MyUnipd App and processing of personal data

The Data Controller, i.e. the body that determines how and why the data of the data subjects are processed, is the University of Padova, with campus in via VIII Febbraio n. 2, 35122, Padova (PEC address: amministrazione.centrale@pec.unipd.it).

At the University there is a Data Protection Officer, appointed pursuant to art. 37 of the EU Regulation, which can be contacted at the email address: privacy@unipd.it.

The University provides for the processing of personal data provided by the interested party during registration, pre-enrolment, enrolment and enrolment in courses of study, PhD, specialization, masters and any other advanced training or professional course activated at the University, also following the achievement of any final qualification.

The personal data that may be processed are:

• personal data (name, surname, date of birth, gender), contact, residence, career, participation in educational activities, qualifications held and income conditions;
• special data, relating only to the possibility of requesting compensatory tools in the exam room (functionality active only for students to whom they have been granted, on the basis of a declaration of temporary or permanent disability, without further information on the nature of the same being visible);
• browsing data (user ID and authentication information, IP address).

MyUnipd does not process data relating to:

• actions and interactions carried out on the app through the personal smartphone (content and services consulted, actions and selections carried out);
• smartphone model used, operating system version, and app version used;
• any interruptions or slowdowns in the service or connection, malfunctions or crashes of the system or some services.

In order to be able to identify the causes of any malfunctions, inefficiencies or errors of the app itself, the user may possibly provide personal and technical information for the resolution of the aforementioned problems.

The personal data of the data subjects are processed, on the basis of Art. 6(1)(e) of the GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller), for the following purposes:

University career management and service delivery. The MyUnipd app is an access interface to the reserved area of Uniweb, the information system that allows all members of the University of Padova to remotely access information on their course of study and to directly manage their university career.  The MyUnipd  app allows access to this information system after authentication, to consult the booklet and the study plan, enrolment in exams, refuse the grade, access the ESU canteen, borrow books in libraries, receive notifications from Uniweb, check the payment status of your university fees, the university credits accumulated and the average of your grades. The user's data is only displayed by the app through an interface adapted to the screen of the mobile device.

Management of access to the Uniweb reserved area. To access the Uniweb reserved area from MyUnipd, it is necessary to authenticate via university email and password. To avoid asking for credentials at each login or when its validity expires, the app stores authentication information on the mobile device, in a protected area. The session token is valid until you log out of the app or until it expires naturally (the session time to live is established by Uniweb). To delete the credentials stored on your smartphone, simply uninstall the app.

Collection and management of browsing data. The MyUnipd app acquires, during its normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols, such as IP addresses. These data are processed for the purpose of checking the correct functioning of the systems and services offered, as well as for reasons of security and protection of the rights of the Data Controller.

The personal data of the data subject are processed with the support of electronic means. The University shall take appropriate organisational and technical measures to protect and guarantee the confidentiality of the personal data in its possession, in particular against the loss, theft, as well as the unauthorised use, disclosure or modification of personal data.

Access to the MyUnipd app is through the institutional credentials provided by the University and protected by the centralized Single Sign On (SSO) access control system, which uses  Shibboleth technology. Users' credentials are not accessible, not even in encrypted form, by service providers and web and mobile applications, as the identification process always takes place within the University's authentication system, based on the Security Assertion Markup Language (SAML) protocol.

The University does not resort to automated decision-making processes relating to the rights of the data subject on the basis of personal data, including profiling, in compliance with the guarantees provided for by art. 22 of the EU Regulation.

Any processing of special data is carried out in compliance with the "Regulations for the processing of sensitive and judicial data of the University", which can be consulted on the page Regulations of general interest.

The processing of personal data for the purposes of managing the university career and providing services is essential for the establishment and management of the relationship between the data subject and the University, for the provision of services and for the fulfilment of the related legal obligations (execution of tasks of public interest entrusted to the University, as defined by law, the University Statute and internal regulations, pursuant to art. 6 (1) (e) GDPR. 

The processing of personal data for the purposes of collecting and managing navigation data is also essential for the provision of services and for the fulfilment of the related legal obligations (execution of tasks of public interest entrusted to the University, as defined by law, by the University Statute and by internal regulations, pursuant to art. 6, Section 1 (e) GDPR.

Failure to provide personal data relating to navigation will make it impossible to use the MyUnipd app.

Personal data will be processed by the staff of the University of Padova and by any collaborators appointed to evaluate the functioning of the application. They will not be disclosed to other third parties, nor will they be transferred to non-EU countries.

• data relating to the university career: personal data are stored for the entire period necessary for the performance of this purpose, in accordance with the provisions of current legislation and the University Regulations on the Scrap Ceiling with regard to the student's file.
• access data to the Uniweb reserved area from the App: the session token for access to Uniweb is valid until the student logs out of the app or until the natural expiry of the same.

• navigation data: electronic traffic data (IP addresses) are deleted or anonymised when they are no longer required for the transmission of the communication, unless otherwise provided for by law

The interested party may exercise the rights provided for in Articles 15 et seq. of the EU Regulation, such as the right of access, the right to rectification or integration of their data, the right to erasure (right to be forgotten) and restriction of processing and the right to data portability, under the conditions and within the limits indicated by the EU Regulation.

The request for erasure of personal data cannot be accepted to the extent that the processing is necessary for the fulfilment of a legal obligation, for the performance of institutional tasks, for the establishment, exercise or defence of a right in judicial campus and in any other case provided for by art. 17, paragraph 3 of the EU Regulation.

The interested party has the right to object at any time to the processing of his/her personal data, in accordance with the provisions of art. 21 EU Regulation.  The interested party may lodge  a complaint with the Guarantor for the protection of personal data.

To exercise his/her rights, the interested party may contact the University, by writing to the certified e-mail address amministrazione.centrale@pec.unipd.it or to the urp@unipd.it e-mail address. Alternatively, the interested party can write to: University of Padova, via VIII Febbraio n. 2, 35122 Padova.

The University is required to provide a response within one month of the request, extendable up to three months in case of particular complexity of the request.

Changes and additions to this policy are published in the privacy section of the corporate website at www.unipd.it/privacy.

In any case, the University undertakes to communicate directly to the data subjects, through its institutional channels, any changes in the purposes of the processing, the identity of the data controller and any other changes that may significantly affect the rights of the data subjects or their exercise.