INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLE 13 OF REGULATION (EU) NO. 679/2016
This information notice is provided pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”) and provides information on the processing of personal data carried out within the framework of the scientific research activities of Politecnico di Milano – Department of Electronics, Information and Bioengineering (“DEIB”).
Data Controller
The Data Controller is Politecnico di Milano (“Politecnico”), represented by the General Director acting under delegation from the Rector pro tempore (contact point: dirgen@polimi.it).
Data Protection Officer and contact details
Email: privacy@polimi.it
Purposes of processing
The scientific research activities carried out by DEIB aim to contribute to the development of new knowledge, methodologies and technologies in the fields of automation, bioengineering, electrical engineering, electronics, information systems and telecommunications.
In principle, the main areas of scientific research may concern the following fields:
| Main research areas | Specific purposes |
|---|---|
| Digital Health |
|
| Cybersecurity and Data Protection |
|
| Human–Machine Interaction (HMI) |
|
| Technological Innovation |
|
| Artificial Intelligence |
|
Any reuse of data for further scientific analyses strictly connected to the original objectives will be carried out in compliance with the principle of compatibility (Art. 5(1)(b) GDPR).
Legal basis
The processing of personal data for scientific research purposes is lawful when one of the conditions set out in Articles 6 and 9 of the GDPR applies. For research projects carried out by DEIB, the applicable legal bases are the following:
1. Article 6(1)(e) GDPR – performance of a task carried out in the public interest:
scientific research falls within the institutional purposes of Politecnico-DEIB, as provided by applicable law and the University Statute;
2. Article 9(2)(j) GDPR – processing of special categories of personal data for scientific or statistical research purposes:
this condition allows the processing of special categories of personal data for scientific or statistical research purposes;
3. Article 6(1)(a) GDPR and Article 9(2)(a) GDPR – data subject’s consent:
the withdrawal of consent does not affect the lawfulness of processing based on other legal grounds.
Categories of data
The categories of personal data processed may include those listed below, depending on the specific needs of individual research projects:
| Type of data | Description |
|---|---|
| Behavioral data | Analysis of user interaction with technologies, electronic/electrical control systems and human–machine interfaces; may include location data to improve user experience. |
| Photos | Collection of images for scientific research purposes. |
| Special categories of data (such as health data, biometric data, data revealing racial or ethnic origin) | Information from wearable devices and monitoring systems; physiological parameters and physical performance data; other special categories when relevant to the project. |
| Tracking and logistics data | Data used to monitor the movement of goods or persons; may also be used for security or emergency assistance purposes. |
| Geographical data | Location data used for position-based analyses (e.g. maps, navigation, proximity services). |
| Technical and usage data | Usage logs of electronic systems, software and telecommunications; traffic data; interaction data; simulation data; data from devices monitoring physical performance. |
| Cybersecurity-related data | Information processed in the context of cybersecurity activities, including attack/defense analysis and other technical information. |
| Data for analysis and identification | Images or other data processed for technical analyses, including health-related analyses, object or person recognition or other forms of identification. |
| Identification data | Personal details (name, surname, date/place of birth, residence) used to associate participants with the collected data. |
| Contact data | Email addresses, phone numbers and postal addresses for communication with participants. |
| Video | Images and video recordings collected exclusively for scientific purposes. |
| Security data | Data collected to ensure the safety of persons or places, when relevant to the research. |
Processing methods
Personal data are processed exclusively for the purposes of the research project by duly authorized and trained personnel. Processing is carried out using appropriate tools to ensure security and confidentiality, in compliance with applicable legislation. Where the project предусматриes anonymization of personal data, anonymized data may be stored in the research archive and used for future scientific purposes, without the possibility of identifying data subjects.
Data retention
The retention period of personal data is determined in relation to the purposes of the research project and the needs for verification, evaluation and reporting. Information documents (Informed Consent – Specific Information Notice), where provided, indicate the project duration and any need to retain personal data in identifiable form for the entire period.
Personal data may be retained in identifiable form for an additional period beyond the duration of the project, normally ranging from 5 to 10 years after its conclusion, where necessary, for example to link research results to further studies, verify result accuracy, enable follow-up analyses or comply with requests related to the study, such as evaluations or audits by funding bodies or institutional entities.
Where research is subject to specific obligations imposed by funders or legislation (e.g. projects in collaboration with healthcare institutions), data may be retained for longer periods.
When data are no longer necessary for research purposes or related obligations, they are anonymized or securely deleted, ensuring they are no longer accessible or recoverable. For special categories of data, retention is strictly limited to the time necessary to achieve the project’s purposes, and the anonymization process ensures irreversibility.
Data transfer
Within the research project, access to identifiable personal data may be granted to third parties where necessary for carrying out the planned activities. This possibility is also described in the information documents (Informed Consent – Specific Information Notice), where provided.
Data transfer or disclosure may occur when research is conducted in collaboration with other universities, funding bodies, project partners, external organizations or public authorities requiring information for legal obligations or audit, monitoring or reporting activities. Recipients may also include Ministries and institutional bodies where disclosure is required by law or competent authorities.
Where such recipients are located outside the European Union, data transfers are carried out in compliance with GDPR requirements.
In all cases, agreements or contractual commitments are put in place to ensure that third parties process data exclusively for research purposes and adopt appropriate security measures.
Exercise of data subject rights
Pursuant to Regulation (EU) 2016/679 (“GDPR”), data subjects may exercise at any time the rights listed below against Politecnico di Milano, as Data Controller. Some rights may be subject to limitations where, pursuant to Article 89 GDPR, their exercise could jeopardize the validity, integrity, reliability or achievement of scientific research purposes. In such cases, the Data Controller adopts appropriate measures to safeguard the rights and freedoms of data subjects.
Right of access (Art. 15 GDPR)
Data subjects have the right to obtain confirmation of whether their personal data are being processed and to receive information on purposes, data categories, recipients, retention periods and a copy of the processed data. Access may be limited where it would compromise experimental activities, statistical analyses or essential aspects of the research.
Right to rectification (Art. 16 GDPR)
Data subjects may request the correction of inaccurate data and the completion of incomplete data. Rectification may not be possible where data are pseudonymized or included in models and datasets already used for scientific purposes.
Right to erasure (Art. 17 GDPR)
This right may be exercised in the cases provided for by the GDPR. However, it does not apply where retention is necessary for scientific research purposes in accordance with Art. 17(3)(d). In such cases, alternative measures such as pseudonymization may be adopted.
Right to restriction of processing (Art. 18 GDPR)
This right may be exercised where data accuracy is contested or processing is unlawful. In scientific research, restriction may not apply if it compromises project continuity or integrity.
Right to object (Art. 21 GDPR)
Data subjects may object to processing based on public interest. The Data Controller may reject the objection where processing is necessary for conducting research or performing a task carried out in the public interest.
Right to data portability (Art. 20 GDPR)
Applicable only to processing based on consent or contract and carried out by automated means. It generally does not apply to DEIB research processing based on public interest.
Right not to be subject to automated decision-making (Art. 22 GDPR)
DEIB does not carry out processing involving automated decision-making producing legal effects or significantly affecting data subjects. Any future activities will be subject to a specific information notice.
How to exercise rights
Requests may be sent to: privacy@polimi.it
Complaint to the Supervisory Authority
Data subjects may lodge a complaint with the Italian Data Protection Authority: www.garanteprivacy.it