Privacy policy

The purpose of this Personal Data Protection Policy is to inform individuals, service users, external partners, employees and other persons (hereinafter referred to as "the individual" or »data subject«) working with University of Nova Gorica, (hereinafter referred to as "UNG" or »we« or »Organization«) of the purposes, legal bases, security measures and rights of individuals with regard to the processing of personal data carried out by University of Nova Gorica.

We value your privacy, and always carefully protect your data.

We process personal data in accordance with European legislation – Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data (hereinafter referred to as the "General Regulation"), the applicable Slovenian legislation on the protection of personal data and other legislation that provides us with a legal basis in this regard.

The Personal Data Protection Policy contains information on how we, as controller, process personal data that we receive from the individual on legal basis.

1. Data Controller

The controller of personal data is:

University of Nova Gorica

Vipavska cesta 13, 5000 Nova Gorica

info@ung.si

05 6205 820

2. Data Protection Officer

Nina Cotič

Strokovna sodelavka za kadrovske zadeve

e-pošta: dpo@ung.si

telefon: +386 5 62 05 817

3. Personal Data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4. Purposes of and Bases for Data Processing

We collect and process personal data on the following legal grounds:

  • The processing is necessary to fulfil a legal obligation applicable to the controller.
  • The processing is necessary for the fulfilment of a contract to which the data subject is a contracting party, or for the implementation of measures at the request of such an individual prior to the conclusion of the contract.
  • The processing is necessary due to the legitimate interests pursued by the controller or a third party.
  • The data subject consents to the processing of his or her personal data for one or more specific purposes.
  • The processing is necessary to protect the vital interests of the data subject or of another natural person.

4.1 Personal data processed by a SMASH project

If you apply to the SMASH open calls, we collect all your data provided in the application platform for the purpose of the application, evaluation, and the selection procedure, as well as for the reporting purposes to the financing organisations (European Commission, MVIZ).

This website is hosted in Slovenia by University of Nova Gorica.

We collect data and process data when you apply to the SMASH open calls:

Date of birth, Current institution, Phone number, Current country of residence, Sex As it appears in your National ID card or passport, Nationality, Orcid number, PhD awarded date, PhD awarded country, PhD certificate, Scanned PhD certificate document, MSCA mobility, CV, Data regarding proposal: Proposal acronym, Proposal title, Proposal abstract, Proposal keywords, Selection of primary research area, Selection of a host institution, Suggestion of 3 experts: First name, Last name, Organisation, Email.

We collect your data so that we can:

  • Organise and manage evaluation and selection procedure of the applicants via the application platform (only if you are applicant to the open calls)
  • (Only if you are applicant to the open calls) We will use your data and share it with the members of the Executive Board to organise the evaluation and selection process; selected referees/evaluators to perform the evaluation process, Governing Board to do the final selection of the applicants following the evaluation ranking list; to our project partner organisations so that any and all reasonable requests for information or follow up may be completed appropriately (e.g. Letter of support of host organisation).

If you are applicant to the open calls the application platform https://smash.ung.si/ does directly store your data provided in the application platform on University of Nova Gorica servers. However, these details are not routinely or directly shared with SMASH project partners.

4.2 Fulfilment of a Legal Obligation
Under the law, we process our employees’ data; this processing is allowed by the labor law and social assistance legislation. Based on the legal obligation for employment purposes, we process mainly the following types of personal data: name, gender, date of birth, personal identity number, tax number, place, municipality and country of birth, nationality, place of residence, etc. The legal basis for the processing of personal data of individuals is also the Exercising of the Public Interest in Culture Act and other legislation governing culture and the meetings industry. In limited cases, the processing of personal data is permissible in the Organisation also on the grounds of public interest.

All sector-specific legislation in force is collected on the website of the competent ministry: https://www.gov.si/drzavni-organi/ministrstva/ministrstvo-za-visoko-solstvo-znanost-in-inovacije/zakonodaja/.

4.3 Legitimate Interests
The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. At any rate the existence of a legitimate interest is subject to careful assessment in accordance with the General Regulation. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. We may also process personal data of individuals collected from publicly available sources or during lawful activities for the purposes of offering goods, services, employment, information on benefits, events, etc. To achieve these purposes, we may use land mail, telephone calls, e-mails, and other means of telecommunication. For the purposes of direct marketing, we may process the following personal data of individuals: the name and surname of the individual, address of permanent or temporary residence, telephone number and e-mail address. We may also process these personal data for the purposes of direct marketing without the explicit consent of the individual. The individual may at any time opt out of such communication and processing of personal data and exercise the right of withdrawal from receiving notifications by clicking the unsubscribe link in the received message or by e-mail.

4.4 Processing on the basis of Consent
If there is no legal basis in the law of the Member State to which the controller is subject, contractual obligation or legitimate interest, we may seek consent from the individual. Thus, where the individual gives his or her consent, we may process specific personal data of the individual for the following purposes:

  • The e-mail address for information and communication purposes.
  • Photos, videos, and other content relating to the individual (e.g., posting of pictures of individuals on our website) for the purposes of documenting activities and informing the public about our work and events.
  • Other purposes to which the individual agrees through giving consent.

The data subject shall have the right to withdraw his or her consent to the processing of personal data at any time. The data subject may request that data processing be suspended by e-mailing or sending a land mail to our address. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4.5 Processing Is Necessary to Protect the Vital Interests of the Individual
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject. In an emergency, we may search for the individual's identity document, check whether that person exists in our database, examine his or her medical history or contact his or her family, for which the individual's consent is not required. All of this applies solely if strictly necessary to protect the vital interests of the individual.

5. Storage and Erasure of Personal Data

We shall store personal data only for as long as necessary to achieve the purpose for which they were collected and processed. If the data is processed under the law, it is stored for the duration prescribed by law. In doing so, some of the data is stored for the duration of the data subject’s contractual/business relationship with us, while some data needs to be stored permanently. We store personal data that we process on the basis of a contractual relationship with the individual for as long as necessary for the contract to be fulfilled and for six years after its termination, except when a dispute arises between the individual and the controller in connection with the contract. In such cases, we keep the data for ten years after the legal effect of a court ruling, arbitration or court settlement, or in the absence of a court case, for five years from the date of the amicable settlement of a dispute. We may keep the data we process on the basis of the individual’s personal consent or the legitimate interest until consent has been withdrawn or until a request for data erasure has been submitted. The data is erased within 15 days upon the receipt of a withdrawal of consent or request for data erasure. We may also delete data prior to withdrawal if the purpose of their processing has been achieved or if the law so provides.

In exceptional cases, we may refuse a request for erasure of personal data for the reasons specified in the General Regulation, as follows: the exercise of the right to freedom of expression and information, the fulfilment of a legal obligation to process, reasons of public interest in the field of public health, the purposes of archiving in the public interest, scientific or historical research or statistical purposes, the exercise or defence of legal claims. After the purpose of storing has been served, unless there exist legal grounds, personal data shall be effectively and permanently deleted or rendered anonymous in such a manner that the data subject is not or no longer identifiable.

6. Cookies

The University's website works with the help of the so-called cookies. A cookie is a file that stores website settings. Websites store cookies on users' devices with which they access the Internet to identify individual devices and the settings that users used to access the website. Cookies allow websites to recognize if the user has already visited the website. In the case of advanced applications, individual settings can be adjusted accordingly. Their storage is under the full control of the browser used by the individual - this can limit or completely disable the storage of cookies as desired.

Cookies are of fundamental importance for providing user-friendly online services. They are used to store information about the state of the individual website, help to collect statistics about users and visits to the website, etc. We use cookies to evaluate the effectiveness of our website design.

PrivcyPolicy update-1

Cookies saved by the browser can be deleted by the individual (instructions can be found on the websites of the individual browsers).

7. Subcontracting the Processing of Personal Data and Data Output

The processing of personal data may be entrusted to a subcontractor on the basis of a data processing contract. The data entrusted to a subcontracted processor may be processed exclusively on behalf of the controller, within the limits of the powers expressly conferred upon the processor, which shall be recorded in a written contract or other legal act, and in accordance with the purposes set out herein (Personal Data Protection Policy).

The processors with whom we have entered into a subcontract are, in particular:

  • Auditing services and other legal and business consultancy providers;
  • Infrastructure maintenance providers (video surveillance, security services);
  • Information systems maintenance providers;
  • E-mail and software service providers, Cloud services;
  • Social media and online advertising providers (Google, Facebook, Instagram, Twitter etc.).

We do not transmit personal data to third unauthorized parties under any circumstances. Subcontracted processors may process personal data only within the framework of our instructions and may not use it for any other purposes.

UNG as the controller and its employees do not transfer personal data to third countries (outside the Member States of the European Economic Area – EU members, as well as Iceland, Norway and Liechtenstein) and to international organisations, except to the USA, whereby relations with US subcontracted processors are regulated on the basis of standard contractual clauses (standard contracts adopted by the European Commission) and/or binding corporate rules (adopted by the organisation and approved by the EU supervisory authorities).

For the purposes of better review and control over the subcontracted processors and for the sake of the regularity of contractual relationships, we keep a list of subcontracted processors, which specifies all the processors with whom we have entered into a contractual relationship.

8. Data Protection and Data Accuracy

We provide information security and security of infrastructure (premises and application/systems software). Our information systems are protected by antivirus programs and firewalls, among others. We have put in place appropriate organisational and technical security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and against other unlawful and unauthorized forms of processing. Any transmission of specific types of personal data is password protected and carried out in an encrypted form.

The individual has the sole responsibility for providing his or her personal data securely and for ensuring the data is accurate and authentic. We have spared no effort to ensure that the personal data we process is accurate and, if necessary, updated, and may therefore occasionally contact the individual for data validation.

9. Rights of a Data Subject

In accordance with the General Regulation, the individual may exercise the following personal data protection rights:

  • The right of requesting information concerning whether we have collected his/her personal data and, if so, which data we have collected and on what basis, as well as the purposes of its use;
  • The right to access his/her personal data, enabling him/her to receive a copy of the personal data collected and stored by the organisation and determine whether the data is processed lawfully;
  • The right of rectification: data subject has the right to obtain from the Organisation the rectification of incomplete or inaccurate personal data concerning him/her;
  • The right to erasure of personal data when no reason exists for further processing or where he/she exercises his/her right to object;
  • The right to object to further processing of personal data, where we refer to the legitimate commercial interest (including the legitimate interest of a third party) on grounds relating to his/her particular situation; Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing;
  • The right to obtain from the controller restriction of processing which means suspending the processing of data, for example if a data subject wishes to establish the accuracy or verify the grounds for further processing of personal data;
  • The right to transmit to another controller the personal data concerning him or her, where technically feasible;
  • The right to withdraw the consent given for the collection, processing and transfer of personal data for a particular purpose; Upon receipt of a notice of withdrawal of consent, we shall cease to process personal data for the purposes initially set out, unless we have other legal basis to do so lawfully.

If wishing to exercise any of the above rights, a data subject may e-mail the request to us. We shall reply to a data subject’s request without undue delay, i.e. within one month at the latest. If this time limit were extended (up to two additional months at the most), taking into account the complexity and number of requests, a data subject shall be informed thereof. Access to personal data and acquired rights is free of charge for the data subject. However, a reasonable charge may be made if the data subject's request is manifestly unfounded or excessive, especially if submitted repeatedly. In such a case, we may also refuse the request. When exercising rights under this title, we may need to request certain information from the data subject to assist us in verifying the identity of the data subject, which is only a security measure to ensure that personal data is not disclosed to unauthorized persons.

If a data subject has reasonable belief that his or her rights have been infringed, he or she may contact the supervisory body (Information Commissioner) for protection or assistance:

For any questions regarding the processing of personal data, the individual may always contact us by sending an e-mail.

10. Changes to the Personal Data Protection Policy

Any change to our Personal Data Protection Policy is posted on our website:

By using the website, the individual confirms that they accept and agree to the full content of this Privacy Policy.