DATA PROTECTION NOTICE FOR STUDENTS PARTICIPATING IN THE MSC TITLED «MSC IN PUBLIC HEALTH AND EPIDEMIOLOGY»

 

This notice concerns the processing of your personal data carried out by the University of Thessaly (Greece), in the context of your participation in the University’s MSc Program titled “MSc In PUBLIC HEALTH AND EPIDEMIOLOGY”.

Please read this document to receive detailed information about the terms of the processing of your personal data by the University.

I. Who is the Controller of my personal data?

The University of Thessaly (hereinafter “University”, “UTH”, “Controller”, or “We”) acts as the Controller for the processing of your personal data.

The University’s contact details may be found below:

Address: Argonafton & Filellinon Str., Volos, Greece, 38221, Tel: (+30)2421074000

You may also contact the University’s Data Protection Officer at the following email address: dpo@uth.gr

 

II. Personal data categories

We process exclusively the personal data which you provide us yourself, either:

a) During the MSc selection and registration process, and throughout the course of your studies.

Indicative data categories collected under this process:

·         name/surname,

·         contact details: address, email, phone no.,

·         passport no., Student ID no., Social Security No.,

·         Country of Origin, Birth date,

·         University Department of Study, date of admittance in the MSc Program,

·         Payment data: tuition fees, payment date, annual income (only where necessary to assess a scholarship application that you submitted)

·         Data related to your academic performance: attendance, coursework/exam grades etc.

·         Data included in your CV and in recommendation letters about you

·         Video Data: CCTV data collected from the on-premise CCTV system in some of the University’s facilities

No special categories of personal data are collected under this process for the purposes of the MSc.

 

Or

b)      When using the MSc’s eLearning platform/app and/or your academic email account.

Indicative data categories collected under this process:

·         eLearning Calendar Data: Course Schedule, Calendar Events

·         Course attendance, Course grades

·         Username/Email Address

·         Personal Notes/Personal Files, uploaded in the relevant section of the eLearning platform

·         Data contained in the Coursework/Essays which you upload in the eLearning platform

·         IP Address

·         Metadata and Security Logs related to the use of the eLearning platform and the academic email account.

No special categories of personal data are collected under this process.

In certain cases, the University may also receive personal data about you from third parties that are authorised or required to share such data with the University, such as previous educational institutions, scholarship bodies, public authorities, or referees providing recommendation letters, strictly for the purposes described in this Notice and in accordance with applicable law.

 

III. For what purpose is your data collected?

We process your personal data exclusively for the following purposes:

a)       For the purpose of student selection for the MSc

b)      For the purpose of student registration in the MSc

c)       For the purpose of supervising and ensuring the proper administration and the successful completion of our MSc program

d)      For the purpose of receiving the MSc tuition fees and issuing the corresponding invoices/receipts

e)      For the purpose of supervising your academic progress and supporting you during the MSc program (exams, coursework, meetings during visiting hours etc.)

f)        For the purpose of communicating with you regarding academic events and opportunities, related to your curriculum

g)       For the purpose of responding to your communications, inquiries, and complaints

h)      For the purpose of managing scholarships

i)        For the purpose of providing you the services of our eLearning platform.

j)        For the purpose of ensuring the safety of students, staff, and visitors on the premises of the University (through the use of CCTV systems)

k)       For the purpose of producing official statistics relating to the functioning of the University

l)        For the purpose of ensuring the security and integrity of the University’s digital and electronic systems (through the use of security logs and measures)

m)    For the purpose of protecting the University’s legal rights and claims.

 

IV. What is the legal basis for the processing of your data?

For purposes “a” to “k”, we process your personal data on the legal basis that the processing is necessary for the performance of the tasks carried out by the University in the public interest or in the exercise of the official authority vested in UTH under the Greek legislation which governs the founding and functioning of the University of Thessaly (Article 6(1)(e) GDPR).

For purposes “l” and “m”, we process your personal data on the legal basis that the processing is necessary for the protection of our legitimate interests. The legitimate interests sought are specified as: a. the protection of the Intellectual Property and Personal Data contained in the University’s digital systems and services, and b. the protection of the University’s property, rights, and legal claims.

Additionally, we may process your personal data when the processing is necessary for us to comply with our legal obligations. As a general principle, the University processes your personal data only for the purposes for which the data were initially collected. In exceptional cases, personal data may be processed for a further purpose, provided that such purpose is compatible with the original purpose of collection, in accordance with Article 6(4) of the GDPR. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall be considered compatible with the original purposes of processing, subject to the implementation of appropriate safeguards.

 

V. Who is your data shared with?

As a rule, your data is processed only by the staff of our University who are competent in each case and who have been duly informed about the secure processing of your personal data.

Your data may also be transferred, where applicable and necessary, to:

1) Natural and legal persons to whom we entrust the performance of specific tasks on our behalf, such as the hosting provider of our eLearning platform, the company that has undertaken the creation and distribution of your student IDs, and the company that has undertaken the security of our premises. These persons, who act as data processors on our behalf, have been informed and committed in advance to respecting the confidentiality of your data, are aware of and follow our instructions regarding the processing of personal data, and take all appropriate measures to protect it.

2) Courier/Mail service providers, as well as the Bank used for the payment of your tuition fees. These partners act as independent Data Controllers for your data within the scope of the regulatory/legal frameworks governing their operations.

3) Visiting Professors or lecturers.

4) Supervisory, auditing, independent, judicial, public and/or other official authorities and bodies within the scope of their statutory powers and duties, when the transmission of your data to them is required by law (such as the Greek Ministry of Education, the State Scholarships Foundation, other Greek Public Universities, the Hellenic Statistical Authority etc.).

5) Lawyers, law firms, bailiffs, experts, and expert witnesses, in cases where we need to take legal actions to safeguard our rights and interests.

 

VI. Is your data transferred outside the European Economic Area?

As a rule, your data is processed exclusively within the European Economic Area.

If the transfer of your data outside the EEA is absolutely necessary for the purposes mentioned above, the University will ensure that there is a sufficient legal basis for the transfer and that all the safeguards and requirements of Chapter V of the GDPR have been applied.

 

VII. For how long is your data stored and when is it deleted?

As a general rule, we delete your data as soon as the processing is no longer necessary to achieve the purpose for which the data was collected or for us to comply with our legal obligations. In any case, your data will not be kept for more than 20 years following the completion of your studies in our MSc Program (in accordance with statute of limitations rules).

Different retention periods may apply depending on the category of personal data and the applicable legal obligations. In particular:

– Academic and student record data may be retained for extended periods in accordance with national education and archiving legislation;

– Financial and accounting data are retained in accordance with tax and financial legislation;

– CCTV and security-related data are retained for limited periods, unless required for the investigation of an incident or legal claim;

– IT and security logs are retained for the minimum period necessary to ensure system security and integrity.

Where personal data are retained for archiving, statistical, or scientific research purposes, appropriate technical and organisational measures are applied to safeguard your rights and freedoms.

 

VIII. Is your data safe?

We are committed to safeguarding your Personal Data. We have taken appropriate organizational and technical measures to ensure the security and protection of your Data from any form of accidental or unlawful processing, modification, destruction, or loss. These measures are reviewed and modified at regular intervals and also on an ad-hoc basis when necessary.

 

 

IX. Photos, video recordings, and online teaching

During academic activities, events, or online teaching sessions organised by the University, photos, audio recordings, or video recordings may be made for educational, administrative, or promotional purposes.

Where such processing is based on the University’s legitimate interests, appropriate measures are taken to minimise the impact on your privacy. Where required by law, your consent will be requested prior to recording or publication.

Recordings of teaching activities are made available exclusively to authorised participants and are not made publicly accessible unless otherwise specified.

When using the University’s electronic systems, platforms, and email services, certain technical data and logs may be automatically collected for the purposes of ensuring security, integrity, and proper functioning of such systems, as well as for preventing misuse.

Such data are retained for a limited period and accessed only by authorised personnel, in accordance with internal policies and applicable law.

 

X. Automated decision-making and profiling

The University does not take decisions that produce legal effects concerning you or similarly significantly affect you based solely on automated processing, including profiling, within the meaning of Article 22 of the GDPR.

Where automated processes are used for security or system integrity purposes (such as the automatic detection of suspicious activity within IT systems), appropriate safeguards are applied, and human intervention is available upon request.

 

XI. What are your data protection rights?

You have the right to access your personal data.

This means that you have the right to be informed by us on whether we are processing your Data. If we are processing your Data, you can request to be informed about the purpose of the processing, the type of your Data we hold, who we give it to, how long we store it for, whether automated decision-making is taking place, and how to exercise your remaining data protection rights, such as the right to rectification, the right of erasure, the right of restriction of processing, and the right to file a complaint with the Data Protection Authority.

You have the right to rectify inaccurate personal data.

If you find that there is an error in your Data, you may submit a request for us to correct it (e.g., correcting your name or updating a change of telephone number).

You have the right to request the deletion of your personal data/right to be forgotten.

You may ask us to delete your Data if it is no longer necessary for the processing purposes listed above or if you wish to withdraw your consent, where your consent is used as the sole legal basis for the processing.

Please note that this right will not be satisfied if the processing of your data is still necessary for tasks carried out in the public interest or in the exercise of official authority vested in the University.

You have the right to restrict the processing.

You may ask us to restrict the processing of your Data for as long as your objections to the processing are pending, or if part of the processing is no longer necessary to fulfil the purposes for which your Data was collected.

You have the right to object to the processing of your Data.

You may object to the processing of your Data where it is carried out in the pursuit of our legitimate interests, and we will stop processing your Data if there are no other compelling and legitimate grounds that override your rights and interests.

Where the processing of your personal data is based on your consent or on the performance of a contract and is carried out by automated means, you have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format, and to transmit those data to another controller, where technically feasible, without hindrance from the University.

 

XII. How can you exercise your rights?

You may exercise the abovementioned rights by sending an email to the Data Protection Officer of the University of Thessaly, at the following email address: dpo@uth.gr

In order to ensure that personal data are disclosed only to the data subject concerned, the University may request additional information necessary to verify your identity when exercising your rights. Such verification measures shall be proportionate and shall respect the principle of data minimisation.

Additionally, you may choose to exercise your rights, specifically for the data contained in the eLearning platform, by using some of the privacy functionalities available to you through the “profile” page of our eLearning platform.

XIII. When will you receive a response to your request?

We will respond to your Requests free of charge and without delay. We aim to always respond to your requests within one (1) month of receiving them. However, if your Request is complex or there is a large number of pending Requests, we will let you know within the first month if we need an extension of two (2) additional months within which to respond to you.

If your Requests are manifestly unfounded or excessive, in particular because of their repetitive nature, we may impose a reasonable fee to respond, taking into account the administrative costs of providing the information or performing the requested action, or refuse to follow up on your request.

XIV. Right to lodge a complaint

If:

(a) your request has not been adequately and/or lawfully fulfilled, or

(b) you believe that your personal data protection rights are being violated by any processing carried out by us,

you have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA) (postal address: 1-3 Kifisias Ave, P.C. 115 23, Athens; website: https://www.dpa.gr/; tel: 210 6475600; e-mail: contact@dpa.gr) or the competent data protection authority of your country of residence (within the EU).

The University reserves the right to amend or update this Data Protection Notice in order to reflect changes in legal requirements or processing activities. Where significant changes are made, students will be informed through appropriate communication channels. The most recent version of this Notice shall always be made available to data subjects.