Awareness of Reporting Phishing Emails

PRIVACY NOTICE

INTRODUCTION
This Privacy Notice explains how the University of Luxembourg processes personal data in the context of the “Awareness of Reporting Phishing Emails at the University of Luxembourg” survey.
The survey responses of this project are, by default, anonymous and we will not be able to connect these survey responses to you in any way. We use the survey responses to identify differences between the university’s goal of phishing reporting and the level of awareness of phishing reports. The survey is also part of the master thesis by Kahye Ji, a student in the Master in Information and Computer Sciences, under the supervision of Prof. G. Lenzini and B. Stojkovski at the IRiSC research group of the SnT/UL.

However, participants willing to provide their email addresses may do so. This will let us compare your perception on how frequently you receive simulated phishing emails to the actual number sent to you by the University. If you wish to provide us with your email address in the survey, we will process the data as set out below.

1) WHO ARE WE ?
The University of Luxembourg is a public higher education and research establishment, operating under the supervision of the Ministry for higher education. The University has appointed a DPO: reachable during working hours. Further information on data protection is provided on https://wwwen.uni.lu/university/data_protection and an email address is available: dpo@uni.lu

2) PURPOSE, CATEGORIES OF PERSONAL DATA, LEGAL BASIS AND RETENTION PERIOD
We collect your personal data in order to calculate the level of preparedness against phishing attacks. The categories of personal data include: names, surnames, email addresses, number of phishing attacks received and the number of phishing attacks you are aware of. We will conduct an analysis by comparing both numbers to calculate the level of information security preparedness at an institutional level. The legal basis for the processing of your personal data is laid down in article 6 (f) GDPR: processing is necessary for the purposes of the legitimate interests pursued by the University of Luxembourg in terms of information security as that is the legitimate interest of the University to protect the confidential and personal data process at the University. The personal data will be deleted immediately after the analysis.

3) DATA COLLECTION, RECIPIENTS AND DATA TRANSFERS
We collect the personal data directly, as provided when you enter your email address, name, surname and phishing information on the survey. The personal data provided will only be accessed by Kahye Ji, Prof. G. Lenzini and B. Stojkovski. Your personal data will only be processed within the European Union.

4) YOUR RIGHTS
According to the GDPR, you benefit from the following rights: right to be informed, right to access to your personal data, right to rectification, right to erasure, right to restrict the scope of the processing, right to object, right to data portability, right to lodge a complaint. The University provides further information on its website page: https://wwwen.uni.lu/university/data_protection/your_rights.

You also have the right to lodge a with the Commission Nationale pour la Protection des Données (CNPD) at : Commission Nationale pour la Protection des Données,1, avenue du Rock’n’Roll, Service des réclamations, L-4361 Esch-sur-Alzette, Tel. : (+352) 26 10 60 -1, Fax : (+352) 26 10 60 -29. You can also use their contact form, at: https://cnpd.public.lu/fr/support/contact.html