Skip to main content

Privacy and data protection


This page describes the processing of personal data by Università di Genova (UniGe).

Legislation references
Since May 25, 2018, the Regulation (EU) 2016/679, "General Data Protection Regulation" (GDPR), has been fully applicable.
With Legislative Decree No. 101 August 10, 2018, the Italian legislator adapted the regulations contained in Legislative Decree No. 196 of June 30, 2003 (Personal Data Protection Code) to the GDPR.
In implementation, the Regulations of the University of Genoa on the processing of personal data (UniGe privacy regulation) were adopted.

Data controller

The Data controller (Titolare del trattamento) is Università di Genova in the person of its Rector, the pro tempore legal representative.

The Data controller, aware of the importance of adopting policies for the protection of personal data processed in the exercise of its institutional duties, undertakes to carry out the treatment in application of the principles of lawfulness, correctness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability.


  • Rettorato
  • Via Balbi, 5 - Genova
  • +39 010 209 9221
    +39 010 209 51929

Data protection officer

The Data Protection Officer (DPO) is Liguria Digitale Spa, appointed by Rectoral Decree 2407 of 13.05.2022.


Privacy in UniGe

Personal data are processed and accessible by UniGe employees and collaborators, assigned to the competent offices, in their capacity of authorized persons to the processing adequately instructed by the Data controller, according to the Authorization.

The data will also be processed by third parties who, on the basis of specific agreements/contracts, operate for supply, development and maintenance activities in compliance with institutional purposes and, therefore, will be appointed as data processors pursuant to art. 28 of GDPR.



Person identified by the Data controller among the heads of administrative and educational structure. He is trained by the Data controller regarding his role (ex art. 9 of the UniGe Privacy Regulation) and collaborates functionally with the DPO.
The persons responsible for the processing of personal data are those listed in Annex A of the UniGe Privacy Regulations.


In order to carry out its duties, each referent may identify one or more sub-referent(s) among the staff, teaching or technical-administrative personnel affiliated to the same structure of which the referent is head.


Subject who operates under the direct authority of the contact person and carries out, with regard to the activities for which he/she is responsible, the processing of personal data in compliance with the security measures provided for and the instructions received (ex art. 10 of the UniGe Privacy Regulations). In the absence of formal designation, those who process personal data as part of their relationship with the University are in any case considered authorized to process data and are obliged to:

Co-Data controller

External entity, public or private, that determines the purposes and means of data processing jointly with the University through a specific agreement, the essential contents of which are made available to the data subject.


External party, natural or legal person, who processes personal data on behalf of the University (ex art. 8 of the UniGe privacy regulation).
The appointment of the external data processor shall be made by a written measure, by the owner or the contact persons, which identifies the nature, purpose and duration of the processing, the type of personal data processed and the categories of data subjects and defines the obligations of the processor, in accordance with the provisions of Article 28(3) of the GDPR.

Legal acts

UniGe's Information notices

The principles of fair and transparent processing imply that the data subject is informed of the existence of the processing and its purposes and methods (ex art. 13 of EU Reg. n. 2016/679). The information must be provided at the time of collection from the data subject or, if the data is obtained from another source (ex art. 14 of EU Reg. n. 2016/679), within a reasonable time depending on the circumstances of the case and in any case within the time limits set out in art. 14 par. 3 of EU Reg. n. 2016/679.

Consent to processing is represented by any free, specific, informed and unambiguous manifestation of will by which the data subject expresses his or her consent, by means of a statement or unambiguous positive action, that personal data concerning him or her be processed (ex art. 14 of EU Reg. n. 2016/679).

If the object of the processing is special personal data (ex art. 9 and 10 of EU Reg. n. 2016/679), the consent must be explicit.

Access to University Buildings (Covid-19 emergency)

Due to the Covid-19 emergency, please read the University of Genoa Building Access Policy.

Web and automated tools












Images, video and video surveillance






Rights of the data subject

The data subject has the right to obtain from the owner the information and access to the processing of their personal data, confirmation of their existence, verify the accuracy, to request the integration, updating, change, limitation, revocation of consent, opposition or cancellation by writing to

Legislation references
Articles 15-22 Reg. UE 2016/679

Internal use acts

Report a personal data breach

A data breach is a security breach that results in the accidental or unlawful destruction, loss, modification, disclosure of or access to personal data transmitted, stored, or otherwise processed by the University.

UniGe has adopted a personal data breach management procedure.

Types of violations

Confidentiality Breach

Unauthorized or accidental disclosure of or access to personal information.

Integrity Breach

Changing personal information accidentally or without authorization.

Availability Breach

Accidental or unauthorized loss, access or destruction of personal data. The inability to access the data even temporarily is still a violation.

When to report a data breach

You must report a data breach in case of:

  • loss or theft of computer devices (e.g. pc, laptops, USB flash drive, external hard disk, smartphone, etc...) in which personal data are stored
  • loss or theft of paper documents containing personal data
  • access or acquisition of personal data by unauthorized third parties
  • loss or destruction of personal data due to accidents, adverse events, flooding, fire, or other calamities
  • violation of physical security measures (for example forcing doors or windows of security rooms or archives)
  • inability to access your personal data due to accidental causes or external attacks, such as viruses, malware, or other attacks on your computer system or corporate network
  • the documents containing personal data are altered compared to the originals without authorization issued by their owner
  • unauthorized (even involuntary) disclosure of personal data to mailing lists
  • unavailability, even if only temporary, of waiting lists for medical examinations or medical treatments.

What to do

If you detect a concrete, potential or suspected violation of your personal data, you must:

  • report it within 24 hours and without justified delay to
  • fill in the form for reporting a security incident and potential personal data breach that you will receive by email.

The DPO evaluates the report and verifies that the reported facts actually constitute a data breach and, if so, starts the data breach management phase.


  • DPO
  • Support office

Transparency, anti-corruption and privacy office

Last update 13/11/2023