The European Regulation – Regulation (EU) 2016/679 – GDPR (adopted by the European Parliament – Law 119), concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, was published in the Official Journal of the European Union (OJEU) on May 4, 2016, and became fully effective on May 25, 2018.

The legislation, which defines the right to personal data protection as a fundamental right, requires Data Controllers to comply with a series of obligations, expressed through the concepts of privacy by design and privacy by default, in order to ensure protective measures and safeguards for the data processed, in accordance with the principle of accountability.

The University of Florence, in order to ensure an adequate level of protection for individuals’ personal data, is committed to processing such data in compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.

In implementing Regulation 2016/679, the University has established an organizational model and identified the relevant data processing activities.

European Regulation – Regulation (EU) 2016/679

Head | Delegates | Support Office | Appointees

With a resolution of the Board of Administrators dated 23 December 2020, the University appointed the Data Protection Officer for the 2021–2023 term, supported by the Functional Support Office, composed of staff with technical‑IT, legal, organizational, and administrative expertise, in order to assist the various University structures in adapting their procedures to the GDPR.

The resolution also updated the data protection organizational framework, identifying the individuals responsible for data processing and for fulfilling regulatory requirements, along with their respective roles:

Delegates
- Managers of the Central Administration Areas
- Directors of the Service Centres
- Administrative Managers of the Departments, with regard to the personal data processed in the administrative management of their respective structures
- Directors of the Departments, in their role of general oversight of the proper conduct of teaching and research activities – Art. 16, letter g) of the University Regulation for Departments
- Presidents of the Schools

Data Protection Contacts
- Holders of organizational positions within the units belonging to the various Areas or Service Centres (Process Units, Functional Units, Libraries, museum sections), or within other structures reporting to one of the designated Delegates
- Research project managers

Authorized Data Processors
- Permanent staff (technical‑administrative personnel, faculty members, and researchers) formally assigned to an organizational unit / structure / department responsible for carrying out processing operations on personal data held by the University
- Any natural person who, following an assignment, even temporary (coordinated and continuous collaborations, project contracts, student work‑study programs, internships, civil service volunteers, Ph.D. candidates, research fellows, tutors, research grant holders, etc.), is assigned to an organizational unit / structure / department responsible for carrying out processing operations on personal data handled by the University, for the processing activities and purposes relevant to each unit / structure / department, as identified in the Record of Processing Activities

Data processing

The conditions of lawfulness, pursuant to Article 6 of the General Data Protection Regulation (EU Regulation 679/2016) or GDPR, on which the University, as a public body, bases its data processing activities (within the university organization), may include:
- Processing necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre‑contractual measures taken at the data subject’s request;
- Processing necessary for compliance with a legal obligation;
- Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
- Processing based on the University’s legitimate interest, provided that the interests, rights, and fundamental freedoms of the data subject, especially if a minor, do not override such interest.

Furthermore, under University regulations or calls for applications, data processing that does not fall under these legal bases may be carried out on the basis of the data subject’s consent.

In emergency situations, the University may process personal data to safeguard the vital interests of the data subject or of another natural person.

Trattamento dei dati | Data processing

Notice

The GDPR provides, among other things, the right of data subjects to be informed (in writing or by other means, including electronic means where appropriate) of the existence of data processing and its purposes.
The tool used to ensure this right is the privacy notice.

In accordance with the GDPR, individual notices must contain:
- the data and contact details of the Data Controller and the Data Protection Officer which, for the University of Florence, are:
  - Data Controller: University of Florence, in the person of the Rector, Prof. Alessandra Petrucci, as legal representative. Contact: tel. 055 27571, e-mail urp(AT)unifi.it, PEC ateneo(AT)pec.unifi.it
  - Data Protection Officer: Dr Massimo Benedetti. Contact: tel. 055 2757667, e-mail privacy(AT)adm.unifi.it, PEC protezioneedati(AT)pec.unifi.it
- the purpose and legal basis of processing;
- the categories of data processed;
- the nature of data provision;
- the source of the data;
- the processing methods;
- the categories of data recipients and any transfer of the data;
- the data retention period;
- the rights of the persons concerned.

The main notices on data processing, addressed to those who provide their personal data to the University of Florence and divided into categories, are available on the Italian website.

Protezione dati webpage

Exercise of rights regarding personal data protection

To request access to or deletion of personal data held by the University, data subjects must use the form provided for exercising the rights granted to them under the GDPR.

Modello per l'esercizio dei diritti in materia di protezione dei dati personali (Form for exercising rights regarding personal data protection)

To learn more
- Codice in materia di protezione dei dati personali (Personal Data Protection Code)
- Italian Data Protection Authority | Garante per la protezione dei dati personali
- Etica e Protezione dati (Ethics and Data Protection). Document drafted by a group of experts at the request of the European Commission, which aims to raise awareness within the scientific community, and in particular among the beneficiaries of EU research and innovation projects
- Guida all'applicazione del Regolamento europeo in materia di protezione dei dati personali (Guide to the application of the European Regulation on personal data protection)
- Il Titolare del trattamento, il Contitolare e il Responsabile del trattamento nella protezione dei dati personali (The Data Controller, the Joint Controller and the Data Processor in personal data protection). Brief notes on their obligations and on the questions to ask for the proper management of personal data before starting processing activities