It should be noted that specific services usable online are accessible through the Site. Specific vertical disclosures on the processing of personal data pursuant to Articles 13 and 14 of the Regulation will be progressively reported and viewable in the pages and sections of the Site dedicated to the aforementioned services.
1. DATA CONTROLLER AND DATA PROTECTION OFFICER
The Data Controller is Fondazione Policlinico Universitario Campus Bio-Medico di Roma, with registered office in Via Álvaro del Portillo, 200, 00128 Rome (hereinafter “Data Controller” or “Policlinico”), which can be reached at firstname.lastname@example.org.
The Data Protection Officer (hereinafter “Data Protection Officer” or “DPO”) may be contacted by regular mail, at the Data Controller's registered office at the above address, by writing “to the attention of the Data Protection Officer”, and/or by email at: email@example.com
2. PERSONAL DATA BEING PROCESSED
We inform you that, using the Website, the Data Controller may collect and process information and personal data about you, which may consist of an identifier such as your name, identification number, location data, online identifier or one or more characteristics relating to your physical, physiological, psychological, economic, cultural, or social identity that are capable of identifying you or of making you identifiable depending on the type of services requested by you (hereinafter only “personal data”).
The personal data processed through the Website are as follows:
a. Navigation data
The management of the Website involves the use of computer systems and software procedures that collect information about users of the Website, as part of their normal operation. Although the Data Controller does not collect such information in order to link it to specific users, it is still possible to identify such users either directly through such information or by using other information collected – as such, this information is also considered personal data.
This information includes the IP address, the location (country), the computer domain names, the URI (Uniform Resource Identifier) addresses of the resources requested on the Website, the time of the requests, the method used to send the requests to the server, the size of the file obtained in response to a request, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the user's operating system and computer environment.
These data are used solely for the purpose of obtaining anonymous statistical information on the use of the Website as well as to verify its correct functioning and identify any malfunctioning and/or abuse of the Website. The data are deleted after processing, unless it is necessary to identify those responsible in the event of a hypothetical cybercrime against the Website or third parties.
b. Data voluntarily provided by the user
c. Data processed for the provision of online services
Regarding the processing of personal data for registration, access and use of the services available in the portal dedicated to the MyHospital Program (available at myhospital.policlinicocampusbiomedico.it), please refer to the relevant vertical information on the processing of personal data pursuant to Articles 13 and 14 of the Regulation, progressively reported and viewable in the portal pages prepared for the aforementioned MyHospital Program services.
d. Cookies and other tracking technologies
3. PURPOSE OF PROCESSING
Your personal data will be processed, with your consent where necessary, for the following purposes:
a) to allow navigation through the Website and interaction with the content therein, including managing the security of the Site;
b) to handle and acknowledge specific requests addressed to the Data Controller and sent to the Data Controller's e-mail addresses available on the Site;
c) to fulfill any obligations under applicable laws, regulations or EU legislation, or comply with requests from authorities;
d) to meet any defensive needs, possibly related to the detection, prevention, mitigation and investigation of fraudulent or illegal activities in connection with the services provided on the Site.
Regarding the processing of data for purposes related to the provision of specific services that can be reached through the Site (such as, for example, the online booking service; the “Work with us” section; the URP module; the “Zero Coda” system; the Telemedicine platform; the Home Care platform; the booking service at the Blood Donation Transfusion Center), please refer to the specific information on the processing of personal data pursuant to Articles 13 and 14 of the GDPR provided therein.
4. LEGAL BASIS AND OBLIGATORY OR OPTIONAL NATURE OF PROCESSING
The legal basis for the processing of personal data for the purposes referred to in section 3, (a) and (b) is art. 6, par. 1, letter b) of the GDPR ([…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), since the processing operations are necessary for the provision of the services. The provision of personal data for these purposes is optional, but failure to do so would make it impossible to access the services requested.
The purpose referred to in section 3 (c) represents legitimate processing of personal data within the meaning of Article 6, par. 1, let. c) of the Regulation ([…] processing is necessary for compliance with a legal obligation to which the data controller is subject). Indeed, once personal data have been provided, the processing is necessary to fulfill legal obligations to which the Controller is subject.
Processing carried out for the purposes referred to in section 3 (d) is based on the legitimate interest of the Controller within the meaning of Articles 6, par. 1, let. f) and 9, par. 2, let. a) of the Regulation.
5. RECIPIENTS OF PERSONAL DATA
- persons authorised by the Data Controller, pursuant to art. 29 and 32 of the GDPR and art. 2-quaterdecies of the so-called “Privacy Code”, to process personal data necessary to carry out activities closely related to the provision of services, who have committed to confidentiality or have an appropriate legal obligation of confidentiality;
- subjects, bodies or authorities to whom it is mandatory to communicate your personal data by virtue of legal provisions or orders of the authorities.
These subjects are hereinafter collectively referred to as “Recipients”.
6. TRANSFERS OF PERSONAL DATA
The personal data provided through the Website will be processed and stored in the Data Controller's information systems, whose servers are located within the European Economic Area. However, some of your personal data may be shared with Recipients located outside the European Economic Area. In such cases, the transfer will take place in compliance with the conditions indicated in articles 44-49 of the GDPR, such as the adoption of Standard Contractual Clauses approved by the European Commission, or the selection of subjects adhering to international commitments for the free movement of data or operating in countries considered adequate by the European Commission, in compliance with Recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board.
7. STORAGE OF PERSONAL DATA
In general, the Data Controller reserves the right, in any case, to keep your data for the time necessary to comply with any regulatory obligation to which it is subject or to meet any defensive needs. Specific security measures are observed to prevent loss of data, unlawful or incorrect use and unauthorised access.
8. RIGHTS OF THE DATA SUBJECT
You, as data subject, may at any time exercise the following rights:
– right to withdraw any consent given (art. 7 of the GDPR) – You have the right to withdraw any consent given at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal;
– right of access (art. 15 of the GDPR) – You have the right to obtain confirmation as to whether or not personal data relating to you are being processed, as well as the right to receive any information relating to such processing;
– right to rectification (art. 16 of the GDPR) – You have the right to obtain the rectification of your personal data, should they be incomplete or inaccurate;
– right to erasure (art. 17 GDPR) – in certain circumstances, you have the right to obtain the erasure of your personal data in our archives;
– right to restriction of processing (art. 18 GDPR) – under certain circumstances, you have the right to obtain the restriction of the processing of your personal data;
– the right to portability (art. 20 of the GDPR) – you have the right to obtain the transfer of your personal data to a different data controller as well as the right to obtain in a structured, commonly used and machine-readable format the data concerning you;
– the right to object (art. 21 of the GDPR) – You have the right to make a request to object to the processing of your personal data in which you give evidence of the reasons justifying the objection; the Controller reserves the right to assess this request, which may not be accepted if there are compelling legitimate grounds for processing that override your interests, rights and freedoms;
– the right to lodge a complaint with the Supervisory Authority (art. 77 of the GDPR) – in accordance with the procedures indicated in the paragraph below, if you believe that the processing concerning you is in breach of data protection legislation, you may lodge a complaint with the Supervisory Authority of the Member State in which you habitually reside or work, or of the place where the alleged breach occurred;
– the right to take appropriate legal action (art. 79 of the GDPR).
To exercise the above rights or for any other request, you may write to the Data Controller at Via Álvaro del Portillo, 200, 00128 – Rome or at the e-mail address firstname.lastname@example.org.
You may also contact the Polyclinic's Data Protection Officer at the Data Controller's office at the above address and/or by e-mail at: email@example.com.