Information for staff of Bologna University concerning the treatment of their personal data

The present document stems from a requirement of Leg. Dec. n. 196/03 (Privacy Code), art. 13 of which makes it obligatory for interested parties to be informed of how their personal data are being treated. This information sheet is explicitly for those working for the University of Bologna.

The Alma Mater Studiorum – Università di Bologna is updating its privacy policies pursuant to the new EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data.

In the next few days this privacy policy will be brought up to date.

In the meantime, the current privacy policy is supplemented by the information published on the "Privacy Policy Update pursuant to the EU General Data Protection Regulation (2016/679)" webpage (in Italian).


Purpose and form of processing of data

1.1. Data supplied by the interested party

Any data you may have given about yourself and your family, whether before, during or after your period of work, are to be collected and used within the limits foreseen by the privacy law and regulations.

Your private data are exclusively processed for the institutional purposes established by law or those authorized by the Authority and described in attachment D of D.R. 271/2009. That attachment will also inform you of the precise legal clauses relating to the specific treatment of data required by your position as a University employee or collaborator (Unified Text on Privacy and Use of Information Systems).

Please note that your data may be handled with or without electronic equipment. Where ICT systems are used, they are equipped, in compliance with the norms listed in Attachment B of the Code, with security devices to prevent loss of data, illicit or incorrect use of the data, or access by unauthorized persons.

1.2. Credentials and e-mail

Employees and collaborators are assigned university ‘credentials’ (username and password). These are handled as per attachments A, B and C of D.R. 271/2009 and the body of that law (Unified Text on Privacy and Use of Information Systems). The reasons for handling those credentials may only be of an institutional nature (see art. 4 of the above decree).

Such credentials are linked to an e-mail address. The e-mail system is managed by the University Centre for Development and Management of ICT Systems. An updated list of system administrators will be supplied if you write to

The Director of that Centre is responsible for how your data are computer-processed.

E-mail addresses are published on the university website to improve internal communications.

Your credentials may also be handled by external persons should third parties need to use them for authentication purposes. Such persons are authorized data-handlers and their identity may be learnt from

1.3. Badge and use of “Radio Frequency Identification” technology (“RFID”)

Every employee or collaborator is given a badge to assist identification inside the university.

Note that for certain security requirements (e.g. monitoring access to certain areas) it is University policy to fit badges with an “RFID” label. This enables the personal information contained in the magnetic card to be read.

Any use of this processing system will abide by the principles stated in Leg. Dec. 196/2003 (Privacy Code), with particular regard to freedom, basic rights, and the dignity of the person (art. 2, clause 1, Code); it will likewise reflect the principles of necessity (art. 3), legitimacy, the purpose and quality of the data, and a due sense of proportion (art. 11).

You are informed that areas covered by “RFID” data detection will be specifically signposted and adequate information given along the route.

Data detected will on no account be processed, collected or manipulated for any purpose other than stated above, or used to compile preferential profiles on the employee.

Without affecting the rights mentioned at point 5, you are entitled to have the “RFID” label removed or de-activated, though of course by doing so you will lose the services granted to badge-holders.

1.4. Information as to presence on duty

Data on the hours employees work are handled electronically (and otherwise) by the PresenzeWeb application. Data are recorded or entered concerning days of leave, compensatory rest, card-punching, etc. The databases containing such data are administered by the University Centre for Development and Management of Information Systems. An updated list of system administrators may be had from

Nature of data

By their nature, the personal data described above have to be collected. Refusal to comply would make it impossible to perform the operations needed to set up and manage a work relationship.

Entities involved in data treatment

The official recipient of the data you supply is the University of Bologna based at via Zamboni, N° 33 – 40126 Bologna.
Those responsible for data-handling are the persons in charge of the various University facilities (Directors, Managers, Campus Vice-Deans, or equivalent figures). A list of the latter is published on the university website (by way of example).

Data flowpath

Access to your personal data by University offices and employees will be made exclusively for institutional purposes and in line with the relevant laws and regulations governing labour, pensions, health care and taxation, as well as everything connected with staff management, processing salaries and complementary/accessory operations relating thereto. Within the ambit of institutional purposes, data may be disclosed to entities officially authorized to receive them by EU legislation, laws, regulations or contracts, and specifically the following:

  • M.I.U.R. (Italian Ministry for the University and Research) in performance of its legal functions;
  • C.U.N. (National University Council) in performance of its legal and institutional functions;
  • INPS (Pensions Authority) for operations involving pensions and severance pay, L. 335/1995;
  • Committee to monitor service causes and the local Medical Board (re procedures establishing cause of service/fair indemnity, as per DPR 461/2001);
  • INAIL (Public Safety and Accidents at Work), police authorities, Unified Immigration Office (DPR n. 334/2004) and/or other authorities appointed by law (reporting of accidents, DPR 1124/1965);
  • The relevant health agencies (re domicile inspections, art. 21 of the CCNL of 06/07/1995, sector CCNL);
  • Public and private entities appointed under regional/provincial law to train personnel (data disclosed are only sensitive if the service in question regards certain categories of worker, e.g. the disabled);
  • Private entities to whom the University outsources its own services;
  • Job Centre or local authority concerning employment of personnel, as per Law 68/1999 and subsequent changes/supplements thereto;
  • Provincial Administrations and regional Job Centre to be notified of hiring, job termination and changes of work status, as per L. 68/1999 and subsequent changes/supplements thereto;
  • Police authorities (C.P. and C.P.P.);
  • Trade Union organizations re payment of union dues and management of union permits;
  • Board of Inland Revenue, insofar as the University acts as a Tax Assistance Centre (CAF), in relation to employees’ income tax returns (art. 17 D.M. 164/1999 and art. 2-bis D.P.R. 600/1973);
  • Public administrations to which employees may be seconded as part of worker mobility;
  • Entities covered by art. 18 of D.R. 271/2009;
  • Lepida S.p.A or other federation service intermediaries whose authentication services employees may choose to use;
  • Public and private entities involved in salary-based loans (“cessione del quinto” and other small loans) as per DPR 180/50 and 895/50 and subsequent modifications thereto.

Rights of the interested party

What follows is an extract from art. 7 of Leg. Dec. n. 196/2003, as a reminder of certain rights that employees may claim:

  • To have it confirmed that personal data regarding them exist, even if not yet recorded, and to be told intelligibly what they are and where they came from, as well as how and for what purpose they are to be handled and by what reasoning if they are to be computer-processed;
  • To have data cancelled, made anonymous or blocked when the purpose for which they were collected, processed or kept does not exist;
  • To make sure their data are updated, rectified and completed;
  • To object, in part or in toto and for legitimate reasons, to data regarding them being handled, even if relevant to the purpose for which they were collected.

These rights may be exercised by writing to the address of the official recipient mentioned above, or by contacting the person in charge of handling the specific data over which they claim to exercise rights under art. 7 of Leg. Dec. n. 196/2003.