Privacy policy

Protection of personal data

On 25 May 2018, the General Data Protection Regulation (GDPR) dated 27 April 2016, no. 659) became applicable.
Through the legislative decree dated 10 October 2018, no. 101, the Italian Parliament aligned the provision of the "Italian Privacy Code" (Legislative Decree No. 196 dated 30 June 2003 - Code concerning the protection of personal data", to the GDPR.

The DATA SUBJECT involved in the data processing is the natural person that the PERSONAL DATA refer to, such data being any information about a natural person identified or identifiable directly or indirectly, with particular reference names, identification numbers, location data, online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

The University of Sassari will process the personal data of the data subject in compliance with current regulations so that data are:

  1. processed lawfully, correctly and transparently;
  2. obtained for specified, explicit and legitimate purposes;
  3. adequate, relevant and limited to what is necessary in relation to the processing purposes;
  4. accurate and, where necessary, kept up to date;
  5. kept in a manner which permits data subjects' identification, for no longer than necessary for processing purposes;
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Name and contact details of the data controller and the DPO

The DATA CONTROLLER referred to in art. 4 of the GDPR is the natural or legal person, public authority, service or other body that, individually or together with others, determines the purposes and means of personal data processing.

Please note that

The DATA CONTROLLER is the University of Sassari, the legal representative of which is the pro tempore Rector (Prof. Massimo Carpinelli), who can be contacted as follows:
Università degli Studi di Sassari, piazza Università, 21 – 07100 Sassari
Italian Registered Email: Email:

The university has appointed Mr. P. Leoni as the Data Protection Officer, that is responsible to provide information, advice and oversight in the implementation of the GDPR, as well as cooperation and support to the Supervisory authority (Data protection authority); contact details are: Italian registered email: Email:


Data processing purpose and legal basis

"The University is a public institution, with legal personality and public and private law-based autonomy, pursuant to art. 33 of the Italian Constitution", and "it is the primary forum for independent research and higher education, a place for critical thinking and the dissemination of scientific knowledge" (srt. 1 and 2 of the Statute of the University of Sassari).

As part of the institutional educational activities, scientific research and third mission, the University of Sassari performs processes personal data mainly for the following categories of stakeholders:

  • STUDENTS (for instance, for guidance, career management from enrolment to graduation)
  • EMPLOYEES AND/OR COLLABORATORS (for instance, employment practices), as well as cross-category data processing for data subjects or other subjects who come into contact with the university (e.g., suppliers, library users).

Depending on the circumstances, the legal basis of data processing may be affected by

  • the need to perform "a task of public interest or connected to the execution of public duties, for which the University serves as the Data Controller" (art. 6. 1e GDPR);
  • the need to "fulfil legal obligations which are typical of a Data Controller"; (art. 6. 1c GDPR)
  • the need to "execute a contract that the Data Subject is part of, or the execution of pre-contractual measures initiated at the request of the same"; (art. 6. 1b GDPR)
  • the need to pursue a "legitimate interest of the Data Controller or third parties (...)". (art. 6. 1f GDPR)
  • from the consent expressed by the Data Subject "whose personal data are to be processed for one or more specific purposes" (art. 6. 1a GDPR)

Pursuant to art. 12, 13 and 14 of GDPR, specific privacy statements provide detailed information to the Data Subject relating to:

  • the contact details of the data controller and the data protection officer;
  • the purpose of the data processing;
  • the categories of the personal data being processed;
  • the legal basis for data processing;
  • the nature of data provision;
  • the data source;
  • the mode of the data processing;
  • the categories of the recipients of personal data;
  • the data storage period;
  • the rights of data subjects;

The Privacy statements section includes the main privacy statements on the personal data processing carried out by the University.

Rights of the data subject

The data subject may contact the Data Controller or the Data Protection Officer using the references provided, and he or she has the right to exercise his or her:

  • right to access his/her personal data (art. 15 GDPR);
  • right of amend inaccurate data and supplement incomplete personal data (art. 16);
  • "right to delete data"/"right to be forgotten" (except for those contained in documents which the University must store, and unless there is an overriding legitimate reason to process the data) (art. 17);
  • right to restrict data processing in the cases provided by the law (Art. 18);
  • right to request data portability in the cases provided by the law (Art. 20);
  • right to object (art. 21)

FOR CONSENT-BASED DATA PROCESSING, the data subject has the right to withdraw his/her consent at any time, without affecting the lawfulness of the processing based on the consent granted before the revocation (art. 7 GDPR c.3).

Organization of privacy at the university

By Rector's Decree Reg. 2019/921 (Prot. n. 27064) dated 12 March 2019, the University of Sassari has updated its internal organization for the management and protection of personal data pursuant to EU Regulation 2016/679 and the relevant regulations.

For this purpose, the Data Controller has appointed the following Delegates who are assigned specific tasks in this field:

  • The Executive Officer of the University ICT Systems/Head of Digital Transition
    with regard to the processing of data in digital format on all University computer/information systems
  • The Managers and Coordinators

for the activities and to the data processed by the Organizational Units/specific offices

  • The Directors of the Departments and the executive officers of each Organizational Unit

The Directors of the PhD Courses

The Directors of the Specialization Schools

The Directors of the Master's courses

The President of the School of Medicine

The Presidents of the Courses, Special Courses, Training Courses and lifelong learning courses each of which for their own data processing assignments

Personal area - Tutorials and forms

Tutorials and form templates for staff and collaborators are available in the personal area (user name and password required; see below)