1. Data controllers
Ulysseus partners are the controllers of individuals data. This means that Ulysseus European University alliance determines the purposes and means by which individual’s data is processed. Each Ulysseus member institution is a co-controller of personal data, contact details for each partner are:
UNIVERSITY OF SEVILLE, Calle San Fernando 4, CP 41004 Seville (Spain),
UNIVERSITA DEGLI STUDI DI GENOVA, established in VIA BALBI 5, GENOVA 16126, Italy. Cinzia Leone: email@example.com,
UNIVERSITE COTE D’AZUR, established in GRAND CHATEAU 28 AVENUE VALROSE, NICE 06100, France firstname.lastname@example.org,
TECHNICKA UNIVERZITA V KOSICIACH, established in LETNA 9, KOSICE 042 00, Slovakia. Radovan Hudak: email@example.com,
MCI MANAGEMENT CENTER INNSBRUCK INTERNATIONALE HOCHSCHULE GMBH, established in UNIVERSITATSSTRASSE 15, INNSBRUCK 6020, Austria. Siegfried Walch: firstname.lastname@example.org and,
HAAGA-HELIA AMMATTIKORKEAKOULU OY, established in RATAPIHANTIE 13, HELSINKI 00520, Finland. Kitte Marttinnen: email@example.com.
2. Data processor
Ulysseus Digital Platform is managed by the Ulysseus Digital Unit meaning that individuals personal data is processed by the Ulysseus Digital Unit for the purposes defined by the Ulysseus European University alliance. The exercise of individual’s rights description can be found in section 10.
3. Protection of personal data
The Parties ensure compliance with the European Regulation n°2016/769 on the protection of individuals regarding the processing of personal data known as General Data Protection Regulation “GDPR”. The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
The Parties define and implement technical, physical or logical security measures to protect individuals’ data from destruction, loss, alteration, unauthorized access, or disclosure of individuals data.
The Parties undertake to contractually impose security guarantees on its processors in particular technical measures to protect the data and the appropriate human resources.
4. Inclusion of personal data in ulysseus files
Ulysseus parties collection includes the one directly or indirectly obtain by the Ulysseus Digital Platform and to the data collected via the website “https://ulysseus.eu” its subdomains and aliases (ulysseus.eu, ulysseus.fr, ulysseus.es, ulysseus.it, ulysseus.at, ulysseus.sk and ulysseus.fi) and the Ulysseus mobile applications.
5. Purposes for and basis upon ulysseus uses individuals’ personal data
Ulysseus Digital Platform collects, stores and uses individuals’ data:
- To comply with a legal obligation to which Ulysseus is subject to
- To fulfil its public interest mission
- Based on individuals’ consent, explicitly requested before using the service, in a way that is accessible for people with impairments
- Based on contractual provisions
6. Origin of the data processed
Ulysseus is an alliance of university created in the scope of an Erasmus+ program which purpose is to become a fully integrated European University
As part of its work, Ulysseus Digital Platform collects individual’s data in several ways:
- Data provided by individuals
- In application of a legal provision
- In the process of individual’s registration
- By subscribing to a newsletter
- By contracting with Ulysseus
- By registering to a Ulysseus course
- By producing course content for Ulysseus
- By holding courses on behalf of Ulysseus
- By collaborating with other people within Ulysseus
- By establishing virtual social bonds through Ulysseus services
- By holding or participating to a Survey
The above can include First Name, Last Name, email, date of birth, student files, examination results, social profile, social interactions, document produced or reviewed, result of a survey.
- Data obtained from a third Party
- When individuals connect through Orcid
- Universities from the alliance will share list of participants with personal data to joint activities in the scope of Ulysseus European University alliance
- Scopus and WebOfScience APIs will be used to assist the completion of researcher’s social profile on Match4Cooperation application and to ease the data collection for Ulysseus Research Information System
- Public information from Ulysseus institution websites
- Public research publications sourced from open-science repositories
This can include emails, names, research public identifiers, research keywords, laboratory, research publications.
7. Time limit for storing personal data sharing of data
As stated in section 2 of the main agreement, the Parties will keep and store the data collected the time necessary for the purpose of processing and within the limits provided by the European legislation.
Personal data within the Ulysseus Digital Platform will be kept until the purpose for which it was collected has been fulfilled (end of a contractual relationship, last activity in the absence of a permanent contractual relationship, or in case of withdrawal of individual’s consent to the specific processing of the data).
Personal data is retained beyond this period only:
- if there are legal retention obligations
- For the establishment, exercise or defense of legal claims,
- if deletion is contrary to the legitimate interests of the data subjects;
- in the event of an exception pursuant to Art. 17, § 3 of the GDPR.
8. Sharing of data
The Parties ensure that data is only accessible to authorized internal recipient or authorized external Parties. Recipients of student’s personal data within Ulysseus are subject to a specific confidentiality obligation.
The Parties decide which recipients may have access to which data according to a defined authorization policy.
The Parties are not responsible for any damage of any kind that may result from an illicit access to personal data.
In particular, the personal data may be sent to:
- Universities that are part of Ulysseus
- People who operate the service
- People who administrate the service
- Other users of the service (social network)
Furthermore, personal data may be communicated to any authority legally entitled to know about it. In this case the Parties are not responsible for the conditions under which the staff of theses authorities’ access and use the data, according to section 3 (pg.6) of the main agreement.
9. Data transfers outside the European Union
The Parties reserve the right to choose whether to have data transfers outside the European Union or not. In case of a such transfer, the Parties will inform the data subjects.
The provisions relating to data transfers outside the European Union are enforceable against the Parties, except in the cases provided for in the article 49 of the GDPR.
Therefore, it is agreed that the transfers referred below are necessary for the conclusion of a contract concluded in the interest of data subject between the controller and a third Party.
Using the “Log in with Orcid” function will share with Orcid NPO the information of individuals connection through their service.
Using Microsoft 365 services (Sharepoint, Teams, etc.), individuals personal information might be transferred to the USA due to the Privacy Shield.
Navigation on the website is tracked with Google Analytics. Thus, the anonymized data about individuals’ navigation is transmitted to Google and stored in the USA on their servers.
10. What are individualidual’s rights and how can individuals exercise them?
Under the GDPR Regulation, individuals have the rights set out in articles 12 to 21 of the GDPR Regulation.
Individuals may at any time exercise its right of access to their personal information to complete, modify, rectify or delete it or to object to its processing in accordance with applicable data protection laws. For exercising individuals’ rights according to the Digital Platform data collection, the following should be follow:
A request must be sent with an identification form, either passport or any other form of identification:
- By post: Ulysseus European University, Grand Chateau, 28 avenue de Valrose, 06104 NICE
- By email: firstname.lastname@example.org
To ensure the individuals data fully respect, a proof of individuals identity is required in order to avoid possible filtrations to a third Party.
For services available through a connection to Geant Network and in particular EduGAIN, we’re complying with Geant data protection code of conduct.