Privacy

Protection of personal data

As of May 25, 2018, the "General Data Protection Regulation" (EU Regulation of April 27, 2016, No. 659) or GDPR has become directly applicable. The Italian Legislature, through Legislative Decree No. 101 of October 10, 2018, has adapted the provisions contained in the "Privacy Code" (Legislative Decree No. 196 of June 30, 2003) to the GDPR.

The data subject is the individual to whom the personal data refers, meaning any information concerning an identified or identifiable natural person, particularly an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity.

The University of Sassari undertakes to process the personal data of the data subject in compliance with the regulations, ensuring that they are:

  • processed lawfully, fairly, and transparently;
  • collected for specified, explicit, and legitimate purposes;
  • adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, if necessary, kept up to date;
  • kept in a form that allows identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

Privacy organization in the university

Through Rectoral Decree Rep. 2019/921 Prot. No. 27064 of March 12, 2019, the University of Sassari updated its internal organization regarding the management and protection of personal data in line with EU Regulation 2016/679 and related legislation.

For this purpose, the Data Controller has identified Delegates to whom specific tasks are assigned:

  • The Manager Responsible for University Information Systems/Digital Transition Manager for the processing of data in electronic format across all computer/information systems.
  • Department Heads and Coordinators, each for activities and data processed within their respective areas of competence.
  • Department Directors and top figures within administrative offices.
  • Directors of Research Doctorate Schools.
  • Directors of Specialization Schools.
  • Directors of Master's Programs.
  • Presidents of Liaison Structures.
  • Presidents of Degree Courses, Special Order Courses, Advanced Courses, and Continuing Education Courses, each for data processed within their respective fields of competence.

Identity and contact details of the data controller and DPO

In accordance with Article 4 of the GDPR, the DATA CONTROLLER is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

DATA CONTROLLER
The data controller ("data controller") is the University of Sassari, represented by the Acting Rector, (Prof. Gavino Mariotti), who can be contacted at the following address:
University of Sassari, Piazza Università, 21 – 07100 Sassari
PEC: protocollo@pec.uniss.it Regular Email: rettore@uniss.it

DATA PROTECTION OFFICER
The university has appointed the Data Protection Officer (DPO), Mr. P. Leoni, as the individual responsible for information, consultancy, and oversight functions concerning GDPR compliance, as well as cooperation and point of contact with the Supervisory Authority (Privacy Guarantor), whose contact details are:
PEC: protocollo@pec.uniss.it Regular Email: dpo@uniss.it

Purposes and legal basis of processing

"The University is a public institution, endowed with legal personality and autonomy in both public and private law, pursuant to Article 33 of the Constitution," and "is the primary seat of free research and teaching, a place for critical elaboration of knowledge and dissemination of scientific knowledge" (Articles 1 and 2 of the Statute of the University of Sassari).

The University of Sassari, within the scope of its institutional activities in teaching, scientific research, and third mission, carries out processing of personal data primarily related to the following categories of data subjects:

  • STUDENTS (e.g., for orientation purposes and management of academic careers from enrollment to graduation)
  • EMPLOYEES AND/OR COLLABORATORS (e.g., for the management of employment relationships), in addition to cross-cutting processing involving multiple categories of data subjects or other parties who come into contact with the university (e.g., suppliers, library users).

The legal basis for the processing, depending on the circumstances, may be:

  • the need to perform "a task carried out in the public interest or in the exercise of official authority vested in the controller" (Article 6.1e GDPR);
    the need to "comply with a legal obligation to which the controller is subject" (Article 6.1c GDPR);
  • the need to "perform a contract to which the data subject is party or to take pre-contractual measures at the data subject's request" (Article 6.1b GDPR);
    the need to pursue the "legitimate interests pursued by the controller or by a third party" (Article 6.1f GDPR);
  • the express consent of the data subject "to the processing of personal data concerning him or her for one or more specific purposes" (Article 6.1a GDPR).

Specific information, in accordance with Articles 12, 13, and 14 of the GDPR, provides the data subject with details regarding:

  • the contact details of the data controller and the data protection officer;
  • the purposes of the processing;
  • the categories of data processed;
  • the legal basis for the processing;
  • the nature of the data provision;
  • the source of the data;
  • the methods of processing;
  • the categories of recipients of the data;
  • the retention period of the data; and
  • the rights of the data subjects.

Rights of the data subject

The data subject, by contacting the Data Controller or the Data Protection Officer at the provided references, has the right to exercise:

  • the right to access their personal data (Article 15 GDPR);
  • the right to rectify inaccurate personal data and to have incomplete personal data completed (Article 16);
  • the right to erasure/right to be forgotten (except for data contained in documents that must be retained by the University and unless there is an overriding legitimate reason for processing) (Article 17);
  • the right to restriction of processing in cases provided by law (Article 18);
  • the right to data portability (in cases provided by law) (Article 20);
  • the right to object (Article 21).

FOR PROCESSING BASED ON CONSENT, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).