Second Level Information concerning the processing of Personal Data for management of mail and protocol services

This document is issued pursuant to Article 13 of EU Regulation 2016/679 of 27 April 2016 on protection of natural persons with regard to personal data processing and in compliance with the legislation on personal data processing, as well as on the free movement of such data.

Data Controller

The Data controller of Politecnico di Milano is the General Director upon authorization of the pro-tempore Rector – contact: dirgen(at)

Data Protection Officer – Identity and Contact

Dr. Vincenzo Del Core - privacy(at) tel.: 02.2399.9378

Internal data processor

Dr. Chiara Pesenti, mail chiara.pesenti(at)

Data will be processed by other authorized parties and, for this purpose, in compliance with current legislation.

Purposes of data processing

For the purposes of the application of European and national legislation on this matter (EU Reg. 679/2016, hereinafter Regulation), we inform you that your personal data will be used for the following purposes:

Purposes of the processing for which personal data are intendedLegal basis of data processingCategories of personal data to be processedStorage period of personal data
Provision of management services related to incoming mail of Politecnico, delivered by public or private carriers, with association of data from external sender to internal recipient. To fulfil the institutional activities of Politecnico di Milano (Article 6, paragraph 1, letter e of the Regulations) Personal data (name, surname), contact details (address e-mail, internal telephone numbers), career data.<br/> The processed data are collected through a semi-automated procedure in specific records. The collected data will be stored for a period of 2 years.
Provision of document management services and IT protocol, as required by the Digital Administration Code (CAD). To fulfil the institutional activities of Politecnico di Milano (Article 6, paragraph 1, letter e of the Regulations). Personal data (name, surname, date and place of birth, tax code, residence), contact details (e-mail address, telephone numbers), career data, fiscal data.
Object and content of the registration, possible annexes also related to medical topics. The processed data are collected through a semi-automated procedure (sw Titulus).
The register data of protocol will be stored for a period that is unlimited.<br/> The documents related to records will be kept for different periods of time, in compliance with current legislation.

Nature of data

In protocol registrations, it is compulsory to identify the sender, otherwise the incoming request will be considered not important and it will not be registered.

Processing Method

The data processing carried out for the above mentioned purposes can be performed both through paper and digital means, manually and/or with electronic tools or, in any case, through automated tools, including the in house databases Anagrafica Unica, the sw and eW tracking of the EWBM company, the sw Titulus of CINECA. They are also stored in digital format for an indefinite period of time due to the transparency and good operation of the public administration.

The access to the data acquired, for the purposes mentioned above, is allowed only to duly authorized staff. The e-mail addresses are used for courtesy messages related to the receipt of tracked mail, and about the assignment as the Head of Administrative Procedure (RPA) in case of registration with protocol number.

The current legislation on protection of personal data and their processing in electronic format and, in particular, the rules of the Privacy Authority on the use of courtesy messages (notification) by public subjects, allow the latter to send mails for communications related to the services provided, without requiring the consent, and only for the purposes related to a specific request or indication of the interested party.

Recipient categories

In relation to the purposes mentioned above, data may be disclosed to the following public and/or private subjects, as to say to companies and/or persons, in Italy and abroad, that provide services, including external ones, on behalf of the Data Controller, for the provision of mail and protocol services and for management of the automation software: CAeB – Cooperativa Archivistica e Bibliotecaria (Association of Archives and Libraries), EWBM and CINECA, all appointed as external Data Processors, involved in personal data processing.

In particular, personal data may be communicated also to other public administrations, anonymised too, if these institutions must process them for procedures related to their institutional work, as well as to all those public entities to whom, with the same prerequisites, the communication is compulsorily provided in accordance to EU provisions, laws or regulations, as well as insurance companies for possible accident insurances.

Data Transfer to Extra EU Country

Personal data may be transferred abroad, in accordance with the provisions of the Regulations, even in countries outside the European Union when this is necessary for one of the purposes indicated in this information document. he transfer to non-EU countries, in addition to cases where this is guaranteed by the adequacy decisions of the European Commission, is carried out in a way to provide the appropriate guarantees required by the articles 46 or 47 or 49 of the Regulations.

Right to submit a complaint

The interested party, in relation to the personal data subject of this information, has the right to exercise the rights provided by the EU Regulation mentioned below:

  • right of access of the interested party [Article 15 of the EU Regulation] (the possibility of being informed about the processing performed on his/her Personal Data and eventually receive a copy);
  • right to correct personal data [Article 16 of the EU Regulation] (the interested party has the right to correction of incorrect personal data concerning him/her);
  • right to cancel their Personal Data without unnecessary delay ("right to be forgotten") [Article 17 of the EU Regulation] (the interested party has, and will have, the right to cancel his/her data);
  • right to limitation of his/her personal data processing, in the cases provided by Article 18 of the EU Regulation, including the case of unlawful processing or objections about the accuracy of Personal Data by the interested party [Article 18 of the EU Regulation];
  • right to object to personal data processing [Article 21 of the EU Regulation] (the interested party has, and will have, the right to object the processing of his/her personal data);
  • the right not to be subjected to automated decision-making processes [Article 22 of the EU Regulation] (the interested party has, and will have, the right not to be subjected to a decision based solely on automated processing).

Further information about the rights of the interested party is available on the web site

Politecnico di Milano, in compliance with Article 19 of the EU Regulation, will inform recipients, to whom the personal data have been communicated, about any corrections, cancellations or limitations of the treatment requested, where this is possible.
With reference to the aforementioned purposes, the interested party has the right to proceed, at any time, to the withdrawal of consent for identity and personal data processing by sending an email to:

Right to submit a complaint
If the interested party deems that his/her rights have been compromised, s/he has the right to submit a complaint to the Data Protection Authority, according to the procedures indicated by this Authority at the following internet address

Last update: January 28, 2019