The information and the personal data supplied or otherwise collected shall be processed in accordance with the provisions of both the Regulation and the Privacy Code and in compliance with the confidentiality obligations inspiring UniSR activity.
According to the provisions of both the Regulation and the Privacy Code, any processing of personal data carried out by UniSR shall be lawful, fair and transparent and shall be consistent with the following principles: limitation of scopes and conservation, minimization of data, exactness, integrity and confidentiality.
2. Data Controller and Data Protection Officer
The controller of the personal data is Università Vita-Salute San Raffaele.
According to (i) Article 37 of the Regulation and (ii) the CODAU Guidelines, by resolution of the Board of Directors dated 22 January 2018, UniSR appointed GSD SISTEMI E SERVIZI S.C.A.R.L., with registered office located in Milan, Corso di Porta Vigentina no. 18, VAT no. 06959200962 (hereinafter referred to as “GSD”), as data protection officer (hereinafter referred to as the “DPO”).
The professional indicated by GSD for the purposes of the carrying out of the DPO activities is Mr. Gabriele Tettamanti.
The DPO is available for any information regarding the data processing carried out by UniSR.
The contact details of the Data Processor and of the DPO are the following: firstname.lastname@example.org
3. Purposes of the processed data
The personal data collected by UniSR will be processed for institutional purposes only and, in particular, for the purposes of all fulfilments necessary for the full implementation of UniSR scopes in compliance with the Regulation and the Privacy Code as well as with the aforementioned principles of
limitation of scopes and conservation, minimization of data, exactness, integrity and confidentiality in connection with the institutional purposes for which such data are processed.
For security and prevention against frauds purposes only, the Data Processor implemented all necessary data protection instruments.
The processing does not imply and automation decisional process (including profiling).
4. Legal basis – voluntary or mandatory processing
Please find below the main legal provisions justifying the data processing of sensitive and judicial personal data: Royal Decree no. 1592/1933 and subsequent amendments; Royal Decree no. 1269/1938 and subsequent amendments; Presidential Decree no. 382/1980; Law no. 168/1989; Law no. 398/1989; Law no. 341/1990; Law no. 390/1991; Law no. 104/1992; Ministerial Decree no. 224/1999; Italian Legislative Decree no. 445/2000; Law no. 148/2002; Ministerial Decree no. 270/2004; Presidential Decree no. 334/2004; Ministerial Decree no. 142 of 25/3/1998 and Law 24 giugno 1997, no. 196; Presidential Decree 9 April 2001; Law no. 14 February 2003, no. 30; Contratto Istituzionale Socrates Erasmus; By-laws, UniSR Regulations; Regional Laws in force.
5. Transfer of personal data
The personal data collected online by UniSR shall not be transferred to any third country.
6. Keeping of personal data
Personal data processed according to Paragraph 4. above shall be kept for the time strictly necessary to achieve the purposes for which such data have been collected. Considering that the personal data are collected for UniSR institutional scopes only, UniSR shall process the personal data for up to the time limits provided under applicable laws. As an exemple, traffic data could be kept, for judicial reasons, for a period up to 6 years starting from their creation.
Further information request in respect to the above can be addressed to the Data Controller and the DPO.
Rights of the data subject
At any time you are entitled to ask UniSR to have access to your personal data, to modify or cancel the same or to object to their processing according to Article 20 of the Regulation. You are further entitled to request for a restriction of processing according to Article 18 of the Regulation, and for the portability according to Article 20 of the Regulation.
Any request should be addressed in writing to the DPO.
You are always entitled to make a claim before the competent supervisory authority (Garante per la Protezione dei Dati Personali) according to Article 77 of the Regulation, should you consider any data processing being in breach of the applicable laws.