Information for data processing: Health and Safety in the workplace

This document is issued pursuant to Article 13 of EU Regulation 2016/679 of 27 April 2016 on protection of natural persons with regard to personal data processing and in compliance with the legislation on personal data processing, as well as on the free movement of such data.

Data Controller

The Data controller of Politecnico di Milano is the General Manager upon authorization of the pro-tempore Rector – contact: dirgen(at)

Responsible for data protection and contact points

Dr. Vincenzo Del Core - privacy(at) phone: 02.2399.9378

Purposes of data processing, legal basis, data categories and storage period

For the purposes of the application of European and national legislation on this matter (EU Reg. 679/2016, hereinafter Regulation), we inform you that your personal data will be used for the following purposes:


Special categories of data

Any personal data belonging to particular categories, pursuant to former Article 9 paragraph 1 of the Regulation, as for example data related to the health status, are processed, within the purpose as referred in TABLE 1, purposes of health surveillance activities and for Obligations provided to protect health and safety in the workplace, to allow the interested party to establish, manage and terminate an employment relationship and for purposes related to protection of life or physical safety of the employee or a third party. These purposes are allowed by the Regulation, according to Article 9 paragraph 2 letters g) and h). In the case of Article 9 paragraph 2, they are processed in compliance with the rules on professional secrecy, as set out in paragraph 3. Furthermore, the processing of particular data is legitimated by the general authorization n. 1 of 2016 of the Data Protection Authority, extended by the same Authority with provision n. 424 of 19 July 2018.

Processing methods

The data processing carried out for the above mentioned purposes can be performed both through paper and digital means, manually and/or with electronic tools or, in any case, through automated tools, including internal self-produced database with File Maker, to manage deadlines about medical checks, used at Politecnico di Milano, and external databases: "GESLAB" laboratory management tool and MELANET work medicine software used at Bio-Data S.r.l. Personal data are also stored in paper archives for the duration of the activity. Access to data acquired for the purposes mentioned above is allowed to duly authorized staff and in particular to the Prevention and Protection Service.

Recipient categories

In relation to the mentioned purposes, data may be disclosed to the following public and/or private subjects and/or to the categories of parties indicated below, as to say to companies and/or persons, in Italy and abroad, that provide services, including external ones, on behalf of the Data Controller in order to carry out clinical and medical examinations. In particular, your personal data may be communicated also to other public administrations, anonymised too, if these institutions must process them for procedures related to their institutional work, as well as to all those public entities to whom, with the same prerequisites, the communication is compulsorily provided in accordance to EU provisions, laws or regulations, as well as insurance companies for possible accident insurances.

  • Medical analysis laboratory BIO-DATA Lavagna
  • General practitioner
  • Clinical Institute Città Studi s.p.a.
  • ATS

Storage period of personal data and their return

At the end of the period indicated in TABLE 1, after that the limitation period for protection of the rights of the interested party have been expired, the data will be deleted or given back anonymously.

Transfer to Extra EU country

The data collected for the aforementioned purposes could be transferred to a country located outside the European Union (the so-called Third country). The Data Controller specifies that this extra EU transfer will take place only to third countries on which the European Commission has taken an adequacy decision (Article 45 GDPR) or to third countries that provide one of the guarantees indicated as appropriate by the Article 46 of the GDPR.

Rights of the interested parties

As interested party, you can ask the Data Controller, at any time:

  • confirmation of the existence or not of your personal data;
  • • access to your personal data and related information; the correction of incorrect data or the addition of incomplete data; the cancellation of your personal data (if any condition indicated in Article 17, paragraph 1 of the Regulations can be applied and it is in compliance with the exceptions provided in paragraph 3 of the same article); the limitation of processing of your personal data (when one of the conditions indicated in Article 18, paragraph 1 of the Regulations can be applied), the anonymization or blocking of data processed unlawfully, including data whose storage is not required in relation to the purposes for which the data were collected or subsequently processed;

As interested party, furthermore, you have the right to wholly or partly oppose for legitimate reasons regarding the processing of his/her personal data, related to collection purposes.

These rights can be exercised by contacting privacy(at) If you deem that your rights have been violated by the data controller and/or by a third party, you have the right to submit a complaint to the Data Protection Authority (for Italy, Autorità garante per la protezione dei dati personali:”) and/or other competent supervisory authority under the Regulations.

Last update: November 9, 2018