INFORMATION ON PERSONAL DATA PROCESSING RELATED TO THE “BicoccApp” STUDENT APP

Dear user, in accordance with Article 13 of EU Regulation 2016/679, also known as GDPR, please find the following information on how we will process your personal data.
Your personal data will be processed in accordance with the principles of propriety, lawfulness, transparency and the protection of privacy and your rights. It may occur manually or electronically or with the use of IT or automated devices. Data processing may consist of any operation carried out with or without the use of automated processes, including the collection, recording, organisation, structuring, storage, elaboration, selection, blocking, adaptation, modification, extraction, consultation, use, communication via transmission, diffusion or any other means of making available, comparison, interconnection, limitation, cancellation or destruction of said data.

Who is the Data Controller?

The Data Controller - i.e. the body that determines how and why your data is processed - is the University of Milano-Bicocca, located in Piazza dell’Ateneo Nuovo 1, 20126 Milan, represented by its legal representative Rector Giovanna Iannantuoni (hereinafter the “Controller”). You can contact the Controller by writing to the address shown above or sending an email to rettorato@unimib.it or the certified email address ateneo.bicocca@pec.unimib.it.

Who is the Data Protection Officer?

The University of Milano-Bicocca has appointed a Data Protection Officer who can be contacted with all queries relating to personal data processing and to exercise any rights deriving from GDPR. The Data Protection Officer can be contacted at rpd@unimib.it or certified email address rpd@pec.unimib.it.

Why do we process your data?

In accordance with Article 6, Paragraph 1 of GDPR, your personal data (by way of example but not limited to, UNIMIB credentials, personal data, contact and geolocation data) is processed so that the relevant university department/bodies can fulfil all duties allocated to them. More specifically, the university with process your data for the following purposes:

  1. Service provision. The app interfaces with the restricted area of the UniMIB website and, therefore, transmits the authentication credentials to the website (e-mail, password) and enables access to and use of the content and services of the restricted area (booking exams, viewing the class calendar, study plan, academic curriculum). This data is only displayed by the app, which enables it to be viewed through an interface adapted to the screen of the mobile device (so-called responsive mode). The legal basis for the processing is Article 6 paragraph 1, letter b) GDPR.
  2. Geolocation. Upon consent issued to the device through activation of the GPS location feature, the app can show your location on a map of the University in relation to the classrooms you are interested in. The location data is shown for as long as the feature is activated and is not stored by the app, which does not track movement but merely offers help in finding your way around the campus. The legal basis for the processing is your consent given to the device by activating the tracking functionality, pursuant to Article 6 paragraph 1, letter a) GDPR and Article 122 Privacy Code.
  3. Statistical analysis on the functioning of the app. Analytical cookies are installed on the app that collect data on the app experience using pseudonymised (with masking of the fourth part of the IP address) and aggregated data. The collection of browsing data is used to verify the correct functioning of the app, improve the browsing experience, and adapt future updates to the users' needs.

Who can we communicate your data to?

Your data is processed by personnel who belong to the departments of the university and are authorised by the Data Controller, in accordance with their functions and skills.
Moreover, the Data Controller can communicate your personal data to the following external third-party subjects, because their activities are essential to the achievement of the aforementioned purposes, including as regards functions attributed to them by law:

  • IT companies involved in the development of the application,
  • IT service providers for the maintenance and operation of the app.

In the event that your data is transferred out of the EU or to international organisations, you will be provided with a specific information notice. In the event that no decision on adequacy has been issued for the destination country, or if appropriate and adequate guarantees are not available as regards data protection and/or no information as to how to obtain a copy of your data or the location where the data is made available is provided, you will be asked to grant your consent before we proceed with the transfer.

Analytical cookies are installed within the app, which collect browsing data in aggregate form. This data is masked within the territory of the European Union in our server in Frankfurt so that the data subject cannot be identified in any way.

Is it compulsory for you to provide us with your data?

Yes, because if you fail to do so, the University will be unable to complete required activities and deal with requests. However, no formal declaration of consent for data processing is required.

How long will we store your data for?

Your personal data will be processed until this purpose is fulfilled. 

If your personal data is stored in the database of the Data Controller, it is stored for an unlimited period of time. If your personal data is contained in analogue documents and/or digital products or products owned by the Data Controller, this data is subject to legal storage time limits; the various time limits are contained in the “Disposal of analogue and digital documents guidelines”, which can be found on the University website.

Where present, authentication logs will be erased after 180 days.

What are your rights and how can you exercise them?

You have the right to:

  • access your personal data;
  • obtain the correction or cancellation of data or the limitation of data processing;
  • request data portability if data is in digital form;
  • oppose data processing;
  • make a complaint to the supervisory authorities.

You can exercise your rights by contacting the Data Controller and/or the Data Protection Officer; the Data Controller must respond to your within 30 days of the date they receive your request (this period can be extended to 90 days if the request is particularly complex).

In the event that you believe that your data has been processed in a way that violates relevant regulations, or if the response to a request in which you have exercised one or more of the rights set out in Articles 15-22 of GDPR fails to arrive within the time limit indicated or is unsatisfactory, you can contact the supervisory authority or the authority of the protection of personal data.

Will you be subject to automated decision-making processes?

No, you will not be subject to any decisions based solely on automated processes (including profiling), unless you have explicitly provided your consent for this.

Is your data safe?


Your data is processed in a lawful, proper manner and we adopt appropriate security measures designed to prevent any unauthorised access, disclosure, modification or destruction of the data.

[This policy was last updated on 27/04/2023]