Data Protection
The European University Institute takes inspiration for its action in the field of data protection from the general principles contained in the European Convention on Human Rights, the Charter of the Fundamental Rights of the Union and the relevant European Union legislation.
The internal regulation of the Institute (see President’s Decision N° 32 of 27 November 2008 on privacy) is drafted in accordance with the principles contained in the Convention establishing the EUI, signed on 19.4.1972, and with the Protocol on Privileges and Immunities annexed to it.
What follows is a summary of the main aspects related to data protection at the EUI.
Personal data are data related to an identified or identifiable individual. These do not include personal data which have been definitively rendered anonymous;
Data subject shall mean any natural or legal person, body, association that is the subject of the personal data;
Controller is a member of the staff of the Institute who is authorised to decide upon the implementation, purposes and protection of personal data processing, regardless of whether or not the processing operation is implemented by that person or delegated to an authorised third party or to any other person;
Processor is a member of the staff of the Institute who has responsibilities for data processing assigned by the Controller within one department/service/centre or programme;
Person in charge of processing is a member of the staff of the Institute who has been authorised by the Controller or one of the Processors to carry out processing operations;
Personal data filing system (‘filing system’) shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized or decentralized on a functional or geographical basis;
The data subject's consent shall mean any freely given specific and informed indication of the consent of the data subject to the treatment of his personal data;
The personal data held by the Institute consist of the following:
- Personal data provided by the data subject, collected for academic, administrative and accounting use, as well as for the fulfillment of contractual obligations;
- Data stored in the home directories of data subjects and in their mailboxes, limited to backup operations executed via automatic procedures and to restore operations performed on the data subject’s request;
- Data from telecommunication traffic such as Internet browsing, limited to the analysis of overall traffic in anonymous form in order to evaluate network performance and diagnose problems;
- Data concerning telephone calls, collected for billing and statistical evaluation of overall traffic, stored in anonymous form;
- Data concerning staff clocking, collected for administrative and accounting purposes;
- Images recorded by video surveillance systems, collected for the safety of people and buildings;
- Data collected through application procedures, stored and circulated among selection and advisory committees composed of internal and external members, as well as, if necessary, inside the Institute;
- Data collected for research purposes.
The Institute processes all data for institutional purposes only, in line with the general principles of the relevant European legislation.
The Institute does not store or process data for commercial purposes; mailing commercial advertising material or performing market research is therefore excluded in all cases not related to its mission.
The consent is considered implicit when the data subject provides data for administrative procedures established by the Institute, with the exception of the processing of special categories of data, as defined by the EU legislation, where the explicit consent of the data subject is required.
In case of denial of consent, the Institute reserves its right to refuse the request of the data subject.
For specific types of processing, it is not possible to abstain from data collection as these are gathered without the active involvement of the data subject, as in the case of video surveillance, or because these are an integral part of institutional activities.
Personal data are processed lawfully and fairly. Data are collected and recorded for specific, explicit and legitimate purposes.
Data processing is accurate and, where necessary, kept up to date; it is relevant, complete and not excessive in relation to the purposes for which data are collected.
Data are kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected.
Processors and those in charge of the processing can only access personal data within their own area of competence and for the execution of tasks assigned to them by the Controller.
Processors and those in charge of the processing are informed and instructed regarding the rules and methods for handling personal data in accordance with the rights to privacy of the persons concerned.
Personal data collected by the Institute for research purposes are processed according to the general principles of the present regulation and in any case only for the scientific objective for which they were collected.
Personal data collected for research purposes, which are not kept in anonymous form, may not be diffused beyond members of the research team.
The Institute assures the security of data, for both paper and electronic files. All staff involved are made aware of the security procedures they must follow when handling personal information. Data is protected from unauthorized access to prevent unlawful access to personal information.
While the Institute will take all reasonable precautions to make sure that other organizations with which it deals have good security practices, the Institute is not responsible for the privacy practices of those organizations whose websites may be linked to its own services.
Personal data can be transferred, for institutional purposes, to third parties linked to the Institute such as the European Commission, the Claims offices of the Sickness Insurance Scheme common to the institutions of the European Community (JSIS), Van Breda International, the Institute's medical advisers, consultants, the Institute's diagnostic laboratory.
Student application data is communicated to the Institute’s Member States upon request.
Communication and dissemination of personal data, such as those stored in the home directory of data subjects, emails and the logs of internet browsing, shall be prohibited except in the case where such data might be required by judicial authorities or by the Institute itself in the event of disciplinary action and then only after the person concerned has been duly notified.
Personal data collected for research purposes, which are not kept in anonymous form, may not be diffused beyond members of the research team.
Personal data is held permanently by the Personnel Service for all members of the administrative and teaching staff and by the Academic Service for researchers and fellows. Both services retain the data in the form of electronic databases or on paper.
For other kinds of data, the following retention periods are applied:
- Telecommunication logs are retained for 6 months;
- Data from telephone calls, either with or without billing, are retained for 24 months;
- Employee clocking data are retained for at least 14 months;
- Recorded images from video surveillance are retained for no more than 5 working days;
- Data deriving from any point on the access control system are retained for no more than 5 working days;
- Applications of unsuccessful candidates shall be retained for no more than 2 years.
The data subject has the right of access to his own personal data. The data subject can also ask that his own personal data be transcribed in a readable way, and can demand to be informed regarding the origin of his data.
The data subject can request that his personal data be updated, corrected, integrated, deleted, converted to an anonymous form or cease to be processed if the request is made in accordance with the regulation in force at the Institute.
If the data subject believes that there has been a breach in the principles of the Decision of the President No 32 of 27 November 2008, he can file a complaint with the Controller.
If the reply is not satisfactory, or it is not given within 60 Institute working days, the data subject can appeal to the Data Protection Committee established by the above-mentioned Decision.
The following e-mail address is designated to receive all requests: privacy@eui.eu
The Controller is nominated by the President of the Institute; the Processors are nominated by the Controller, normally from among the heads of the services, departments, centres and programmes where personal data is stored and managed in either electronic or paper format.
The list of Processors and staff members in charge of the processing is kept updated and will be sent to data subjects on request.
This Website per se does not use permanent cookies which contain Personal Data; however, there are some specific applications running under the www.eui.eu domain that may do so.
Some applications running from this Website use per session cookies that are deleted at the end of the session.
You should note that if a User sets up his/her browser to reject the cookie, he/she may still use the Website, although functionality may be impaired.
The Website’s web servers keep continuous logs of the requests they receive. These logs are used for analyzing Website usage.
Log files are kept to store messages exchanged via e-mail. They are used for troubleshooting of delivery and/or spam problems.
Logs include the Internet Protocol (IP) address of the client PC used. The Institute is only able to link log entries to individuals where it holds personal data that can be associated with log entries using the IP address or login name.
The Institute will only use this information to identify users in case of compulsory action when it is required to do so by law, or when the Institute suspects that there has been a breach of terms of use of electronic resources or IT services.