The Data Controller:
The Data controller of Politecnico di Milano is the General Manager upon authorization of the pro-tempore Rector – contact: dirgen@polimi.it
Data Processor: privacy@polimi.it, phone: +39 0223999378
Purposes of data processing and legal basis
This information concerns the processing of personal data carried out as part of the service provision offered to Users through the IT systems of the University. In particular, we refer here to non-primary personal information, or not strictly related, for example, to data processing supporting administrative processes.
These personal data, collected by the University as Data Controller (hereinafter "University" or "Data Controller") will be processed for correct and complete performance of the services (hereinafter "Services") offered to Users, included:
- User identification systems (e.g. credentials, badges)
- online services made available to users, possibly provided by third parties
- the wired or Wi-Fi networks to which users access, possibly through personal devices (e.g. laptops, tablets, smartphones)
- the fixed and mobile computer stations provided to administrative/teaching staff, or available for students and guests
- access control systems to classrooms, laboratories and University areas
- video surveillance systems
- landline and mobile phone systems
The User's data, provided voluntarily or otherwise collected through the use of Services upon request for consent where necessary, will be processed by the Data Controller for the following purposes:
a) for institutional and administrative purposes;
b) to fulfil any legal obligations connected to the relation between User and University;
c) purposes related to the provision of the requested services (e.g. registration to the University portal, access to the reserved area, use of the University's Wi-Fi networks, etc.)
d) purposes of statistical research/analysis on aggregated or anonymous data, without the possibility to identify the User and aimed, for example, to assess and monitor the Service performance;
e) to fulfil specific obligations coming from the law or regulations;
f) to guarantee the protection of data and/or information systems or to support setup and troubleshooting of services or for technical/system restrictions
g) to assert or defend rights in court or in stages leading to it in the event of abuse and/or illegal activities carried out by the interested parties or by third parties, in relation with the activities as referred in the purposes a), b), c), d), e), f).
Recipients of personal data and possible transfers of data abroad
Personal data may be processed by employees or collaborators of the Data Controller who, working under its direct authority, are appointed as responsible or authorized for data processing and are properly trained and receive specific operating instructions.
Personal data will not be disclosed to third parties, except in respect of:
• subjects, bodies or Authorities, to whom the communication is compulsory pursuant to the provisions of law or regulation.
• suppliers, limited to the needs strictly connected to the provision of the services mentioned above
Rights of the interested parties
The interested subject has the right:
- to ask the data controller, pursuant to Article 16, 17, 18, 19 and 21 of Regulation (EU) 2016/679, the access to their personal data and correction or their cancellation or limitation of the data processing that concern him/her or to object to their processing. Given the nature of the data, correction or cancellation actions may not be allowed and, in some cases, to object to data processing could compromise the access to specific services.
- To submit a complaint to a supervisory authority.
Processing methods
The processing of personal data will be carried out through manual, computerized and telematic means, however, suitable to guarantee their security and confidentiality
Security measures are used, in compliance with the provisions of Article 32 of the GDPR to prevent the loss of data, illicit or incorrect use and unauthorized access and in compliance with the AgID Circular n. 2/2017 "Minimum ICT security measures for public administrations".
In the context of network access using the tools provided (PC, tablet, smartphone), an encrypted Internet traffic check can be carried out (https sites) aimed at the prevention of crimes that may represent a potential compromise of the IT environment.
With reference to all users, extractions and processing of log files (related to the activities performed through the Services) could be performed to identify those responsible for abuses and/or illegal activities carried out by the interested parties or by third parties.
Types of data processed
The data processed can be connected to the following areas:
Browsing data and use of applications and services
The University computer systems, the software procedures and the applications that support performance and provision of services acquire, during their normal operation, some personal data on the use of the applications made available by the University.
These data are not collected to be related to the activities of identified subjects, but given their nature, through subsequent processing and possible additions to data held by third parties, they may be related to users.
This category of data includes, for example: the date and time of the request, the user and server IP addresses, the server name, the protocol, the port and method (POST/GET) used for submitting the request to the server, the browser used, the username, the service accessed, the resources required and any associated cookies, the number of bytes sent and received, the error code returned, the time required to process the request.
As part of a user interaction with web services made available by the University in an authenticated context, basic information regarding access to the individual service (timestamp, username, service) and session information structured in compliance to the standard W3C format are traced on the log. www.w3.org/TR/WD-logfile.html.
Session cookies are used for management of single sign on services.
In order to support aggregate statistical data processing on the use of services, anonymous cookies are used with registration limited to the following information: language, country and city of origin, browser used, operating system, internet service provider, screen resolution.
Connection data to the University network
Upon access by a user to network services (for example: connection to the authenticated wired/wireless data network, use of a managed workstation, dynamic assignment of an IP address, remote access via VPN, use of proxy, etc.), some specific technical data related to the accessed service are recorded in the logs, generated by the systems and by the devices. For example: the user's IP address, connection date and time, MAC address and the name of the device from which access is made, user ID, type of network used, etc.
This information is not collected in order to be related to the activity of identified subjects, however given its nature, through subsequent processing and possible additions with data held by third parties, it could be related to users as answer to specific requests or reports, for example, by judicial authority.
This information may be subject to subsequent updates and additions, so we suggest you to periodically review it.
In case of workstations managed by the University, TLS inspection is active, which allows firewalls to carry out an in-depth automated check to detect threats that can damage the University's assets. This control is carried out in compliance with the principle of minimization and limitation of the data collected: the contents (payload) of the traffic are not recorded and/or stored and automatic exclusion lists have been provided for certain categories of sites referring to the healthcare or banking sector.
Last update: 9 February 2023