INFORMATION ABOUT DATA PROCESSING
(July 2018)
Medical Dimension s.r.l.s. (hereinafter "Medical Dimension") takes seriously
the protection of the personal data of its users and patients: for this reason,
their personal data, the security of the processing and, more generally, the
protection of privacy are treated as an important aspect to which maximum
attention is given during business processes.
Each processing operation is performed according to the applicable personal
data protection law, in particular the General Data Protection Regulation
("GDPR"). According to this law, the processing will comply with the principles
of correctness, lawfulness and transparency and will protect the privacy and
the rights of users and patients.
This information paper has been written in order to give that category of
subjects more details about how Medical Dimension processes personal data and
about their rights.
a) Controller and Data Protection Officer.
The Controller of the processing is Medical Dimension s.r.l.s. (tax code and VAT
number 12595701009) established in Rome (Italy), Via di S. Giovanni in Laterano,
n°182 – 00184.
The controller can be contacted by e-mail at info@medicaldimension.net or
calling the number +39.3208722126, also for exercising the rights reported
above.
Data Protection Officer (D.P.O.) is Avv. Francesco Mambrini, who can be
contacted by e-mail at francesco.mambrini@gmail.com.
b) Purpose and legitimation of the data processing.
Any data processing made by the controller is strictly limited to what is
necessary.
The processing is mainly aimed at the correct and complete provision of the
services offered by Medical Dimension to its users and may concern health data
necessary for the correct provision of the services offered. Even in such
cases, however, the processing is carried out only if at least one of the
conditions referred to in Article 9, par. 2, of the GDPR is met.
The acquisition of the aforementioned data normally takes place through the
direct communication given by the data subject who makes them available to the
controller through the IT tools offered for this purpose.
Where the information collected concerns minors under sixteen, parental consent
is always required and this kind of information is used solely for the purpose
specified.
The data subject's data may also be acquired through third parties (such as
insurance companies) for the provision of services that the controller has
undertaken in the commercial relations entered into during its business
activity.
In order to make a transaction, it may also be necessary to provide some payment
data.
In any case in which the user needs to register and/or authenticate on the
website managed by Medical Dimension or through one of the following tools, the
processing may also be necessary for other purposes reported above: Content
comment, Statistics, Interaction with social networks and external platforms
and in order to contact the User.
Accessing the website and subsequently accepting the notice on the use of
cookies also involves the installation of technical cookies for the proper
functioning of some sections of the website and for profiling carried out by
functionalities developed by third parties; this may also happen when selecting
icons and preferences expressed in social networks in order to share website
content or when using third-party software services (such as software to
generate maps or videos, and additional software that offers additional
services). These cookies are sent from third-party domains that offer their own
functionality to the website of Medical Dimension, even for the purpose of
profiling - which, however, is performed directly by those third parties and
not by the controller.
For more details refer to the separate document called “Cookie Policy”.
Contact the user.
By filling in the contact form on the website www.medicaldimension.net, the
user consents to the use of his data so that Medical Dimension can respond to
requests for information, quotes, or other requests.
Personal data collected according to this method are: name, surname, gender,
e-mail address, telephone number, address and city of residence or domicile.
Interaction with social networks and external platforms.
This type of service makes it possible to interact with social networks or
with other external platforms directly from the pages of the website managed by
Medical Dimension. The interactions and information acquired by this website are
in any case subject to the User's privacy settings relating to any social
network.
If an interaction service with social networks is installed, it could be
possible that, even if the User doesn’t use the service, the traffic data
relating to some pages may be registered. Furthermore, the aforementioned
platforms may deposit cookies in the user's device through the website
(third-party cookies), in order to collect information on the user's browsing.
For more details, please refer to the separate document called “Cookie Policy”.
Statistics.
The services referred to in this section allow the Controller to monitor and
analyze traffic data and are used to keep track of User behavior through the
tool named Google Analytics (Google Inc.). For more details about it, please
refer to the separate document called “Cookie Policy”.
System logs and maintenance.
For needs related to operation and maintenance, Medical Dimension’s website and
any other third party services used on that website may collect system logs,
which are files that record the interactions and which may also contain Personal
Data, such as the User IP address.
More information on processing.
Finally, all the data communicated and processed for the aforementioned
activities may also be used to comply with the obligations imposed on Medical
Dimension and required by current legislation, such as:
• for the inclusion of personal data in databases;
• to draw up medical reports and information;
• for issuing invoices and credit notes;
• for keeping ordinary accounting;
• for the management of receipts and payments;
• to fulfill the obligations established by any law and regulation;
• for the defense before any court or for any linked necessity.
The User declares to be aware that the Controller may be required to disclose
the Data at the request of the public authorities.
The User assumes responsibility for processing Personal Data of third parties
and guarantees to have the right to process and communicate them, assuming all
liability towards third parties.
c) Methods of data processing.
The personal data of the interested parties are normally processed only with
their consent, except where processing is necessary to fulfil obligations
deriving from legal provisions in both civil and fiscal matters, deriving from
national and/or Community legislation, rules, codes or procedures approved by
Authorities and other competent Institutions.
Personal data may be processed in analogue and electronic archives, in both
cases in ways strictly necessary for the aforementioned purposes.
The Controller and its agents process the Personal Data of Users by adopting
appropriate and adequate security measures to prevent unauthorized access,
disclosure, modification or destruction of Personal Data.
The Data are processed at the operational headquarters of the Controller and in
any other place where a party involved in the processing is located.
Security measures have been adopted for the access to digital archives, such as
the use of firewalls, antivirus and alphanumeric passwords for access.
The processing will be carried out in ways strictly related to the corresponding
purposes, using the data already in possession and with the commitment to
promptly communicate any corrections, additions and/or updates.
d) Legal Basis of the processing.
Medical Dimension processes the personal data in its possession according to the
aforementioned legislation, only where this processing activity:
• has been directly authorized by the interested party for an agreed purpose;
• is necessary for the performance of a service requested directly by the
interested party or, on his behalf, by persons entitled to do so;
• is necessary to fulfill a statutory legal obligation;
• is for the activities referred to in point b).
e) Personal data processed and consequences of a missing communication.
In order to permit the processing activities reported above it could be
necessary to know and store information related to the user’s personal data,
tax code, VAT number, accounting data, data useful for contacting the user, and
data concerning his residence and domicile.
Considering the nature of the services offered by Medical Dimension, the
processing will also concern data relating to the health of the data subject.
The missing or incorrect communication of personal data necessary for the
execution of the services provided or related to the fulfillment of a regulatory
obligation of the Controller (for example, the obligations referred to in point
b)) involves:
• the impossibility of guaranteeing the adequacy of the processing in compliance
with the contractual agreements;
• the possible mismatch between the processing results and the obligations
imposed by the fiscal, administrative or labor regulations;
• the failure to establish and/or the impossibility of continuing the legal
relationship entered into, its correct execution and any other legal
obligations;
• the Medical Dimension website being prevented from providing the services
offered.
f) Personal data retention.
The personal data processed for the purposes indicated above will be kept for
the time necessary to perform the service requested by the User and,
subsequently, for the time necessary for the Controller to fulfill the
obligations provided by law (e.g. for tax purposes or for other purposes).
Once this period has expired, each analogue document containing the user’s
personal data will be returned to the data subject or destroyed and any digital
medium on which the data are saved will be formatted.
g) Data transmission.
The collected data will not be sold in any case to third parties. The
transmission of data to third parties takes place only when it is necessary to
permit the provision of the service to the user or for other lawful purposes or
on the basis of the present information.
The Controller uses external IT service providers for its server infrastructure,
for IT maintenance, or for other IT and software solutions; data may be
transmitted to these subjects within strictly necessary limits.
Moreover, the Controller in some cases hires external consultants not related to
its organization; data may be transmitted to these subjects within the limits
strictly necessary to permit the provision of the service to the user.
In addition, in some cases, the user’s data may be transmitted to categories of
persons who maintain or operate on the website (system administrators,
commercial and marketing consultants, lawyers) or to other external subjects
(such as suppliers of technical services, postal couriers, hosting providers, IT
companies, communication agencies).
Personal data may be communicated in particular to:
• all those to whom access to such data is permitted by law or other regulatory
provisions;
• the collaborators of the Controller, for any indispensable purpose
(accounting, administrative, legal, tax and financial reasons), within the
limits necessary for the scope of their duties and in order to fulfill any
contractual obligations concerning the commercial relationships with the
interested parties;
• post offices, shippers and couriers for sending documentation and/or other
material;
• all those persons, public and/or private (legal, administrative and fiscal
consultancy firms, job consultancy firms, Judicial Offices, Chambers of
Commerce, Chambers and Labor Offices, etc.) when the communication is necessary
or functional for the provision of the service, within the limits and for the
purposes illustrated above or for other legitimate interests of the Controller;
• banking institutions and any other payment service providers in order to allow
the transaction and to carry out anti-fraud checks, or to persons who, in any
case, provide functional services for the purposes indicated above: this
transmission may occur for the management of the payments deriving from the
execution of contracts;
• Public and Private subjects, also as a consequence of inspections or audits
(e.g. by Judicial Authorities and by Offices part of the Ministry of Justice, by
Tax Police, by Labor Inspectorate, by ASL, by Social Security Agencies, by
ENASARCO, by Chambers of Commerce, by INAIL, by Customs Offices or others) or
in order to fulfill the assignment entrusted and other related contractual or
legal obligations;
• the subjects reported in point b), for the purposes illustrated above.
h) Data transmission across borders outside the Union.
For the purposes set out in point b) and/or in order to allow the fulfillment of
the obligations assumed, the Controller may transmit the user’s data to third
countries outside the EU.
Even in such cases, the processing of data remains bound to the purposes for
which they were collected and takes place in full compliance with the standards
of confidentiality and security and in compliance with data protection laws.
The aforementioned processing and transfer take place solely towards companies
linked to the insurance circuit on behalf of which the Controller operates,
which have commissioned visits to their users.
In such cases all the necessary precautions will be taken in order to guarantee
the total protection of the user’s Personal Data transferred on the basis of:
(a) adequacy decisions of the third country recipients expressed by the European
Commission;
(b) appropriate guarantees given by the non-EU third party, as provided for in
Article 46 of GDPR, that the Controller undertakes to request and negotiate;
(c) the adoption of binding corporate rules on the basis of Article 47 of GDPR,
which the Controller undertakes to include in the future relationships
established with non-EU third parties and to negotiate as an amendment in the
context of the existing relationships - where the circumstances referred to in
the previous two letters are absent.
In a purely residual way, if compliance with the aforementioned criteria cannot
be guaranteed, Article 49 of GDPR will be applied and so the transfer of data
outside the Union may take place, with a case-by-case assessment also regarding
the limitation and containment of the data transferred, on the basis of one of
the criteria set out in paragraph 1 of that article.
i) Data profiling and disclosure.
The personal data of the interested parties will not be collected directly by
the Controller for the purpose of profiling.
In any case, as expressed in point b), navigation on the Medical Dimension
website – after the acceptance made by the user in the relevant bar on the main
page - may involve profiling by third-party cookies. This process occurs with
the acquisition in the user's system of cookies that can cause the profiling.
The profiling purposes in this case are set out in special papers prepared by
those third parties.
For more details about it, please refer to the separate document called “Cookie
Policy”.
l) Rights of the data subject.
Among the rights recognized by the GDPR to the interested parties are the
rights to:
• ask the Controller for access to personal data and information related to the
data subject, as well as the right to obtain a copy of the personal data
processed; the correction of inaccurate data or the integration of incomplete
data; the deletion of personal data (upon the occurrence of one of the
conditions indicated in Article 17, paragraph 1 of the GDPR and in compliance
with the exceptions provided in paragraph 3 of the same article); the limitation
of the processing of personal data (where one of the cases indicated in
Article 18, paragraph 1 of the GDPR occurs);
• request and obtain from the Controller - where the legal basis of the
processing is the data subject's consent and the data have been collected by
automated systems - their personal data in a structured and readable format,
also in order to communicate such data to another data controller (so-called
right to the portability of personal data);
• object to the processing of personal data if a particular situation affecting
the data subject occurs, with the consequences referred to in point e) of the
present paper;
• revoke consent at any time, where the processing is based on consent for one
or more specific purposes and concerns common personal data (for example date
and place of birth or place of residence), or particular categories of data
(for example, data revealing racial origin, political opinions, religious
convictions, health status or sexual life). Processing based on consent and
carried out prior to the revocation remains, however, lawful;
• lodge a complaint with a Supervisory Authority (the Italian Authority for the
protection of personal data can be contacted through the website
www.garanteprivacy.it).
m) Revision and update.
This information paper is valid from the date indicated in its header onwards.
The Controller may also make changes and/or additions to the present document,
also as a consequence of any subsequent change and/or regulatory addition to the
GDPR.
The changes will be notified in advance to the interested parties and it will be
possible for the above mentioned subjects to view the constantly updated text of
the information paper at a dedicated link on the website.