Privacy Policy

This Privacy Policy has been drafted, pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter, the “Regulation” or “GDPR”), in order to inform those who interact with the Websites www.campusbiomedicohospital.com and www.campusbiomedicohospital.com/my-hospital-program (hereinafter, jointly, the “Site”), either through simple consultation or through the use of specific services made available through the Site, about the ways in which your personal data will be processed while using it. This Privacy Policy will also provide you with the information necessary to enable you to consent to the processing of your personal data in an explicit and informed manner, where appropriate.

The information is provided by the Fondazione Policlinico Universitario Campus Bio-Medico di Roma for the above web addresses only, and not for other websites that may be consulted by the user through links present on the Site (for which please refer to the respective information/privacy policy).

It should be noted that specific services usable online are accessible through the Site. Specific vertical disclosures on the processing of personal data pursuant to Articles 13 and 14 of the Regulation will be progressively reported and viewable in the pages and sections of the Site dedicated to the aforementioned services.

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is Fondazione Policlinico Universitario Campus Bio-Medico di Roma, with registered office in Via Álvaro del Portillo, 200, 00128 Rome (hereinafter “Data Controller” or “Policlinico”), which can be reached at presidenza@pec.policnicocampus.it.

The Data Protection Officer (hereinafter “Data Protection Officer” or “DPO”) may be contacted by regular mail at the Data Controller's registered office at the above address, by writing “to the attention of the Data Protection Officer”, and/or by email at: dpo@policnicocampus.it

2. PERSONAL DATA BEING PROCESSED

We inform you that, using the Website, the Data Controller may collect and process information and personal data about you, which may consist of an identifier such as your name, identification number, location data, online identifier or one or more characteristics relating to your physical, physiological, psychological, economic, cultural, or social identity that are capable of identifying you or of making you identifiable depending on the type of services requested by you (hereinafter only “personal data”).

The personal data processed through the Website are as follows:

a. Navigation data

The management of the Website involves the use of computer systems and software procedures that collect information about users of the Website, as part of their normal operation. Although the Data Controller does not collect such information in order to link it to specific users, it is still possible to identify such users either directly through such information or by using other information collected – as such, this information is also considered personal data.

This information includes various parameters relating to the user's operating system and computer environment, including the IP address, the location (country), the computer domain names, the URI (Uniform Resource Identifier) addresses of the resources requested on the Website, the time of the requests, the method used to send the requests to the server, the size of the file obtained in response to a request, the numerical code indicating the status of the response given by the server (successful, error, etc.), and other parameters relating to the user's operating system and computer environment.

These data are used solely for the purpose of obtaining anonymous statistical information on the use of the Website as well as to verify its correct functioning and identify any malfunctioning and/or abuse of the Website. The data are deleted after processing, unless it is necessary to identify those responsible in the event of a hypothetical cybercrime against the Website or third parties.

b. Data voluntarily provided by the user

This Privacy Policy shall also be deemed to apply to the processing of personal data concerning you (such as, but not limited to, e-mail address, personal and identification data) and voluntarily provided by you as part of the submission of specific inquiries to the Controller's e-mail addresses available within the Site.

c. Data processed for the provision of online services

This Privacy Policy is also understood to be rendered for the processing of data you voluntarily provide for the purpose of performing any services rendered through the Site. Specific vertical information on the processing of personal data pursuant to Articles 13 and 14 of the Regulation and any requests for consent will be progressively reported and viewable in the pages prepared for particular services that can be reached through this Site (such as, for example, the vertical disclosures reported in the section of the Site dedicated to the online booking service; in the form for sending reports/complaints/comments to the Customer Care Office; in the section dedicated to the “Zero Coda” system; in the Telemedicine platform; in the Palliative Care Center platform; in the section dedicated to the booking service at the Blood Donation Center).

Regarding the processing of personal data for registration, access and use of the services available in the portal dedicated to the MyHospital Program (available at myhospital.policlinicocampusbiomedico.it), please refer to the relevant vertical information on the processing of personal data pursuant to Articles 13 and 14 of the Regulation progressively reported and viewable in the portal pages prepared for the aforementioned MyHospital Program services.

d. Cookies and other tracking technologies

For information on the type of cookies used, please see the Site's Cookie Policy.

3. PURPOSE OF PROCESSING

Your personal data will be processed, with your consent where necessary, for the following purposes:

a) to allow navigation through the Website and interaction with the content therein, including managing the security of the Site;
b) to handle and acknowledge specific requests addressed to the Data Controller forwarded to the Data Controller's e-mail addresses available on the Site;
c) to fulfill any obligations under applicable laws, regulations or EU legislation, or comply with requests from authorities;
d) to meet any defensive needs, possibly related to the detection, prevention, mitigation and investigation of fraudulent or illegal activities in connection with the services provided on the Site.

Regarding the processing of data for purposes related to the provision of specific services that can be reached through the Site (such as, for example, the online booking service; the “Work with us” section; the URP module; the “Zero Coda” system; the Telemedicine platform; the Home Care platform; the booking service at the Blood Donation Transfusion Center), please refer to the specific information on the processing of personal data pursuant to Articles 13 and 14 GDPR provided therein.

4. LEGAL BASIS AND OBLIGATORY OR OPTIONAL NATURE OF PROCESSING

The legal basis for the processing of personal data for the purposes referred to in section 3, (a) and (b) is art. 6, par. 1, letter b) of the GDPR ([…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract), since the processing operations are necessary for the provision of the services. The provision of personal data for these purposes is optional, but failure to do so would make it impossible to access the services requested.

The purpose referred to in section 3 (c) represents legitimate processing of personal data within the meaning of Article 6, par. 1, let. c) of the Regulation ([…] processing is necessary for compliance with a legal obligation to which the data controller is subject). Once personal data have been provided, the processing is indeed necessary to fulfill legal obligations to which the Controller is subject.

Processing carried out for the purposes referred to in paragraph 3(d) is based on the legitimate interest of the Controller within the meaning of Articles 6, par. 1, let. f) and 9, par. 2, let. a) of the Regulation.

5. RECIPIENTS OF PERSONAL DATA

For the purposes set out in section 3 of this Privacy Policy, your personal data may be shared with:

  • persons authorised by the Data Controller to process personal data pursuant to art. 29 and 32 of the GDPR and art. 2-quaterdecies of the so-called “Privacy Code”, to process personal data necessary to carry out activities closely related to the provision of services, who have committed to confidentiality or have an appropriate legal obligation of confidentiality;
  • parties that typically act as data processors pursuant to Article 28 of the Regulation on behalf of the Polyclinic, in particular parties in charge of providing the Services (e.g., hosting providers, technical maintenance providers, etc.); the full list of data processors is available by sending a written request to the Data Controller or the DPO at the contact details indicated in section 10 of this Privacy Policy;
  • subjects, bodies or authorities to whom it is mandatory to communicate your personal data by virtue of legal provisions or orders of the authorities.

These subjects are hereinafter collectively referred to as “Recipients”.

6. TRANSFERS OF PERSONAL DATA

The personal data provided through the Website will be processed and stored in the Data Controller's information systems, whose servers are located within the European Economic Area. However, some of your personal data may be shared with Recipients located outside the European Economic Area. In such cases, the transfer will take place in compliance with the conditions indicated in articles 44-49 of the GDPR, such as the adoption of Standard Contractual Clauses approved by the European Commission, the selection of subjects adhering to international commitments for the free movement of data or operating in countries considered adequate by the European Commission in compliance with Recommendations 01/2020 adopted on 10 November 2020 by the European Data Protection Board.

Further information is available by sending a written request to the Data Controller and/or the DPO at the contacts indicated in paragraph 1 of this Privacy Policy.

7. STORAGE OF PERSONAL DATA

Your personal data will be collected and stored in accordance with the principles of minimisation and storage limitation as referred to in art. 5.1.c) and e) of the GDPR, while also guaranteeing the necessary security measures to prevent data loss, illegal or incorrect use and unauthorised access. The personal data processed for the purposes referred to in sections a) and b) of paragraph 3 of this Privacy Policy shall be retained for as long as required by the specific obligation or rule of law applicable.

In general, the Data Controller reserves the right, in any case, to keep your data for the time necessary to comply with any regulatory obligation to which it is subject or to meet any defensive needs. Specific security measures are observed to prevent loss of data, unlawful or incorrect use and unauthorised access.

Further information on the data retention period and the criteria used to determine this period may be requested by sending a written request to the Data Controller and/or the DPO at the addresses indicated in section 1 of this Privacy Policy.

8. RIGHTS OF THE DATA SUBJECT

You, as data subject, may at any time exercise the following rights:

  • right to withdraw any consent given (art. 7 of the GDPR) – you have the right to withdraw any consent given at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal;
  • right of access (art. 15 of the GDPR) – you have the right to obtain confirmation as to whether or not personal data relating to you are being processed, as well as the right to receive any information relating to such processing;
  • right to rectification (art. 16 of the GDPR) – you have the right to obtain the rectification of your personal data, should they be incomplete or inaccurate;
  • right to erasure (art. 17 GDPR) – in certain circumstances, you have the right to obtain the erasure of your personal data in our archives;
  • right to restriction of processing (art. 18 GDPR) – under certain circumstances, you have the right to obtain the restriction of the processing of your personal data;
  • right to portability (art. 20 of the GDPR) – you have the right to obtain the transfer of your personal data to a different data controller as well as the right to obtain in a structured, commonly used and machine-readable format the data concerning you;
  • right to object (art. 21 of the GDPR) – you have the right to make a request to object to the processing of your personal data in which you give evidence of the reasons justifying the objection; the Controller reserves the right to assess this request, which may not be accepted if there are compelling legitimate grounds for processing that override your interests, rights and freedoms;
  • right to lodge a complaint with the Supervisory Authority (art. 77 of the GDPR) – in accordance with the procedures indicated in the paragraph below, if you believe that the processing concerning you is in breach of data protection legislation, you may lodge a complaint with the Supervisory Authority of the Member State in which you habitually reside or work, or of the place where the alleged breach occurred;
  • right to take appropriate legal action (art. 79 of the GDPR).

9. MODIFICATIONS

The Data Controller reserves the right to modify or simply update the content, in part or in full, also due to changes in the applicable legislation. The Data Controller therefore invites you to visit this section regularly in order to be informed of the most recent and updated version of the Privacy Policy so that you are always up to date on the data collected and its processing by the Policlinico.

10. CONTACTS

To exercise the above rights or for any other request, you may write to the Data Controller at Via Álvaro del Portillo, 200, 00128 – Rome or at the e-mail address presidenza@pec.policlinicocampus.it.

You may also contact the Polyclinic's Data Protection Officer at the Data Controller's office at the above address and/or by e-mail at: dpo@policlinicocampus.it.