Information and declaration of consent to personal data processing about libraries

This document is issued pursuant to Article 13 of EU Regulation 2016/679 of 27 April 2016 on protection of natural persons with regard to personal data processing and in compliance with the legislation on personal data processing, as well as on the free movement of such data.

Data Controller – Identity and Contact

The Data controller of Politecnico di Milano is the General Director upon authorization of the pro-tempore Rector – contact: dirgen(at)polimi.it

Data Protection Officer – Identity and Contact

Dr. Vincenzo Del Core - privacy(at)polmi.it tel.: 02.2399.9378

Internal data processor

Dr. Chiara Pesenti, mail: chiara.pesenti(at)polimi.it.

Data will be processed by other authorized parties and, for this purpose, in compliance with current legislation.

Purposes of data processing

For the purposes of the application of European and national legislation on this matter (EU Reg. 679/2016, hereinafter Regulation), we inform you that your personal data will be used for the following purposes:

Purposes of the processing for which personal data are intendedLegal basis Categories of personal dataStorage period of personal data
1. Provision of loan services to internal users. Loan services include, in addition to home loans, on-site consultation services, inter-system and interlibrary loans, Document Delivery, purchase suggestions, Reference services.To fulfil the institutional activities of Politecnico di Milano (Article 6, paragraph 1, letter e) of the RegulationsPersonal data (name, surname, date and place of birth, tax code, residence), contact details (e-mail address, telephone numbers), career data.
The data processed are automatically collected in the University records, which is integrated into the library management software.
Data collection takes place for employees and students, at the start of the relationship width Politecnico
The collected data will be kept for a period of 10 years.
2. Provision of loan services to occasional external users.
Loan services include, in addition to home loans, on-site consultation services, inter-system and interlibrary loans, Document Delivery, Reference services.
To fulfil the institutional activities of Politecnico di Milano (Article 6, paragraph 1, letter e) of the RegulationsPersonal data (name, surname, date and place of birth, tax code, residence), contact details (e-mail address, telephone numbers).
The data processed are automatically collected in the University records, which is integrated into the library management software.
Data collection takes place when the external user requests to be able to use the library services.
The collected data will be kept for a period of 10 years.
3. Processing of reports and statistics on loan servicesTo fulfil the institutional activities of Politecnico di Milano (Article 6, paragraph 1, letter e) of the RegulationsPersonal data, career data, loan transactions carried out (items of bibliographic materials, start and end date of the loan, possible fine)The collected data will be kept for a period of 10 years.
4. Number of accesses to libraries, also for statistical purposesTo fulfil the institutional activities of Politecnico di Milano (Article 6, paragraph 1, letter e) of the RegulationsPersonal data, career data, amount of time of accesses and stay in the libraryThe collected data will be kept for a period of 10 years.

Nature of data

The provision of data for the intended purposes is optional. However, if you refuse to provide data you will not be allowed to use the services provided by the libraries of Politecnico di Milano.

Processing Method

The data processing carried out for the above mentioned purposes can be performed both through paper and digital means, manually and/or with electronic tools or, in any case, through automated tools, including the in house databases Anagrafica Unica and SebinaNEXT of Data Management. They are also stored in paper archives for the duration of the processing and in digital format for an indefinite period of time due to the transparency and good operation of the public administration.
The access to the data acquired, for the purposes n. 1, 2, 3, 4, is allowed only to duly authorized staff. E-mail addresses and mobile phone numbers are used both to contact the interested parties and to send automatic communications and SMS messages in order to provide communications that are closely related to the correct provision of the services offered by the library.

The messages and communications sent by the library through the above-mentioned tools will concern:

  • communication about the expiry of the library loan
  • communication on the availability of documents (books) reserved by the user
  • communication on the availability of documents (books or articles) requested by the user as intra-university loan, interlibrary or document delivery;
  • notices on the availability of books that the user wants to purchase

The current legislation on protection of personal data and their processing in electronic format and, in particular, the rules of the Privacy Authority on the use of short text messages by public subjects, allow the latter to send text messages for communications related to the services provided, without requiring the consent, and only for the purposes related to a specific request or indication of the interested party.

Recipient categories

In relation to the purposes n.1 and 2, data may be disclosed to the following public and/or private subjects, as to say to companies and/or persons, in Italy and abroad, that provide services, including external ones, on behalf of the Data Controller, for the provision of loan services and for management of the automation software: CAeB - Association of Archives and Libraries and Data Management, both appointed as external Data Processors, involved in personal data processing.

In particular, personal data may be communicated also to other public administrations, anonymised too, if these institutions must process them for procedures related to their institutional work, as well as to all those public entities to whom, with the same prerequisites, the communication is compulsorily provided in accordance to EU provisions, laws or regulations, as well as insurance companies for possible accident insurances.

Data Transfer to Extra EU Country

Personal data may be transferred abroad, in accordance with the provisions of the Regulations, even in countries outside the European Union when this is necessary for one of the purposes indicated in this information document. The transfer to non-EU countries, in addition to cases where this is guaranteed by the adequacy decisions of the European Commission, is carried out in a way to provide the appropriate guarantees required by the articles 46 or 47 or 49 of the Regulations.

Right to submit a complaint

The interested party, in relation to the personal data subject of this information, has the right to exercise the rights provided by the EU Regulation mentioned below:

  • right of access of the interested party [Article 15 of the EU Regulation] (the possibility of being informed about the processing performed on his/her Personal Data and eventually receive a copy);
  • right to correct personal data [Article 16 of the EU Regulation] (the interested party has the right to correction of incorrect personal data concerning him/her);
  • right to cancel their Personal Data without unnecessary delay ("right to be forgotten") [Article 17 of the EU Regulation] (the interested party has, and will have, the right to cancel his/her data);
  • right to limitation of his/her personal data processing, in the cases provided by Article 18 of the EU Regulation, including the case of unlawful processing or objections about the accuracy of Personal Data by the interested party [Article 18 of the EU Regulation];
  • right to object to personal data processing [Article 21 of the EU Regulation] (the interested party has, and will have, the right to object the processing of his/her personal data);
  • the right not to be subjected to automated decision-making processes [Article 22 of the EU Regulation] (the interested party has, and will have, the right not to be subjected to a decision based solely on automated processing).

Further information about the rights of the interested party is available on the web site www.garanteprivacy.it .

Politecnico di Milano, in compliance with Article 19 of the EU Regulation, will inform recipients, to whom the personal data have been communicated, about any corrections, cancellations or limitations of the treatment requested, where this is possible.
With reference to the aforementioned purposes, the interested party has the right to proceed, at any time, to the withdrawal of consent for identity and personal data processing by sending an email to: privacy(at)polimi.it .

Right to submit a complaint

If the interested party deems that his/her rights have been compromised, s/he has the right to submit a complaint to the Data Protection Authority, according to the procedures indicated by this Authority at the following internet address www.garanteprivacy.it .

Last update: December 17, 2018