Personal Data: General Personal Data Protection Policy

Preamble

Whether you are a student, staff member, external partner, supplier, or simply a visitor,Université Grenoble Alpes committed to protecting your personal data.

Committed to ensuring a high level of compliance,Université Grenoble Alpes data protection at the heart of its priorities. It continuously ensures compliance with Regulation (EU) 2016/679 of April 27, 2016, known as the General Data Protection Regulation (GDPR), as well as the French Data Protection Act of January 6, 1978, in its current version.

The purpose of this privacy policy is to provide you with clear, accessible, and transparent information about the University’s data processing activities and the rights you have in this regard.

In addition, each instance of personal data processing is accompanied by a specific privacy notice detailing its purposes, legal basis, recipients, retention period, and the relevant rights. These notices are systematically provided to the data subjects prior to the collection of their data.

View the Cookie Policy

Data controllers

Université Grenoble Alpes, represented by its President in his capacity as data controller, determines the purposes and means of the processing of personal data carried out under its responsibility.

Address:
Université Grenoble Alpes
621 Avenue Centrale
38400 Saint-Martin-d’Hères

Data Protection Officer

In accordance with Article 37 of the GDPR,Université Grenoble Alpes appointed a Data Protection Officer (DPO).

You can contact the DPO by email or by mail.

Email address :
DPOgrenet.fr

Mailing address:
DPO Office – DPO
Shared Information Systems Department (DSIM)
University Campus
31, rue des mathématiques
38400 Saint-Martin-d'Hères

What is your status?

Are you a student or an applicant?

What data do we process, and why?

Université Grenoble Alpes your personal data for the purposes of managing applications, enrollment, administrative and academic support, as well as providing guidance throughout your time at the university.

Data may also be processed for management, statistical, or survey purposes, for the organization of events, or in connection with student health services.

This processing is based on various legal grounds set forth in the General Data Protection Regulation (GDPR), including the performance of a task carried out in the public interest, compliance with legal obligations, the University’s legitimate interests, or, in certain cases, your consent.

For more details on the data processed, the specific purposes, and the rights that apply to you, please refer to the policy on the processing of candidate and student data, available on the website:

etudiant.univ-grenoble-alpes.fr

Are you a staff member or a job applicant?

What data do we process, and why?

Université Grenoble Alpes your personal data for the purposes of recruitment management, human resources administration, and monitoring of careers and professional life within the institution. 

Data may also be processed for the purposes of management, statistics, internal investigations, event management, or to provide employees with access to certain services.

This processing is based on various legal grounds set forth in the General Data Protection Regulation (GDPR), including the performance of a task carried out in the public interest, compliance with legal obligations, the University’s legitimate interests, or, in certain cases, your consent.

For more details on the data processed, the specific purposes, and the rights that apply to you, please refer to the policy on the processing of staff and applicant data on the staff intranet.

Are you a partner, supplier, or guest?

What data do we process, and why?

Université Grenoble Alpes your personal data in connection with the management of contractual or partnership relationships, the award and performance of contracts or agreements, the promotion of its activities, and your participation in projects, events, meetings, or activities organized by the institution.

The purposes of this processing include the administrative, financial, and logistical management of these relationships, institutional communications, the security of the premises, and compliance with the legal obligations applicable to the University.

They are based on various legal grounds set forth in the General Data Protection Regulation (GDPR), such as the performance of a contract or pre-contractual measures, compliance with a legal obligation, the performance of a task carried out in the public interest, or the University’s legitimate interests.

Data is collected during your interactions withUniversité Grenoble Alpes, whether in connection with contracts, events, or specific services.

The categories of data collected include:

• Identity and contact information: information used to identify and contact you.
• Professional information: details about your professional activities and your company.
• Connection data: information related to your use of digital services.
• Financial data: information regarding transactions and payment methods.
• For partners, suppliers, or guests, this data is used for purposes such as:
  • Managing contracts with suppliers or service providers.
  • Event management.
  • Management of external library user accounts. 

Université Grenoble Alpes to handling your personal data with the utmost care, providing you with transparent information about how your data is processed, and adhering to the principles of the General Data Protection Regulation (GDPR).

In this regard, specific notices are provided to you at the time your data is collected, depending on the context and the purposes of the processing.

Who has access to your data?

The personal data collected byUniversité Grenoble Alpes accessible only to authorized departments and staff, within the scope of their respective responsibilities and strictly in accordance with the purposes for which it was collected.

The University maintains strict controls over access permissions and ensures that only those who need access to the data as part of their duties are granted access.

Where appropriate, certain data may be shared with institutional, academic, or contractual partners, or with service providers acting on behalf of the University, within the framework of clearly defined tasks governed by contractual agreements.

These recipients are also subject to confidentiality and security obligations.

Finally, data transfers are carried out in accordance with the principle of data minimization, limiting the data shared to what is strictly necessary for the intended purpose.

How long is your data retained?

Université Grenoble Alpes your personal data only for as long as is strictly necessary to fulfill the purposes for which it was collected, in compliance with applicable legal, regulatory, or contractual obligations.

Retention periods vary depending on the nature of the data and the processing operations involved. They are established in accordance with applicable regulations and, where applicable, with the recommendations of the competent authorities or the rules governing public archives.
At the end of these periods, the data is either deleted or securely archived when longer retention is required for evidentiary or archival purposes.

In this regard,Université Grenoble Alpes , in particular,Université Grenoble Alpes the provisions of Directive "DAF DPACI/RES/2005/003 of February 22, 2005, on the sorting and preservation of records received and produced by departments and institutions involved in national education."

Security and Incident Management

How is your data secured?

Université Grenoble Alpes implemented technical, legal, and organizational measures to ensure that your data is protected appropriately, taking into account the nature and scope of the processing.

In accordance with Article 32 of the GDPR,Université Grenoble Alpes appropriate technical and organizational measures to ensure the security of the personal data it processes.

These measures are designed to ensure the confidentiality, integrity, availability, and resilience of information systems, as well as to prevent and detect security incidents.

Université Grenoble Alpes to continuously reviewing and improving these measures to protect users' personal data from security risks.

These measures are in accordance with the information system security policy ofUniversité Grenoble Alpes.

Data Breach Management

In the event of a personal data breach—whether internal or external, intentional or accidental—Université Grenoble Alpes to gather as much information as possible in order to respond quickly and prevent any recurrence.

A data breach is characterized by a loss of data integrity, availability, or confidentiality.

If the breach poses a risk to the rights and freedoms of the individuals concerned,Université Grenoble Alpes the CNIL within 72 hours. 

In the event of a high risk, those affected are notified immediately so that they can take the necessary measures.

If you become aware of a breach, please report it immediately to the Data Protection Officer (DPO) at the following address:

DPOgrenet.fr

Transfer of your personal data outside the European Union

In general, the personal data processed byUniversité Grenoble Alpes hosted and stored within the European Union.

However, certain processing activities may involve the transfer of data to countries outside the European Economic Area, particularly in the context of international partnerships, student mobility programs, or the use of certain digital tools.

In such cases,Université Grenoble Alpes that these transfers are subject to appropriate safeguards that comply with the requirements of the General Data Protection Regulation (GDPR), such as:

• A suitability decision by the European Commission.
• The signing of standard contractual clauses approved by the European Commission.
• Or any other warranty provided for by applicable regulations.

You can obtain additional information about these transfers by contacting the Data Protection Officer.

What are your rights, and how can you exercise them?

Université Grenoble Alpes your personal data in the course of its activities. In accordance with the GDPR, you have the following rights:

1. Right to be informed: You have the right to know all the details regarding the processing of your personal data, including the data involved, the purposes and legal bases for processing, retention periods, recipients, and all other relevant information concerning the processing.
2. Right of access: Any person may review all information concerning them, as well as its source, and obtain a copy of it.
3. Right to rectification: the right to request that data be corrected, supplemented, updated, or deleted.
4. Right to restrict processing: You may ask the organization to temporarily suspend the use of certain of your data. This right may be exercised, in particular, while your request to exercise another right is being processed.

And, depending on the processing activities and their legal basis:  

1. Right to erasure: You may request that your data be erased under certain conditions, including if it is no longer necessary for the purposes of the processing or if the processing is unlawful.
2. Right to data portability: allows you to retrieve some of your data in a machine-readable format, which may enable you to transfer it to another organization.
3. Right to object: You have the right to object to the use of your data by an organization for a specific purpose, citing a particular circumstance.
4. Right to withdraw your consent.
5. Right to request direct intervention by an employee: in the case of an automated decision or profiling.
6. The right to provide instructions regarding your personal data after your death.

You may contact the Data Protection Officer to exercise your rights or, more generally, for any questions regarding the protection of your data. 

You also have the right to file a complaint with the CNIL:

www.cnil.fr/fr/plaintes

Developments in Personal Data Protection Policy

This privacy policy is subject to change, particularly in light of changes in laws and regulations.