The regulations regarding personal data protection are particularly complex as they encompass a vast body of European and National legislation with concrete effects in all sectors where data processing occurs.

The main legal sources are:

• Regulation (EU) 679/2016 (“GDPR”), which came into effect on May 25, 2018, provides immediately and directly applicable rules for all entities involved in the processing of personal data
• Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018 (“Privacy Code”)

As for the University, the main references concerning personal data protection are as follows:

• With D.R. No. 281 of April 6, 2021, the University implemented an organizational structure identifying various roles (bodies, offices, and personnel) and their respective functions in the processing of personal data;
• With D.R. No. 981 of September 30, 2021, specific obligations for each role (Data Controller’s Delegates, as structure heads; Data Controller’s Delegates, as scientific responsibles; Privacy Contact Persons) were outlined, along with instructions for all authorized processors;
• Additional and various documents (guidelines, policies, articles in Service Desk, etc.), also available on the internal pages of the University portal, provide indications and behavioral rules for different existing services.
   

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

At the opposite end of personal data is “anonymous data,” which does not allow for the identification of a person in any way and is not within the scope of privacy regulations.
There are also de-identified (or pseudonymized) data, which are personal data that do not immediately allow the identification of an individual but can, when associated with other information, lead to the identification of the subject. De-identified data constitute personal data and are therefore subject to privacy regulations.

While the notion of an ‘identified’ person is easily understandable, it should be clarified that ‘identifiable’ refers to someone who can be directly (e.g., name) or indirectly (e.g., address, job role) identified, even through one or more specific elements of their physical, physiological, genetic, mental, economic, cultural, or social identity.

Examples of personal data include:

• Personal identification data (e.g., name, surname, gender, age, date of birth);
• Contact data (e.g., email address, phone number, Skype ID);
• Identity documents and identification numbers (e.g., tax identification number, license plate number);
• CV and related professional and academic experiences;
• Unaltered recorded voice from which a person can be identified;
• Images from which a person can be identified (e.g., photographs, video footage).
   

The Data Subject is the natural person to whom the personal data refers.

Data Subjects are natural persons, not legal entities.

The term “sensitive data” commonly refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

In practice, this involves data that touches on the most intimate aspects of a person’s life and, consequently, must be collected with particular precautions and only in the presence of genuine needs and specific conditions that allow for legitimate processing. The terminology “sensitive data,” once contained in the “Privacy Code,” is now replaced by “special categories of personal data” as introduced by the GDPR.

Furthermore, personal data relating to criminal convictions and offences are also subject to special precautions.

Examples of special categories of personal data:

• Data revealing racial or ethnic origin (e.g., indicating the ethnic group or skin color on a form);
• Data revealing political opinions (e.g., list of members of a political party);
• Data revealing religious or philosophical beliefs (e.g., indicating a preference for kosher or halal food on a form);
• Data revealing trade union membership (e.g., list of members of a trade union);
• Genetic data (e.g., results of a genetic test);
• Biometric data (e.g., fingerprint);
• Data concerning health (e.g., indicating the presence of a disability on a form);
• Data concerning health sex life or sexual orientation (e.g., indicating membership to the LGBT community on a form);
• Data relating to criminal convictions and offences (e.g., data contained in criminal records).
   

The Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The Data Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

Some examples of Data Processors are cloud services, IT services, and storage services providers.

The Data Controller must adhere to the following principles regarding the processing of personal data:

• It must be lawful, fair, and transparent (lawfulness, fairness, transparency);
• It must be limited to specific purposes (purpose limitation);
• The personal data processed should be adequate, relevant, and limited to what is necessary (data minimization);
• The personal data must be accurate (accuracy);
• The personal data must not be retained longer than necessary (storage limitation);
• The personal data must remain well protected and confidential (integrity and confidentiality).

The Data Controller is responsible for ensuring that the data processing operations they perform comply with these principles and should be able to demonstrate such compliance (accountability principle).
 

The Data Controller of personal data must:

• document their data processing operations by maintaining a Record of Processing Activities (Article 30 GDPR);
• conduct a Data Protection Impact Assessment (DPIA) if necessary, before operations that pose a high risk to the rights and freedoms of data subjects;
• in certain circumstances, consult the Data Protection Authority before initiating high-risk processing activities;
• consider the principles of privacy by design and privacy by default when designing processing operations;
• implement appropriate security measures to protect personal data;
• in the event of a personal data breach, inform the Data Protection Authority if necessary and, in certain circumstances, inform the affected data subjects;
• enter into agreements/contracts only with Data Processors that provide adequate guarantees of security and confidentiality;
• enter into agreements with other controllers in cases of joint controllership to regulate respective obligations and duties;
• transfer personal data to other EU countries, non-EU countries, or international organizations only if the conditions of the GDPR are met;
• cooperate with the Data Protection Authority.

Finally, the Data Controller must provide data subjects with clear and accessible information about the processing and respect and guarantee the rights of data subjects.
 

The GDPR has expanded the rights recognized for data subjects concerning their personal data, making them more impactful in a reality increasingly permeated by the use of new technologies and the internet.

In particular, the following rights are recognized for the data subject:

• right of access: the right to obtain from the Data Controller confirmation as to whether or not personal data concerning them are being processed and to access such data;
• right to rectification: the right to obtain the rectification of inaccurate personal data or the completion of incomplete data, including by means of providing a supplementary statement;
• right to erasure (also known as the right to be forgotten): the right to obtain the erasure of personal data concerning them in the presence of specific conditions, unless there are some legal obligations;
• right to restriction of processing: the right to request and obtain the blocking or restriction of data processed in violation of the law and data no longer necessary for the purposes of processing;
• right to data portability: the right to receive the personal data provided in a structured, commonly used, and machine-readable format and to transmit it to another Data Controller;
• right to object: the right to object, in whole or in part, to the processing of personal data concerning them;
• right not to be subjected to automated decision-making: the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them.

The data subject also retains the right to lodge a complaint with the Data Protection Authority or to seek recourse through the appropriate judicial channels, as provided for by the GDPR.

Additionally, the data subject has the right to receive information regarding the processing of their personal data as well as the right to withdraw their consent at any time, as easily as it was provided.
 

In the context of the University's institutional tasks, personal data may be transferred to non-EU countries, for example, to universities, research institutes, public and private entities as part of international mobility programs, internships, research projects, and other activities that need to be carried out outside the territory of the European Union.

Such transfers will be conducted within the limits and under the conditions set forth in Articles 44 and following of the GDPR, for instance, in the presence of an adequacy decision from the European Commission or appropriate safeguards, including the standard contractual clauses for data protection adopted by the European Commission.

For University personnel, more information are available on Service Desk UniTrento and Infoservizi.

The regulations concerning personal data protection require that the Data Controller provides the data subject with a clear, simple, and specific explanation of various aspects of the processing to inform the data subject about how their personal data will be processed and to ensure the effective exercise of their right to protection.

This ensures that all relevant information is provided to guarantee secure and effective processing of personal data, while also facilitating the individual's ability to exercise control over their own data. For this reason, it is necessary to include in the notice not only the minimum content required by law but also to adapt the content of the notice so that it concretely reflects information regarding the operations performed on personal data, keeping in mind the general principle of transparency to be followed.

The Personal Data Protection Notice is usually provided in writing or using electronic and digital means (also in combination with standardized icons, to give a clear and easily visible overview). Naturally, the Notice is free of charge and does not impose any burden or cost on the data subject.

Regarding the timing of when the notice must be provided, it is important to distinguish:

• If the data is collected from the data subject, the notice must be provided before the data collection;
• When the data is obtained from a source other than the data subject, the notice must be provided to the data subject – provided that it is possible to track them and that doing so is not particularly difficult or excessive, as might be the case in research involving a very large number of individuals – within a reasonable period after obtaining the personal data, but at the latest within one month, or, if the personal data allows for direct contact with the data subject, in the first communication.