Personal data protection

The General Data Protection Regulation (EU) 2016 of the European Parliament, implemented since May 25, 2018 in each of the countries of the European Union, reinforces the French Data Protection Act of 1978 as amended.

By appointing a Personal Data Protection Officer (DPD/DPO), the UPHF is committed to establishing a relationship of trust and protecting the privacy of students, staff members, partners... in compliance with this European regulation and law.

Personal law

The processing of personal data must not contravene the rights of the persons concerned.
The latter have several rights over this data:

  • The right to information: being able to know for whom and for what purpose this data is collected.
  • The collection of consent.
  • The right to object: being able to object to the reuse and processing of this data.
  • The right of access: to be able to consult the data collected
  • The right of rectification and deletion: to demand that data be modified, completed, updated or even deleted.
  • The right to portability: to be able to receive data concerning her and transmit it to another data controller.

For more details, you can visit the CNIL page dedicated to people's rights.

The request for application of these rights will have to contain the reason for the request as well as the applicant's contact details.
He/she will also have to prove his/her identity on the spot or by sending a proof of identity (photocopy of CMS card, or of an ID...).

  • Students can contact their pedagogical secretariat or the Pôle Formation et Vie Étudiante (Maison des services à l'étudiant building)
  • Staff can contact the Human Resources Department (Froissart building)

Obligations of persons processing personal data

Since the application of the RGPD, the principle of declarative logic for personal data processing has been replaced by a principle of accountability.
The data controller, represented by the President of the University, must demonstrate compliance through documentation (processing activity entered in the register, subcontracting contract, empowerment procedure...).

By default and right from the design stage of a personal data processing project, the staff responsible for its implementation are required to comply with the principles of personal data protection rules:

  • Purpose principle: data processing must be legal and legitimate.
  • Proportionality and Relevance of data: the data processed must be strictly necessary with regard to the purpose.
  • Data retention period :Data must be retained for a limited period.
  • Security obligation : the security and confidentiality of data must be guaranteed.
  • People's rights: people's rights must be respected.

The DPO's mission is to help and support data processing project managers in their compliance process.

By an order dated October 7, 2021, the President of the UPHF and the Director of the INSA HdF have designated RGPD correspondents responsible for cooperating with the DPO and contributing more specifically within their structure to supporting project managers in the compliance of their data processing.

Provacy, UPHF's RGPD registry tool

The treatment register is available via the Provacy tool, accessible from your ENT.

Staff can register and begin their compliance process in a draft treatment.
The DPO is responsible for publishing the treatment if its compliance is demonstrated.

Data Protection Officer

Contact : Guy Bisiaux - dpo@uphf.fr