Personal data processing notice for the T20 Italy event  (Privacy code – Legislative Decree no. 196/2003 as amended by Legislative Decree no 101/2018, EU regulation 679/2016 on personal data processing – Art. 13)


Istituto per gli Studi di Politica Internazionale of Milan, Palazzo Clerici, Via Clerici 5 – 20121 Milan, tax code/VAT no. 02141980157 (hereafter referred to as the “Data Controller”), as data controller of the personal data received for the management of the T20 Italy event, hereby informs you under  Legislative Decree no. 196/2003 as amended by Legislative Decree no 101/2018 (hereafter referred to as the “Privacy Code”) and art. 13 of EU Regulation no. 2016/679 (hereafter the “GDPR”) that your data will be processed by the methods and for the purposes specified below:

  1. Subject of Processing

The Data Controller will process your personal data, (such as name, surname, telephone number, e-mail address, and academic background) – hereafter referred to as “personal data” or “data” – which you provided during the process of selection of candidates for our courses or upon signature of contracts for the Data Controller’s services. Processing of personal data refers to any operation or set of operations performed with or without the aid of automated processes and applied to personal data or sets of personal data, even if not registered in a database, such as collection, registration, organisation, structuring, conservation, processing, selection, blocking, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, erasure or destruction.

  1. Purposes of processing

Your personal data will be processed:

  1. A) without your express consent (section 6, letters b) and e) of the GDPR), for the following Service Purposes:

– subscription to the format contained on the website;

– participation in any form in the event, including through call for papers;

– management of organizational activities related to the event, also by the partners who collaborate with us for those of relative competence;

– sending of service communications;

– navigation data including, for example, the IP addresses or domain names of the devices used to connect to the Site.

  1. B) with your express written consent (art.130 of the Privacy Code and art. 7 of the GDPR), conducting direct marketing initiatives such as sending – possibly by e-mail, text message, whatsupp and MMS – of advertising materials and announcements containing information and/or promotional material regarding products or services supplied and/or promoted by the Data Controller;
  1. C) whith your express written consent communication to third-party companies or other subjects, business partners who provide services, including external ones, on behalf of the Data Controller for the promotion and communication of the event and for the promotion in relation to products or services provided by them.
  1. Methods of processing

Your personal data will be processed through the operations identified in art. 4, point 2) of the GDPR, and specifically: collection, registration, organisation, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, freezing, communication, erasure and destruction of data. Your personal data will be processed in both printed and electronic and/or automated form.

The Data Controller will process your personal data for the amount of time necessary to fulfil the purposes specified above, in full compliance with GDPR and for the time necessary for legal obligations.

  1. Access to data

Your data may be made accessible for the purposes described in art. 2.A), and, with your consent, 2.B) 2.C):

  • to the Data Controller’s employees and collaborators, as persons in charge of the processing and/or internal data processors and/or system administrators;
  • to third-party companies or other parties providing services outsourced by the Data Controller in their capacity as external data processors. For third-party marketing activities it will be necessary to obtain your consent as specified in point 2.C) of this notice.
  1. Communication of the data

With no need for express consent (art. 6, letters b) and c) of the GDPR), the Data Controller may communicate your data for the purposes specified in section 2.A) to supervisory bodies, judicial authorities, Università Bocconi for the T20 Summit organization, insurance companies for the purposes of providing insurance services, and to those parties to whom the data must obligatorily be provided by law for the specified purposes. These parties will process the data as independent data controllers.

Your date will not be disseminated.

  1. Data transfer

Your personal data will be stored on a server located in the European Union. It is in any case understood that the Data Controller may, if it should become necessary, have the option of moving servers outside the European Union. In this case, the Data Controller hereby guarantees that transfer of the data outside of the European Union will take place in compliance with the applicable provisions of the law, following stipulation of the standard contractual clauses required by the European Commission.


  1. Nature of data conferral and consequences of refusal to respond

Please note that, with reference to the purposes identified in point 2A) of the section on “Purposes of processing”, in the absence of your personal data and your consent for the processing thereof, with the exception of those cases in which Legislative Decree 196/03 and EU Regulation 2016/679 permit subsequent consent, the service may not be provided. Failure to confer your data for the purposes identified in point 2B) and 2C) of the section on “Purposes of processing”, on the other hand, shall not affect the providing of services.

  1. Data subject’s rights

As data subject, you enjoy the rights identified in art. 15 of the GDPR, and specifically:

  • the right to obtain confirmation as to whether or not personal data concerning you exist, regardless of their being already recorded, and communication of such data in intelligible form;
  • the right to be informed: a) of the source of the personal data; b) of the purposes and methods of the processing; c) of the logic applied to the processing, if the latter is carried out with the help of electronic means; d) of the identification data concerning the data controller, data processors and the representative designated as per art. 3, paragraph 1 of the GDPR; e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing;
  • the right to obtain: a) updating, rectification or, where interested therein, integration of the data; b) erasure, anonymisation or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;
  • the right to object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning you, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys, using automated calling systems without the action of an operator, by e-mail and/or or using traditional telephone and/or print mailing marketing methods. Note that the data subject’s right to object, described in point b) above, to the use of personal data for direct marketing purposes using automated methods also extends to traditional methods and that the data subject may exercise the right to object in whole or in part. The data subject may therefore decide to receive only communications sent by traditional methods or only automated communications, or neither of the two types of communication.

Where applicable, the data subject shall also have the rights guaranteed under sections 16-21 of the GDPR (right to correction, right to be forgotten, right to limitation of processing, right to data portability, right objection), and the right to present a complaint to the competent authority, the Autorità Garante.

  1. How data subjects may exercise their rights

Data subjects may exercise their rights at any time by sending:

a letter by registered mail with return receipt to Istituto per gli Studi di Politica Internazionale of Milan at the address Palazzo Clerici, Via Clerici 5 – 20121 Milan, or by sending an e-mail to

  1. Data Controller and DPO Data Protection Officer

Istituto per gli Studi di Politica Internazionale of Milan, Palazzo Clerici, Via Clerici 5 – 20121, Milan. An updated list of data processors and persons in charge of the processing is kept in the Data Controller’s registered offices.

Data Protection Officer’s contact details are the following: Dott. Cristian Pacelli, e-mail  writing to which you can exercise the rights contemplated by the section 15 of the Regulation