1. Introduction

Pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 on the “protection of natural persons with regard to the processing of personal data” (hereinafter also “Reg. UE 2016/679” or “GDPR”), we are providing the information required on the processing of your personal data ("Data") performed by Università Cattolica del Sacro Cuore (hereinafter also the “University”), for the purpose of establishing and managing your employment relationship with it.


2. Identity and contact details for the Data controller

The Controller of the processing of your Data is Università Cattolica del Sacro Cuore, with registered office in Largo Agostino Gemelli 1, 20123 Milan, telephone (+39) 027234.1.

3. Categories of personal data

The Data processed by the University include, including but not limited to:

  • Common Data: Personal Data, contact details, information included in your CV, your picture in digital format, details of your bank account, income Data (wage garnishment, dependency allowance);
  • Special categories of personal Data pursuant to Art. 9 of the GDPR: this includes information about your health (doctor’s sickness certificates, maternity leaves, injuries, suitability for employment, protected characteristics) and/or the health of your dependent relatives (right to paid leaves to assist disabled relatives pursuant to Law 104/1992), Data revealing your trade union membership (direct involvement in trade union activities, requests to pay trade union subscriptions out of your wage) and religious beliefs;
  • Personal data relating to criminal convictions and offences pursuant to Art. 10 of the GDPR, which are reasonably inferable from the documentation submitted by the Data subject and only to the extent permitted by law.


4. Purposes of the processing and legal basis

1. Data collected will be processed for the following purposes:

a). Establishment and management of your employment relationship with the University (attendance tracking, management of payroll, discounts and benefits);
b). Personnel management and performance review (changes/promotions); training and/or development requirements; obligations connected to the payment of trade union membership fees and the exercise of the related rights (management of paid time off, time off for trade union duties/activities, etc.);
c). Insurance claims management;
d). Publication of your personal Data (namely, given name, family name, telephone no. and/or cellphone no., your business email address and office) on the University intranet;
e). Sending communications and company newsletters to your business email address;
f). Assessment of your working capacity on health grounds;
g). Management of the IT resources and of your business devices.

2. We will also process your personal Data for the following purposes:

a). Control of physical access, also through the video-surveillance systems, in order to guarantee security and safety of property and persons;
b). Budgeting and cost control.

3. Your personal Data, including "special categories" of Data, will be also processed for the following purposes:

a). Discharge the obligations and exercise the rights lay down by national or European law, or by the collective agreements in the field of employment, social security, safety at work, social protection, health & social care, as well as taxation and human resources management;
b). Comply with the provisions of the Authorities empowered by law and provisions issued by supervisory and control bodies (e.g. Italian Revenue Agency), Finance administration, Social security and welfare institutions – also supplemental – and Insurance companies.

4. We may also use your Data to exercise and/or defend the University legal rights in civil, criminal and/or administrative litigation.

The legal basis of processing is constituted:

  1. For purposes under sub) 4.1, by execution of the employment contract that you are a part of;
  2. For purposes under sub) 4.2 , by the legitimate interest pursued by the Controller;
  3. For purposed under sub) 4.3, by the need to comply with obligations and exercise the rights of the Controller or of the Data Subject in the field of employment and social security and social protection law;
  4. For purposed under sub) 4.4, by the need to establish, exercise or defend legal claims.


It is not obligatory to provide your Data, but a refusal to do so could make it objectively impossible for the University to proceed with the establishment and management of your employment relationship with it.


5. Processing methods

Personal Data are processed manually, digitally and electronically applying logics strictly connected to the purposes and,


6. Data storage period

The University will process the Data for the time strictly needed to achieve the abovementioned purposes; with no prejudice to any storage terms established by law or regulations.


7. Subject categories that the Data can be communicated to

Your Data can be communicated to external Companies/Entities to comply with legal obligations or internal University regulations and/or to enable the establishment and management of your employment relationship with the University itself; in particular:

  • Public and private entities or competent Authorities;
  • Banks;
  • Subjects and Institutions, also ecclesiastic;
  • Social security and welfare institutions;
  • Insurance companies;
  • Consulting firms (legal and tax advice, etc.);
  • Freelance professionals and accountancy firms;
  • Health and safety consultants;
  • Payroll service companies;
  • IT consulting firms.


Subjects belonging to the categories that data can be communicated to, will process the Data, based on the case, as Processors specifically appointed by the Controller pursuant to law, or as autonomous Controllers. The list of Data Processors appointed is updated continuously and available from the University offices.


8. Transfer of personal data to countries extra EU

Personal Data can be transferred to non-EU Countries, in particular for services located outside the European Union (e.g. cloud storage). In that case, the Controller hereto assures that the transfer of data outside the EU will take place pursuant to laws applicable, for example after stipulating the standard contractual clauses adopted by the European Union.


9. Data Protection Officer, D.P.O.

The University has appointed a Data Protection Officer, D.P.O., Mr.Ferdinando Zanatti email


10. Rights of the Data subject

As Data subject you have the right to:

a). Ask the Controller to access, cancel, rectify if inaccurate, integrated if incomplete your data, and to restrict processing in cases set forth in Art. 18 of the GDPR;
b). Object, at any time, in full or partially, to processing of Data needed for pursuance of the legitimate interest of the Controller;
c). If the conditions for the portability right pursuant to Art. 20 of the GDPR exist, receive in a structured form, commonly used and readable with an automatic device the Data supplied to the Controller and, if technically feasible, transmit it to another Controller without hindrance;
d). Revoke consent given at any time;
e). Lodge a complaint with a supervisory Authority.

Those rights may be exercised by registered mail, addressed to Università Cattolica del Sacro Cuore, Direzione Amministrativa (Office of the General Manager) – Privacy, Largo Agostino Gemelli 1, 20123, Milan, or by email to

Updated on: 20 June 2018