Data processing policy for all the websites of the University Paris-Panthéon-Assas
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter GDPR) sets out the legal framework for the processing of personal data.
The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
For a clear understanding of this policy, it is stated that:
- The “data controller” is the natural or legal person who determines the purposes and means of processing personal data. For the purposes of this policy, the data controller is the Université Paris-Panthéon-Assas;
- The “University” will refer to the University of Paris-Panthéon-Assas, unless otherwise specified;
- A “processor” is any natural or legal person who processes personal data on behalf of the controller. In practice, this means the service providers with whom the University works and who process the University’s personal data;
- The “Platform” means the website www.u-paris2.fr, and more generally all the sites of the domain of the University Paris-Panthéon-Assas;
- The “User” means any Internet user browsing and consulting the Platform;
- Data subjects” are persons who can be identified, directly or indirectly, and their personal data are collected by the data controller, i.e. the users of the Platform;
- The “recipients” of the data are the natural or legal persons who receive the personal data. The recipients of the data can therefore be both employees of the University and external organizations (institutions, social organizations, Crous, etc.);
- Personal data” means any information relating to an identified or identifiable natural person;
- Processing” means any operation or set of operations that is performed on personal data or sets of personal data;
Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible manner.
In order to ensure its proper functioning, the University of Paris-Panthéon-Assas is required to implement and operate the processing of personal data relating to the Users of the Platform.
The purpose of this policy is to satisfy the University’s obligation to provide information and thus to formalize the rights and obligations of Platform Users with regard to the processing of their personal data.
This personal data protection policy applies to any person who browses the Platform, uses the various services intended for the administrative and pedagogical management of students available on the Platform and/or interacts with the University in the context of using the Platform.
By providing personal data when using the Platform and the Services, the User acknowledges that he/she has read the terms of this Data Protection Policy.
The data protection policy can be consulted on the Platform and may be modified or amended at any time in the event of changes in the law, case law, decisions and recommendations of the CNIL or practices. The User is therefore invited to regularly read the provisions of the Data Protection Policy.
1.5 Identity and contact details of the data controller
Our personal data protection policy describes the way in which the Université Paris-Panthéon-Assas, in its capacity as Data Controller within the meaning of the applicable regulations on the protection of personal data, treats the personal data of users of the Platform.
The University Paris-Panthéon-Assas, located at 12 Place du Panthéon – 75231 Paris CEDEX 05, is represented by its president Stéphane BRACONNIER.
We have appointed a Data Protection Officer (DPO): Mr Thierry NGUYEN.
The personal data collected by the University concerning you is accessible upon request to the personal data protection officer whose contact information is indicated below.
The processing of personal data implemented on the Platform is documented in the register of processing activities maintained by the University.
2. Legal basis
Under the European General Data Protection Regulation 2016/679 (known as RGPD), the personal data processed on the Platform are according to the purposes:
- Necessary for the performance of the University’s mission of public interest; or
- Dependent on the consent of the persons concerned;
- Legitimate interest of the University.
None of the personal data processing carried out by the University involves automated decision-making within the meaning of Article 22 of the GDPR.
3. Purposes of the processing
As the data controller, the Université Paris-Panthéon-Assas processes users’ personal data in a lawful and fair manner and in compliance with their rights.
Personal data collected by the University is used for the following purposes:
- Manage user account creation and access;
- Ensure the administrative and pedagogical management of students;
- Send newsletters;
- Develop statistics and improve the Platform and services;
- Inform the CROUS of the student’s registration;
- Communicate with users and answer their questions submitted via the contact forms;
- Web application management ;
- Processing online registration forms;
- Room Reservations;
- Comply with applicable laws and regulations.
4. Categories of personal data
The University Paris-Panthéon-Assas may in particular collect and process the following User data:
- The user account credentials: username and email address;
- Identity and contact details: title, surname, first names, address, telephone number (landline and/or mobile), fax number, e-mail addresses, date and place of birth, nationality, photo, photocopy of a national identity card;
- Family, economic and financial situation: marital life, socio-professional category and profession of parents, type of scholarship, national service ;
- Professional life: CV, cover letter, copy of transcripts and degrees obtained, letter of recommendation ;
- International action: host university, length of stay, type of scholarship or special allowance ;
- INE number, desired field of study ;
- Academic status: transcripts, copies of diplomas, copies of school records, etc.
The University may ask the User to provide certain personal data for canvassing/marketing purposes (sending newsletters, invitations to events, etc.). The User may explicitly and freely consent or not to the collection and processing of his/her personal data for these purposes by means of a checkbox. The user also has the possibility, at any time, to unsubscribe, at least by request by e-mail via the unsubscribe link present on the newsletter or by simple e-mail to the address firstname.lastname@example.org indicating as subject “Unsubscribe to the Newsletter”.
5. Recipients of the data
5.1 Communication of users’ personal data
The Université Paris-Panthéon-Assas undertakes to keep all personal data collected via the Platform and to share them only in certain circumstances and in accordance with the provisions of the applicable regulations.
The University of Paris-Panthéon-Assas may in particular give access to users’ personal data to third-party service providers, acting as subcontractors, to perform services relating to the Platform and in particular hosting, storage, analysis, data processing, database management or computer maintenance services. These service providers will only act on the instructions of the University and will only have access to users’ personal data to perform these services and will be bound by the same security and confidentiality obligations as the University.
User data can be shared:
- To administrative and teaching staff authorized by the University;
- To the relevant departments of the University;
- To foreign universities linked by an agreement with the University;
- To the Ministry of National Education;
- To the Ministry of Higher Education, Research and Innovation ;
- At the Student Life Observatory;
- To the holder of the maintenance of the University Platform (exceptional cases).
5.2 Data transfer
Where transfers are made outside the European Union, the University ensures that the transfer is made in compliance with applicable data protection legislation.
In particular, the University shall ensure that the recipient of the data will offer a level of data protection at least equivalent to that available to the data subject within the European Union. If this is not the case, the transfer can only be made with the consent of the data subject.
6. Duration of data retention
The data collected will be kept in accordance with the legislation in force and the applicable limitation periods.
7. Special cases of data collected by means of cookies
Cookies may be used on the Platform. Cookies are small files that are stored on the user’s computer or on any electronic communication device used by the user when browsing the Platform. These files allow the exchange of status information between the Platform and the user’s browser.
The University uses the following cookies:
- Cookies necessary for operation: These cookies are essential for the proper functioning of the Platform and its features. These cookies do not collect information intended to be used for commercial prospecting or advertising targeting;
- Performance Cookies: These cookies collect information about how users use the Platform as a whole. In particular, performance cookies help identify particularly popular sections of the Platform and count the number of visits. These elements make it possible to adapt the contents of the Platform to the needs of the users and thus to improve the offer and the ergonomics of the services offered on the Platform. To use the data for statistical purposes, the Platform uses the Google Analytics tool.
You can delete any cookies that have been installed in your browser’s cookie folder. Each browser has different procedures for managing your settings:
If you do not use any of the above browsers, you will need to select the “cookies” option in the “Help” function to obtain information about the location of your cookie file.
Please be aware that if you choose to disable cookies completely, you may not be able to use all of our features.
The data is kept in an active database for the current academic year and during the academic year and then archived.
The security of personal data is one of the priorities of the Université Paris-Panthéon-Assas. The University undertakes to take all reasonable administrative, technical and organizational measures to prevent any disclosure, unauthorized access, unauthorized use, alteration or destruction of personal data provided by a user (access control, password security, access according to specific authorizations, etc.).
The data is only accessible to authorized internal or external recipients according to an access and authorization policy defined by the University and depending on the use case and the treatment implemented.
Recipients of student personal data within the University are subject to a specific confidentiality obligation. Where the University is the data controller, the University implements all reasonable and legitimate measures to ensure that data recipients, external to the University, will provide an adequate level of data protection and comply with the requirements of the GDPR.
Appropriate technical and organizational security measures are implemented to combat accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure of data.
These measures are taken in compliance with other applicable laws and regulations, particularly with regard to the use of cryptographic means.
The Universitý shall implement all necessary measures to ensure the securitý of the information system and the protection of users.
The University facilitates users’ access to the resources of the information system. The resources made available to them are primarily for professional use, but the University is required to respect the privacy of each individual.
The Information Systems Department (ISD) ensures the proper functioning and security of the University’s networks, computer and communication resources. The agents/staff of this service have technical tools to investigate and control the use of the computer systems in place, and undertake to respect the rules of confidentiality applicable to the contents of documents.
They are subject to a duty of confidentiality and are required to maintain the confidentiality of any data they come into contact with in the course of their duties.
The University informs the User that the information system may give rise to monitoring and control for statistical, tracking, optimization, security or abuse detection purposes.
9. Your rights regarding the processing of your personal data
9.1 What are your rights
In accordance with the regulations in force, you have the right to access your personal data, to rectify them, to object to their processing or to obtain their limitation, deletion or portability insofar as applicable.
Furthermore, you may at any time withdraw your consent for processing based on it, or request that you no longer receive communications from us regarding information, announcements, greetings, newsletters, and invitations to events organized by the University.
Depending on the treatment, you have the following rights:
- Right to object: you have the right to object at any time to the processing of your personal data for the purpose of sending information, announcements, greetings, newsletters and invitations;
- Right of access: you have the right to obtain confirmation as to whether or not your personal data is processed by the University;
- Right of rectification: you have the right to obtain the rectification of inaccurate or incomplete information concerning you;
- Right to withdraw your consent: you may, for processing that would be based on consent, withdraw at any time the consent you have given for a processing;
- Right to erasure or right to be forgotten: you have the right to have the University erase your personal data where any of the following grounds apply:
- The data are no longer necessary for the purposes for which they were collected;
- You withdraw your consent to the processing and there is no other legal basis for the processing;
- You object to the processing of your personal data and there is no compelling legitimate reason for the processing;
- The data are subject to unlawful processing;
- Data must be deleted to comply with a legal obligation.
- Right to Portability: you have the right to obtain the personal data you have provided to the University in a structured, commonly used and machine-readable format so that you can transmit it to another data controller.
This right is applicable when the processing is based on your consent or on the performance of a contract, and is carried out by means of automated processes.
- Right to file a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL) at the following address CNIL – Service des plaintes 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
9.2 How to exercise them
If you wish to exercise these rights, you may send your request to our Data Protection Officer (DPO) by completing the Online Rights Request Form on our Platform, by email to DPO@u-paris2.fr or by post with your contact details.
University of Paris-Panthéon-Assas
Data Protection Officer / DPO
12 Place du Panthéon
75231 Paris CEDEX 05
If you feel, after contacting us, that your rights have not been respected, you may submit a complaint to the CNIL.