Privacy Policy

Policy for the Processing of personal data collected from the person concerned

Art. 13 of EU Reg. 2016/679 – GDPR

In compliance with the provisions of art. 13 of EU Reg. 2016/679 (European Regulation for the Protection of Personal Data), please find here all relevant information on the processing of the personal data provided. The policy is also inspired by the provisions of Directive 2002/58/EC, as amended by Directive 2009/136/EC on Cookies, and by the provisions of the Regulation of the Data Protection Authority of 08.05.2014 regarding cookies.


The DATA CONTROLLER pursuant to articles 4 and 24 of EU Reg. 2016/679 is the International University of languages and Media IULM, with headquarters in Via Carlo Bo 1 – 20143 Milan, in the person of its pro tempore legal representative.


Furthermore, the company has appointed the person responsible for Data Protection (RPD/DPO - Data Protection Officer) in compliance with the provisions of articles 37 – 39 of EU Reg. 2016/679. The following are the related contacts:


Personal data shall be processed lawfully, in compliance with the provisions of art. 6 of EU Reg. 2016/679, for the following purposes:

A) Getting a response to requests for information relating to the University and the services offered by the latter;

– sending of documentation (e.g. information material) concerning the University’s educational offer (e.g. degree courses, master’s degree courses, professional training courses) - art. 6 par. 1 lett. f), which is the legal basis for processing.

Data processing is based on Article 6(1)(f) (recital 47), taking into account the reasonable expectations of the data subject at the time and in the context of the collection of personal data, where the data subject can reasonably expect that processing will take place for the purpose of receiving the information required regarding the University’s educational offer.

B)

– with prior consent and until objection, the receipt of communications – via e-mail and/or newsletters – relating to events and initiatives promoted by the International University of languages and Media IULM – art. 6 par. 1 lett. a) consent, which is the legal basis for processing.


The supplied personal data may be transferred to the recipients mentioned in art. 28 of EU Reg. 2016/679, who shall process them in the capacity of data processors and/or as individuals operating under the authority of the Controller and Processor, in order to comply with the relevant contracts or purposes. More specifically, data may be transferred to recipients in the following categories:

– entities carrying out maintenance on the information system and the data collection platform;

– authorized persons within the Data Controller organization.

Subjects belonging to the abovementioned categories shall become the Data Processors, or shall operate in a completely autonomous way, as Data Controllers in their own right. The list of designated Data Processors is constantly updated and is available at the International University of languages and Media IULM main office.

4. DATA TRANSFER TO THIRD COUNTRIES AND/OR INTERNATIONAL ORGANISATIONS

Personal data will not be transferred abroad within or outside the European Union.


Data shall be processed automatically and/or manually, in a manner and with tools that ensure maximum security and confidentiality, by specifically appointed subjects.

In compliance with the provisions of art. 5 par. 1 lett. e) of EU Reg. 2016/679, the collected personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The storage of personal data is determined on the basis of criteria detailed in the guidelines provided by CODAU (Association of General Managers of Italian Universities). Alternatively, and in compliance with the regulatory requirements, different storage periods may be provided for in the Regulations/Statutes of the International University of languages and Media IULM, available upon request to the Data Controller.


Provision of personal data for the purposes of paragraph A) of this policy is necessary in order to receive a response from the Data Controller regarding the information requested. Any failure to provide the relevant personal data shall make it impossible to manage the request. Provision of personal data for the purposes of paragraph B) (newsletter subscription) is discretionary, even though failure to provide such data shall make it impossible to receive the newsletters concerning events and initiatives organised by the Data Controller, without prejudice to the purposes under paragraph A).


You shall be able to exercise your rights under articles 15, 16, 17, 18, 19, 20, 21 and 22 of EU Regulation 2016/679 by writing to the Data Controller at the following address:, or the Data Protection Officer  at the following address:

You shall have the right to obtain, at any moment, from the controller, access to your personal data, and their rectification or erasure, as well as the restriction of their processing. Moreover, you have the right to object to the processing of your data (including automated processing, such as, for instance, profiling) and to receive the personal data concerning you. Without prejudice to any other administrative and jurisdictional recourse, if you believe that the processing of your personal data violates the provisions of EU Reg. 2016/679, you have the right, pursuant to art. 15 letter f) of said EU Reg. 2016/679, to lodge a complaint with the Data Protection Authority and, pursuant to art. 6 paragraph 1 letter a) and to art. 9 paragraph 2 letter a), to revoke your consent to the processing at any time.

In case of a request for data portability, the Data Controller shall provide your personal data to you in a structured, commonly used and machine-readable format, without prejudice to the provisions of paragraphs 3 and 4 of art. 20 of EU Reg. 2016/679.

Updated on: 30th July 2018