Privacy policy

Dear User,

pursuant to Section 13 of Italian Personal Data Protection Code and to art. 13 of the Regulation (EU) 2016/679 (hereinafter referred to European Regulation), by this policy we provide you the information about the modalities and the purposes of the processing of your personal data, collected through our web site.


1. Data controller and Data protection officer

The Data Controller is Fondazione IRCCS Ca’ Granda Ospedale Maggiore Policlinico, with registered office in Milano, via Francesco Sforza n. 28. You can contact him via registered mail to

Instead, the Data Protection Officer can be contacted at the e-mail


2. Categories of personal data subject to processing

Data Controller processes personal data you provided (name, surname, date of birth, fiscal code, phone number, email), compiling the on-line forms available in the sections of our website.

Furthermore, the acquisition of further of your personal data is necessary, due to our website normal mode of operation.

It concerns information that are not collected in order to be associated with identified individual concerned, but that could allow to identify users through the processing and connection with data held by third parties, due to their own nature. This category of data includes Cookies, small file of text that the websites visited by users send to user’s terminal, in which data are saved in order to be retransmitted to the same sites during a subsequent visit by the same user.

For further information about cookies used on our website please visit the web site


3. Purposes of the processing

Your personal data are processed only for the purpose of receiving and answering to the possible request of contact, in addition to the transmission of the information requested, and of the website proper working.

The personal data provision and their processing for the purposes described in paragraph 3 are necessary for the execution of the requests.

In case of refusal, you will not have the power to send requests and to receive any answer from Data Controller.


4. Processing method

Personal data are processed by the Data Controller according to lawfulness, fairness and transparency principles.

Data processing is carried out by the following operations: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.

Data Controller will process personal data for the necessary time to fulfill the purposes mentioned above.

The Data Controller may extract, through IT tools, some personal data for the purpose of profiling strictly necessary for the activities specified above. In any case, it is specified that profiling activity does not collect data referring to your person, because it is characterized by the "anonymisation" of the data itself.


5. Data access

To the purposes of paragraph 3, your data can be notified to the following subject:

- companies or other third parties (subjects providing services to manage training courses, the computer system and the telecommunications network, as well as the website, etc.) that handle personal data in outsourcing on the Data Controller behalf. These have been appointed Processors;

- public entities, in order to comply with legal obligation, and judicial authorities, if required.

You can find the whole list of the Processors, that could find out about your personal data during their collaboration with the Data Controller, in the "Privacy" section of our website.


6. Data subjects’ rights

As data subject, you have certain rights in accordance with the European Regulation. You can address to the Data Controller: the access to personal data, the indication of the modalities, purposes and reasoning of processing, the request for restriction, objection or data portability, the rectification and erasure, in accordance with restrictions and conditions specified by the European Regulation. Lastly, you have the right to file a complaint to the supervisory authority pursuant to art. 77 European Regulation.

You can exercise your rights, described above, and withdrawal your consent writing to the Data Controller via registered mail to