pursuant to European Regulation no. 679/2016 (“GDPR”)
| Categories of data subjects | Students and Participants in the Masters or Programs organised by the Data Controller, lecturers and BBS staff authorised to use the “Maurice” artificial intelligence chatbot (hereinafter, the “Users”) |
| Data Controller | “Bologna University Business School” (hereinafter “BBS” or the “Data Controller”), Villa Guastavillani, via degli Scalini 18, Bologna (BO) – Italy Entry in the Register of Legal Persons at the Prefecture of Bologna No. 729, p. 118 vol. 5 – VAT No. 02095311201 |
| Data Protection Officer | BBS has appointed its Data Protection Officer, who can be contacted at the following e-mail address: dpo@bbs.unibo.it |
1. INFORMATION ON THE PROCESSING OPERATIONS PERFORMED
SECT. A
Purposes
To fulfil your request and allow you to use the “Maurice” artificial intelligence chatbot.
Legal basis
Performance of a service requested by the data subject – Art. 6.1(b) GDPR.
| Personal data collected | Data retention period |
|
Personal data (first name, last name), contact details (e-mail address), curricular or professional data, data contained in requests and conversations carried out through the Chatbot, and technical and log data relating to the use of the service. Please note that, in order to use the Maurice chatbot, the User undertakes not to include personal data in their requests, except where strictly necessary.
Required provision: any refusal to provide personal and contact data, as well as any request to have them erased, would make it impossible for BBS to satisfy your request and to provide (or continue to provide) the service requested by you, since access to the chatbot is subject to login via Single Sign-On.
|
Data relating to the User’s requests and to the responses generated by the chatbot, together with the relevant metadata, shall be retained for the period strictly necessary to handle the request and, unless deleted by the User, for the duration of the Master or Program, for educational purposes and in order to allow the User to access and review the responses provided. Where the duration of the Master or Program exceeds one year, the above-mentioned data shall in any event be deleted one year after the relevant request/response. The User’s right to request the deletion of such data at any time remains unaffected.
Metadata that is not necessary to provide this consultation functionality — including, by way of example, access logs, application logs, error logs and security logs, as well as timestamps and other technical metadata required for the operation of the service — shall be retained for a maximum period of 7 days.
|
SECT. B
Purposes
Aggregation of personal data for analysis purposes.
Legal basis
Legitimate interest – Art. 6.1(f) GDPR.
| Personal data collected | Data retention period |
|
Personal data (first name, last name), contact details (e-mail address), curricular or professional data, data contained in requests and conversations carried out through the Chatbot, and technical and log data relating to the use of the service. Please note that, in order to use the Maurice chatbot, the User undertakes not to include personal data in their requests, except where strictly necessary.
You may exercise your right to object and thereby exclude your personal data from being aggregated for analysis purposes.
|
Following aggregation, the data are no longer related to an identified or identifiable person.
|
2. METHODS OF TREATMENT
The processing of personal data is carried out by BBS using paper-based and computerized methods.
3. AUTOMATED DECISION-MAKING ACTIVITIES
BBS excludes the use of any decision-making activity based on automated processing that produces legal effects concerning you or similarly significantly affects you pursuant to Article 22 of European Regulation 679/2016.
4. FATE OF DATA AT THE END OF THE RETENTION PERIOD: THE AGGREGATION PROCESS, WITHOUT PREJUDICE TO THE RIGHT TO OBJECT
After the retention periods indicated above have elapsed, where you have not exercised your right to object, your Personal Data will be processed exclusively in aggregated form for analysis purposes, with the aim of improving the accuracy, quality and security of the Service. Data aggregation is carried out in compliance with the guidance provided by the Italian Data Protection Authority, in order to ensure that the data can no longer be linked or attributed to you in any way.
5. DATA PROCESSORS. THIRD PARTY RECIPIENTS OF DATA
The subjects or categories of subjects indicated on the website http://www.bbs.unibo.eu, in the section Privacy, are appointed as data processors pursuant to Article 28 of the aforementioned European Regulation No. 679/2016 and may therefore process and become aware of the data you have provided.
Those appointed as data processors by BBS are used to:
- for the provision, maintenance and technical support of the Chatbot;
- for the provision of technological, application, cloud and infrastructure services necessary for the functioning and security of the Chatbot;
- for the management, including computerized management, of BBS archives.
The data may also be transmitted to the judicial authorities and other public entities entitled to request them, in the cases provided for by law or as a result of an order of a judicial authority.
6. PLACE OF PROCESSING AND DATA TRANSFER TO NON-EU COUNTRIES
BBS carries out the processing of your data in Italy.
Some of the designated Data Processors are based, or process your personal data, also in countries other than Italy both in and outside of Europe and, in this case, the transfer of personal data outside the EU will take place in accordance with the provisions of law and, in particular, personal data will be transferred to third countries in compliance with the conditions set forth in Article 45 et seq. GDPR.
7. YOUR RIGHTS. COMPLAINT WITH THE SUPERVISORY AUTHORITY
You may exercise the rights granted to you by law and, in particular, the right to obtain from BBS access to your personal data (Art. 15 GDPR), rectification and/or supplementation (Art. 16 GDPR) and erasure (Art. 17 GDPR) of your personal data, restriction of processing (Art. 18 GDPR), the right to receive notification of rectification, erasure or restriction of processing carried out (Art. 19 GDPR), the right to data portability (Art. 20 GDPR), and the right to object to processing, in particular to processing based on the legitimate interest of the Data Controller (Art. 21 GDPR). These rights may be subject to certain exceptions and/or limitations (e.g., the right to erasure cannot be exercised for those data with respect to which BBS demonstrates the existence of overriding legitimate grounds for processing; the right to portability applies with respect to processing based on a contract or consent; the right to object applies to processing based on legitimate interest or for reasons of public interest).
Data subjects also have the right to lodge a complaint with the competent Supervisory Authority (Art. 77 GDPR), which in Italy is the Garante per la protezione dei dati personali [Italian Data Protection Authority] (Piazza Venezia, 11 – 00187 Rome – PEC [certified e-mail]: protocollo@pec.gpdp.it).
8. DATA PROTECTION OFFICER
BBS has appointed its Data Protection Officer, who can be contacted at the following e-mail address: dpo@bbs.unibo.it
You may contact the Data Protection Officer for all matters related to the processing of your personal data and the exercise of your rights under European Regulation no. 679/2016 and the Italian Privacy Code.
9. CONTACTS AND DISPUTES
If you have any questions or complaints regarding this Privacy Notice or BBS’s data processing practices, or for requests concerning the updating/rectification/erasure of personal data or the exercise of your privacy rights, you may contact the Data Controller or the Data Protection Officer.
For this purpose, you may send a communication to the e-mail address gdpr@bbs.unibo.it, from which you will receive a reply from the person appointed by BBS to provide feedback to the data subject, i.e. the internal coordinator of data processing, or to the Data Protection Officer at dpo@bbs.unibo.it
