Privacy Policy


Privacy Policy

On this page Carlo Cattaneo University (hereinafter also “LIUC”) with registered office at Corso Matteotti 22, 21053 Castellanza (VA) provides all the necessary information on the processing of personal data collected during internet browsing on the website and any other LIUC-owned website linked to it.

LIUC, as Personal Data Controller pursuant to EU Regulation 679/2016 (hereinafter also “GDPR”), operates in full compliance with national and European data protection regulations and pays particular regard to the confidentiality of its users’ data, adopting appropriate security measures to guarantee the protection of the information collected.

Data Controller

The Data Controller is LIUC, Carlo Cattaneo University, with registered office at Corso Matteotti 22, 21053 Castellanza (VA), tax code and VAT no. 02015300128.You can contact the Data Controller at:

Data Protection Officer

Pursuant to Articles 37 ff. of the GDPR, LIUC has appointed a Data Protection Officer (DPO) who can be contacted at the following address: Università Carlo Cattaneo – LIUC, Corso Matteotti 22 – 21053 Castellanza (VA); email

What data are processed?

1) Browsing data

The computer systems and software processes used to operate the website acquire, in the course of normal operation, certain data that are then automatically transmitted when using internet communication protocols. These include, for example, the IP address, the type of browser, the name of the provider, date and time of access to the website, etc. This data is mainly used for statistical information, to check the correct functioning of the website and to make browsing more efficient.

Other data are collected through cookies; for more details on this please refer to the relevant Cookie Policy.

2) Data provided voluntarily by users or visitors

Requests for information by users of the LIUC websites, or registration to certain areas, may entail the collection and consequent processing of personal data such as, for example, name, surname, email address, telephone number, address of residence, date of birth, profession, etc.

These data may be collected in the course of:

  • registration for specific initiatives organised or sponsored by LIUC;
  • sending requests via the Contacts section of the website;
  • completing other online forms;
  • content sharing via social networks.

In the context of the above actions, LIUC does not process data of a sensitive nature pursuant to Article 9, Paragraph 1 (“Processing of special categories of personal data”) of the GDPR (i.e. those data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”).

LIUC invites users not to send such types of data (for example, via contact forms) unless strictly necessary in relation to the request being made.

Purpose of processing and legal basis

We process personal data for the following purposes:

  • Website operation – ensuring website access and browsing; improving and/or customising the user experience; monitoring and ensuring security (legal basis: performance of a contract; a legitimate interest of the Data Controller)
  • Registration on LIUC websites, when it is necessary to access restricted sections of the website itself or to provide specific services of interest to users; this includes the sending of “transactional” emails related to website registration and account maintenance (legal basis: performance of a contract or pre-contractual measures).
  • Replying to user enquiries on LIUC services submitted through contact forms or by other means (legal basis: performance of a contract or pre-contractual measures)
  • Statistical analysis on aggregate or anonymous data, on the use of the LIUC website or related websites (legal basis: regulatory duties; a legitimate interest of the Data Controller)
  • Institutional promotion by means of communications on courses, other educational activities and LIUC initiatives (legal basis: specific consent)
  • Compliance with legal requirements under laws, regulations and EU legislation, administrative, tax, accounting, etc.; compliance with contractual duties and ascertainment of any liability in the event of damage to the website or the Data Controller’s infrastructure

Further specific information may be provided, linked to individual operations involving the provision of different personal data, published from time to time on the Data Controller’s websites (for example, in the case of special events, courses, etc.). Always refer to for the most complete information.


LIUC pays special attention to the protection of the personal data of minors. At present, LIUC websites do not collect personal data directly from minors, although there is content of potential interest to individuals under the age of 18 seeking information on available educational offers. LIUC has taken reasonable precautions to ensure that it does not intentionally collect, store, use or process personal information of minors who might use the LIUC website and services without the proper support of their parents or legal guardians.

Nature of provision

The provision of data may be necessary to comply with legal duties and to perform a contract or provide a certain service (for example, registration for a course, requesting information from the website, etc.). In these cases, any refusal to processing all or part of the data may make it impossible for LIUC to carry out contractual relations or in any case to provide what has been requested.

For all other purposes, users/visitors are free to provide their personal data. Failure to provide them may only result in the inability to provide certain services or to obtain the best browsing experience.

In the event of refusal or withdrawal of consent given, for those processing operations that provide for it, there are no consequences of any kind other than the cessation of communication activities; activities carried out prior to withdrawal of consent are deemed valid and lawful. Users may at any time object to processing for direct marketing and profiling purposes by contacting the Data Controller.

Data security and retention times

Processing is carried out mainly by electronic means and the data will be kept for as long as necessary to achieve the purposes for which the data were collected, in compliance with the relevant legal provisions and in any case no later than the withdrawal of consent for those purposes for which consent is required.

To protect the security and confidentiality of data, LIUC adopts (and requires its partners to adopt) technical and organisational security measures to prevent risks of loss, destruction, unauthorised access and unlawful use of data.

Finally, LIUC has developed a procedure to address and manage possible personal data breaches, as required by the GDPR. Breaches will be notified to the Italian Data Protection Authority if the breach poses a risk to the rights and freedoms of the persons concerned.

Scope of communication and dissemination

Personal data may be brought to the attention of LIUC employees or collaborators; these subjects are formally appointed and authorised to process such data and receive adequate operating instructions in this regard. Moreover, data may be processed by external legal or natural persons that LIUC may use in the management of the relationship with its users (for example, internet providers, communication agencies, individual or associated professionals, third party companies) or for organisational needs of its activity. These persons act, where applicable, as external data processors.

These recipients may operate in locations other than those where the data are collected, but always within the European Economic Area. Should it be necessary to transfer the data outside this perimeter, the Data Controller undertakes to comply with Chapter V of the GDPR and to do whatever is necessary to ensure adequate levels of protection and safeguarding of personal data, for instance by entering into the standard contractual clauses adopted by the European Union.

Personal data are not subject to dissemination.

Rights of the data subject

At any time, the data subject may exercise his or her rights with respect to the Data Controller; they are summarised below, but for exhaustive details, please consult Articles 15 to 22 of the GDPR:

  • right of access;
    • confirmation as to whether or not personal data concerning the data subject are being processed;
    • communication of data transfer to a third country or international organisation;
    • obtain a copy of the personal data being processed (if and only if the rights and freedoms of others are not infringed);
  • right of rectification;
  • right to total erasure (right to be forgotten);
  • right of restriction of processing;
  • right to data portability;
  • right to object (not exercisable where the data controller demonstrates legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the defence of a legal claim);
  • right to object to direct marketing and/or profiling;
  • right to withdraw consent.

The data subject also has the right to receive prompt notification in the event of a personal data breach that could harm his or her dignity and freedom.

Finally, the Data Subject has the right to lodge a complaint with the Italian Data Protection Authority: Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma;


LIUC may update and change this Privacy Policy at any time, to the fullest extent permitted by applicable law. The version published on the website is the one currently in force.

Starting from 25 May 2018, the 2016/679 EU Regulation, known as the GDPR (General Data Protection Regulation) – concerning the protection of individuals with regard to the processing and free circulation of personal data, is directly applicable in all Member States.

The GDPR arises from precise needs, as indicated by the EU Commission itself, of legal certainty, harmonisation and greater simplicity of the rules concerning the transfer of personal data from the EU to other parts of the world.

In order to fulfill the obligations established by the GDPR, Università Carlo Cattaneo – LIUC, and with this also its own division called “LIUC Business School”, has provided specific information for:

Prospective students and students, that is to say all those who intend to enroll or are enrolled in institutional courses of different levels active at the Università; in particular those who:

  1. intend to take advantage of orientation activities and/or that carry out entry tests or selections for the purpose of matriculation and/or enrollment on institutional courses;
  2. are enrolled on a specific course and have not yet completed the Università pathway;

Former students are also included for which training activities, job placement or with which they may be interested in maintaining and consolidating a relationship are carried out.

– Company contacts;

– Other contacts.

Further information

Pursuant to current legislation, regarding the protection of personal data, with particular reference to Article 13 of Regulation (EU) 2016/679, I hereby inform you in my capacity as Data Processor, that your personal data, collected exclusively for the purpose of the establishment, completion and management of your employment by the University, will be processed in full compliance with legal duties and principles, guaranteeing the full protection of your fundamental rights and freedoms, with particular regard to the principles applicable to the processing of personal data as set out in Article 5 of the Regulation.

1. Origin and type of data processed

The processing of your personal data, directly provided by you, is carried out by us for the purpose of fulfilling the duties arising from: the legal provisions applicable to your employment contract; the negotiating provisions of your employment contract; the provisions of any national collective agreement which may be applicable to your contract. This processing includes:

a) the personal and tax data and bank account details for you and of any members of your household provided by you. Those data are processed in order to fulfil legal and/or contractual duties, such as, for example, the processing and payment of your salary, recognition of family allowances and the like;

b) data that relate to your employment relationship with the University, such as feedback and checks on the fulfilment of contractual duties, such as statistics on your presence and absence from work, data on the management and updating of your professional profile, the assignment of new tasks and assignments, professional and career development, also in the form of CVs, and performance evaluation;

c) data on any trade union membership and filling of trade union positions;

d) data on the holding of elected public offices, in order to enjoy the ex officio rights provided for by law;

e) the data needed to control the expenses of employees and those treated as such, such as financial planning; the preparation of budgets and their management; the control of cost items relating to employees and those treated as such; the management of travel expenses; the management of the costs of telephone services, cars, and office automation tools provided;

f) data relating to the use of work tools, collected and processed for reasons of computer system security, for technical and/or maintenance reasons, such as, for example, updating, replacement or implementation of programmes, hardware maintenance, back-up, for the control and planning of business costs, such as, for example, checking internet connection costs, telephone traffic, or for regulatory requirements;

g) images collected and processed, at the premises where you work, by means of video surveillance systems designed to ensure the protection and safety of company property and persons, with clear respect for your rights.

This also includes data that current legislation considers as ‘special’, i.e. sensitive data, pursuant to Article 9 of the GDPR. These include, for example, those disclosing state of health, maternity, accidents, incapacity. These will be processed as per Article 9, Paragraph 2, letters a) b) c) d) e) f) g) h) i) and j), as necessary.

2. Purpose of processing

Your personal data, whether requested or acquired prior to the establishment of your employment or during or at the end thereof, will be processed by us for the following purposes:

a) to manage your employment relationship in all its contractual, social security, insurance and tax aspects;

b) to fulfil any obligation imposed by law or arising from your employment contract or the provisions of national collective labour agreements;

c) to perform any other task entrusted by law to the person acting in their capacity as employer;

d) to fulfil or require the fulfilment of specific duties, also with reference to collective agreements, as applicable from time to time;

e) the administration and organisation of your employment and professional evaluation;

f) the qualification and further training of employees and those treated as such, and the organisation of training courses;

g) the management of career and academic development plans and processes as necessary;

h) to comply with orders or measures of the judicial authorities, the financial administration, social security and welfare institutions, including supplementary ones, and insurance institutions;

i) to assert or defend a right in court, including by a third party, provided that, where the data are likely to reveal your state of health, the right to be asserted is of equal to or more important than your right to privacy;

j) to respond to any request made by you in the context of your employment;

k) the management of the company’s IT resources and equipment assigned to you, even on an exclusive basis;

l) the protection of life and limb for you and any other person;

m) to implement all necessary security measures to prevent the risk of destruction, loss, dissemination, alteration, theft, undue access and any other unauthorised activity involving personal data.

3. Legal bases for processing

Your personal data are processed by the University for the purposes specified above for the sole object of executing your contract of employment and/or fulfilling the legal duties to which the Data Controller is subject.

On the other hand, with regard to your data of a sensitive nature, as referred to in the above Article 9 of the GDPR, they will be processed by the University solely for the purpose of fulfilling the duties and exercising the rights of the Data Controller and/or Employer, in the field of employment law and social security and social protection, as well as for the purposes of preventive or occupational medicine, assessment of your capacity to work or, finally, to enable the University to ascertain, exercise or defend a right in court.

Personal data relating to you, collected from third parties, may also be processed for the same purposes as above, to the extent permitted by applicable law and the GDPR.

In addition to this, the Data Controller may process your image, possibly taken by video surveillance systems, on the basis of and within the limits of the provision issued by the Italian Data Protection Authority on 8 April 2010, as amended, as well as agreements entered into with the competent trade unions or an authorisation issued by the competent ITL (Local Labour Inspectorate), where necessary.

LIUC Carlo Cattaneo University may arrange for the publication and/or dissemination in any form, of images/videos on its website, in printed media and/or any other means of dissemination and the preservation of the photos themselves in its archives, confirming that the purposes of such publications are purely advertising and promotion of the University.

4. Communication and dissemination

Your personal data may be disclosed to third parties in order to comply with duties laid down by law or by the collective labour agreement, which may be applicable, as well as in execution of any proxies conferred by you, such as, for example: crediting your salary at banks; paying a portion of your salary to insurance companies, and the like. In relation to these purposes, your personal data will be communicated, by way of example but not limited to, to social security bodies, financial administrations, insurance and credit institutions, trade union organisations that are signatories to the applicable national collective labour agreement and the competent company doctor.

The data may also be made available to third-party service providers, outsourcers and, more generally, external companies to which you entrust the performance of duties arising from your contract of employment or other activities relating to personnel management (for example, companies entrusted with the storage and archiving of the personal data of employees and those treated as such, payroll management, the development and/or operation of information systems, companies issuing meal vouchers, travel agencies in relation to trips made by you, car rental companies, auditing and audit companies, etc.). These bodies, organisations, companies and professionals will process your data as autonomous data controllers or data processors depending on the purpose and type of processing in question. This is without prejudice to the Data Controller’s obligation to communicate the data to the competent judicial or administrative authorities, following a specific and legitimate request from the latter.

At the time of issuance of this notice, your data will be communicated to and processed by:

a) Studio Engolli Aspesi Battistuz Colombo & Associati, Busto Arsizio; tax code CLMVTR69S12L319M;; function: employment consultant

b) Studio Dr Fabio Bianchi, Busto Arsizio, tax code BNCFGS66C09B300I;; function: employment consultant;

c) Sabicom S.r.l. – Legnano, VAT no. 12600040153;; function: the supply and maintenance of online attendance and payroll software;

d) Sabicom Sistemi S.r.l. – Legnano, VAT no. 05378560964;; function: the provision and maintenance of data centre service.

5. Transfer abroad

Your data may be transferred outside the European Economic Area if this is necessary for the management of your working relationship with the University. In that case, protection and security duties equivalent to those guaranteed by the Data Controller will be imposed on the recipients of the data. In any case, only data necessary for the pursuit of the intended and described purposes will be disclosed, and the guarantees applicable to data transfers to third countries will be applied where required.

6. Processing methods and retention times

Your data are collected and recorded lawfully and fairly, in accordance with the provisions of Articles 5 and 6 of the GDPR, for the pursuit of the above-mentioned purposes and in compliance with the fundamental principles laid down in the applicable legislation. Personal data may be processed by manual, computerised or telematic means, but always under the supervision of appropriate technical and organisational measures to guarantee their security and confidentiality, especially in order to reduce the risks of destruction or loss, even accidental, of the data, of unauthorised access, or of processing that is not permitted or does not comply with the purposes of collection.

Personal data will be processed by the University for the entire duration of your contract of employment and also thereafter, within the limits granted by law and by the rules of national collective labour agreements and any applicable regulations, for administrative and accounting purposes, as well as to assert or protect the rights of the Data Controller and/or the Employer, as necessary.

7. Nature of conferment and consent to processing

As indicated above, the provision of your data is mandatory, as it is necessary for the performance of duties arising from legal or contractual provisions, as provided for in Article 6, letters a) b) c) d) e) and f) of the GDPR.

This also applies in relation to your data of a sensitive nature, as referred to in Article 9 of the GDPR, given that any refusal to provide this specific type of data would prevent the Data Controller/Employer from performing certain essential services provided for your benefit, the ineffectiveness of which, in certain cases, could make it impossible to establish or continue your employment and lead to its termination. A similar provision applies to judicial data, which may be processed by the University on the basis of express provisions of the law, regulations or collective agreements that may be applicable to you.

8. Your Rights

You may exercise your rights at any time, including:

a) to access your personal data, obtaining evidence of the purposes pursued by the Data Controller, the categories of data involved, the recipients to whom the data may be communicated, the applicable retention period, the existence of automated decision-making processes;

b) to obtain without delay the rectification of inaccurate personal data concerning you;

c) to obtain, in the cases provided for, the deletion of your data;

d) to obtain restriction of processing, where possible;

e) to request the portability of the data provided to third parties specifically indicated by you, i.e. to receive them in a structured, commonly-used and machine-readable format, also for the purpose of transmitting such data to another data controller, without any hindrance, in all cases where this is required by law;

f) to lodge a complaint with the Data Protection Authority.

To exercise these rights, simply send a written request to the Data Processor at

Address of the Data Controller: Carlo Cattaneo University – LIUC, Corso Matteotti 22, 21053 Castellanza (VA)

9. Data Controller

The data controller, pursuant to current legislation, is the Carlo Cattaneo University – LIUC.

10. Data Processor manager

The Managing Director, Dr Massimo Colli has been appointed Data Processor manager.

11. Data Protection Officer

Mauro Pelittias has been appointed Data Protection Officer and can be contacted by email at .

The Data Processor manager,
Dr Massimo Colli

Do you want to stay updated on all LIUC events and news?