Personal Data Protection Policy of the University of Nova Gorica

The purpose of this Personal Data Protection Policy shall be to inform students, employees, co-workers and other persons (hereinafter referred to as “the individual/individuals”) working with the University of Nova Gorica (hereinafter referred to as “the UNG”) of the purposes, legal bases, security measures and rights of individuals with regard to the processing of their personal data carried out by the UNG.

Because we value your privacy, we always carefully protect your data.

We process personal data in accordance with the relevant European legislation (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “the GDPR”), the applicable Slovenian legislation on the protection of personal data and other legislation that provides us with a legal basis for processing personal data.

This Personal Data Protection Policy contains information on how the UNG as a controller processes personal data that it receives from the individual on lawful legal bases.

1) Controller

The controller of personal data is the University of Nova Gorica:

University of Nova Gorica
Vipavska cesta 13, 5000 Nova Gorica
info@ung.si
+386 (0)5 620 5820

2) Data Protection Officer

Pursuant to Article 37 of the GDPR, we have appointed the following person as the data protection officer:

Nino Cotič
Human Resources Officer
Email: dpo@ung.si
Tel: +386 (0)5 62 05 817

3) Personal data

“Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4) Purposes of and bases for processing data

The UNG shall collect and process your personal data on the following legal bases:

  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4.1) Compliance with a legal obligation

Based on legal provisions, the UNG may process certain personal data of individuals involved with the UNG. The legal basis for the processing of their personal data may be the following: Higher Education Act, Scientific Research and Innovation Activities Act, Labour and Social Security Registers Act, Employment Relationships Act and other legislation that more precisely defines the processing of personal data. Based on its legal obligation, the UNG processes mainly the following categories of personal data: name, gender, date of birth, personal identity number, place, municipality and country of birth, nationality, place of residence, overall educational achievement, completed requirements, etc., as prescribed by the legislation. In limited cases, the UNG may also process data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

All applicable education-related regulations can be found at the following webpage of the competent ministry:

https://www.gov.si/drzavni-organi/ministrstva/ministrstvo-za-visoko-solstvo-znanost-in-inovacije/zakonodaja/.

4.2) Performance of a contract

If the individual enters into a contract with the UNG, the contract shall represent a legal basis for processing the personal data of that individual. We may process personal data for entering into and performing the contract, such as intent to enrol or enrolment in the UNG or for Erasmus+, a lease contract, an agreement on carrying out practical training of UNG students, a scholarship contract, work contracts, or copyright contracts and other civil law contracts.

If the individual fails to provide the personal data, the UNG will not be able to enter the contract and will not be able to provide the requested service, as it will not have the data necessary for its provision. Based on carrying out a legitimate activity, the UNG shall use the e-addresses of individuals and users of its services to notify them of its services, events, education courses, offers and other content. Individuals may at any time opt out of such communication and processing of their personal data and unsubscribe from emails by using the unsubscribe link in the received email or by sending a request by email to dpo@ung.si or by post to University of Nova Gorica, Vipavska cesta 13, 5000 Nova Gorica.

4.3) Legitimate interests

Relying on a legitimate interest as a legal basis for processing personal data by public authorities in carrying out their tasks is limited. Nevertheless, the UNG may, to a limited extent, process personal data also based on a legitimate interest pursued by the UNG. That shall not be allowed where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. When relying on the legitimate interest, the UNG shall always carry out an assessment in accordance with the GDPR.

We may occasionally notify individuals of services, events, education courses, offers and other content by email, phone or post. Individuals may at any time opt out of such communication and processing of their personal data and unsubscribe from emails by using the unsubscribe link in the received email or by sending a request by email to dpo@ung.si or by post to University of Nova Gorica, Vipavska cesta 13, 5000 Nova Gorica.

4.4) Processing based on consent

If the UNG does not have a legal basis established by law, carrying out a public task, performing a contractual obligation or a legitimate interest, it may ask individuals for consent. In that way it may also process certain personal data of individuals for other purposes when individuals give their consent:

  • use of student’s data (their name, date of birth, enrolment number, address, email address, the UNG’s email address and the faculty in which the student is enrolled) to register them with the UNG library free of charge;
  • use of student’s data (their name, email address, the UNG’s email address, mobile phone number, study programme) for the Careers Centre and Alumni Club activities for career and study consulting and Alumni Club membership;
  • use of student’s data (their name, email address, the UNG’s email address, mobile phone number, study programme) for activities of the International Office and administrating student enrolment for the purposes of informing students and sending them requests for participation in the UNG activities;
  • use of photographs, videos and other content relating to individuals (e.g. publication of their pictures on the UNG’s webpage) for the purposes of documenting activities and informing the public of the UNG’s work and events;
  • for other purposes to which individuals consent.

If the individual consents to the processing of their personal data and afterwards changes their mind, they may withdraw their consent by sending a request by email to dpo@ung.si or by post to University of Nova Gorica, Vipavska cesta 13, 5000 Nova Gorica. Withdrawal of consent shall not affect the legality of any processing carried out before consent is withdrawn.

4.5) Video surveillance

The University operates a video surveillance system. By means of video surveillance (cameras are placed in the areas surrounding entrances to the University) we monitor entry into and exits from premises (pursuant to Article 77 of the ZVOP-2). We also conduct video surveillance for the purpose of protecting individuals (students, employees and visitors) and University property (based on legitimate interest as defined by point (f) of Article 6(1) of the General Data Protection Regulation, in connection with Article 76 and subsequent articles of the ZVOP-2). Video surveillance is conducted within certain work premises, where this is essential for the safety of people or property or for the protection of secret data or trade secrets.

Video surveillance aids us in detecting, dealing with or resolving incidents or emergencies, criminal acts, and compensation or other claims. Recordings are stored for five days. We do not conduct video surveillance in a manner that would have any special processing effect. Equally, video surveillance does not enable any unusual further processing, such as transfer to entities in third countries, but it does enable live monitoring of events by the authorised officer.

All information regarding video surveillance can be obtained by telephone or email from the University. The rights of individuals are described in this Personal Data Protection Policy. Any additional questions may also be addressed to the Data Protection Officer.

4.6) Processing is necessary to protect the vital interests of the individual

The UNG may process personal data of data subjects where it is necessary to protect their vital interests. In an emergency, the UNG may search for the individual’s identity document, check whether that person exists in the UNG’s database, examine the individual’s medical history or contact their family, for which the individual’s consent is not required. All of this applies if it is strictly necessary to protect the vital interests of the individual.

5) Storage and erasure of personal data

The UNG shall store personal data only for as long as necessary to achieve the purpose for which they were collected and processed. If the UNG processes data under the law, it shall store the data for the duration prescribed by law. In doing so, some of the data shall be stored for the duration of the data subject’s cooperation with the UNG, while some data must be stored permanently. The personal data processed by the UNG on the basis of a contractual relationship with the individual shall be stored for as long as necessary for the contract to be performed and for six years after its termination, except when a dispute arises between the individual and the UNG in connection with the contract. In such cases, the UNG shall store the data for ten years after the finality of a court ruling, arbitration or court settlement or, in the absence of a court case, for five years from the date of an amicable settlement of a dispute. The data processed by the UNG on the basis of the individual’s personal consent or legitimate interest shall be stored by the UNG until consent has been withdrawn or until a request for data erasure has been submitted. The data shall be erased within 15 days of the receipt of a withdrawal of consent or request for data erasure. The UNG may also delete the data prior to the withdrawal if the purpose of their processing has been achieved or if the law so requires.

In exceptional cases, the UNG may refuse the request for erasure of personal data for the following reasons specified in the GDPR: exercising the right of freedom of expression and information, complying with a legal obligation to process, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or exercising or defending legal claims. After the storage period expires, the UNG shall effectively and permanently delete personal data or render them anonymous in such a manner that the data subject is not or no longer identifiable.

6) Recipients of personal data, contractual processing of personal data and transfer of data

“Recipient of personal data” means a natural or legal person, public authority, agency, or other body to which the personal data are disclosed. In carrying out their activities, organisations process numerous personal data of individuals. Personal data of individuals are processed by NGU employees in carrying out their work in accordance with their employment contracts or the act on the classification of posts and by (as a rule) third legal persons to which the UNG provides personal data because, for example, the law so requires. Recipients of personal data also include contractual processors hired by the UNG to carry out certain activities of processing personal data in the name and on behalf of the UNG.

The UNG may therefore entrust individual activities of processing personal data to a contractual processor based on a contractual processing agreement. Contractual processors may process the data entrusted solely on behalf of the controller, within its mandate specified in an agreement or other legal act in writing, and in accordance with the purposes defined by this Privacy Policy.

Potential contractual processors with which the UNG collaborates are mainly:

  • infrastructure maintenance contractors (e.g. Aktiva varovanje d.d.);
  • information system maintenance contractors (e.g. MiTeam);
  • software providers (e.g. the Ung business information system, IZUM, Zoom, Microsoft, etc.);
  • providers of social networks and online advertising (Google, Facebook, Instagram, LinkedIn, etc.).

For the purposes of improving overview of and supervision over the contractual processors and the contractual relationships with them, the UNG also keeps a list of contractual processors that contains all contractual processors with which the UNG collaborates.

The individual’s personal data shall in no case be provided by the UNG to third unauthorised parties. The contractual processors may process personal data solely as instructed by the UNG and may not use them for any other purposes.

As a controller, the UNG and its employees shall not transfer personal data to third countries (outside the Member States of the European Economic Area – Member States of the EU and Iceland, Norway and Liechtenstein) or to international organisations, except for the USA, wherein relations with contracted data processors have been arranged in accordance with standard contractual clauses (type contracts adopted by the European Commission) and/or binding commercial rules (as adopted by the organisation and approved by supervisory authorities in the EU).

7) Cookies

The UNG website uses cookies. A cookie is a file that saves website settings. Websites save cookies to the devices by which users access websites via the internet to identify individual devices and settings used by users upon access. Cookies enable websites to identify whether the user has already visited them. Cookies also enable adaptation of individual settings in advanced applications. The storage of cookies is fully controlled by the individual’s browser – individuals have the option of restricting or completely disabling the storage of cookies.

Cookies are essential for providing user-friendly online services. They are used to store data on the status of individual webpages, and they also help in collecting statistics on users and website traffic, etc. Cookies can help us assess the efficiency of our website design.

The UNG website (www.ung.si) uses the following cookies to track statistical use of webpages within its own information infrastructure (there is no external processor):

Name of cookie Duration Function
Csrftoken 24 hours A user-specific token, used in all submissions of forms and
side-effect URLs to prevent cross-site request forgery.
_pk_id.1.0b11 1 year Used for identifying visitors.
_pk_ses.1.0b11 30 minutes Shows visitor’s session activity.

The UNG website (www.ung.si) uses the following cookies due to embedded YouTube videos:

Name of cookie Duration Function
DEVICE_INFO 179 days Used to track user’s interaction with embedded content.
VISITOR_INFO1_LIVE 6 months Used to provide an estimate of the user’s bandwidth on pages with
embedded YouTube videos.
YSC During the session Registers the unique ID for keeping statistics on YouTube videos seen
by the user.
__Secure-3PAPISID 2 years Builds a profile of website visitor interests to display relevant and
personalised ads through retargeting.
__Secure-3PSID 2 years A targeting cookie. Used for building a profile of website visitor
interests to display relevant and personalised Google ads.
__Secure-3PSIDCC 2 years A targeting cookie. Used to create a user profile and display relevant
and personalised Google Ads to the user.
CONSENT 2 years Used to detect whether the
visitor accepted the marketing category in the cookie banner.
LOGIN_INFO 2 years Used by YouTube (Google) to
store user settings and for other non-specified purposes.
SOCS 13 months Used to store a user’s
status with regard to cookie selection.
PREF 8 months Used to store data on e.g.
the preferred webpage configuration and play settings, such as explicit
selections of autoplay, random content play and player size. As regards
YouTube Music, these settings include volume, repetition mode and autoplay.
SID 2 years Contains digitally signed
and encrypted records of the user’s Google Account ID and last login time.
SIDCC 3 months A security cookie used to
confirm visitor authenticity, prevent fraudulent use of login data and
protect visitor data from unauthorised access.
SSID Permanent Google collects data on
visitors for videos hosted by YouTube on maps integrated with Google Maps.
__Secure-1PAPISID 2 years Used for the purposes of
targeting to build a profile of website visitor interests to display relevant
and personalised Google ads.
__Secure-1PSID 2 years Used for the purposes of
targeting to build a profile of website visitor interests to display relevant
and personalised Google ads.
__Secure-1PSIDCC 2 years Used for the purposes of
targeting to build a profile of website visitor interests to display relevant
and personalised Google ads.

Due to embedded videos, the UNG website (www.ung.si) uses third party cookies (doubleclick.net):

Name of cookie Duration Function
IDE 2 years Stores visitor settings and
personalises ads on Google websites based on recent searches and
interactions.
DSID 2 weeks Used to identify users
logged in non-Google websites and to remember whether the user agreed with
the ad personalisation.

Individuals can erase cookies saved by their browsers (instructions can be found on the browser’s webpages).

8) Data protection and accuracy

The UNG provides information security and security of infrastructure (premises and application/systems software). Our information systems are protected by all necessary infrastructure (e.g. firewalls etc.), among other things. We have implemented appropriate organisational and technical security measures for protecting personal data from accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access and from other unlawful and unauthorised forms of processing. We transmit all special categories of personal data in encrypted form and password-protected.

Each individual has the sole responsibility to submit their personal data in a safe manner and to ensure that their data are accurate and authentic. The UNG shall make every effort to ensure that the personal data it processes are accurate and, if necessary, updated and may occasionally contact the individual for personal data validation.

9) Rights of the individual with regard to data processing

Under the GDPR, individuals have the following rights related to personal data protection:

  • they may request information on whether we possess their personal data and, if so, which data we possess and on what basis, as well as the purposes of their use;
  • they may request access to their personal data, enabling them to receive a copy of the personal data the UNG possess, and check whether the data are processed lawfully by the UNG;
  • they may request rectification of their personal data, such as rectification of incomplete or inaccurate personal data;
  • they may request erasure of their personal data when their further processing is no longer necessary or when they exercise their right to object to further processing;
  • they may object to further processing when the UNG relies on a legitimate commercial interest (including the legitimate interest of a third party) on grounds relating to their specific situation; where personal data are processed for direct marketing purposes, the data subject has the right to object at any time;
  • they may request restriction of processing of their personal data, which means suspending the processing of data, e.g. if the data subject wishes that the UNG establishes the accuracy or to verify the grounds for further processing of personal data;
  • they may request transfer of their personal data in a structured electronic format to another controller, where possible and feasible;
  • they may withdraw their consent given for collection, processing and transfer of their personal data for a particular purpose; upon the receipt of a notice of withdrawal of consent, the UNG shall cease to process personal data for the purposes initially set out, unless the UNG has other legal bases to do so lawfully.

In order for the individual to exercise any of the aforementioned rights, they may send their request by email to dpo@ung.si or by post to University of Nova Gorica, Vipavska cesta 13, 5000 Nova Gorica. The UNG shall reply to requests related to rights of individuals without undue delay, and no later than one month after receiving their requests. If this time limit is extended (up to two additional months at the most) due to the complexity and number of requests, the individuals concerned shall be notified thereof. Access to personal data of individuals and exercise of their rights shall be free of charge. However, a reasonable charge may be made by the UNG if the data subject's request is manifestly unfounded or excessive, especially if submitted repeatedly. In such cases, the UNG may also reject the request. When exercising rights in respect thereof, the UNG may need to request certain information from the individual to assist us in verifying the identity of the individual, which is only a security measure to ensure that personal data are not disclosed to unauthorised persons.

When exercising rights in respect thereof or if the individual believes that their rights have been violated, they may seek protection or help from a supervisory authority, i.e. the Information Commissioner, on https://www.ip-rs.si/.

If individuals have any questions regarding the processing of their personal data, they may always contact the UNG by sending their questions by email to dpo@ung.si or by post to University of Nova Gorica, Vipavska cesta 13, 5000 Nova Gorica.

10) Publication of amendments

Any amendments to our Personal Data Protection Policy shall be published on the UNG’s webpage: https://ung.si/en/privacy-policy/. By using the webpage, the individual confirms that they are aware of the entire content of this Personal Data Protection Policy.

This Personal Data Protection Policy was adopted on 12 April 2023 by Mr Boštjan Golob, Rector of the UNG.

Done in Vipava on 12 April 2023

Rector
Prof. Boštjan Golob, PhD