INFORMATION ABOUT DATA PROCESSING
(July 2018)
Medical Dimension s.r.l.s. (hereinafter "Medical Dimension") takes seriously the protection of the personal data of its users and patients: for this reason, their personal data, the security of the processing and, more generally, the protection of privacy are treated as an important aspect to which maximum attention is given during business processes.
Each processing operation is performed according to the applicable personal data protection law, in particular the General Data Protection Regulation ("GDPR"). According to this law, the processing will comply with the principles of correctness, lawfulness and transparency and will protect the privacy and the rights of users and patients.
The present information paper has been written in order to give that category of subjects more details about how Medical Dimension processes personal data and about their rights.
a) Controller and Data Protection Officer.
The Controller of the processing is Medical Dimension s.r.l.s. (tax code and VAT number 12595701009) established in Rome (Italy), Via di S. Giovanni in Laterano, n°182 – 00184.
The controller can be contacted by e-mail at info@medicaldimension.net or calling the number +39.3208722126, also for exercising the rights reported above.
Data Protection Officer (D.P.O.) is Avv. Francesco Mambrini, who can be contacted by e-mail at francesco.mambrini@gmail.com.
b) Purpose and legitimation of the data processing.
Any data processing made by the controller is strictly limited to what is necessary.
The processing is mainly aimed at the correct and complete provision of the services offered by Medical Dimension to its users and may concern health data necessary for the correct provision of the services offered. Even in such cases, however, the processing is carried out only if at least one of the conditions referred to in Article 9, par. 2, of the GDPR is met.
The acquisition of the aforementioned data normally takes place through the direct communication given by the data subject who makes them available to the controller through the IT tools offered for this purpose.
Where the information collected concerns minors under sixteen, parental consent is always required and this kind of information is used solely for the purpose specified.
The data of the data subject may also be acquired through third parties (such as insurance companies) for the provision of services to which the controller has committed in the commercial relationships entered into during its business activity.
In order to make a transaction, it may also be necessary to provide some payment data.
Whenever the user needs to register and/or authenticate on the website managed by Medical Dimension or through one of the following tools, the processing may also be necessary for the other purposes reported above: Content comment, Statistics, Interaction with social networks and external platforms, and contacting the User.
Accessing the website and subsequently accepting the notice on the use of cookies also involves the installation of technical cookies for the proper functioning of some sections of the website and of cookies for profiling carried out by functionalities developed by third parties; this may also happen when selecting icons and preferences expressed in social networks in order to share website content, or when using third-party software services (such as software to generate maps or videos, and additional software that offers additional services). These cookies are sent from third-party domains that offer their own functionality to the website of Medical Dimension, even for the purpose of profiling, which, however, is performed directly by those third parties and not by the controller.
For more details, refer to the separate document called “Cookie Policy”.
Contact the user.
By filling in the contact form on the website www.medicaldimension.net, the user consents to the use of his data so that Medical Dimension can respond to requests for information, quotes, or other requests.
Personal data collected according to this method are: name, surname, gender, e-mail address, telephone number, address and city of residence or domicile.
Interaction with social networks and external platforms.
This type of service makes it possible to interact with social networks or with other external platforms directly from the pages of the website managed by Medical Dimension. The interactions and information acquired by this website are in any case subject to the User's privacy settings relating to any social network.
If a service for interaction with social networks is installed, it is possible that, even if the User does not use the service, the traffic data relating to some pages may be recorded. Furthermore, the aforementioned platforms may place cookies on the user's device through the website (third-party cookies), in order to collect information on the user's browsing.
For more details, please refer to the separate document called “Cookie Policy”.
Statistics.
The services referred to in this section allow the Controller to monitor and analyze traffic data and are used to keep track of User behavior through the tool named Google Analytics (Google Inc.). For more details about it, please refer to the separate document called “Cookie Policy”.
System logs and maintenance.
For operation and maintenance needs, Medical Dimension’s website and any other third-party services used on that website may collect system logs, which are files that record the interactions and which may also contain Personal Data, such as the User IP address.
More information on processing.
Finally, all the data communicated and processed for the aforementioned activities may also be used in order to comply with the obligations imposed on Medical Dimension and required by current legislation, such as:
• for the inclusion of personal data in databases;
• to draw up medical reports and information;
• for issuing invoices and credit notes;
• for keeping ordinary accounting;
• for the management of receipts and payments;
• to fulfill the obligations established by any law and regulation;
• for the defense before any court or for any linked necessity.
The User declares to be aware that the Controller may be required to disclose the Data at the request of the public authorities.
The User assumes responsibility for processing Personal Data of third parties and guarantees to have the right to process and communicate them, assuming all liability with regard to third parties.
c) Methods of data processing.
The personal data of the interested parties are normally processed only with their consent, except where processing is necessary to fulfil obligations deriving from legal provisions in both civil and fiscal matters, deriving from national and/or Community legislation, rules, codes or procedures, or approved by Authorities and other competent Institutions.
Personal data may be processed using analogue and electronic archives, in both cases in ways strictly necessary for the aforementioned purposes.
The Controller and its agents process the Personal Data of Users by adopting appropriate and adequate security measures to prevent unauthorized access, disclosure, modification or destruction of Personal Data.
The Data are processed at the operational headquarters of the Controller and in any other place where a party involved in the processing is located.
Security measures have been adopted for the access to digital archives, such as the use of firewalls, antivirus and alphanumeric passwords for access.
The processing will be carried out in ways strictly related to the corresponding purposes, using the data already in possession and with the commitment to promptly communicate any corrections, additions and/or updates.
d) Legal Basis of the processing.
Medical Dimension processes the personal data in its possession according to the aforementioned legislation, only where this processing activity:
• has been directly authorized by the interested party for an agreed purpose;
• is necessary for the performance of a service requested directly by the interested party or, on his behalf, through persons authorized to do so;
• is necessary to fulfill a statutory legal obligation;
• for the activities referred to in point b).
e) Personal data processed and consequences of a missing communication.
In order to permit the processing activities reported above, it may be necessary to know and store information related to the user’s personal data, tax code, VAT number, accounting data, data useful for contacting the user, and data concerning his residence and domicile.
Considering the nature of the services offered by Medical Dimension, the processing will also concern data relating to the health of the data subject.
The missing or incorrect communication of personal data necessary for the execution of the services provided or related to the fulfillment of a regulatory obligation of the Controller (for example, the obligations referred to in point b)) involves:
• the impossibility of guaranteeing the adequacy of the processing in compliance with the contractual agreements;
• the possible mismatch between the processing results and the obligations imposed by fiscal, administrative or labor regulations;
• the failure to establish and/or the impossibility of continuing the legal relationship entered into, its correct execution and any other legal obligations;
• preventing the Medical Dimension website from providing the services offered.
f) Personal data retention.
The personal data processed for the purposes indicated above will be kept for the time necessary to perform the service requested by the User and, subsequently, for the time necessary for the Controller to fulfil the obligations provided by law (i.e. for tax purposes or for other purposes).
Once this period of time has expired, each analogue document containing the user’s personal data will be returned to the data subject or destroyed, and any digital medium on which that data are saved will be formatted.
g) Data transmission.
The collected data will not be sold to third parties in any case. The transmission of data to third parties takes place only when it is necessary to permit the provision of the service to the user, or for other lawful purposes, or on the basis of the present information.
The Controller uses external IT service providers for its server infrastructure, for IT maintenance, or for other IT and software solutions; data may be transmitted to these subjects within strictly necessary limits.
Moreover, the Controller in some cases hires external consultants not related to its organization; data may be transmitted to these subjects within the limits strictly necessary to permit the provision of the service to the user.
In addition, in some cases, the user’s data may be transmitted to categories of persons who maintain or operate on the website (system administrators, commercial and marketing consultants, legal advisers) or to other external subjects (such as suppliers of technical services, postal couriers, hosting providers, IT companies, communication agencies).
Personal data may be communicated in particular to:
• all those to whom access to such data is permitted by law or other regulatory provisions;
• the collaborators of the Controller, for any indispensable purpose (accounting, administrative, legal, tax and financial reasons), within the limits necessary for their duties and in order to fulfill any contractual obligations concerning the commercial relationships with the interested parties;
• post offices, shippers and couriers for sending documentation and / or other material;
• all those persons, public and/or private (legal, administrative and fiscal consultancy firms, employment consultancy firms, Judicial Offices, Chambers of Commerce, Chambers and Labor Offices, etc.) when the communication is necessary or functional for the provision of the service, within the limits and for the purposes illustrated above or for other legitimate interests of the Controller;
• banking institutions and any other payment service providers in order to allow the transaction and to carry out anti-fraud checks, or persons who, in any case, provide functional services for the purposes indicated above: this transmission may occur for the management of the payments deriving from the execution of contracts;
• Public and Private subjects, also as a consequence of inspections or audits (i.e. by Judicial Authorities and by Offices part of the Ministry of Justice, by Tax Police, by Labor Inspectorate, by ASL, by Social Security Agencies, by ENASARCO, by Chambers of Commerce, by INAIL, by Customs Offices or others) or to fulfil the assignment entrusted and other related contractual or legal obligations;
• the subjects reported in point b), for the purposes illustrated above.
h) Data transmission across borders outside the Union.
For the purposes set out in point b) and/or in order to allow the fulfillment of the obligations assumed, the Controller may transmit the user’s data to third countries outside the EU.
Even in such cases, the processing of data remains bound to the purposes for which they were collected and takes place in full compliance with the standards of confidentiality and security and in compliance with data protection laws.
The aforementioned processing and transfer take place purely towards Companies linked to the insurance circuit on behalf of which the Controller operates, which have commissioned visits to their users.
In such cases all the necessary precautions will be taken in order to guarantee the total protection of the user’s Personal Data transferred, on the basis of:
(a) adequacy decisions on the recipient third countries issued by the European Commission;
(b) appropriate guarantees given by the non-EU third party, as provided for in Article 46 of GDPR, that the Controller undertakes to request and negotiate;
(c) the adoption of binding corporate rules on the basis of Article 47 of GDPR, which the Controller undertakes to include in the future relationships established with non-EU third parties and to negotiate as a change in the context of the existing relationships, where the circumstances referred to in the previous two letters are lacking.
In a purely residual way, if compliance with the aforementioned criteria cannot be guaranteed, Article 49 of GDPR will be applied and so the transfer of data outside the Union may take place, with a case-by-case assessment also regarding the limitation and containment of the data transferred, on the basis of one of the criteria set out in paragraph 1 of that article.
i) Data profiling and disclosure.
The personal data of the interested parties will not be collected directly by the Controller for the purpose of profiling.
In any case, as expressed in point b), navigation on the Medical Dimension website, after the acceptance given by the user in the relevant bar on the main page, may involve profiling by third-party cookies. This process occurs through the placing on the user's system of cookies that can enable the profiling.
The profiling purposes in this case are set out in specific documents prepared by those third parties.
For more details about it, please refer to the separate document called “Cookie Policy”.
l) Rights of the data subject.
Among the rights recognized by the GDPR to the interested parties are the rights to:
• ask the Controller for access to personal data and information related to the data subject, as well as the right to obtain a copy of the personal data processed; the correction of inaccurate data or the integration of incomplete data; the deletion of personal data (upon the occurrence of one of the conditions indicated in Article 17, paragraph 1 of the GDPR and in compliance with the exceptions provided in paragraph 3 of the same article); the limitation of the processing of personal data (where one of the cases indicated in Article 18, paragraph 1 of the GDPR occurs);
• request and obtain from the Controller, where the legal basis of the processing is the data subject's consent and the data have been collected by automated systems, their personal data in a structured and readable format, also in order to communicate such data to another data controller (so-called right to the portability of personal data);
• object to the processing of personal data where a particular situation affecting the data subject occurs, with the consequences referred to in point e) of the present paper;
• revoke consent at any time, where the processing is based on consent for one or more specific purposes and concerns common personal data (for example date and place of birth or place of residence), or particular categories of data (for example, data revealing racial origin, political opinions, religious convictions, health status or sexual life). Processing based on consent and carried out prior to the revocation remains, however, lawful;
• lodge a complaint with a Supervisory Authority (the Italian Authority for the protection of personal data can be contacted through the website www.garanteprivacy.it).
m) Revision and update.
This information paper is valid from the date indicated in its header onwards.
The Controller may also make changes and/or additions to the present document, also as a consequence of any subsequent change and/or regulatory addition to the GDPR.
The changes will be notified in advance to the interested parties, who will be able to view the constantly updated text of the information paper at a dedicated link on the website.