Privacy Policy

Policy for the Processing of personal data collected from the person concerned

Art. 13 of EU Reg. 2016/679 – GDPR

In compliance with the provisions of art. 13 of EU Reg. 2016/679 (European Regulation for the Protection of Personal Data) please find here all relevant information on the processing of the provided personal data. The policy is also inspired by the provisions of Directive 2002/58/EC, as amended by Directive 2009/136/EC, on Cookies, and by the provisions of the Regulation of the Data Protection Authority of 08.05.2014 regarding cookies.


The DATA CONTROLLER pursuant to articles 4 and 24 of EU Reg. 2016/679 is the International University of languages and Media IULM, with headquarters in Via Carlo Bo 1 – 20143 Milan, in the person of its pro tempore legal representative.


Personal data shall be processed lawfully, in compliance with the provisions of art. 6 of EU Reg. 2016/679, for the following purposes:

A)Data processing management under (art. 6 letter f) concerning: – registration for orientation events (e.g. Open Day)

– participation in orientation interviews;

– response to general requests for information relating to the University;

– sending of documentation (e.g. information material) concerning the University’s educational offer (e.g. degree courses, master’s degree courses, professional training courses);

– the development of anonymous internal statistics on the orientation services of IULM University;

Data processing is based on Article 6(1)(f): (recital 47), taking into account the reasonable expectations of the data subject at the time and in the context of the collection of personal data, where the data subject can reasonably expect that processing for this purpose will take place.

B) Data processing management under (art. 6 letter a) concerning:

– with prior consent and until objection, the receipt of communications – via e-mail and/or newsletters – relating to events and initiatives promoted by the International University of languages and Media IULM.


The supplied personal data may be transferred to the recipients mentioned in art. 28 of EU Reg. 2016/679, who shall process them in the capacity of data processors and/or as individuals operating under the authority of the Controller and Processor, in order to comply with the relevant contracts or purposes. More specifically, data may be transferred to recipients in the following categories:

insurance companies, for the processing of accident claims;

authorities of competent jurisdiction, for the fulfilment of legal obligations, on request;

entities carrying out maintenance on the information system and the data collection platform;

authorized persons within the Data Controller organization.

Subjects belonging to the abovementioned categories shall become the Data Processors, or shall operate in a completely autonomous way, as Data Controllers in their own right. The list of designated Data Processors is constantly updated and is available at the International University of languages and Media IULM main office.

4.DATA TRANSFER TO THIRD COUNTRIES AND/OR INTERNATIONAL ORGANISATIONS Personal data will not be transferred abroad within or outside the European Union.


Data shall be processed automatically and/or manually, in a manner and with tools that ensure maximum security and confidentiality, by specifically appointed subjects.

In compliance with the provisions of art. 5 par. 1 lett. e) of EU Reg. 2016/679, the collected personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes

for which the personal data are processed. The storage of personal data is determined on the basis of criteria detailed in the guidelines provided by CODAU (Association of General Managers of Italian Universities). Alternatively, and in compliance with the regulatory requirements, different storage periods may be provided for in the Regulations/ Statutes of the International University of languages and Media IULM, available upon request to the Data Controller.


Provision of personal data for the purposes of paragraph A) of this policy is necessary in order to manage the data subject’s registration for the Open Day and enrolment in the relevant activities. Any failure to provide relevant personal data shall entail the impossibility to manage the application. Provision of personal data for the purposes of paragraph B) (newsletter subscription) is discretionary, even though the failure to provide such data shall entail the impossibility to receive the newsletters concerning events and initiatives organised by the Data Controller, without prejudice for the purposes under paragraph A) (registration for the Open Day).


You shall be able to exercise your rights under articles 15, 16, 17, 18, 19, 20, 21 and 22 of EU Regulation 2016/679 by writing to the Data Controller, the Data processor or the Data Protection Officer at the following address:

You shall have the right to obtain, at any moment, from the controller, access to your personal data, and their rectification or erasure, as well as the restriction of their processing. Moreover, you have the right to object to the processing of your data (including automated processing, such as, for instance, profiling) and to receive the personal data concerning you. Without prejudice for any other administrative and jurisdictional recourse, if you believe that the processing of your personal data violates the provisions of EU Reg. 2016/679, you have the right, pursuant to art. 15 letter f) of said EU Reg. 2016/679, to lodge a complaint with the Data Protection Authority and, pursuant to art. 6 paragraph 1 letter a) and to art. 9 paragraph 2 letter a), to revoke your consent to the processing at any time.

In case of a request for data portability, the Data Controller shall provide your personal data to you in a structured, commonly used and machine-readable format, without prejudice for the provisions of paragraphs 3 and 4 of art. 20 of EU Reg. 2016/679.

Updated on: 10th April 2018