data
Information concerning the individual processing of personal data carried out by IUSS School is provided to the interested parties before the start of the activities and contains all the necessary information to assess the impact and extent of the processing on the rights of the interested parties.
Underage people, before communicating data to the IUSS School, are kindly requested to carefully read the information together with their parents or guardians. Consent to the processing in these cases must be signed by the parents or guardian.
Principles
Data processing is governed by the principles laid down in the legislation on the protection of personal data, with particular regard to the lawfulness, correctness and transparency of processing, the use of data for specified, explicit, legitimate purposes, in a manner relevant to the processing, respecting the principles of data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Purposes of data processing
The data are processed by IUSS School, as Data Controller, for the performance of its institutional tasks of public interest or in any case connected to the exercise of its powers, including the fulfilments required by law for the management of the teaching/administrative/employment relationship between the School, students, collaborators and employees.
Storage
The period of retention of personal data complies with the principle of necessity of processing. The retention periods for personal data generally depend on the laws and the retention periods of the documents containing them. Data will be retained in accordance with the regulations on the retention of administrative documents.
Categories of persons to whom the data may be communicated or who may become aware of the data in their capacity as Data Processors or Persons in Charge of Processing
Users' personal data may be disclosed to and processed, in compliance with the relevant regulations in force, by staff and collaborators of the competent offices of the School, authorised and adequately instructed by the Data Controller, or by service providers expressly appointed as external data processors (pursuant to art. 28 of the GDPR) to whom the School entrusts technical-administrative management services in outsourcing. Personal data may be communicated in cases provided for by EU provisions, laws or regulations.
This is without prejudice to the observance by IUSS School of the current regulations on transparency and the compulsory publication of data and documents.
Internal organisational structure
IUSS School has adopted an organisational structure aimed at ensuring effective data management and a process of compliance with the regulations with the collaboration of the entire academic community. This organisation is based on empowering staff according to their role.
The interested parties have the right to ask the Data Controller for access personal data aand the rectification or erasure thereof or the restriction of processing concerning them or to object to processing (Articles 15 et seq. of EU Regulation 2016/679). The appropriate request should be presented to the Data Controllerwriting to Scuola Universitaria Superiore IUSS - Piazza della Vittoria n.15, 27100 Pavia, IT and also via PEC at diram@pec-iusspavia.it. The application may also be submitted through the DPO.
Data subjects, if the conditions are met, also have the right to lodge a complaint with the Guarantor in accordance with the procedures provided for in Article 77 of EU Regulation 679/2016, or to act pursuant to Article 79 of the Regulation.
A data breach consists of a security breach that accidentally or unlawfully results in the destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processe (Art. 4, par. 1, pt. 12 EU Regulation 679/2016 GDPR).
Information regarding the event must be communicated as soon as possible.
All persons who in any capacity process personal data within the School's competence are required to report a personal data breach of which they have become aware. The report must be made within a maximum of 48 hours of the breach.
How to report a data breach:
- Teaching and research staff, administrative staff, research fellow: by means of a special “Data breach notification” form within the School's DPM software which allows this procedure to be dematerialised;
- Students, PHD Students, external people: using the attached form. The form must be sent by pec to diram@pec-iusspavia.it.
When research staff working in the context of scientific studies carried out by the School process personal data for statistical or scientific purposes, they must guarantee the necessary standards of data security and protection and follow certain rules, including: compliance with Community and international regulations on the processing of personal data for statistical and scientific purposes and observance of the Code of Ethics and Good Conduct for the Processing of Personal Data for Statistical and Scientific Purposes (Garante Order No. 2 of 16 June 2004, Official Gazette No. 190 of 14 August 2004).
Before starting research projects, it is useful, in order to comply with the relevant requirements, for the scientific managers of the projects to fill in the Research Project Analysis Form prepared following the instructions of the CODAU working group. You can find the form attached.
More information is available by accessing the Myportal reserved area.