Privacy
The University of Milan manages a large quantity of personal data on a daily basis, including information relating to students, professors, technical-administrative staff, and to anyone who visits our campuses or browses this website.
To ensure maximum transparency on the management of personal data, we have dedicated this page to informing users about their rights as data subjects, and about internal policies adopted by the University to implement Regulation (EU) 2016/679 — i.e. the General Data Protection Regulation of the European Union — and the Italian Personal Data Protection Code.
- The General Data Protection Regulation (GDPR), approved on 27 April 2016 and published in the Official Journal of the EU on 4 May 2016, entered into force on 24 May of the same year. The Regulation has been directly applicable in all Member States since 25 May 2018.
- Legislative Decree no. 196/2003 is the main piece of national legislation relating to data protection. It is also known as the "Italian Personal Data Protection Code", or simply "Privacy Code". The legal framework is completed by the provisions and decisions of the Italian Data Protection Authority.
- Following the entry into force of Regulation (EU) 2016/679 and the amendments made to Legislative Decree 196/2003 by Legislative Decree 101/2018, the University revised its internal policies on personal data processing to reflect the new provisions. The main result of this process was the adoption of the new Regulations on the Protection of Personal Data of the University of Milan, which has been in force since 30 March 2021.
Data Protection Officer (DPO)
Pierluigi Perri
Via Festa del Perdono 7, 20122 Milan
E-mail: [email protected]
Privacy and DPO Support Office
E-mail: [email protected]
For all activities entailing the collection of personal data, the University of Milan has an obligation to inform all data subjects (not only students and staff, but also external parties) about how their data are collected and processed, and for which purposes.
The rights of data subjects are governed by articles 15-22 of EU Regulation 2016/679.
The data subject has the following rights:
• The right of access, as follows:
  - confirming whether or not their personal data is being processed
  - obtaining access to the data and the following information:
    - purposes of data processing
    - categories of personal data
    - recipients or categories of recipients to whom the personal data have been or will be communicated, particularly for third-country recipients or international organizations; in this case, adequate guarantees must be provided
    - the estimated data retention period, if possible, or the criteria used to determine it
    - the right of the data subject to ask the data controller to rectify or erase their personal data, or restrict processing, and to object to data processing for specific reasons
    - the right to lodge a complaint with a supervisory authority
    - if the personal data is not collected from the data subject, any available information regarding its source
    - the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the underlying rationale, as well as the importance and the expected consequences of such processing to the data subject.
• The right to rectify inaccurate personal data
• The right to supplement incomplete personal data
• The right to erase their personal data ("Right to be forgotten"), including any link, copy or reproduction, in the following cases:
  - the data is no longer required for the purposes for which it was collected or otherwise processed
  - the data subject withdraws their consent to data processing and there is no other legal basis for processing
  - the data subject objects to data processing and there is no legitimate overriding reason to proceed
  - the personal data has been unlawfully processed
  - the data must be erased to comply with a legal obligation
  - the data relates to children under the age of 16 and was collected in relation to the provision of IT services.
The exercise of this right entails the obligation for the Data Controller who has made the data public, taking into account available technology and implementation costs, to take reasonable measures to inform the other Data Controllers who are processing the data of the data subject's request.
• The right to restrict processing, in the following cases:
  - the data subject challenges the accuracy of personal data (for the period required for the Data Controller to verify its accuracy)
  - the processing is unlawful, and the data subject objects to erasure of their personal data and instead requests the restriction of its use
  - although the Data Controller no longer needs it for the purposes of processing, personal data is necessary for the data subject to establish, exercise or defend a right in court
  - the data subject objected to the processing, pending verification as to whether the legitimate reasons of the Data Controller override those of the data subject.
• The right to data portability, for automated processing based on the consent of the data subject or on an agreement signed with the same.
It consists of the right to receive, in a structured format, commonly used and readable by an automatic device, the personal data provided to a Data Controller and forward them to another Data Controller. If technically feasible, the data is transferred directly from one Data Controller to another.
• The right to object to data processing, in whole or in part, in the following cases:
  - for specific reasons, in the case of processing in the public interest or by a public authority, and in the case of processing in the legitimate interest of the Data Controller or third parties. The Data Controller refrains from further processing the data, unless it proves the existence of binding legitimate reasons overriding the rights of the data subject or aimed at establishing, exercising or defending a right in court
  - in the case of processing for direct marketing purposes, including profiling in so far as it is connected to marketing itself
  - for specific reasons, in the case of processing for scientific or historical research purposes or for statistical purposes, unless processing is required in the public interest.
• The right not to be subject to a decision that is based solely on automated processing, including profiling, which produces legal effects concerning the data subject or which significantly affects them (except in cases where the decision is necessary for the closing or execution of an agreement between the Data Controller and the data subject; or is authorized by EU or national regulations governing the Data Controller; or is based on the data subject's consent).
• The right to lodge a complaint with the Data Protection Authority (possibly using the template made available by the Data Protection Authority).
How to exercise your rights
You can exercise your rights, without prejudice to the lodging of a complaint with the supervisory authority, by means of a written request with a copy of your ID, possibly using the template made available by the Data Protection Authority, to be delivered to the Data Controller (University of Milan), including through its Data Protection Officer, as follows:
- in person to the offices in charge of data processing (e.g. Student Registrar, Salary, Benefits and Independent Contractor Division, Organisational Development and HR Division)
- via certified e-mail (PEC) to [email protected]. The request must be addressed to the office in charge of data processing
- via e-mail to: [email protected]
- via certified e-mail (PEC) to: [email protected]
- by mail to the University of Milan, Via Festa del Perdono 7, 20122 - Milan, for the attention of the Archive and Filing Office.
The request may be submitted by a delegate of the data subject, showing or attaching a copy of a signed proxy, a copy of their ID as well as of the data subject's ID.
Response time: up to 1 month, which may be extended to 3 months in very complex cases, with prior notice to the data subject.
Costs: the exercise of rights is free of charge. However, in the event of manifestly groundless or excessive (including recurring) requests, the data subject may be charged a fee based on the administrative costs incurred by the Data Controller.