
Data protection



The new European Regulation, Regulation (EU) 2016/679 (GDPR; deliberated by the European Parliament, L. 119), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, was published in the OJEU on 4 May 2016 and came into full operational effect on 25 May 2018.

Defining the right to personal data protection as a fundamental right, the new regulation imposes a series of obligations on data controllers, expressed in the concepts of privacy by design and privacy by default, to ensure measures to protect and guarantee the data processed in accordance with the principle of accountability.

In order to ensure an adequate level of protection for individuals' data, the University of Florence undertakes to process them in accordance with the principles of lawfulness, correctness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability.

In implementing Regulation 2016/679, the University defined an organisational model and identified data processing methods.

Head | Delegates | Support Office | Appointees

With a Board of Directors resolution dated 23 December 2020, the University appointed a Data Protection Officer for the 2021-2023 three-year period, assisted by a Functional Support Office, made up of staff with the technical, IT, legal, organisational and administrative skills needed to support the various University structures in adapting their procedures to the GDPR.

The resolution updated the data protection organisation which sets out the people in charge of data processing and compliance with regulatory requirements and their roles:


  • the Managers of the Central Administration Areas;
  • the Directors of the Service Centres;
  • Departmental Administrative Managers with regard to personal data processed in the administrative management of their respective structures;
  • Heads of Departments in the general supervision of teaching and research activities - Art. 16 section g) University Regulation on Departments;
  • Presidents of the Schools.

Contact people for data protection:

  • the holders of organisational positions relating to organisational units pertaining to the various Areas or Service Centres (Process Units, Functional Units, Libraries, Museum Sections) or other structures subordinate to one of the designated Delegate figures;
  • research project managers.

People in charge of processing:

  • permanent staff (technical-administrative staff, teaching staff and researchers) appointed in writing to an organisational unit/structure/department responsible for carrying out processing operations on personal data held by the University;
  • any natural person who, following a permanent or temporary deed of appointment (coordinated and continuous collaborations, project contracts, 150 hours for students, internships, civil service volunteers, PhD students, scholarship holders, tutors, research fellowship holders, etc.), is assigned to an organisational unit/structure/department in charge of carrying out processing operations on personal data processed by the University for the processing operations and purposes pertaining to each organisational unit/structure/department, identified in the Register of Processing Activities.

Data processing

The conditions of lawfulness, pursuant to Art. 6 of the General Data Protection Regulation (EU Regulation 679/2016) or GDPR, on the basis of which the University, a public body, carries out its data processing (within the university organisation), may be:

  • Processing necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request;
  • Processing to fulfil a legal obligation;
  • Processing for the performance of a task carried out in the public interest or in connection with the exercise of official authority;
  • Processing in accordance with the University's legitimate interests, unless the interests, rights and fundamental freedoms of the person concerned, especially minors, take precedence.

Data processing not falling within these legal bases may also be carried out with the consent of the data subject by virtue of University regulations or announcements.

In an emergency the University may process personal data in order to safeguard the vital interests of the person concerned or those of another individual.


The GDPR provides, inter alia, for the right of data subjects to be notified (in writing or by other means, including, where appropriate, electronically) of the existence of a processing operation and its purposes. The instrument by which this right is implemented is a notice.

In accordance with the GDPR, individual notices must contain: 

  • the data and contact details of the Data Controller and the Data Protection Officer which, for the University of Florence, are:
    • Data controller: University of Florence, in the person of Rector Prof. Alessandra Petrucci as legal representative. Contact: tel. 055 27571, e-mail urp(AT), pec ateneo(AT)
    • Data Protection Officer: Dr Massimo Benedetti. Contact: tel. 055 2757667, e-mail privacy(AT), pec protezioneedati(AT)
  • purpose and legal basis of processing;
  • categories of data processed;
  • the nature of data provision;
  • the source of the data;
  • processing methods;
  • data recipient categories and their possible transfer;
  • the data retention period;
  • the rights of the persons concerned.

The main information on data processing for those who provide their personal data to the University of Florence is available, divided into categories, on the Italian website.
