Information on the processing of personal data

For the users consulting the portal of the University of Bergamo, pursuant to art. 13 of (EU) Regulation no. 679/2016 of the European Parliament and Council of April 27th 2016, General Data Protection Regulation (GDPR):

the new European Regulation (EU) Regulation no. 679/2016, General Data Protection Regulation, (GDPR, hereinafter referred to as “Regulation”) has full effect from  May 25th, 2018 and sets rules concerning the protection of individuals with regards to the processing of personal data and free movement of data.

This page describes the procedures for processing personal data of users consulting the portal of the University of Bergamo:

The information here provided does not concern other online websites, pages or services that can be reached through hypertext links published on the portal, but refer to resources outside the domain of the University of Bergamo.

Data controller

Following consultation of the site mentioned above, data concerning identified or identifiable natural persons may be processed.

The data treatment controller is the University of Bergamo, with registered office in Bergamo, via Salvecchio 19 (email: [email protected]; PEC: [email protected] switchboard: +39 035 205 2111).

Data Protection Officer (DPO)

The Data Protection Officer (DPO) is Mr. Michele Gorga, who can be contacted at [email protected], to whom data subjects (natural persons to whom the data refer) may turn for questions concerning the processing of their personal data and the exercise of their rights.

Purpose and legal basis of the processing

The personal data indicated in this page are processed by the University of Bergamo in the performance of its institutional tasks and in any case for the following purposes:

  1. provide the services requested by the users
  2. provide support to users
  3. carry out statistical analysis, for the sole purpose of improving the supply of services.
Types of data processed

Navigation data

In their daily operation, the IT systems responsible for the functioning of the portal automatically acquire certain personal data, implicitly transmitted in the use of web communication protocols: this is data (for example, IP address and domain names of the devices used by users/visitors to which, if processed with data held by third parties, could identify users/visitors. Such personal data are normally collected for statistical surveys, managed anonymously and used to facilitate navigation on the portal. Navigation data do not persist for more than seven days and are deleted immediately after their aggregation (except for any need to ascertain crimes by the judicial authorities).



Cookies are short strings of text sent by the site server to the user's/visitor's browser and automatically stored on the user's/visitor's device. The main purpose of cookies is to make the navigation of the site more usable. Almost all browsers are set to accept cookies, however, the user/visitor may autonomously change the configuration of their browser and block them: in this case, the use of the portal and the use of certain services may be limited. Cookies are divided into "session cookies" and "persistent cookies": once downloaded, the former are deleted when the browser is closed; the latter are stored on the hard drive of the user/visitor's device until they expire. The portal uses "session" cookies for the functioning of navigation within the pages: no navigation information is tracked and cookies are deleted once the browser is closed. The portal uses only one permanent cookie, that allows you to decide whether to use the mobile site when accessing with a smartphone or tablet.


Embedded content and services

The portal may incorporate content from external providers (i.e. Facebook, LinkedIn, Twitter, Youtube) that could track cookies. This tracking also occurs for the use of the search engine (provided by Google inc.). The data of these services are processed directly by the provider of the embedded services.


Reserved areas

The portal may contain links to reserved access areas (i.e. Internet Point; My portal; E-learning), whose credentials are provided and managed by the University of Bergamo for the sole purpose of providing online services, according to the specific procedures of each service, in whose pages specific information will be published.


Data communicated by the user

The optional, explicit and voluntary sending of messages to the contact addresses specified in the portal implies the acquisition of the sender's contact data, necessary to reply, as well as all personal data included in the communications.

Data processing

The processing may be carried out either manually or with the aid of electronic (or automated) means and include, in compliance with the principles, limits and conditions set out in article 5 of the Regulation, all the operations, or set of operations, specified in article. 4 (2) of the Regulation, such as the collection, recording, organisation, structuring, storage, processing, adaptation or modification, extraction, consultation, use, communication by means of transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction of data.

Data communication

The data collected will not be disclosed or communicated to third parties, except in the cases provided for by the information and/or by law and, in any case, in the manner permitted by law.

The data may come to the knowledge of external subjects operating as managers or internal staff of the University, as subjects authorised to process them, within their respective functions and in compliance with the instructions received, and exclusively for the achievement of the specific purposes indicated in this statement.

Rights of data subjects

In the cases envisaged, data subjects have the right to obtain from the Data Controller access to their personal data and the correction or cancellation of the same or the limitation of their processing or to object to their processing (articles 15 et seq. of the Regulation). The relevant request may be submitted contacting the Data Protection Manager at the University (email: [email protected]), also using the form for the exercise of data subjects' rights prepared by the Guarantor.

Right of complaint

The interested parties who believe that the processing of personal data referred to them carried out through this site is in breach of the provisions of the Regulation have the right to lodge a complaint with the Guarantor Authority, as provided for in article 77 of the Regulation itself, or to take appropriate legal action (article 79 of the Regulation).