

Information on the processing of personal data of users and purchasers, pursuant to Article 13 of EU Regulation 2016/679


Pursuant to EU Regulation 2016/679 (hereinafter "Regulation" or "GDPR"), this page describes the methods of processing of personal data of users who buy products and services through e-Commerce offered by "MIP Politecnico di Milano Graduate School of Business ScpA" (hereinafter "MIP").


Given that the processing will be based on the principles of legality, correctness and transparency, minimisation and limitation of data retention, accuracy, integrity and confidentiality, in light of the above, MIP, as Data Controller, provides you with the following information.



Data Controller


MIP Politecnico di Milano - Graduate School of Business SCpA

Via Lambruschini 4C - Building 26/A

20156 Milano, Italy

Tel: +39 02 2399 2820

Fax: +39 02 2399 2844


Data Protection Officer (DPO)

Data Protection Officer

c/o MIP Politecnico di Milano

Tel: +39 02 2399 2820





The purchase of products and services in the form of e-Commerce involves the processing of personal data (as defined in art. 4.1 of the GDPR) of the parties concerned, i.e. data relating to identified or identifiable natural persons, and this entails the need, for the party who decides the purposes and methods of processing ("Data Controller"), to respond to certain obligations, including informing interested parties and acquiring consent, where the latter constitutes the legal basis for the processing itself.

This information does not relate to other sites, pages or online services accessible via hypertext links that may be published on the sites but refer to resources external to the domain.

Data processing is based upon the principle of the minimisation of data and purpose limitation: only the minimum set of data will be processed, over the period strictly necessary.

Personal data to be processed includes the following:

  • personal and tax details;
  • contact details (domicile, mobile number, telephone number, e-mail address);
  • details of the current bank or post office account or credit card only for the management of payment and depending on the payment instrument used;
  • data relating to the use of the platform.

The provision of data marked with an asterisk (*) is mandatory for the conclusion and continuation of the contract.






Accounting and administrative management



6.1.c) Legal obligation

The data is processed to meet the legal obligations relating to the keeping of accounting records and to the fulfilment of related tax obligations.


The data is stored for ten years.


Supply of products and services

6.1.b) Execution of a Contract

The data is processed to provide products and services requested by the user.


The data is stored for ten years after purchase.


The exercise of a right in legal proceedings for the defence of the interests of the Data Controller (protection of assets and corporate resources; need to identify specific responsibilities for violations of law or fraudulent behaviour; compliance with contractual obligations).

(Art. 6.1.f) Legitimate interest of the Data Controller

This practice may also involve analysis of backup copies of the data in order to ascertain precise responsibilities for violations of law or inappropriate and/or fraudulent behaviour.


The data is kept for the maximum time provided for by the applicable legal provisions on the subject of the limitation of rights and/or expiry of the action and, in general, for the exercise/defence of the rights of the Data Controller in disputes brought by public authorities, subjects/public bodies and, in any case, for the entire duration of the judgment in every phase and degree.




Most of the data is collected and processed by virtue of contractual clauses or legal obligations and, only for profiling, the user’s consent is required.

The absence of consent will simply result in the impossibility of obtaining targeted communications (in the case of lack of consent to profiling).




Without prejudice to communications and dissemination carried out in the execution of contractual obligations, those arranged by orders of the authorities or provided for by the law, premising that communication to third parties does not exempt them from providing information and requesting consent to the processing, it is specified that the data may be communicated to third parties, in the manner indicated below:

  • To banks and credit institutions, Post Offices, and issuers of credit/debit cards for the management of the transaction;
  • To insurance companies, insurance brokers and expert assessors in cases of casualty or accident;
  • To control bodies and supervisory authorities, tax offices and public safety authorities in the case of requests from these public bodies;
  • In the case of the purchasing of products and services provided by the Observatories, the data related to the purchases will be communicated to the Politecnico di Milano, owner of the platform on which you have registered.




The data may be processed by persons designated as Data Processor under GDPR Art. 4.8 and 28 (professionals, lawyers, accountants, consultancy and service firms, hardware and software service and support companies, …) and by persons authorised to process data pursuant to Art. 29, who operate under the direct authority of the Data Controller (employees, lecturers and/or collaborators in various capacities), whom he has instructed in this sense.




The Data Controller will use Cloud services offered by several vendors who are suitably qualified as Data Processors and operate in Europe or in the United States or, in any case, in the countries for which there is an adequacy decision by the European Community.

With regard to the United States, data transfer is permitted under the Privacy Shield, a self-certification framework that became effective in Italy on 01 August 2016 for US-based companies that wish to receive personal data from EU countries. Participating companies undertake to respect the principles contained therein and to provide the data subjects with adequate means of protection or else be removed from the "Privacy Shield List" (accessible at by the US Department of Commerce, and additionally they may be subject to penalties imposed by the Federal Trade Commission.

Among the companies on the list are the main suppliers of Cloud services.




Data subjects have the right to be informed by the Data Controller whether or not personal data relating to them is being processed and, potentially, request access to, rectification and deletion of their personal data, or to limit the purposes of the processing of data concerning them or to oppose their processing - if this is not required by law - in addition to exercising their right to data portability.

At any time, the data subject has the right to withdraw his or her consent, without this affecting the lawfulness of the processing undertaken on the basis of consent given before this was withdrawn.

Every data subject also has the right to lodge a complaint with the supervisory authorities.








At MIP, with regard to the users of the Flexa service who have given their free consent, profiling processes are put in place to deduce the interests of the user through the analysis of preferences, habits and behaviours related to the use of the platform and the data provided to or in possession of MIP.



If the Data Controller intends to process personal data further for a purpose other than that for which it was collected, before that further processing can take place the Data Controller undertakes to provide the data subject with further information and to request a new consent (if foreseen by its legal basis) regarding the different purpose and any further pertinent information.


Last update: August 2019