Privacy Policy (ENG)

INFORMATION IN ACCORDANCE WITH ARTICLE 13 OF EU REGULATION 2016/679 (GDPR) FOR THE PROCESSING OF DATA COLLECTED THROUGH WEB BROWSING

1. Parties concerned by data processing 

The Data Controller is the University of Parma, with registered office in via Università 12, 43121 Parma, Italy:

Tel.+39 0521 902111 
Email: protocollo@unipr.it
PEC: protocollo@pec.unipr.it

The Data Protection Officer can be contacted at the following addresses:

Email: dpo@unipr.it
PEC: dpo@pec.unipr.it

 

2. Purpose of data processing

The data collected are used exclusively within the University's institutional activities and for the following purposes:

  • to enable navigation of the elly.didattica and elly.formazione platforms;
  • to provide the user with the information and services related to digital and distance learning services;
  • to verify the proper functioning of the platforms, carry out monitoring activities for security purposes and identify actions aimed at improving the platforms (for navigation data);
  • fulfilling legal obligations, complying with orders from public authorities, ascertaining possible liability in the event of hypothetical computer crimes against the site or its users.

3. Types of data processed 

The IT systems and application procedures used to operate the Elly platforms acquire during their normal operation the following types of data, in automated form:

  • Personal data: name, surname, tax code, address;
  • Contact data: email address, telephone number;
  • Service log records: user identification, date and time of use, data collected during the visit to the website, transmitted implicitly with the use of Internet communication protocols or in the use of third-party technologies and/or web resources. (For example, the IP address of the device connected to the platforms (suitably anonymised during acquisition), date and time of visit, etc.).
  • Service log records necessary for the operation of the service;
  • data collected through cookies while users are browsing the site. The information and associated management preferences on cookies can be consulted in paragraph 12 - USE OF COOKIES.

The optional, explicit and voluntary sending of e-mail messages to the addresses indicated on this service entails the subsequent acquisition of the sender's address, which is necessary in order to reply to requests, as well as any other personal data included in the request.

The optional, explicit and voluntary registration through special web forms on Elly platforms entails the subsequent acquisition of all the data contained in the fields filled in by the user, and the processing is carried out exclusively to provide the requested service.

 

4. Legal bases of data processing

The legal bases of the processing can be identified as follows:

  • performance of tasks of public interest,
  • legitimate interest;
  • processing of data useful for the prevention and suppression of fraud and any illegal activity;
  • processing necessary for the performance of a contract where the data subject is one of the parties;
  • consent by the interested party as per Section 6(1) GDPR.

The provision of data and thus consent to the collection and processing of data is optional. The user may withhold consent and may revoke consent already given at any time. However, denying consent may result in the inability to provide certain services and degrade the browsing experience on the web portal.

 

5. Treatment modalities

The personal data collected are processed in compliance with the principles of lawfulness, fairness and transparency, indicated in Art. 5 GDPR, including with the aid of computer and telematic tools suitable for storing and managing the data, and, in any case, ensuring their security and protect the utmost confidentiality of the data subject.

The processing of data on the Elly platforms is also carried out by Amazon Web Services (AWS) in its capacity as Data Processor as per Article 28 of the GDPR, are limited to the purposes described in Section 3, and are carried out ensuring adequate security of personal data, including protection from unauthorized or unlawful processing and from accidental loss, destruction or damage, by means of appropriate technical and organizational.

 

6. Categories of persons authorized to process and to whom the data may be communicated

The personal data of users will be known and processed, in compliance with current legislation on the subject, by employees and collaborators of the University (identified as Authorized Persons for Processing) assigned to the management of the portal and involved in the provision of services associated with it. The data may be communicated exclusively:

  • to the structures of the University requesting it, for the University’s institutional purposes or in compliance with legislative obligations;
  • to non-economic public entities or consortia participated by the University (e.g. MIUR) when the communication is necessary for the performance of institutional functions of the requesting entity;
  • to any external parties, identified as Data Processors ex art. 28 RGPD, whose updated list is always available to the Data Controller;
  • to Public Security Authorities or other public entities for purposes of defense, state security and detection of crimes, or to the Judicial Authority in compliance with legal obligations, where criminal offenses are identified.

Outside of the above cases, personal data are not in any way and for any reason communicated or divulged to third parties. Finally, personal data will not be transferred to third countries or international organizations unless this is strictly related to specific requests coming from the user, for which special consent will be acquired

 

7. Data retention

In relation to the different goals and the purposes for which they were collected, the data will be kept for the time stipulated by the relevant legislation or for the time strictly necessary for the pursuit of the purposes.

 

8. Rights of data subjects

Data subjects have the right to obtain from the University of Parma, in the cases provided for, access to their personal data and the rectification or cancellation thereof or the restriction of the processing concerning them or to object to the processing (Articles 15 et seq. of the Regulations).
The application is made by contacting the Data Protection Officer at the addresses listed in Article 1 of this document. More information can be found on the Regolamento).

 

9. Right to complain

The interested parties who believe that the processing of personal data relating to them carried out through this site is in violation of the Regolamento, have the right to lodge a complaint with the Data Protection Authority, as per Article 77 of the Regolamento, or to take appropriate legal action (Article 79 of the Regolamento).

 

10. Changes to information

This information may change over time. Hence, it is advisable to check that the version referred to is current by accessing the Privacy section of the web portal.

 

11. List of sites referred to by the note 

This policy applies to the following sites:

Group A (Elly platforms hosted on Unipr servers)

Year 2015: elly.dicatea, elly.ingind, elly.dii, elly.alef, elly.lass, elly.giurisprudenza, elly.medicina, elly.farmacia, elly.foodscience, elly.bioscienze, elly.chimica, elly.difest, elly.dmi, elly.veterinaria, elly.economia, elly.master

Year 2016: elly.dicatea, elly.ingind, elly.dii, elly.alef, elly.lass, elly.giurisprudenza, elly.medicina, elly.farmacia, elly.foodscience, elly.bioscienze, elly.chimica, elly.difest, elly.dmi, elly.veterinaria, elly.economia, elly.master, elly.sicurezza

Year 2017 e 2018: elly.dicatea, elly.ingind, elly.dii, elly.alef, elly.lass, elly.giurisprudenza, elly.medicina, elly.farmacia, elly.foodscience, elly.bioscienze, elly.chimica, elly.difest, elly.dmi, elly.veterinaria, elly.economia, elly.master, elly.sicurezza

Year 2019: elly.dia, elly.dusic, elly.gspi, elly.medicina, elly.saf, elly.scvsa, elly.smfi, elly.veterinaria, elly.sea, elly.cla, elly.biblioteche, elly.postlaurea, elly.sicurezza, elly.vpi, elly.organi, elly.corsiformazione

Year 2020: elly.dia, elly.dusic, elly.gspi, elly.medicina, elly.saf, elly.scvsa, elly.smfi, elly.veterinaria, elly.sea, elly.cla, elly.biblioteche, elly.postlaurea, elly.sicurezza, elly.vpi, elly.foundationyear, elly.scuola, elly.foodproject, elly.corsiformazione

Year 2021: elly.dia, elly.dusic, elly.gspi, elly.medicina, elly.saf, elly.scvsa, elly.smfi, elly.veterinaria, elly.sea, elly.cla, elly.biblioteche, elly.postlaurea, elly.sicurezza, elly.vpi, elly.foundationyear, elly.scuola, elly.foodproject, elly.corsiformazione

Year 2022: elly.dia, elly.dusic, elly.gspi, elly.medicina, elly.saf, elly.scvsa, elly.smfi, elly.veterinaria, elly.sea, elly.cla, elly.biblioteche, elly.postlaurea, elly.sicurezza, elly.vpi, elly.foundationyear, elly.scuola, elly.foodproject, elly.corsiformazione

Group B (Elly platforms hosted on AWS servers )

Year 2023: elly.dia, elly.dusic, elly.gspi, elly.medicina, elly.saf, elly.scvsa, elly.smfi, elly.veterinaria, elly.sea, elly.cla, elly.biblioteche, elly.postlaurea, elly.sicurezza, elly.vpi, elly.foundationyear, elly.scuola, elly.foodproject, elly.corsiformazione

Year 2024: elly.didattica, elly.formazione

 

12. Use of Cookies 

Cookies are small text files sent by a site to the user's browser to be stored and retransmitted to the same site on the user’s next visit. Through cookies it is possible to collect information about the user who is visiting a website (e.g. date, time, pages visited, time spent on the site ...). Some information may fall under the definition of personal data and therefore subject to specific legal regulations.

On Elly platforms, both HTML Local Storage of the user browser and cookies are used for the purpose of tracking and indexing sessions created with SPs. In particular, Shibboleth IdP uses the ClientPersistentStorageService to manage session information via HTML Local Storage and cookies. Some of the techniques used to ensure that the session information managed by Shibboleth IdP is protected against various types of attacks and unauthorised access are as follows:

  • Encryption: session information stored in cookies and local storage is encrypted to prevent unauthorised access. This ensures that even if an attacker manages to obtain this data, he cannot read it without the decryption key.
  • Data integrity: A digital signature is used to guarantee the integrity of the stored data. This means that any unauthorised changes to the data will be detected, preventing the use of altered session data.
  • Expiry Policy: Cookies and data in Local Storage have a limited lifetime. This reduces the risk of session information being misused if a device is compromised.
  • Domain isolation: Session information is bound to specific domains, which prevents unauthorised websites from accessing the stored data.
  • Protection against XSS attacks: Shibboleth implements measures to prevent Cross-Site Scripting (XSS) attacks, which could be used to steal session information. This includes validation and sanitisation of user input.