The University of Milan manages daily thousands of pieces of personal data for students, professors and technical-administrative staff, as well as for all those who frequent our offices or browse the portal.

To ensure maximum transparency regarding methods of personal data management, the University of Milan has dedicated this page to informing users about the internal regulations for implementing The General Data Protection Regulation (EU) 2016/679 (GDPR), also referred to as the Privacy Code, as well as the rights of the persons to whom the data refers.

  • The European Regulation on the protection of personal data, approved on 27 April 2016 and published in the Official Journal of the EU on 4 May 2016, and became effective on 24 May of the same year. The regulation is directly applicable from 25 May 2018 in all member states.
  • The Italian Legislative Decree 196/2003 – Italian Data Protection Code, amended by Legislative Decree 101/2018, "Provisions for the adaptation of the national legislation to the provisions of the regulation (EU) 2016/679", is the main national reference point concerning privacy. The framework is completed with the provisions and decisions of the Italian Guarantor Authority for the protection of personal data.
  • The University of Milano has activated the Code with regards to its responsibilities relating to institutional activities through the University Regulation on personal data protection, approved on December 2, 2004, and with the Sensitive Data Regulation, approved on March 28, 2006 and last amended by Rectoral Decree 288432 of 12/13/2013.
  • Both university regulations are being updated in the light of EU Regulation 2016/679 and Legislative Decree 101/2018.

Data Protection Officer

Pursuant to Article 37 and subsequent articles of EU Regulation 2016/679, the University of Milan has appointed the following Data Protection Officer (DPO):

Pierluigi Perri
Via Festa del Perdono 7, 20122 Milano

Contact information for the Guarantor for data protection:

The controller of personal data processing, in line with the regulations currently in force, is the current chancellor (Data Controller).

In order to manage personal data more effectively and within the context of reference, the Data Controller appoints Managers, who in turn choose the Processors, that is, those who actually process the data.

Data Controller
The current chancellor

• Department directors
• Research centre directors
• Directors of Postgraduate Schools
• Division Heads
• Directors of Functional Centres and Service Centres
• Library directors
• Heads of offices and staff services
• Secretary of the Chancellor and of the Director-General

Appointed by the managers

The management of privacy policies at a central level is entrusted to the Legal Department and Central Purchasing Office, Legal Sector, which is the legal point of reference for Managers and Processors in the daily processing of personal data.

The rights of the persons to whom the personal data refer are governed by Articles 15-22 of EU Regulation 2016/679.

The rights of those concerned:

  • Access
  • Rectification
  • Integration
  • Cancellation
  • Treatment limitation
  • Data portability
  • Opposition to processing
  • Selection to not be the recipient of decisions based on exclusively automated processing
  • Claim to the supervisory authority

Exercise of rights

Contact the Data Protection Manager:

  • by e-mail at:
  • by registered mail, with a period for reply from 1 to 3 months


The exercise of rights is free of cost.