Privacy and cookies

Privacy and cookies
Freedom of information and protection of privacy and personal data

This information notice is provided in accordance with Article 13 of Italian Legislative Decree no. 196 of 2003, Code in relation to Personal Data Protection, to users of the portal and internet services of the Università degli Studi di Milano (hereafter known as “University”) accessible electronically from the homepage http://www.unimi.it/.
This information notice is not apply to websites external to the University even if consulted by way of links contained on the portal and themed websites.
This information notice describes the methods of managing the University’s web portal and the themed websites in relation to the processing of personal data of users who consult them, choose to register and/or use the online services.

1. Processing Controller

Consulting the University portal may involve the processing of data relating to identified or identifiable persons (see section below entitled “Types of Data Processed”).
Registration on the portal and subscription of the online services leads to the processing of personal data relating to individuals or entities.
The processing controller is the Università degli Studi di Milano with registered offices in Via Festa del Perdono, 7 – 20122 Milan.

2. Processing Managers

The processing in relation to the portal services takes place mainly at the University’s sites. It is performed by identified personnel specially appointed on the basis of the purposes of the requested and subscribed services.
For the processing in question, the University may make use of assistance from external companies, consultants, consortia, suppliers of software and operating services, by way of identified and appointed personnel, as part of the relevant purposes and in such a way as to ensure the maximum security and confidentiality of the data.

3. Types of Data Processed

3.1 Consultation of Portal: Browsing Data
The computer systems and application processes involved in the operation of the University portal acquire, during the course of their normal operation, some data whose transmission is implicit in the use of Internet communication protocols.
That information is used to obtain statistical information on the use of the portal and to check its correct functioning and is not associated with identified users; however, by its nature and by association with data held by third parties, it could allow for the identification of the interested parties. This category includes, for example, the IP address of the system used to connect to the portal.
This data is removed from the systems after the preparation of the statistics and is stored offline exclusively to ascertain liability in the case of computer crimes and it may only be consulted upon request by the judicial authority.
3.2 Data provided voluntarily by the user when using the online services
In order to use the online services that involve authentication, registration or sending of e-mails, personal data provided freely by users is used according to different methods:
3.2.1 Online services for University students and staff
The personal data of students and graduates, acquired upon enrolment and registration or by any subsequent collection methods, and personal data of staff and/or collaborators of the University that may be acquired by way of the procedures and online services will be processed in order to perform the institutional activities of the University, within the limits established by the law and regulations, in compliance with the general principles of transparency, correctness and confidentiality as identified in the Regulation implementing the rules in relation to personal data protection [link to document]
3.2.2 Sending of e-mails to addresses identified on the portal
The optional, explicit and voluntary sending of electronic mail to the addresses identified on the website involves the subsequent acquisition of the sender’s address, required to respond to the requests, along with any personal data included in the communication.

4. Processing Methods

The personal data is processed using automated tools for the time strictly necessary to achieve the purposes for which it was collected.
Specific security measures are applied in order to prevent the loss of the data, its unlawful or incorrect use and any unauthorised accesses.

5. Use of Cookies

Cookies are text files that are stored on the computers of web users to allow them safely and efficiently to browse the website and monitor its use.
The University website uses two types of technical cookies: session cookies for authentication (online services and reserved areas) and tracking cookies (Google Analytics).
The University website doesn't use profiling cookies.
5.1 Session cookies (essential for using the online services and accessing reserved areas of the portal)
The website www.unimi.it uses http session cookies to manage the authentication of online services and reserved areas. The use of session cookies (which are not stored permanently on the user's computer and are removed when the browser is closed) is strictly limited to the transmission of session identifiers (constituted by random numbers generated by the server) required to allow safe and efficient browsing of the website.
By disabling these cookies, online services cannot be used.
Session cookies:

Name Origin Function Expiration
JSESSIONID users2.unimi.it session tracking Till session end (when you close your browser)

5.2 Tracking cookies
Tracking cookies can be disabled without any effect on browsing of the portal: to disable them, please see the next section.
The University uses the Google Analytics services of the company Google, Inc. (hereafter "Google") to generate statistics on use of the web portal; Google Analytics uses cookies (not of third parties) which store personal data. The information identifiable from the cookies on use of the website by the user (including IP addresses) is transmitted from the user's browser to Google, based at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, and stored on the server of that company.
In accordance with the terms of the service in place, Google uses this information, in the capacity of autonomous data processor, for the purpose of tracking and examining use of the website, compiling reports on website activity to be used by the operators of that website and to provide other services relating to website activity, the connection method (mobile, PC, browser used, etc.) and the methods of searching and accessing the pages of the portal. Google may also transfer this information to third parties where this is required by law or where those third parties process the aforementioned information on Google's behalf. Google will not associate the IP addresses with any other data possessed by Google.
In order to read the privacy information notice of the company Google, relating to the Google Analytics service.
To find out more about Google's privacy policy.
By using the University's website, you consent to the processing of your data by Google using the methods and for the purposes identified above.

Tracking cookies:

Name Origin Function Expiration
_ga Google Statistics on use of the web portal 24 months (2 years)
_gat Google Statistics on use of the web portal 10 minutes

5.2.1.How to disable cookies (opt-out)
It is possible to withhold consent to the use of cookies by selecting the appropriate setting on your browser: unauthenticated browsing on the unimi portal will in any case be available in all its functions. We set out below the links which explain how to disable cookies on the most popular browsers (for other browsers that may be used, we suggest you seek this option from the software help menu, which can usually be accessed by pressing the F1 key:

Internet Explorer;
Google Chrome;
Mozilla Firefox;
Apple Safari.

Alternatively, it is possible only to disable the Google Analytics cookies, using the additional opt-out component provided by Google for the main browsers. In this way, it will also be possible to use the unimi online services.

6. Rights of the Interested Parties

In accordance with Art. 7 of Italian Legislative Decree no. 196/2003, the interested party may exercise:
the right to know:
a) the origin of the personal data
b) the purposes and methods of processing
c) the logic applied in the case of processing performed with the use of electronic tools
d) the identification details of the controller, managers, individuals or categories of individuals to whom the data may be communicated or who may come to know of it;
the right to obtain from the controller or manager, without delay:
a) the update, rectification or, where applicable, addition to the data
b) the deletion, transformation into anonymous form or block on data processed in breach of the law, including data whose storage is unnecessary in relation to the purposes for which it was collected or subsequently processed
c) confirmation that the operations referred to in letters a-b above have been brought to the attention, also as regards their content, of those to whom the data has been communicated or disseminated, except in the case where that fulfilment is found to be impossible or involves the use of manifestly disproportionate means compared to the protected right;
the right to object in whole or in part:
a) for legitimate reasons to the processing of personal data relating to them, even if relevant to the purpose of its collection
b) to the processing of personal data relating to them for the purposes of sending advertising material or direct sales or to complete market research or sales communication.
The rights may be exercised by sending a request to the Controller (Università degli Studi di Milano – Legal Activities Division – Legal Department, via Festa del Perdono n. 7 – 21022 Milan).