The University of Milan manages daily thousands of pieces of personal data for students, professors and technical-administrative staff, as well as for all those who frequent our offices or browse the unimi.it portal.
To ensure maximum transparency regarding methods of personal data management, the University of Milan has dedicated this page to informing users about the internal regulations for implementing The General Data Protection Regulation (EU) 2016/679 (GDPR), also referred to as the Privacy Code, as well as the rights of the persons to whom the data refers.
- The European Regulation on the protection of personal data, approved on 27 April 2016 and published in the Official Journal of the EU on 4 May 2016, and became effective on 24 May of the same year. The regulation is directly applicable from 25 May 2018 in all member states.
- The Italian Legislative Decree 196/2003 – Italian Data Protection Code, amended by Legislative Decree 101/2018, "Provisions for the adaptation of the national legislation to the provisions of the regulation (EU) 2016/679", is the main national reference point concerning privacy. The framework is completed with the provisions and decisions of the Italian Guarantor Authority for the protection of personal data.
- With the entry into force of EU Regulation 2016/679 and following the amendments made to Legislative Decree 196/2003 by Legislative Decree 101/2018, the University revised its internal policies on personal data processing to reflect the new provisions, and adopted the new Regulations on the protection of personal data of the University of Milan, in force from 30 March 2021. As of the same date, the 2004 University Regulations on the protection of personal data and the Sensitive Data Regulations are no longer in force.
When personal data relating to internal and external parties is collected, the University of Milan and its facilities are obliged to furnish information regarding the purposes and methods of data collection and processing.
The rights of data subjects are governed by articles 15-22 of EU Regulation 2016/679.
The data subject has the following rights:
• The right of access, as follows:
- confirming whether or not their personal data is being processed
- obtaining access to the data and the following information:
- purposes of data processing
- categories of personal data
- recipients or categories of recipients to whom the personal data have been or will be communicated, particularly for third-country recipients or international organizations; in this case, adequate guarantees must be provided
- the estimated data retention period, if possible, or the criteria used to determine it
- the right of the data subject to ask the data controller to rectify or erase their personal data, or restrict processing, and to object to data processing for specific reasons
- the right to lodge a complaint with a supervisory authority
- if the personal data is not collected from the data subject, any available information regarding its source
- the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the underlying rationale, as well as the importance and the expected consequences of such processing to the data subject.
• The right to rectify inaccurate personal data
• The right to supplement incomplete personal data
• The right to erase their personal data ("Right to be forgotten"), including any link, copy or reproduction, in the following cases:
- the data is no longer required for the purposes for which it was collected or otherwise processed;
- the data subject withdraws their consent to data processing and there is no other legal basis for processing
- the data subject objects to data processing and there is no legitimate overriding reason to proceed
- the personal data has been unlawfully processed
- the data must be erased to comply with a legal obligation
- the data relates to children under the age of 16 and was collected in relation to the provision of IT services.
The exercise of this right entails the obligation for the Data Controller who has made the data public, taking into account available technology and implementation costs, to take reasonable measures to inform the other Data Controllers who are processing the data of the data subject's request.
• The right to restrict processing, in the following cases:
- the data subject challenges the accuracy of personal data (for the period required for the Data Controller to verify its accuracy)
- the processing is unlawful, the data subject objects to erasure of their personal data and instead requests the restriction of its use;
- although the Data Controller no longer needs it for the purposes of processing, personal data is necessary for the data subject to establish, exercise or defend a right in court
- the data subject objected to the processing, pending verification as to whether the legitimate reasons of the Data Controller override those of the data subject.
• The right to data portability, for automated processing based on the consent of the data subject or on an agreement signed with the same.
It consists of the right to receive, in a structured format, commonly used and readable by an automatic device, the personal data provided to a Data Controller and forward them to another Data Controller. If technically feasible, the data is transferred directly from one Data Controller to another.
• The right to object to data processing, in whole or in part, in the following cases:
- for specific reasons, in the case of processing in the public interest or by a public authority and in the case of processing in the legitimate interest of the Data Controller or third parties. The Data Controller refrains from further processing the data, unless it proves the existence of binding legitimate reasons overriding the rights of the data subject or aimed at establishing, exercising or defending a right in court;
- in the case of processing for direct marketing purposes, including profiling in so far as it is connected to marketing itself;
- for specific reasons, in the case of processing for scientific or historical research purposes or for statistical purposes, unless processing is required in the public interest.
• The right not to be subject to a decision that is based solely on automated processing, including profiling, which produces legal effects concerning the data subject or which significantly affects them (except in cases where the decision is necessary for the closing or execution of an agreement between the Data Controller and the data subject; or is authorized by EU or national regulations governing the Data Controller; or is based on the data subject's consent).
• The right to lodge a complaint with the Data Protection Authority (possibly using the template made available by the Data Protection Authority).
How to exercise your rights
You can exercise your rights, without prejudice to the lodging of a complaint with the supervisory authority, by means of a written request with a copy of your ID, possibly using the template made available by the Data Protection Authority, to be delivered to the Data Controller (University of Milan), including through its Data Protection Officer, as follows:
- in person to the offices in charge of data processing (e.g. Student Registrar, Salary, Benefits and Independent Contractor Division, Organisational Development and Hr Division)
- via certified e-mail (PEC) to email@example.com. The request must be addressed to the office in charge of data processing
- via e-mail to: firstname.lastname@example.org
- via certified e-mail (PEC) to: email@example.com
- by mail to the University of Milan, Via Festa del Perdono 7, 20122 - Milan, for the attention of the Archive and Filing Office.
The request may be submitted by a delegate of the data subject, showing or attaching a copy of a signed proxy, a copy of their ID as well as of the data subject's ID.
Response time: up to 1 month, which may be extended to 3 months in very complex cases, with prior notice to the data subject.
Costs: the exercise of rights is free of charge. However, in the event of manifestly groundless or excessive (including recurring) requests, the data subject may be charged a fee based on the administrative costs incurred by the Data Controller.