Personal Data Processing Policy, pursuant to Article 13 of EU Regulation 2016/679 on the protection of personal data
INFORMATION NOTICE FOR THE PROCESSING OF DATA INHERENT TO THE PROCESSES OF MANAGEMENT AND USE OF THE UNIVERSITY MERCHANDISING PLATFORM
Dear User, pursuant to Art. 13 of EU Regulation 2016/679 — the GDPR, we inform you about how we will process your personal data.
Your personal data will be processed in accordance with the principles of propriety, lawfulness, transparency and the protection of privacy and your rights. The data can be processed manually or electronically or, in any case, with the use of IT or automated devices. Data processing may consist of any operation carried out with or without the use of automated processes, including the collection, recording, organisation, structuring, storage, elaboration, selection, blocking, adaptation, modification, extraction, consultation, use, communication via transmission, diffusion or any other means of making available, comparison, interconnection, limitation, cancellation or destruction of said data.
Who is the Data Controller?
The Data Controller - i.e. the body that determines how and why your data is processed - is the University of Milano-Bicocca, located in Piazza dell’Ateneo Nuovo 1, 20126 Milan, represented by its legal representative Rector Giovanna Iannantuoni (hereinafter the Data Controller). You can contact the Controller by writing to the address shown above or sending an e-mail to rettorato@unimib.it or a certified e-mail to ateneo.bicocca@pec.unimib.it
Who is the Data Protection Supervisor?
The University of Milano-Bicocca has appointed a Data Protection Supervisor who can be contacted with all queries relating to personal data processing and to exercise any rights deriving from GDPR. The Data Protection Supervisor can be contacted at rpd@unimib.it or certified e-mail address rpd@pec.unimib.it
Why do we process your data?
Your personal data, specifically your personal and contact data (name, surname, tax code, email address, telephone number), are processed on the basis of Art. 6, para. 1 of GDPR, so that the relevant departments of the University can fulfil all duties allocated to them. More specifically, the University will process your data for:
- the acquisition and management of purchase orders on the University's merchandising platform.
Who can we communicate your data to?
Your data is processed by personnel who belong to the departments of the University and are authorised by the Data Controller, in accordance with their functions and skills.
Moreover, the Data Controller can communicate your personal data to the following external third-party subjects, because their activities are essential to the achievement of the aforementioned purposes, including as regards functions attributed to them by law:
- EFREE Sas, platform provider and data processor;
- Banca Popolare di Sondrio, intermediary for the pagoPA payments system;
- Carriers entrusted with the shipment of purchased products;
- Any other public or private figures to whom the University allocates its services, within the limits set out by law, on an outsourcing basis or as part of understandings or agreements.
Your data will not be transferred to countries outside the EU or to international organisations. In the event that this becomes necessary, you will be provided with a specific information notice. In the event that no decision on adequacy has been issued for the destination country, or if adequate guarantees are not available as regards data protection, you will be asked to grant your consent before we proceed with the transfer.
Is it compulsory for you to provide us with your data?
Yes, because if you fail to do so, the University will be unable to complete required activities and deal with requests. However, no formal declaration of consent for data processing is required.
How long will we store your data for?
The Consumer's data shall be retained by the Seller for the period strictly necessary and in any case until the purpose is fulfilled.
If your personal data is stored in the database of the Data Controller, it is stored for an unlimited period of time.
If your personal data is contained in analogue documents and/or digital products or products owned by the Data Controller, this data is subject to legal storage time limits; the various time limits are contained in the “Disposal of analogue and digital documents guidelines”, which can be found on the University website.
Where present, authentication logs will be erased after 180 days.
What are your rights and how can you exercise them?
You have the right to:
- access your personal data;
- obtain the correction or cancellation of data or the limitation of data processing;
- request data portability if data is in digital form;
- oppose data processing;
- make a complaint to the supervisory authorities.
You can exercise your rights by contacting the Data Controller and/or the Data Protection Supervisor; the Data Controller must respond within 30 days of the date they receive your request (this period can be extended to 90 days if the request is particularly complex).
In the event that you believe that your data has been processed in a way that violates relevant regulations, or if the response to a request in which you have exercised one or more of the rights set out in Articles 15-22 of GDPR fails to arrive within the time limit indicated or is unsatisfactory, you can contact the supervisory authority or the authority for the protection of personal data.
Will you be subject to automated decision-making processes?
No, you will not be subject to any decisions based solely on automated processes (including profiling), unless you have explicitly provided your consent for this.
Therefore, the Data Controller does not use automated decision-making processes for the data processing regulated herein.
Should you be asked for further data or to undergo profiling activities via the UNIMIB merchandising platform operated by EFREE, you will be provided with further information and asked for your explicit consent directly by the company EFREE.
Is your data safe?
Your data is processed in a lawful, proper manner and we adopt appropriate security measures designed to prevent any unauthorised access, disclosure, modification or destruction of the data.
This information notice was updated on 12/01/2023.