INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA
under art. 13 of EU Regulation 2016/679 and Legislative Decree no. 196 of 2003, as amended by Legislative Decree no. 101 of 2018
UNIMED – Mediterranean Universities Union is committed to guaranteeing the protection of the personal data of students, researchers, stakeholders and, in general, of employees/collaborators of universities participating in UNIMED projects, initiatives and activities and who, in this context, benefit from the services provided by the Association.
With this information, we wish to offer a clear and transparent view of what information we collect and process within the scope of UNIMED’s projects, initiatives and activities, updating our Privacy Policy to comply with the General Data Protection Regulation 2016/679 (hereinafter, ‘GDPR’ or ‘Regulation’) applicable from 25 May 2018 in every Member State of the European Union, as well as to the provisions of Legislative Decree no. 196 of 2003, as amended by Legislative Decree no. 101 of 2018.
1. Who is the Data Controller of your personal data?
UNIMED – Mediterranean Universities Union, with its registered office in Rome, Corso Vittorio Emanuele II, 244 (hereinafter also referred to as “UNIMED” or “Association”) is the Data Controller of your personal data (hereinafter also referred to as the “Data Controller” or “we”).
2. What does personal data mean and what do we process?
‘Personal Data’ means any information suitable for identifying, directly or indirectly, a natural person, in this case, you, as a student, teacher, researcher and, in general, employee/collaborator of Universities or other institutions participating in the projects, initiatives and activities of UNIMED and who, in this context, benefit from the services provided by the Association (so-called ‘Interested Party’), including the booking of travel through Italian and foreign agencies (within and outside the EU) as part of the logistical organisation of events and the collection of administrative documents from EU and non-EU partners regarding projects whose coordination is managed by UNIMED.
UNIMED collects and processes your personal data, strictly necessary for the execution of UNIMED projects, initiatives and activities in which you participate and, in particular:
- personal, identification and economic data, i.e. name, surname, date and place of birth, tax code, gender, residential address, telephone number, any e-mail address and, in general, any other data and information necessary for the conclusion and execution of UNIMED projects, initiatives and activities in which you participate (for example, data relating to documents, residence permits/visas, identification photos, etc.), academic and professional data (institutional affiliation, professional online profile, level of education, academic work experience, research field, curriculum vitae, etc.) ;
- “special categories of personal data”, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, in the presence of specific needs represented by the Data Subject.
3. Why do we process your personal data?
Your personal data is collected and processed to allow the Data Controller to carry out the UNIMED projects, initiatives and activities in which you participate. In particular, identify the needs and challenges of the research community in Gaza or abroad to inform project outputs, activities in the Hub, and future interventions.
The legal basis for the processing of the data is the execution of a contract (art. 6, co. 1, lett. b) of the Regulation) and the fulfilment of legal obligations to which UNIMED is subject (art. 6, co. 1, lett. c) of the Regulation), as well as the pursuit of a legitimate interest of the Data Controller (art. 6, para. 1, letter f) of the Regulation) to carry out activities that constitute the pursuit of the association’s purpose and to exercise or defend its rights in court, where necessary.
Concerning the processing of data relating to health, the legal basis is constituted by the consent provided by the interested party to the Data Controller (art. 9, co. 2, lett. a) of the Regulation), while for data revealing racial or ethnic origin and religious beliefs, the legal basis can be found in the provision referred to in art. 9, co. 2, letter e) of the Regulation (personal data made manifestly public by the interested party).
4. How do we collect and process your personal data?
UNIMED collects your personal data directly from you, through its administrative staff delegated to acquire paper and/or electronic documentation.
On the other hand, if the data is also collected from third parties, we will promptly inform you, as required by art. 14 of the GDPR.
If you have to provide us with particular categories of personal data (art. 9 GDPR), such as health data, they will be processed for the exclusive purpose of fulfilling contractual obligations, within the scope of the purposes indicated in point 3 and only if the processing is strictly necessary to achieve legitimate purposes and complies with the principles of proportionality and subsidiarity.
The processing of your personal data for the purposes outlined in point 3 will be carried out using computerised and manual methods, based on logical criteria compatible and functional to the purposes for which the data was collected, always respecting the rules of confidentiality and security established by law and internal regulations. In particular, the data will be processed through comparison, classification and calculation, as well as through the production of lists and/or directories.
Some of your data may be processed on behalf of UNIMED by third-party companies, organisations or professionals (for example, IT providers, accounting firms, consultants, etc.) who, as external data processors according to art. 28 of the Regulation, perform specific processing services or activities that are complementary to ours; such third parties may also process special categories of data, always subject to the Data Controller’s authorisation, such as, for example, health data mandatory under regulations concerning health and safety in the workplace.
In other cases, however, your personal data may be provided to entities to allow access to specific software or databases, in their capacity as parties authorised to process data on behalf of UNIMED.
We process your personal data in compliance with the principles of lawfulness, correctness and transparency, and we always operate in such a way as to guarantee the confidentiality and security of the information. We also undertake to ensure that the information and data collected and used are adequate, relevant and limited to what is necessary with respect to the purposes described above and that your personal data are processed in such a way as to guarantee their security, including through adequate and effective technical and organisational measures put in place by the Data Controller, in compliance with the principle of Accountability as prescribed by the GDPR. These measures guarantee, in any case, that access to your personal data is allowed only to persons authorised by the Data Controller, as well as to third parties if appointed as external Data Processors according to art. 28 of the Regulation.
Specific security measures are observed to prevent data loss, illicit or incorrect use and unauthorised access.
5. Are you obliged to provide us with your Personal Data?
The provision of personal data to the Data Controller is mandatory only for data for which there is a regulatory obligation (i.e., established by laws, regulations, provisions of Public Authorities, etc.) or necessary for participation in UNIMED projects, initiatives and activities in the face of a legitimate interest of the Data Controller.
In the presence of a regulatory or contractual obligation to confer the data, your refusal, as the interested party, to provide the data may determine the violation of the norms that establish this obligation (with possible consequences for the interested party) or the contractual non-fulfilment (which may result in contractual or civil remedies for non-fulfilment). In any case, UNIMED will not be able to carry out the operations that require the processing of the personal data, with all consequent consequences and damages to be borne by the interested party.
In cases where you are free to provide your personal data, any refusal to do so does not result in regulatory or contractual violations (with the related consequences outlined above).
However, if your data is necessary or strictly instrumental to participation in UNIMED projects, initiatives and activities, refusal to provide it may make it impossible to carry out the operations connected to such data or may cause delays in the fulfilment of these operations.
6. Who do we share your data with?
We communicate your data exclusively to the subjects (authorised to process the data, appointed as external managers or recipients due to legal obligations) that we use to carry out the activities necessary to achieve the purposes described in paragraph 3 above, i.e. for purposes strictly connected and instrumental to the management of projects and related activities, in particular:
a) UNIMED employees and collaborators;
b) consultants and freelancers working on behalf of UNIMED;
c) external service providers (hosting and IT support);
d) insurance companies, banks and credit institutions.
If necessary, for the fulfilment of regulatory obligations, or in the case of an obligation to report a crime or, in any case, the need to pursue a legitimate interest in exercising or defending a right in court, UNIMED may communicate the data to public administrations or institutions, to the judicial authorities or the police, as well as to its lawyers.
7. Where do we transfer your data?
Personal data may be communicated to, or otherwise processed by, specific third parties who have their registered office or also operate outside the European Union, because they participate in projects carried out by UNIMED, or because they perform particular services (in particular, the companies we use for cloud computing, email management, for the automated management of various administrative and operational activities, through web-based platforms and management software). These subjects guarantee that the data processing is carried out according to quality and IT security standards in compliance with the Regulation.
In the case of transmission/communication to subjects based or operating outside the European Union, the transfer is carried out under articles 45 and 46 of the Regulation.
8. How long do we keep your personal data and where?
We only keep your data for the time necessary to carry out the processing for the purposes mentioned in point 3.
In particular, we report below the main periods of use and storage of your personal data with reference to the different processing purposes:
a) We will process your data for the entire duration of the project and as long as obligations or fulfilments related to the execution of the project persist. After the termination of the project, UNIMED will process and store your personal data – also to comply with legal and regulatory obligations, as well as for its own or third parties’ defensive purposes – until the expiry of the legally applicable storage period from case to case;
b) for the fulfilment of legal obligations, your data will be processed and stored for as long as the need for processing persists to fulfil said legal obligations.
9. What are your rights as a Data Subject?
According to articles 15, 16, 17, 18, 19, 20, 21 and 22 of the GDPR, you may, at any time, exercise the following rights towards the Data Controller:
- right of access: the right to obtain confirmation as to whether or not data concerning you are being processed, as well as the right to receive any information relating to the processing;
- right to rectification: the right to obtain the rectification of your data if they are incomplete or inaccurate;
- right to cancellation (so-called ‘right to be forgotten’): in certain circumstances provided for by the Regulation, you have the right to obtain the cancellation of your data present in our archives if not relevant for the continuation of the contractual relationship or necessary by law;
- right to limitation of processing: under certain conditions, you have the right to obtain limitation of processing, if not relevant for the continuation of the contractual relationship or necessary by law;
- right to data portability: the right to obtain the transfer of your data to a different Data Controller;
- right to withdraw consent: the right to withdraw consent to the processing of data, if given, without prejudice to the lawfulness of the processing based on consent before its withdrawal and without prejudice to the consequent and inevitable termination of the contractual relationship;
- right to lodge a complaint with the Data Protection Authority: you have the right to promote requests for the exercise of your rights at any time.
The above rights may be exercised with UNIMED by writing to the e-mail address: privacy@uni-med.net.
The exercise of your rights as an interested party is free of charge according to Article 12 of the GDPR.
The list of external data processors of your personal data, as well as the employees authorised to process it, can be requested by writing to the email address: privacy@uni-med.net.
10. Changes to our Privacy Policy
The Data Controller reserves the right to modify and/or implement this privacy policy, also due to changes in legislation, or recommendations, general authorisations, guidelines or additional guarantee measures indicated by the Italian or European Data Protection Authority, but always to provide greater protection for the processing of your personal data. However, the aforementioned changes will only be made after informing you, by sending written notification to one of the contact details held by UNIMED.
If the changes involve processing based on consent, the Data Controller will collect your consent if necessary.
Rome, 25 June 2026
