Privacy Policy

Privacy Policy -
Remote Admissions Process


pursuant to
Article 13 of the European Union General Data Protection Regulation 2016/679
(GDPR)

 

Università  Commerciale “Luigi Bocconi,” with registered office at Via Sarfatti 25, Milan, in the person of its pro tempore legal representative, in the capacity of "Data Controller" (hereinafter "Data Controller" or "University"), hereby informs you that your personal data will be processed in compliance with the legislation on the protection of personal data (EU Regulation 2016/679, "
GDPR" and Legislative Decree no. 196/2003 and subsequent amendments "Privacy Code"), in order to guarantee the rights, fundamental freedoms, as well as the dignity of individuals, with particular reference to confidentiality and personal identity.

The University has appointed a Personal Data Protection Officer (hereinafter "DPO") who Data Subjects can contact to exercise the rights provided for by the GDPR (see paragraph 7) by writing to the address dpo@unibocconi.it.

  1. Categories and types of
    personal data subject to processing

The data processed by the University may include:

  1. personal and identification information (full name, place of birth, fiscal code, details of identification documents, IP address of the device used during the exam);
  2. contact information (email address, phone number, home and/or residential address);
  3. data for the verification of the requirements and relating to the university and academic career (qualifications, assessment of exams);
  4. video and sound recordings of the applicant and the surrounding environment during the exam recorded with the webcam of the device used by the applicant;
  5. pictures of the applicant and valid ID of the same;
  6. desktop and web pages that the applicant visits during the exam;
  7. the applicant's answers to the test questions;
  8. specific categories of data (relating to health status).

 

  1. Purpose and legal basis of data
    processing

In compliance with current legislation on the protection of personal data, your data will be stored, collected and processed by the University for the following purposes:

  1. management of administrative requirements for admission to the selection process;
  2. provision of support services for applicants with disabilities;
  3. sending communications relating to admission to the selection process;
  4. use of telematic and email services by generating identification credentials;
  5. carrying out admissions tests to degree programs open to a limited number of students.

The legal basis of the processing regarding the aforementioned purposes, pursuant to Article 6 letter e) of the GDPR, is the need to perform tasks of public interest in which the Data Controller is invested, as the primary headquarters of higher education and research, which operates in implementation of Article 33 of the Constitution and Article 6 of Law no. 168/1989 and subsequent amendments.

  1. Data processing methods

In relation to the aforementioned purposes, processing of personal data takes place using IT and telematic tools with logic strictly related to the purposes themselves and, in any case, with methods that guarantee the security and confidentiality of the data, in addition to compliance with the specific obligations established by law.

The University makes use of non-automated proctoring systems, which, through activities performed by human operators, allows the veracity of the test taken to be guaranteed. For any other information regarding the operation methods of the software, please click here.

In any case, it is hereby specified that all the data exchanged between the computer systems involved in the selection process (applicant client, University server and server repository) are protected by SSL encrypted network protocols.

Your personal data will be processed only by authorized personnel, in accordance with the provisions of Article 29 of the GDPR and by Article 2-quaterdecies of the Privacy Code, due to the performance of their work duties.

  1. Communication of personal data

As part of the aforementioned purposes, data may be disclosed to:

  • internal structures of the University in charge of managing student enrollment and careers (academic office, faculty, departments, Faculty Councils, committees);
  • external companies entrusted with the management of the tests, specifically appointed pursuant to Article 28 of the GDPR as data processors (Giunti Psychometrics Srl and Procwise Exam B.V.).

The list of data processors (and sub-processors) may be requested from the Data Controller, at the addresses indicated above.

  1. Retention times for personal
    data

Your personal data will be kept only for the time necessary to pursue the purposes for which they are collected, in compliance with the principle of minimization pursuant to Article 5, paragraph 1, letter c) of the GDPR.

The personal data of the applicants who have taken the admissions test is kept indefinitely over time, for historical interest.

The final storage period, for both the text in the test[1] and the audio-video recordings,[2] coincides with the entire period of carrying out the online test, to which will be added the additional period of 6 months starting from the date of release of the test outcome for the last session available for admission to the following academic year.

Retention times for administrative documents containing the remaining data underlies their retention.

  1. Transfer of data outside the EU

Personal data collected during the remote selection process through the proctoring software provider (Proctor Exam), Giunti Psychometrics, are stored on Amazon Web Service servers located in the EU (Germany and Ireland).The situations in which the applicant's personal data could be processed outside the European Union and in particular in the United States are linked to requests for support made through the ProctorE xam chat, which, it should be remembered, cannot be used by the Data Subject, as an ad hoc support has been activated by the Data Controller, as indicated in the document "
Instructions and Rules of Conduct".

Regarding the possible transfer of data to Third Countries, the Data Controller hereby announces that processing will take place according to one of the methods permitted by the law in force, such as the adoption of Standard Contractual Clauses approved by the European Commission, the selection of adhering subjects to international programs for the free circulation of data or operating in countries considered safe by the European Commission, and in any case in accordance with the provisions of Articles 44-49 of the GDPR. You may request further information from the Data Controller using the contact details provided above.

  1. Rights of data subjects

You have the right to access the data concerning you at any time, pursuant to Articles 15-22 of the GDPR. In particular, as an interested party, you have:

  1. the right to obtain confirmation as to whether or not personal data concerning you are being processed and, in this case, to obtain access to it (Article 15);
  2. the right to obtain the updating and/or correction/integration of your personal data (Article 16);
  3. the right to obtain the cancellation of your personal data, in cases where this is permitted by the GDPR (Article 17);
  4. the right to obtain limitation of the processing of your personal data, if one of the scenarios provided for by current legislation occurs (Article 18);
  5. the right to object to processing, except for those contained in documents that must be kept by the University and unless there is a legitimate prevailing reason for the University to continue processing;
  6. for the processing of data that have their legal basis in consent, the right to withdraw the consent without prejudice to the lawfulness of the processing carried out before the revocation.

Without prejudice to any other administrative or judicial appeal, you also have the right to lodge a complaint (Article 77 GDPR) with the Guarantor for the Protection of Personal Data (www.garanteprivacy.it), if you believe that the processing that concerns you violates the current legislation on protection of personal data.

To exercise all the rights indicated above, you can contact the Data Controller or the DPO in writing at the addresses indicated above.

Milan, 29 June 2023



[1]The text in the test contains the questions displayed on the screen
of the individual application and the answers of the same.
[2]The audio-video recordings of the test contain a) the video
recording of the applicant from the front through the webcam and from the side
through the mobile device, b) the recording of the computer screen used by the
applicant during the test (screen recording).