Protection of personal data

The University of Ferrara, in its capacity as data controller, informs data subjects that their personal data is processed in accordance with the provisions and within the limits of the legislation in force (EU Regulation No. 2016/679 and Italian Legislative Decree No. 196/2003, as amended and supplemented by Italian Legislative Decree No. 101/2018.).

Personal data controller 

Università degli Studi di Ferrara

Via L. Ariosto, 35 - 44121 Ferrara (Italy)


Registered E-Mail (PEC): 

Data Protection Officer - DPO

Lepida S.c.p.A. Via della Liberazione, 15 - 40128 Bologna (Italy)

Tel. No. +39 0516338844


Registered E-Mail (PEC):

Protection of personal data

The University of Ferrara is a public institution with scientific, educational, organisational, financial and accounting autonomy.

Its primary aims are teaching, research and the 3rd Mission.  

According to the GDPR, data processing operations are deemed lawful if at least one of the following conditions applies (Art. 6 para. 1):

  • As regards the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject (letter b);
  • for legal obligations (letter c);
  • for reasons of public interest (letter e);
  • for legitimate interests of the University, if the interests, rights and fundamental freedoms of the data subject, especially if he/she is a minor, do not prevail (letter f).

If at least one of the above conditions is not met, data processing may be carried out with the consent of the data subject (Art. 6, para.1, letter a).

Exceptionally, in the event of special emergencies, the University may process personal data for the protection of the data subject or another natural person (Art. 6, para. 1, letter d).

Processing of special categories of personal data

The processing of special categories of personal data  is forbidden if the University cannot demonstrate that it meets at least one of the following conditions (Art. 9 of the GDPR): 

  • the data subject has given his/her explicit consent to the processing of such personal data for one or more specific purposes;
  • the processing relates to personal data made manifestly public by the data subject;
  • processing is necessary for one of the following purposes:
    • to fulfil the obligations and exercise the specific rights of the data controller or the data subject in the field of labour and social security law and social protection;
    • to protect a vital interest of either the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
    • to establish, exercise or defend a right before a court of law or whenever the courts exercise their judicial functions;
    • For reasons of substantial public interest  based on Union or Member State law;
    • for the purposes of preventive or occupational medicine, the assessment of the employee's ability to work, diagnosis, health or social care or treatment, or management of health or social care systems and services;
    • for reasons of public interest in the field of public health;
    • for archiving purposes in the public interest, scientific or historical research or statistical purposes.

Special categories of data

Special categories of data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric personal data intended to uniquely identify a natural person, data concerning a person's health or sex life or sexual orientation.

Genetic data

Personal data relating to the hereditary or acquired genetic characteristics of a natural person which provide unambiguous information on the physiology or health of that natural person, and which result in particular from the analysis of a biological sample from that natural person.

Biometric data

Personal data obtained via specific technical processing relating to physical, physiological or behavioural characteristics of a natural person that enable or confirm their unique identification, such as facial image or dactyloscopic data.

Health data

Personal data relating to the physical or mental health of an individual, including the provision of health care services, revealing information about his/her state of health.

Reasons of public interest

The Data Protection Code provides that the processing of special categories of data necessary for reasons of substantial public interest is permissible where it is provided for by EU law or, in domestic law, by provisions of law or, where provided for by law, or legal provisions, which specify the types of data that may be processed, the operations that may be carried out and the reason for the substantial public interest, as well as the appropriate and specific measures to protect the fundamental rights and interests of the data subject. 

The public interest shall be deemed to be relevant in relation to processing carried out by entities carrying out tasks in the public interest or connected with the exercise of official authority in various matters, including:

  • university education and training;
  • archiving in the public interest or historical research;
  • scientific research;
  • establishment, management and termination of employment relationships of any kind, including unpaid or honorary, and other forms of employment, trade union matters, employment and compulsory placement, social security and assistance, protection of minorities and equal opportunities in employment relationships, fulfilment of pay, tax and accounting obligations, hygiene and safety at work and public health, assessment of civil, disciplinary and accounting liability, inspection activities.

Rights of the parties concerned

The parties to whom the processed data refer, i.e. the Data Subjects, have the following rights (Articles 15-22 of the GDPR): 

  • The right of access;
  • The right of rectification;
  • The right to erasure (The right to be forgotten);
  • The right of restriction of processing;
  • The right to portability;
  • The right of objection;
  • The right not to be subject to automated decision-making, including profiling.

In order to exercise your rights, it is necessary to use the form issued by the Italian Data Protection Authority, sending it to

In order to file a complaint with the Italian Data Protection Authority, the form issued by the same can be used.

Main purposes of processing in Unife

The University processes personal data for the performance of its institutional purposes, as identified by legal, statutory and regulatory provisions concerning, by way of example but not limited to

a.  data relating to subordinate, parasubordinate or self-employed staff, including persons whose employment relationship has ended or other staff working in various capacities in the University, with particular reference to:

  • competition/selection tests;
  • management of the employment relationship;
  • training and professional development;
  • management of research projects;
  • research monitoring and assessment;
  • technology transfer activities;
  • welfare policies and for the use of benefits;
  • health and safety of people in the workplace;
  • provision of fixed and mobile telephone services;

b.  data regarding students and graduates, with particular reference to:

  • careers guidance activities;
  • provision of entry tests or verification of entry requirements;
  • provision of training and career management (from enrolment to graduation);
  • Internship activities;
  • job placement activities;
  • fundraising, institutional communication and information as well as community development activities;
  • statistical surveys and assessment of teaching activities;
  • dissemination of the final paper or related elements;
  • mentoring, care, social inclusion services;
  • services and activities for the right to study;
  • disciplinary proceedings against students;

c.  data relating to management activities, third parties and/or related to cross-cutting activities, with particular reference to:

  • space management;
  • management of posts;
  • management of institutional bodies and offices;
  • accident management;
  • library services;
  • protocol and document storage services;
  • purchase of goods and services, conclusion of contracts, debt collection, litigation management;
  • e-mail services and collaboration tools;
  • federated service delivery;
  • provision of the Eduroam service;
  • access to federated services;
  • tracking of non-primary information;

d.  data on teaching and research activities (including research in the field of medicine and healthcare).

Unife information

Information for students:

Other information

Whoever processes personal data must also provide the interested party with certain information  also with the aim of enabling him/her to exercise his/her own rights (Articles 15-22 of the same Regulation).

Content of the information


The contents of the notice are listed exhaustively in the GDPR (Articles 13 and 14).

In particular, the University must specify:

  • identity and contact details;
  • the contact details of the Data Protection Officer;
  • the purposes and legal basis of the processing;
  • the recipients of the data;
  • any transfer of the same to a third country or international organisation;
  • the data retention period;
  • Rights of the parties concerned;
  • whether there is an obligation to provide it and what happens if one fails to do so;
  • if the provision of the data is a legal or contractual obligation or a necessary requirement for the conclusion of a contract; 
  • if the processing involves automated decision-making, including profiling.


The information shall be provided in writing or by other means, preferably in electronic form, for example through a website, if it is intended for the public.

Information must be transparent, understandable and easily accessible. 


If the data is collected directly from the data subject, the information must be provided to the data subject at the time it is obtained. 

If the data is not obtained from the data subject, the information must be provided within a reasonable period which may not exceed one month from the collection, or at the time of communication of the data to a third party or to the data subject.

If the Controller intends to further process the data for a purpose other than the one for which it was collected, the Data Subjects must be provided with information on that purpose before the processing is carried out.


Where processing is based on the data subject's consent, the controller must always be able to demonstrate that the data subject has given it.

The GDPR specifies certain conditions (Art. 7):

  • if consent is given in the context of a written declaration which also covers other matters, the request for consent shall be presented in a manner clearly distinguishable from the other matters, in a comprehensible and easily accessible form;
  • shall be expressed by an act whereby the data subject indicates his/her free, specific, informed and unambiguous intention to accept the processing of personal data relating to him/her; tacit or presumed consent, for example on forms with boxes already ticked, is not allowed;
  • is revocable at any time; before giving consent, the person concerned shall be informed thereof. 

When the data processing regards special categories of personal data, consent must be explicit; the same applies in the case of decisions based on automated processing, including profiling.

Protection of personal data

Personal data may be processed by technical-administrative staff, lecturers and researchers and the University's collaborators who, working under its direct authority, are authorised to do so. 

The University may avail itself of external subjects for the provision and management of particular services, inviting them to process data on behalf of Unife. In such cases, it appoints them as external data controllers, so as to ensure that processing is carried out in accordance with the GDPR.

Personal data may be communicated:

  • to other public administrations if they have to process the same for any activities falling within their own institutional competence; 
  • to public authorities or private entities where teaching, research or training activities can be carried out;
  • to judicial authorities at their request.

Personal data may be transferred abroad to other university institutions or research bodies for research and teaching purposes or as part of international mobility projects.

Reporting privacy breaches 

The University must notify the Guarantor of personal data breaches of which it becomes aware, within 72 hours and in any case without undue delay, if it considers that such a breach is likely to result in risks to the rights and freedoms of the data subjects, compromising the confidentiality, integrity or availability of the data. 



Privacy Code

Article 29 Group Guidelines

Measures adopted by the Italian Data Protection Authority

GDPR in a nutshell

"GDPR in a nutshell" document