Pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 on the “protection of natural persons with regard to the processing of personal data” (hereinafter also “GDPR”), we are providing the information required on the processing of your personal data ("Data") performed by Università Cattolica del Sacro Cuore (hereinafter also the “University”).

2. Identity and contact details for the Data controller

The Controller of the processing of your Data is Università Cattolica del Sacro Cuore, with registered office in Largo Agostino Gemelli 1, 20123 Milan, telephone (+39) 027234.1.

3. Categories of personal Data

The Data processed by the University include:

  • Common Data: Personal Data and contact details (e.g. address and telephone number), education, income data, your picture in digital format;
  • Special categories of personal Data pursuant to Art. 9 of the GDPR (e.g. Data on the health status and religious beliefs).


We would also like to inform you that there are closed circuit video-surveillance systems operating in the University, suitably signalled by proper information notices posted outside the area covered by the surveillance cameras, clearly visible regardless of lighting conditions, as set forth in the General Measure on Video-surveillance, issued by the Personal Data Protection Authority (“Authority”) on 8 April 2010 (“Video-surveillance Measure”). Therefore, Data includes your picture viewed and/or recorded through the closed circuit video-surveillance systems.

4. Processing purpose and legal basis

Data provided by you will be processed for the following purposes:

a). Enrolment for admission tests /calls for applications, performing the enrolment process and obligations connected to the position of student/user of the various initiatives, performing the institutional functions of the University, and use and provision of additional services (e.g. scholarships and financial assistance);
b). Dispatch of communications and information through automated and non-automated means related to academic offer and related services, in order for you to take part and enrol in bachelor and master programs, seminars, academic events (e.g. Open day, Career day, etc.) organised directly by the University and/or in collaboration with the latter, pastoral centre activities, allocation of scholarships and to assess your level of satisfaction;
c). Answers to requests for information you may send to the University;
d). Completion of administrative, accounting, fiscal and capital activities;
e). Based on your specific consent, sending communications and information through the automated and non-automated means, for you to enrol in events organised by University partners and/or third parties, promotional activities, surveys linked to research activities;
f). Access to the preventive medicine and assistance service made available to students;
g). Issue and management of identification instruments made available to students and/or users in order to guarantee control of physical access to University classrooms, laboratories and spaces;
h). Security and property protection purposes.


The legal basis of processing is constituted:

1.For purposes under a), b) and c):

  • In reference to common Data, by execution of the contract that you are a part of or execution of pre-contractual measures, for example participation in admission tests;
  • In reference to special categories of personal Data, by the need to comply with obligations and exercise your social protection rights, and for purposes connected to academic support activities, benefit from financial assistance or additional services connected to execution of the institutional functions of the University.

2. For purposes under d), by compliance with legal obligations;

3. For purposes under e), by your consent provided;

4. For purposes under f), by the need to provide you with preventive medicine service, diagnosis, assistance, health therapy;

5. For purposes under g) and h) by the legitimate interest of the Controller.

It is not mandatory to provide your Data, but an eventual refusal to do so will entail the objective impossibility for you to enrol in the University, to perform the administrative activities connected to your position as student/user of training initiatives, to comply with legal obligations, and to fulfil your requests and/or allow you to take part in courses, seminars, activities and events organised by the University.

On the contrary, it is understood that a refusal to give your consent to processing for purposes under e) will not allow the University to pursue the purposes indicated therein.

5. Processing methods

Personal Data are processed manually, digitally and electronically applying logics strictly connected to the purposes and, in any case, to guarantee the security and confidentiality of the Data pursuant to laws in force.


6. Data storage period

The University will process the Data for the time strictly needed to achieve the abovementioned purposes; with no prejudice to any storage terms established by law or regulations.

The images taken by the video-surveillance circuits are kept for a period of time compliant with the requirements of the “Video-surveillance Measure”.

7. Subject categories that the Data can be communicated to

Your Data can be communicated to external Companies/Entities to comply with legal obligations or internal University regulations and/or to enable the service/supply of the service you requested; in particular:

  • Public and private entities or competent Authorities;
  • Banks;
  • Subjects and Institutions, also ecclesiastic;
  • Various entities and bodies for purposes connected to the execution of the institutional functions of the University (e.g. additional teaching activities, internships, placement activities cultural promotion, pastoral missions and sharing of scientific and educational information);
  • External Companies/Bodies for support activities such as sending communications and information, related to promotional activities and surveys;
  • Companies providing substitute filing services.

Subjects belonging to the categories that Data can be communicated to, will process the Data, based on the case, as Processors specifically appointed by the Controller pursuant to law, or as autonomous Controllers.

The list of Data Processors appointed is updated continuously and available from the University offices.

8. Transfer of personal Data to countries extra EU

Personal Data can be transferred to non-EU Countries, in particular for services located outside the European Union (e.g. cloud storage). In that case, the Controller hereto assures that the transfer of data outside the EU will take place pursuant to laws applicable, for example after stipulating the standard contractual clauses adopted by the European Union.

9. Data Protection Officer, D.P.O.

The University has appointed a Data Protection Officer, D.P.O., Mr.Ferdinando Zanatti email

10. Rights of the Data subject

As Data subject you have the right to:

a). Ask the Controller to access, cancel, rectify if inaccurate, integrated if incomplete your data, and to restrict processing in cases set forth in Art. 18 of the GDPR;
b). Object, at any time, in full or partially, to processing of Data needed for pursuance of the legitimate interest of the Controller;
c). If the conditions for the portability right pursuant to Art. 20 of the GDPR exist, receive in a structured form, commonly used and readable with an automatic device the Data supplied to the Controller and, if technically feasible, transmit it to another Controller without hindrance;
d). Revoke consent given at any time;
e). Lodge a complaint with a supervisory Authority.

Please note that the data subject’s right to object for the purposes under point (e) of this information notice through automated means, is extended also to the traditional ones and that, in any case, the possibility for the Data subject to object even just partially remains in force. Therefore, the Data subject may decide to receive communications either by traditional means or by automated means, or neither of the two communication types.

Those rights may be exercised by registered mail, addressed to Università Cattolica del Sacro Cuore, Direzione Amministrativa (Office of the General Manager) – Privacy, Largo Agostino Gemelli 1, 20123, Milan, or by email to

Updated on: 25 May 2018