Privacy Policy
Dear User, while browsing and using the website https://www.crcpediatrico.org (“Site”) some of your personal data, as defined by Article 4(1) of the EU Regulation 2016/679 (“GDPR”), will be collected and processed.
This policy (“Policy”) is intended to clarify the purposes, methods of collection, use, and retention periods of personal data of users of the Site (“Data Subjects”). The Policy is provided pursuant to Article 13 of the GDPR and applicable European and Italian legislation (“Privacy Regulations”). We encourage each Data Subject to read this Policy carefully to understand their rights and how their data is processed.
Data Controllers
The Data Controller is the Romeo and Enrica Invernizzi Foundation Pediatric Research Center (“Data Controller”), located at Via Giovanni Battista Grassi, 74, 20157 Milan, Italy. It can be contacted at the e-mail address: mariagrazia.cova@unimi.it. In addition, the Data Controller has appointed a Data Protection Officer (DPO), who can be contacted for privacy support at the e-mail address: valentina.frezzotti@unimi.it.
Categories of Data Subjects
The personal data processed concern users of the Site.
Categories of Data Processed
Personal data collected through the Site (“Personal Data”) include:
- Browsing data: processed to ensure the proper functioning of the Site and obtain information about usage preferences, including through cookies. For more details, please refer to the Cookie Policy available on the Site.
- Common data: these include, but are not limited to, first name, last name, date of birth, address, gender, marital status, social security number, and contact details such as telephone and e-mail.
- Special categories of personal data: collected only to the extent that the Data Subject provides them in order to receive services from or through the Data Controller.
- Data of third parties provided by the Data Subjects: in this case, the Data Subjects act as autonomous data controllers and are responsible for their legal obligations.
Purpose and Legal Basis for Processing
Personal Data are processed for the following purposes:
1. Provision of the services offered by the Data Controller, such as booking and paying for visits and examinations online (Article 6(1)(b) and Article 9(2)(a) of the GDPR).
2. Promotion of the healthcare services offered by the Data Controller, subject to specific consent or on the basis of the Data Controller's legitimate interest.
3. Research funding, with reference to the "5 per mille" allocation in support of research bodies and entities that carry out socially relevant activities (Article 6(1)(e) of the GDPR).
4. Defence of the Data Controller's rights in the event of litigation (Article 6(1)(f) and Article 9(2)(f) of the GDPR).
5. Security of the Site and management of extraordinary corporate transactions, on the basis of the Data Controller's legitimate interest (Article 6(1)(f) of the GDPR).
Methods of Data Processing and Retention
The processing of Personal Data is carried out with manual and electronic tools, always respecting security and confidentiality and in accordance with the Privacy Regulations. Data is kept for the time strictly necessary for the above purposes, in accordance with the minimization criteria of the GDPR.
Disclosure of Data
Personal Data may be shared with:
- Data Processors, appointed by the Data Controller pursuant to Article 28 of the GDPR, for activities strictly related to the purposes of processing.
- Associated or subsidiary companies for administrative and accounting purposes pursuant to Article 6(1)(f) and Recitals 47 and 48 of the GDPR.
- Legally competent authorities, such as supervisory and control bodies.
Transfer of Data outside the EU
Personal Data are not transferred outside the European Union, unless this is necessary for the organizational needs of the Data Controller. In that case, the transfer will take place to countries considered safe by the European Commission or in accordance with standard contractual clauses.
Rights of Data Subjects
Data Subjects have the right to:
1. Access their Personal Data.
2. Know the purposes of the processing, the categories of data processed and the recipients of the data.
3. Request rectification, erasure or restriction of processing.
4. Object to processing to the extent permitted by the GDPR.
5. Withdraw consent to processing at any time.
6. Request portability of data in a structured, commonly used, machine-readable format.
7. Lodge complaints with the competent supervisory authority.
Requests should be made to the Data Controller or DPO at the contact details above. Any changes or deletions of Personal Data will be communicated to the recipients of the data where possible and unless it would require disproportionate effort.
This Policy is effective as of 2017.
Last updated: November 2024