PoliTO eduGateway - Extended Privacy Policy

Extended Privacy Notice on the Processing of Personal Data for Access to IDEM - eduGAIN Federated Services for Users of Politecnico di Torino
(Art. 13 of EU Regulation 2016/679)

As required by the General Data Protection Regulation (EU Regulation 2016/679 – also known as “GDPR”), we provide the following information regarding the processing of your personal data.

Contact details

The Data Controller is Politecnico di Torino, located at Corso Duca degli Abruzzi, 24, 10129 – Torino, represented by the Rector pro tempore as legal representative.
The Data Controller can be contacted at PEC: politecnicoditorino@pec.polito.it
For further information and clarifications: privacy@polito.it
The Data Protection Officer ("DPO") of Politecnico di Torino, whom data subjects may contact regarding matters related to the processing of their personal data and the exercise of their rights, can be reached at: dpo@polito.it; PEC: dpo@pec.polito.it.

Principles, legal basis, and purpose of processing

In compliance with the principles of lawfulness, fairness, transparency, adequacy, relevance, and necessity set forth in Article 5, paragraph 1, of the GDPR, Politecnico di Torino, as the Data Controller, will process the personal data provided at the time of access: Surname, Name, Email, schacHomeOrganization, eduPersonPrincipalName, schacPersonalUniqueID (mandatory data) for the following purposes:

Description: Enrollment and participation in online courses and educational activities
Legal Basis: Article 6, paragraph 1, letter:
  • b) GDPR – [“Processing is necessary for the performance of a contract to which the data subject is party”];
  • e) GDPR – [“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”]

Description: University’s interest in:
  • obtaining anonymous statistical information on service usage;
  • verifying proper service functionality (troubleshooting);
  • performing monitoring to support service security;
Legal Basis: Article 6, paragraph 1, letter:
  • e) GDPR – [“see above”]

Description: Compliance with legal obligations or authority requests directed to the Data Controller
Legal Basis: Article 6, paragraph 1, letter:
  • c) GDPR – processing is necessary for compliance with a legal obligation;

Description: Establishment, exercise or defense of legal claims
Legal Basis: Article 9, paragraph 2, letter:
  • f) GDPR – processing is necessary for the establishment, exercise or defense of legal claims

Your personal data will be collected and processed by electronic means and, where necessary, on paper.

Authorized processing parties, potential recipients or categories of recipients, and data processors

The personal data processed for the above purposes will be communicated or made accessible to employees and collaborators of Politecnico di Torino assigned to the relevant departments and adequately instructed by the Data Controller.
To correctly provide the service, the Data Controller communicates to the resource providers the authentication proof and only the personal data (attributes) strictly necessary for access to the requested services.
Personal data may also be communicated to other public administrations where necessary for institutional purposes, and to entities to whom communication is mandatory under EU regulations, national laws or regulations, or to public entities for defense, security or criminal investigations.
Personal data collected is managed and stored on systems located within the University and/or at external service providers responsible for technical-administrative support. These providers may become aware of personal data solely for the purpose of the requested service and will be duly appointed as Data Processors under Art. 28 of the GDPR.

Data transfer

The collected data will not be transferred to a country outside the European Union ("third country") unless covered by a European Commission adequacy decision or carried out with appropriate and suitable guarantees under Articles 46, 47, or 49 of the GDPR.

Data retention period

Considering the archiving obligations imposed by current regulations, personal data will be retained for the period strictly necessary to achieve the above-mentioned purposes. Specifically:

Data provision

Providing personal data is mandatory. Refusal to provide the requested data will make it impossible to fulfil the specified purposes.

Data subject rights

As a data subject, you have the right to request from the Data Controller, in accordance with Articles 15 and following of the GDPR: You also have the right: If you wish to exercise any of your rights, you can contact the Data Controller.

Complaint

You have the right to lodge a complaint with the Data Protection Authority following the instructions available at the following link: Complaint template – Garante Privacy.
This notice was last updated on March 18, 2025