1. Introduction

Pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 on the “protection of natural persons with regard to the processing of personal data” (hereinafter also “GDPR”), we are providing the information required on the processing of your personal data ("Data") performed by Università Cattolica del Sacro Cuore (hereinafter also the “University”) as part of the University's supplier selection procedures.

2. Identity and contact details for the Data controller

The Controller of the processing of your Data is Università Cattolica del Sacro Cuore, with registered office in Largo Agostino Gemelli 1, 20123 Milan, telephone (+39) 027234.1.

3. Categories of personal data

The Data processed by the University include, but are not limited to, personal data, contact data, bank data (e.g. IBAN), judicial data (such as self-certification of pending charges) relating to you as legal representative/director/reference person in your dealings with the University as well as, if applicable, the Data of your employees, collaborators and colleagues.

4. Purposes of the processing and legal basis

Data collected will be processed for the following purposes:

  1. Establishment and execution of the contractual relationship;
  2. Answers to requests for information you may send to the University
  3. Completion of administrative, accounting, fiscal and capital activities;
  4. If necessary, asserting and/or defending the University's rights in civil, criminal and/or administrative litigation. 

The legal basis of processing is :

  1. For the purposes of sub a) and sub b), the execution of the contract to which you are party or the execution of pre-contractual measures;
  2. For the purpose mentioned sub c), the fulfilment of legal obligations;
  3. For the purpose referred to in sub d), the legitimate interest of the Data Controller;

It is not mandatory to provide your Data, but an eventual refusal to do so will entail the objective impossibility to fulfil your requests and/or allow you to take part in courses, seminars, activities and events organised by the University and/or in collaboration with the latter.

5. Processing methods

Personal Data are processed manually, digitally and electronically applying logics strictly connected to the purposes and, in any case, to guarantee the security and confidentiality of the Data pursuant to laws in force.

6. Data storage period

The Data shall be kept for the time strictly necessary to achieve the purposes for which the data were collected, for the duration of the supplier's stay in the University's systems, for the duration of the contractual relationship, if any, without prejudice to any further retention periods provided for by law or regulations.

7. Subject categories that the Data can be communicated to

Your data may be communicated to:

  • Public and private entities or competent authorities, in order to fulfil legal obligations or internal regulations of the University, as well as to allow the performance of the service and/or the provision of the service requested by you;
  • Administrative services companies
  • Banks;
  • Legal and tax professionals;
  • Authorities (judicial, administrative).

The subjects belonging to the categories to which the data may be communicated will carry out the processing of the data themselves and will use them, as the case may be, in their capacity as Data Processors expressly appointed by the Controller in accordance with the law, or rather as autonomous Data Controllers.

The list of appointed Data Processors is constantly updated and available at the University's offices.

8. Transfer of personal Data to countries extra EU

Personal Data can be transferred to non-EU Countries, in particular for services located outside the European Union (e.g. cloud storage). In that case, the Controller hereto assures that the transfer of data outside the EU will take place pursuant to laws applicable, for example after stipulating the standard contractual clauses adopted by the European Union.

9. Data Protection Officer, D.P.O.

The University has appointed a Data Protection Officer, D.P.O., email

10. Rights of the Data subject

As Data subject you have the right to:

  1. Ask the Controller to access, cancel, rectify if inaccurate, integrated if incomplete your data, and to restrict processing in cases set forth in Art. 18 of the GDPR;
  2. Object, at any time, in full or partially, to processing of Data needed for pursuance of the legitimate interest of the Controller;
  3. If the conditions for the portability right pursuant to Art. 20 of the GDPR exist, receive in a structured form, commonly used and readable with an automatic device the Data supplied to the Controller and, if technically feasible, transmit it to another Controller without hindrance;
  4. Revoke consent given at any time;
  5. Lodge a complaint with a supervisory Authority.

Those rights may be exercised by registered mail, addressed to Università Cattolica del Sacro Cuore, Direzione Generale (Office of the General Manager) – Privacy, Largo Agostino Gemelli 1, 20123, Milan, or by email to

Updated on: 20 June 2023