IN ACCORDANCE TO ARTICLE 13 OF GDPR (General Data Protection Regulation) EU REGULATION N. 679/2016 OF 27 APRIL 2016

This document is issued pursuant to Article 13 of EU Regulation 2016/679 of 27 April 2016 on protection of natural persons with regard to personal data processing and in compliance with the legislation on personal data processing, as well as on the free movement of such data.


Data Controller

Politecnico di Milano – General Manager upon authorization of the pro-tempore Rector – contact: dirgen(at)


Internal data processor

Mauro Nisoli – Piazza Leonardo Da Vinci, 32 Milano (MI) – tel. 02.2399.6167 – mail mauro.nisoli(at)

Data will be processed by other authorized parties and, for this purpose, in compliance with current legislation.


Responsible for data protection and contact points

privacy(at) phone: +39 02.2399.9378


Purposes of data processing, legal basis, data categories and storage period.

For the purposes of the application of European and national legislation on this matter (EU Reg. 679/2016, hereinafter Regulation), we inform you that your personal data will be used for the following purposes:

Purposes of the processing for which personal data are intended Legal basis of data processing Categories of personal data to be processed Storage period of personal data
Execution of the activity: Attosecond School Execution of the contract with the interested party[1] (Article 6, paragraph 1, letter b) of the Regulations)


  • Identification data
  • Contact data
  • Career data
For a period of 1 year, or the duration of the contract and then, for the time of which Politenico di Milano is subject to storage obligations for tax or other purposes, provided by law or Regulation.


Nature of data

The provision of data is optional. If you refuse to provide data, it is impossible to perform the services. The collected data are compulsory. Failure to communicate and/or refusal to reply imply that you do not have access to the confidential information as referred in the Confidentiality Agreement.


Special categories of data.

No personal data of particular categories will be collected.


Processing methods – profiling

Processing methods

The data treatment carried out for the purposes mentioned above can be carried out on paper or digital means, manually and/or with electronic tools or, in any case, through automated processes, including in house database: Microsoft Office suite and external databases: Microsoft Forms/Saherepoint.

They are also stored in paper archives for the duration of the Attosecond School and in digital format for an indefinite period of time due to the transparency and good operation of the public administration.

The access to the data acquired for the aforementioned purposes is allowed to duly authorized staff.


The data will not be processed for profiling purposes.


Recipient categories

In relation to the mentioned purposes, data may be disclosed to the following public and/or private subjects:

  • COST Action CA18222 – European Cooperation in science & Tecnology, Attosecond Chemistry
  • Ettore Majorana foundation and centre for scientific culture (Italy)
  • UAM Universidad Autónoma de Madrid (Spain)
  • Institute for optical sciences, The Ohio State University (USA)

as to say to companies and/or persons, in Italy and abroad, that provide services, including external ones, on behalf of the Data Controller to facilitate contacts for possible internships. In particular, your personal data may be communicated also to other public administrations, anonymised too, if these institutions must process them for procedures related to their institutional work, as well as to all those public entities to whom, with the same prerequisites, the communication is compulsorily provided in accordance to EU provisions, laws or regulations, as well as insurance companies for possible accident insurances.


Storage period of personal data and their return.

At the end of the period indicated in TABLE 1, after that the limitation period for protection of the rights of the interested party have been expired, the data will be deleted or given back anonymously.


Transfer to Extra EU country

The data may be transferred to a third country, mainly for Cloud services, only in countries characterized by a high standard of protection of personal data, and subject to adequacy decisions by the Authorities. More in detail, it is about:

Country: Notes:
United States The relationship is governed by the Privacy Shield, a self-certification procedure, valid from 01/08/2016, for companies established in the USA that want to receive personal data from the European Union, on compliance with the principles mentioned in it and the commitment to provide the European interested parties with adequate protection tools,  or they will be deleted from the “Privacy Shield List” (available at by the U.S. Department of Commerce, and possible penalties by the Federal Trade Commission.

Rights of the interested parties

As interested party, you can ask the Data Controller, at any time:

  • confirmation of the existence or not of your personal data;
  • access to your personal data and related information; the correction of incorrect data or the addition of incomplete data; the cancellation of your personal data (if any condition indicated in Article 17, paragraph 1 of the Regulations can be applied and it is in compliance with the exceptions provided in paragraph 3 of the same article); the limitation of processing of your personal data (when one of the conditions indicated in Article 18, paragraph 1 of the Regulations can be applied), the anonymization or blocking of data processed unlawfully, including data whose storage is not required in relation to the purposes for which the data were collected or subsequently processed;

As interested party, furthermore, you have the right to wholly or partly oppose:

  • for legitimate reasons regarding the processing of his/her personal data, related to collection purposes;
  • to the processing of his/her personal data for the purpose of sending promotion of educational initiatives and cultural events of Politecnico di Milano.

These rights can be exercised by contacting

If you deem that your rights have been violated by the data controller and/or by a third party, you have the right to submit a complaint to the Data Protection Authority and/or to another competent supervisory authority pursuant to the Regulation.

Updated to 25.11.2022

[1]  Identified or identifiable natural person («interested party») Article 4 point 1 of the GDPR.