Management of the internal payment service solution

Context 

The University of Namur has set up an internal electronic payment service to make payments for paid services. 

This solution allows users of this service to load money into their electronic account to pay for certain services available at the University of Namur (photocopies, printing, etc.) via a loading station and an online application.

Categories of personal data processed and purposes of use

For the purposes of this activity, the University of Namur processes data in the following categories:

  • General identification data [category including the following type of data: surname, first name, postal address, e-mail addresses, copy of identity card, identity photograph, telephone number, etc.]
  • Identifiers assigned by UNamur [category grouping the following type of data: student number, internal registration number, eID for access to internal resources, access card identifiers, student card number ...].
  • Banking and financial data of natural persons [category grouping the following type of data: bank account number, IBAN code, VAT details, etc.].
  • Payment data [category grouping the following type of data: data relating to a transaction, amount, date of payment, debtor, creditor, purpose of the transaction ...]
  • Authentication data [category covering the following type of data: log in, passwords, password modification date, token ...]
  • Data related to IT resources [category regrouping the following type of data: data related to user accounts, electronic communications, use of applications and software, use of storage tools in the IT resources made available ...]
  • Connection and logging data [category grouping the following type of data: dates and times of connection, type of operation carried out, user identifier, IP addresses, type of data accessed ...].
  • Data related to an IT incident [category grouping the following type of data: data related to incidents linked to the use of IT resources, date and time of the incident, nature of the incident, imputability...]
  • Data related to the category of users [category including the following type of data: staff member, student, external ...].
  • Data relating to the access card [category grouping the following type of data: card number, expiry date...].

This data is used to :

  • Manage user accounts specific to the payment solution
  • Manage the use of the payment solution
  • Manage refunds of unused balances
  • Manage IT support related to the use of the payment solution 

Basis of lawfulness of data processing

The University of Namur is entrusted with missions of public interest in terms of teaching, research and services to the community. For the purposes of carrying out these missions, the University of Namur processes the data of all staff members and students, as well as of external persons who so request (Article 6, (1), e) of the GDPR) to allow access to the paying services offered by the University.

Categories of data subjects

The categories of persons whose data are processed for the purposes of the activity are as follows:

  • Staff members
  • Registered students
  • External beneficiaries of university resources

Data Sources

The data included in the processing activity come from the following source(s):

  • The data is contained in a University database
  • The data is generated by an activity of the person

Data recipients

Data are processed only by persons and services of the University for the purpose of carrying out the activity. The internal recipients of the data belong mainly to the following categories

  • Staff of the University's administrative services
  • Staff of the IT support services

External data recipients belong to the following categories

  • Accounting and financial bodies
  • External service providers

The solution is hosted on behalf of UNamur by the service provider Xafax Belgium on European territory, with access to the services in the form of a webservice (MyNetPay).

In order to be able to recharge the accounts, data relating to payments and transactions may be provided to payment service providers, Worldine for recharges via physical recharging terminals and Mollie for online recharges via the user account. Other methods of reloading the online account involve the provision of data to third party service providers by the user (payment via Bancontact involving a redirection to the Bancontact application) or to a bank interface (currently Belfius).

Characteristics of the processing 

The data linked to the user account specific to the payment solution is kept as long as this account is active. This account is deleted one year after the user has been deactivated as a beneficiary of access to paid services (e.g. when he/she ceases to be a reader of the UNamur libraries or to be a student). The balance of the account is kept if it is not at zero to allow the repayment of the balance (maximum one year after the deactivation of the account).

Rights of data subjects

Data subjects have rights which are described on the www.unamur.be/en/privacy page. Any requests or questions relating to the Accounts can be addressed to .