Preamble

Whether you are a student, member of staff, external partner, supplier or simply a visitor, the University of Grenoble Alpes pays constant attention to the protection of your personal data.

Committed to ensuring a high level of compliance, the University of Grenoble Alpes places data protection at the heart of its priorities. It constantly monitors compliance with Regulation (EU) 2016/679 of 27 April 2016, known as the General Data Protection Regulation (GDPR), as well as the French Data Protection Act of 6 January 1978 in its current version.

The purpose of this personal data protection policy is to inform you, in a clear, accessible and transparent manner, about the processing carried out by the University and your rights in this regard.

Each processing operation involving personal data is also subject to a specific information notice detailing its purposes, legal basis, recipients, retention period and related rights. These notices are systematically brought to the attention of the persons concerned prior to the collection of their data.

Consult the cookies policy

Data controllers

The University of Grenoble Alpes, represented by its President as data controller, determines the purposes and means of processing personal data under its responsibility.

Université Grenoble Alpes  
621 avenue centrale 
38400 Saint-Martin-d’Hères

Data Protection Officer

In accordance with Article 37 of the GDPR, Université Grenoble Alpes has appointed a Data Protection Officer.
You can contact the DPO by email or post: 
Email address: dpo@grenet.fr
Postal address:
Mission DPO – DPO
Direction des Systèmes d’Information Mutualisés (DSIM)
Domaine universitaire
31, rue des mathématiques
38400 Saint-Martin-d'Hères

What is your status?

You are a student or applicant

What data do we process and why?
The University of Grenoble Alpes processes your personal data for the purposes of managing applications, enrolment, administrative and educational follow-up, and supporting your studies at the institution. 
Other processing may also be carried out for management, statistical, survey, event organisation or student health service purposes.
This processing is based on various legal grounds provided for in the General Data Protection Regulation (GDPR), in particular the performance of a task carried out in the public interest, compliance with legal obligations, the legitimate interests of the University or, in certain cases, your consent.
For more details on the data processed, the specific purposes and your applicable rights, please consult the policy on the processing of applicant and student data available on the website:
https://etudiant.univ-grenoble-alpes.fr/

You are a member of staff or an applicant

What data do we process and why?
The University of Grenoble Alpes processes your personal data for the purposes of recruitment management, human resources administration, career monitoring and professional life within the institution. 
Other processing may be carried out for management, statistical, internal survey, event management or access to certain services offered to staff purposes.
This processing is based on various legal grounds provided for in the General Data Protection Regulation (GDPR), in particular the performance of a task carried out in the public interest, compliance with legal obligations, the legitimate interests of the University or, in certain cases, your consent.
For more details on the data processed, the specific purposes and your applicable rights, please consult the policy on the processing of staff and applicant data on the staff intranet.

You are a partner, supplier or guest

What data do we process and why?
Grenoble Alpes University processes your personal data for the purposes of managing contractual or partnership relationships, awarding and executing contracts or agreements, promoting its activities, and in connection with your participation in projects, events, meetings or activities organised by the institution.
The purposes of this processing include the administrative, financial and logistical management of these relationships, institutional communication, the security of premises, and compliance with the legal obligations applicable to the University.
They are based on various legal grounds provided for in the General Data Protection Regulation (GDPR), such as the performance of a contract or pre-contractual measures, compliance with a legal obligation, the performance of a task carried out in the public interest, or the legitimate interests of the University.
Data is collected during your interactions with the University of Grenoble Alpes, whether in the context of contracts, events or specific services. 

The categories of data collected include:

• Identity and contact details: Information that allows us to identify and contact you.
• Professional data: Information relating to your professional activity and your company.
• Connection data: Information relating to your use of digital services.
• Financial data: Information relating to transactions and means of payment.
• For partners, suppliers or guests, this data is used for purposes such as:
  • Managing contracts with suppliers or service providers
  • Managing the organisation of events
  • Managing external library reader accounts 

The University of Grenoble Alpes strives to process your personal data with the utmost care, informing you in a transparent manner about how your data is processed and complying with the principles of the General Data Protection Regulation (GDPR).
In this regard, specific information notices are provided to you at the time your data is collected, depending on the context and purposes of the processing.

Who has access to your data?

Personal data collected by the University of Grenoble Alpes is only accessible to authorised departments and staff, within the limits of their respective responsibilities and in strict compliance with the purposes for which it was collected.
The University applies rigorous management of authorisations and ensures that only those who need access to the data in the course of their duties can access it.
Where applicable, certain data may be transmitted to institutional, academic or contractual partners, or to service providers acting on behalf of the University, within the framework of clearly defined and contractually supervised tasks. 
These recipients are also subject to confidentiality and security obligations.
Finally, data transfers are carried out in accordance with the principle of minimisation, limiting the data shared to what is strictly necessary for the purpose pursued.

How long are your data kept?

The University of Grenoble Alpes keeps your personal data only for the period strictly necessary to achieve the purposes for which they were collected, in compliance with the legal, regulatory or contractual obligations applicable to it.
Retention periods vary depending on the nature of the data and the processing involved. They are defined in accordance with the regulations in force and, where applicable, with the recommendations of the competent authorities or the rules applicable to public archives.
At the end of these periods, the data is either deleted or archived securely when longer retention is required for evidentiary or archival purposes.
In this respect, the University of Grenoble Alpes complies in particular with the provisions of instruction ‘DAF DPACI/RES/2005/003 of 22 February 2005 on the sorting and storage of archives received and produced by departments and establishments contributing to national education’.

Security and incident management

How is your data secured?

The University of Grenoble Alpes has defined technical, legal and organisational measures to protect your data in an appropriate manner according to its nature and the extent of its processing.
In accordance with Article 32 of the GDPR, the University of Grenoble Alpes implements appropriate technical and organisational measures to ensure the security of the personal data processed.
These measures aim to guarantee the confidentiality, integrity, availability and resilience of information systems, as well as to prevent and detect security incidents.
The University of Grenoble Alpes is committed to continuously reviewing and improving these measures to protect users' personal data against security risks.
These measures comply with the University of Grenoble Alpes' Information System Security Policy.

Data breach management

In the event of a personal data breach, whether internal or external, intentional or accidental, the University of Grenoble Alpes endeavours to gather as much information as possible in order to respond quickly and prevent any recurrence.
A data breach is characterised by a loss of data integrity, availability or confidentiality.
When the breach poses a risk to the rights and freedoms of the individuals concerned, the University of Grenoble Alpes notifies the CNIL within 72 hours. 
In the event of a high risk, the individuals concerned are informed without delay so that they can take the necessary measures.
If you notice a breach, please report it immediately to the Data Protection Officer (DPO) at the following address: dpo@grenet.fr 

Transfer of your personal data outside the European Union

In general, personal data processed by the University of Grenoble Alpes is hosted and stored within the European Union.
However, certain processing operations may involve data transfers to countries outside the European Economic Area, particularly in the context of international partnerships, student mobility or the use of certain digital tools.
In such cases, the University of Grenoble Alpes ensures that these transfers are subject to appropriate safeguards, in accordance with the requirements of the General Data Protection Regulation (GDPR), such as:

• an adequacy decision by the European Commission,
• the signing of standard contractual clauses approved by the European Commission,
• or any other safeguard provided for by the applicable regulations.

You can obtain further information on these transfers by contacting the Data Protection Officer.

What are your rights and how can you exercise them?

The University of Grenoble Alpes processes your personal data as part of its remit and, in accordance with the GDPR, you have the following rights:

• Right to be informed:   You have the right to know how your personal data is processed, as well as the data concerned, the purposes and legal bases, the retention periods, the recipients and all other information relating to the processing.
• Right of access: anyone can view all information concerning them and its origin, and obtain a copy.
• Right to rectification: you may request that your data be rectified, completed, updated or deleted.
• Right to restriction of processing: you may ask the organisation to temporarily freeze the use of some of your data. This right may be used in particular while your request to exercise another right is being processed.

And, depending on the processing and its legal basis:  

• Right to erasure: you can obtain the erasure of your data under certain conditions, in particular if it is no longer necessary for the purposes of the processing or if the processing is unlawful.
• Right to data portability: allows you to retrieve some of your data in a machine-readable format, enabling you to transfer it to another organisation.
• Right to object: you have the right to object to your data being used by an organisation for a specific purpose, highlighting a particular situation.
• Right to withdraw your consent.
• Right to request the direct intervention of an agent: in the case of an automated decision or profiling.
• Right to define guidelines regarding your personal data after your death.

You may contact the Data Protection Officer to exercise your rights or, more generally, for any questions relating to the protection of your data. 

You also have the right to lodge a complaint with the CNIL:
https://www.cnil.fr/fr/plaintes

Changes to the Personal Data Protection Policy

This privacy policy is subject to change, particularly in light of legislative and regulatory developments.