Privacy Policy pursuant to the General Data Protection Regulation (EU) 2016/679

Data Controller

Fondazione NOVA E.T.S.
based in Milan, via Riva di Trento n. 11/a
20139 - F.C. 12156500964

Owner contact email:

Pursuant to EU Regulation 2016/679 (hereinafter, “GDPR”), Fondazione Nova, with registered office in Milan, Via Riva di Trento no. 11/a (hereinafter referred to as “Foundation” or “Data Controller”), which can be contacted to exercise the rights provided by the current legislation or for further information at the head office address or at the following e-mail address, as the data controller of your personal data, hereby informs you that your personal data may be processed by the Foundation in accordance with the regulations on the protection of personal data. The Foundation's objectives are the development of an inclusive and meritocratic ecosystem, the training and promotion of talent, and the enhancement of the relationship between universities and professional activities.

Categories of personal data

As a visitor to the Nova Foundation website (the "Site"), the Data Controller informs you that, through the website or by using it, the Foundation processes personal data you voluntarily provide to us through the Site's "Contacts" form, such as personal data and contact details, as well as data automatically collected during navigation.

Please note that this Site uses some cookies. For further information about cookies, please refer to our Cookie Policy.

  • A - Personal data you provide through the 'Contacts' form
  • We collect the data you voluntarily provide to us, such as personal data and contact details (e.g. first name, last name and e-mail address), in order to respond to the information requests you submit using the 'Contacts' form on the Site.

  • B - Browsing data
  • The computer systems and software procedures used to operate the Site may, in the course of their standard operation, obtain certain personal data whose transmission is implicit in the use of Internet communication protocols. This data is not collected in order to be associated with identified data subjects, but by its very nature could, through processing and association with data held by the Foundation or by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the devices used by users connecting to the Site, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user's operating system and IT environment.

    This data is used for the sole purpose of obtaining results on the use of the Site, checking its correct operation, allowing the proper provision of the various functions you requested, and ascertaining any liability in the event of potential cybercrimes to the detriment of the Site or third parties; unless this occurs, such data is erased after 7 days.

Purpose of processing and legal basis

Personal data will be processed by the Data Controller to allow you to browse the Site and ensure its proper functioning, to manage and respond to your requests for information, and to protect our rights in court proceedings or out-of-court procedures.

In relation to the purposes we pursue, the legal bases for the processing are the performance of a contract or pre-contractual measures taken at your request and our legitimate interest.

  1. i - Allowing you to browse the Site and ensuring its proper functioning. The legal basis of the processing is the performance of a contract or pre-contractual measures taken at your request.
    Providing personal data for this purpose is necessary to enable you to navigate the Site and to be able to monitor its proper functioning.
  2. ii - Managing and responding to your requests for information received via the "Contacts" form on the Site. The legal basis of the processing is the performance of a contract or of pre-contractual measures taken at your request.
    You are not obliged to provide your data for the above-mentioned purpose; however, if you do not provide such data, it will be impossible to receive and/or fulfil your request.
  3. iii - Exercising or defending a right in court proceedings or out-of-court procedures. The legal basis of the processing is the legitimate interest of the Data Controller in exercising or defending its rights; the Data Controller has considered that this legitimate interest does not prejudice your rights and freedoms.

Processing methods

Personal data will be processed by means of IT tools designed to store, manage and transmit the data.

Data retention time

The personal data processed will be retained for as long as is strictly necessary for the purpose for which it was collected. If personal data are processed for two different purposes, we will retain those data until the purpose with the longer retention period ends. In any case, we will no longer process personal data for the purpose for which the retention period has expired. Personal data that is no longer needed, or for which there is no longer a legal basis for retention, will be irreversibly anonymised (and thus may be retained) or deleted.

Browsing data are deleted after 7 days without prejudice to any need for criminal investigations by the judicial authorities.

The personal data processed to handle and answer your enquiry are kept for the time necessary to handle your request and are subsequently deleted.

In the event that it is necessary to process data for the purpose of exercising or defending a right in court proceedings or out-of-court procedures, the data is retained for as long as any claims/actions may be pursued by law.

Categories of data recipients

Your personal data may be communicated, including by simply making access to it available, either to subjects operating on our behalf as data processors who have been specifically instructed on the processing of your personal data, or to subjects operating as autonomous data controllers. The list of such third parties, appointed - where necessary - as data processors, will be constantly updated and available upon request.

In particular, your data may be communicated exclusively for the purposes specified above to the following recipients:

  • a - companies, collaborators, consultants and third-party service providers, who will process your personal data as data controllers or as autonomous data controllers to whom the disclosure of data is necessary or mandatory;
  • b - companies that provide IT support services for our systems;
  • c - companies that provide us with cloud services;
  • d - authorities and institutions whose right to access the information is governed by laws or regulations (e.g. public security authorities and police forces). The entities referred to in this point operate as autonomous data controllers.

Transfer of personal data

The Foundation stores data in the European Union.

Where the Foundation, due to necessity related to the location or processing sites of its providers, needs to transfer data outside the European Union to countries for which the European Commission has not issued an Adequacy Decision, the Foundation undertakes to ensure adequate levels of protection and safeguards, including contractual safeguards, in accordance with the applicable rules, including the stipulation of standard contractual clauses as referred to in art. 46(2)(c) of the GDPR, supplemented if necessary by additional technical, legal and organisational measures required to ensure that the level of protection of personal data is equivalent to that of the European Union.

You may contact the Foundation at any time, by sending an e-mail to, requesting information on which subjects your personal data are transferred to, as well as a copy of the safeguards adopted for the transfer.

Rights of the data subject

The GDPR grants each natural person to whom personal data directly or indirectly relate specific rights over his or her personal data, including the right to know which personal data are processed and how they are used and to receive a copy of the data (the right of access), the right to rectification and updating, and the right to erasure or restriction, as well as the right to object to processing for legitimate reasons or, where applicable, the right to data portability, in the manner and within the limits provided for by the GDPR. With regard to processing based on legitimate interest concerning communications relating to similar services, you may object to such processing at any time. In the case of processing based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing before the withdrawal. To exercise these rights, you may contact the Foundation at the following e-mail address:

Right to lodge a complaint with the Supervisory Authority

Without prejudice to any administrative or judicial action, a data subject who considers that the processing concerning him or her violates the GDPR or the legislation on the protection of personal data may lodge a complaint with the Garante per la protezione dei dati personali. The following are the contact details of the Garante: Garante per la protezione dei dati personali - - - E-mail:

Last update: January 2023

The icons reproduced in this notice were created by the Maastricht European Centre on Privacy and Cybersecurity and disseminated by the Garante in the form in which it received them from the authors. The icons are used here on the basis of the CC BY 4.0 licence (the conditions of which are recalled), in the form in which they are published on the Garante website.