Privacy and cookies

Privacy
Overview

In accordance with Article 13 of Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR), in this notice the University of Milan (also referred to below as the 'University' and represented by the Rector pro tem) provides users of the University's web portal (www.unimi.it) and sites with URLs ending in *.cdl.unimi.it with information on how their personal data will be used. 

This notice only applies to the internet sites referred to above. It follows that the information in this document does not apply to websites other than those referred to above, including where accessed via links provided in the same.

This is without prejudice to compliance by the University with the legislation in force on transparency and on the compulsory disclosure of data and documents.

1. Data Controller, Data Protection Officer (DPO) and Data Processor

The Data Controller is the University of Milan, represented by the

Rector pro tem,
Via Festa del Perdono 7,
20122 Milan, e-mail [email protected].

In accordance with Article 37 et seq. of Regulation EU 2016/679 (the GDPR), the University has appointed

Prof. Pierluigi Perri as DPO. c/o 'Cesare Beccaria' Dept. 
Via Festa del Perdono 3, 20122 Milan,  e-mail [email protected].

The data processor for provision of the University Portal services is the CINECA consortium, registered office Via Magnanelli 6/3, 40033 Casalecchio di Reno (BO).

2. Types of data processed

During normal operation and using automated systems, the IT systems and application procedures that operate the internet sites referred to above acquire the following types of data:

  1. browsing data captured during the visit to the website,  the transmission of which is implicit in the use of Internet communication protocols, examples here being: IP address for the device connected to the site, type of browser used, name of the internet service provider or ISP, date and time of the visit and the visitor's referral and exit web page, etc;
  2. browsing data captured via Google Analytics, using all appropriate mechanisms to reduce the possibility of connecting users being identified, examples here being: type of device used to connect, town connected from and duration of visit to a site, etc.;
  3. data relating to the browsing session captured via New Relic in order to monitor application performance and use of the resources. There is no user or IP profiling; the data captured stays in the form of aggregated statistical data;
  4. data captured via cookies during user browsing of the site; further information about the cookies used on the web portal or by the sites that make up its system can be found in the cookie policy in full as annexed.
3. Purposes of the processing

The data captured is only used for the University's institutional activities and in order to:

  1. allow browsing of the University's web portal (www.unimi.it) and sites with URLs ending in *.cdl.unimi.it;
  2. provide the user with the information and services required (specific notices in summary form appear on the pages of the portal that deal with specific on-demand services);
  3. gather anonymous statistical information on use of the University's web portal or the connected services, check that it is working properly, conduct monitoring to ensure its security and identify the steps to be taken to improve it (in terms of the browsing data);
  4. discharge obligations pursuant to law, comply with orders issued by public authorities, establish liability in the event of cybercrimes committed against the site or its users.
4. Legal basis for the processing

The legal bases for the processing are the following:

  • discharge of duties of public interest;
  • processing of data to prevent and put a stop to fraud and any other unlawful activity;
  • processing required in order to perform a contract that the data subject is a party to; 
  • the data subject's consent in accordance with Article 6 (1) of the GDPR.

Provision of the data, and, therefore, consent to the capture and processing of the data, is optional. Users can withhold consent and can withdraw consent previously provided at any time.

Where consent is withheld, however, this may mean that certain services cannot be provided and may affect the user's experience when browsing the University's web portal and unimi.it domain sites.

5. Manner of processing

The personal data captured is processed in accordance with the principles of lawfulness, fairness and transparency established in Article 5 of the GDPR, including with the use of IT and telecommunications tools that can store and manage the said data and, therefore, can guarantee its security and ensure maximum confidentiality for the data subject. 

As data processor, the processing by the CINECA consortium is only for the purposes set out at point (3) and is done in such a way that ensures that the personal data is kept sufficiently secure, including protection, via adequate technical and organisational means, from unauthorised or unlawful processing and from loss, destruction or accidental damage.

6. Use of cookies

Cookies are small text files that a website sends to the browser used to browse online to be stored and sent back to that site on a subsequent visit. 

These cookies capture information about a user visiting a website (e.g. date, time, pages visited, time spent on the site, etc.); some of this information can be classed as personal data and is therefore subject to specific provisions of the law.

The internet sites referred to above use various types of first-party and third-party cookies for the purposes set out in the full notice annexed. Please see that notice for further details.

7. Categories of parties authorised to carry out processing and to whom the data might be communicated

Users' personal data will, in accordance with the relevant legislation in force, be disclosed to and processed by the University's employees and contract staff (identified as persons authorised to carry out processing) who operate the portal and are involved in providing the services associated with it.

The data will only be communicated to:

  1. University departments that ask for it for the University's institutional purposes or in accordance with legislative requirements;  
  2. not-for-profit public bodies or consortiums that the University has an interest in (e.g. MUIR - the Ministry for Education, Universities and Research) where necessary so that the organisation requesting the data can perform its institutional duties;
  3. external parties, identified as processors pursuant to Article 28 of the GDPR, with an up-to-date list of the same available to the data controller at any time;
  4. the authorities responsible for public order and safety or other public bodies for the purposes of defence, State security and criminal investigations or the judicial authorities in accordance with obligations pursuant to law, where criminal offences are suspected. 

For the purposes of the processing of the data required in order to carry out their duties and responsibilities, the data may come to the attention of the individuals (employees or contract staff) authorised by the CINECA Consortium, being the data processor. Other than in the above cases, the personal data will not be communicated or circulated to third parties in any manner or for any reason.

Finally personal data will not be transferred to third countries or international organisations unless strictly relating to specific requests by the user, for which the appropriate consent will be obtained.

8. Storage period

Where the various reasons and purposes for which it is collected are concerned, the data will be stored for the period of time established by the relevant legislation or for such period of time as is strictly necessary in order to the purposes to be achieved.  More specifically:

  • browsing data will be stored for no longer than 365 days;
  • browsing data captures by Google Analytics will be stored for no longer than 26 months;
  • data relating to the browsing session captured via New Relic will be stored for no longer than 24 hours;
  • data captured via cookies will be stored for no longer than the period of time referred to in the full notice attached.
9. Rights of the Data Subject

In the appropriate cases, data subjects have the right to obtain, from the University of Milan, access to their personal data and to have that data rectified or erased or to restrict the processing data concerning them or object to such processing (Article 15 et seq. of the Regulation).

Requests should be submitted to the Data Protection Officer (Data Protection Officer, Via Festa del Perdono 7, 20122 Milan - e-mail: [email protected]).

10. Right to complain

Data subjects who consider that the processing of their personal data via this site is in breach of the provisions of the Regulation are entitled to lodge a complaint to the Data Protection Authority in accordance with Article 77 of the Regulation or to bring proceedings in the appropriate courts (Article 79 of the Regulation).

11. Third parties

The University's web portal (www.unimi.it) and the sites with a *.cdl.unimi.it URL use 'third parties'' content and services as a result of the incorporation of external resources or the implementation of technologies to increase functionality and improve users' browsing experience.

As a result, while they are browsed, certain technical and/or profiling cookies are sent by third parties to the terminal that the users are on, without the data controller being aware or being able to intervene.

Set out below is a list of the services activated on this website plus links to the corresponding privacy notices and cookies:

For further information on the services listed above and to understand how to opt-out (erasure), please see the corresponding privacy policies.

12. Changes to the information

This information may be changed over time. You should therefore check that you are looking at the latest version by going to the Privacy section on the web portal www.unimi.it.

12. Changes to the information

This information may be changed over time. You should therefore check that you are looking at the latest version by going to the Privacy section on the web portal www.unimi.it.

Cookies
Introduction

In accordance with the provisions of the data protection legislation in force, in this notice the University of Milan (represented by the Rector pro tem), as data controller, provides users with the necessary information about the cookies used by the internet site www.unimi.it and by the sites with a *.cdl.unimi.it URL.

This notice, which only applies to the websites referred to above, is an integral part of the corresponding Privacy Notice, to which reference is made for further information.

1. Data Controller, Data Protection Officer (DPO) and Data Processor

The Data Controller is the University of Milan, represented by the Rector pro tem, Via Festa del Perdono 7, 20122 Milan, e-mail [email protected]

In accordance with Article 37 et seq. of Regulation EU 2016/679, the University has appointed the following person as Data Protection Officer (DPO): Prof. Pierluigi Perri, c/o 'Cesare Beccaria' Dept., Via Festa del Perdono 3, 20122 Milan, e-mail [email protected].

The data processor for provision of the University Portal services is the CINECA consortium, registered office Via Magnanelli 6/3, 40033 Casalecchio di Reno (BO).

2. What are cookies?

Cookies are small text files sent by a website to a user's computer or other device used for browsing (e.g. a smartphone or tablet), where they are stored and then sent back again on the user's next visit to that particular website.

Cookies can be stored permanently and for different periods of duration ('persistent cookies'), but can also disappear once the browser is closed or be for a limited duration ('session cookies').

Similarly, cookies can be installed by the site visited ('first-party cookies') and by other websites ('third-party cookies') and are used to perform IT authentications, monitor sessions and store information about the activities of users who visit a certain site.

3. Use of cookies

The internet sites mentioned above use various types of cookies in order to speed up and simplify the browsing experience and make it more efficient.

These cookies capture information about a user visiting a website (e.g. date and time, pages visited, time spent on the portal, etc.); some of this information can be classed as personal data and is therefore subject to specific provisions of the law.

If certain cookies are disable, this website may not work correctly.

4. Cookies used by the site

The internet sites mentioned above use first-party technical cookies that enable them to operate, monitoring cookies similar to the technical cookies and third-party cookies.

Cookies are not used for specific profiling purposes or for purposes other than those set out here. Profiling cookies or cookies with purposes other than those mentioned here may, however, be installed when the third-party services listed in paragraph 11 of the Privacy Notice are used.

4.1 First-party technical cookies

The websites mentioned above use technical cookies (browsing, functionality, session and/or persistent cookies) or similar in order to operate and be viewed correctly, allow authentication for reserved areas or improve the user experience (e.g. by storing a user's language preference or saving their back-end access credentials for next time).

As no consent is required for their installation, these cookies will always be used and sent to the browser in use unless the user changes their settings (with the result that correct use of the services or the content made available will be hampered). 'First-party' cookies collected by the site are processed by the external data processor (the CINECA consortium) at its premises, where it makes the log files on behalf of the data controller.

Technical cookies used:

Name

Domain

Source

Function/Data captured 

Expiry

SESS*

. www . unimi .it

Drupal

Cookie used to manage the authenticated user's session

23 days

4.2 Monitoring cookies

The University of Milan uses a service called 'Google Analytics' to analyse the web traffic conveyed by the internet sites mentioned above in order to check that they are operating properly, provide support in terms of their security and take steps to improve the services that they provide  The service is implemented via Google Tag Manager.

Using Google Analytics involves using cookies via which Google obtains information in a completely anonymous format such as that listed below. By way of example only:

  • the IP address assigned to the device being used;
  • the browser used to browse the portal;
  • geographical area, preferred language, date and time of visit to a specific section of the web site;
  • information relating to the source site or the landing page.

The information obtained relating to use of the internet portal will be processed by Google in accordance with its notice on https://www.google.com/analytics/terms/it.html and http://www.google.com/intl/it/privacy/privacy-policy.html.

By browsing this site, you consent to the processing of your data by Google in the manner and for the purposes referred to above or stated by the service provider.

Using the service described here, the University of Milan adopts any measures necessary in order to reduce the powers of identification that the cookies have by:

  • IP anonymization
  • avoiding the data captured being crossed with other information. 

As a result, the Google Analytics monitoring cookies are to be treated as technical cookies, which do not need the user's consent in order to be used.

Users of the portal can, however, disable Google Analytics by installing the opt-out provided by Google on their browser. 

To disable Google Analytics, follow this link: https://tools.google.com/dlpage/gaoptout.

Other analytics services

A service that monitors the web applications, called 'New Relic' is also in operation, which measures the use of the resources and performance. This does not involve user or IP profiling; the data captured stays in the form of aggregated statistical data.

The website also uses the Web Analytics Italia service, based on Matomo, whose  privacy policy  is available. The cookies used by Matomo do not allow for user identification or profiling, and can be enabled or disabled by the user.

Monitoring cookies

Name

 Domain

Source

Type - Function/data captured

Expiry

_ga

 

.unimi.it

Google

Records a unique ID used to generate statistical data on how the visitor uses the site

24 months (2 years): the expiry date is renewed on every hit

_gat_gtag

 

.unimi.it

Google

Used to capture anonymous data on site visit statistics

1 minute

_gid

 

.unimi.it

Google

Records a unique ID used to generate statistical data on how the visitor uses the site

24 hours

JSESSIONID

.nr-data.net

New Relic

Used by New Relic for counting purposes in relation to the session in order to monitor the application

When the browsing session ends

_pk_id .unimi.it Matomo used to store a few details about the user such as the unique visitor ID 13 months
_pk_ses .unimi.it Matomo short lived cookies used to temporarily store data for the visit 30 minutes
4.3 Third-party cookies

As referred to in paragraph 10 of the Privacy Notice relating to the University portal's internet sites system, this web application uses certain functionalities provided by other organisations ('third parties') to improve the user's browsing experience. 

As a result of specific extensions being installed (modules, plugins or widgets) or content hosted on external platforms being incorporated, third-party cookies might be sent to and from any sites that do not belong to the University.

In order to use this type of cookie, the data subject's consent is required in advance; this consent can be revoked at any time by following the instructions in paragraph 5 of this notice.

The information captured by 'third parties' cannot be accessed by the data controller.  In terms of how this information is handled, please refer to the relevant notices.

Third-party cookies used

Name

Domain

Source

Type - Function/data captured

Due Date

qos_token

.openstreetmap.org

OpenStreetMap

 

Used in context with the website's map-content. The cookie is set by OpenStreetMap in order to limit the number of requests over a given time span. 

1 hour  

WFESessionId

app.powerbi.com

Microsoft Power BI

Captures information on the browsing session

When the browsing session terminates

ai_session

app.powerbi.com

Microsoft Power BI

Maintains user status while requests to see web pages are sent

1 hour 

ai_user

app.powerbi.com

Microsoft Power BI

Used by Microsoft Application Insights to capture information for statistical and telemetric purposes. The cookie stores a unique ID in order to recognise users who visit a site again over time.

365 days

ig_putma .infogram.com Infogram HTTP Cookie for statistic purpose on behaviors of website visitors. End of session
  • 1P_JAR
  • CONSENT
  • NID
  • DV
.google.com Google

These cookies are set on the user's terminal only after clicking on the youtube video player.
These cookies store user information and preferences (e.g. language preference), which could be used by Google for marketing purposes.

  • 1 month
  • up to 20 years
  • 6 months
  • 6 hours
5. How to opt out of cookies

Preferences in relation to cookies can be managed directly within the browser used in order to prevent third parties from capturing data indiscriminately (for example).

By using browser preferences, cookies that have been installed can be deleted; this includes cookies in which consent (if granted) to the installation of cookies by this site is stored.

Information on how to handle cookies with some of the more popular browsers can be found on the following web pages:  

Cookies can also be deactivated as explained in the notices provided directly by the third parties listed in paragraph 11 of the Privacy Notice, which this notice is an annex to.

Additional information on the choices that can be made where cookies are concerned can be found at www.youronlinechoices.com.

6. Changes to this notice

This information may be changed over time. You should therefore check that you are looking at the latest version by visiting this web page.