INFORMATION ON DATA PROCESSING PURSUANT TO ART. 13 EU REGULATION N. 2016/679 (“GDPR”)
The Paracelso Institute association, in its capacity of Data Controller of your personal data, pursuant to and for the purposes of EU Reg. 2016/679 hereinafter referred to as ‘GDPR’, hereby informs you that the aforementioned legislation provides for the protection of data subjects with respect to the processing of personal data and that such processing will be based on principles of correctness, lawfulness, transparency and protection of your privacy and your rights.
Data controllers
The data controller is the Paracelso Institute association C.F .: 04218481002
Co-controllers for the processing of your data can be appointed, which will be governed by specific internal agreements.
Object of the treatment
The Data Controller processes personal data acquired in carrying out its business, as identified in art. 4 of the GDPR.
Purpose of the processing
The processing of the data you provide is necessary for the establishment of the relationship with the Data Controller. This processing is carried out for the following purposes: a) to fulfill the pre-contractual, contractual and tax obligations deriving from existing relationships with you; b) fulfill the obligations established by Italian and EU legislation or by an order of the Authority; c) exercise the rights of the owner, for example the right to defense in court; d) in the case of the processing of data relating to health, correctly carry out the activities necessary for prevention, diagnosis, treatment, rehabilitation or for other services that may be necessary; e) teaching and scientific research.
Marketing
Only with your specific consent pursuant to art. 7 GDPR, your personal data are processed for marketing purposes, ie for sending advertising material by any means, directly or through third parties. The consent for this specific treatment is optional, it can be revoked at any time and does not affect the provision of the requested services.
We inform you that if you are already our customer or supplier, we can send you commercial communications relating to the Controller’s services and products similar to those you have already used, unless you expressly disagree.
Processing methods
The processing is carried out in both paper and electronic format and the operations indicated in art. 4 par. 2 GDPR and more precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction.
Please note that if the assignment assigned to us necessarily also implies the processing of personal data of different natural persons (such as your employees, customers, suppliers, consultants or counterparties in general), it is your responsibility to inform the interested parties and obtain, where necessary, the consents necessary for the processing by the Data Controller of their personal data, it being understood that the request addressed to us to carry out the assignment will assume a presumption, pursuant to art. 2729 of the Civil Code, of the fulfillment by you of the related information activity and of the obtained consent (where due) from different natural persons in favor of the same Owner.
Provision of data and refusal
The provision of common, sensitive, genetic personal data, including those relating to health, is necessary for the purpose of carrying out the activities necessary for the management of any existing contracts or for other services requested by you. The refusal of the interested party to provide personal data makes it impossible to carry out these activities.
Data retention and destruction times
The Data Controller processes your data for the time necessary to fulfill the purposes of above, to fulfill regulatory obligations and in any case for no more than 10 years from the termination of the relationship for the purposes of the processing.
Data access
In addition to the provisions of the law, your data may be made accessible, for the aforementioned purposes, to:
- employees, collaborators, professionals, trainees and interns of the owner, in their capacity as persons in charge and / or managers of the treatment and / or system internists;
- third-party companies or other subjects (by way of example, credit institutions, professional firms, consultants, health professionals, insurance companies for the provision of insurance services, etc.) who carry out outsourced activities on behalf of the owner, in their capacity as external data processors;
- external parties charged with maintenance and assistance functions for information and communication systems.
Data communication
The Data Controller may communicate your data following your express consent to third parties. These subjects process the data in their capacity as independent data controllers. The data may be communicated, for institutional functions, or to other public bodies if required by the regulations in force, or to private bodies which, within the limits and in the forms provided for by current regulations, carry out services for the Data Controller defined by contracts or agreements for the execution. of the service and finally to natural persons other than the direct interested party if required by current legislation.
The particular categories of personal data pursuant to art. 9 par. 1 GDPR (“It is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as to process genetic data, biometric data intended to uniquely identify a natural person, data relating to the health or sexual life or sexual orientation of the person “) will not be disseminated or communicated to third parties except in the manner provided for by art. 9 par. 2 GDPR (“Paragraph 1 does not apply if one of the following cases occurs: a) the interested party has given his explicit consent to the processing of such personal data for one or more specific purposes, except in cases where the right of The Union or of the Member States provides that the interested party may not revoke the prohibition referred to in paragraph 1; b) the processing is necessary to fulfill the obligations and exercise the specific rights of the data controller or of the data subject in the field of labor law and social security and social protection, to the extent that it is authorized by Union law or by Member States or by a collective agreement under the law of the Member States, in the presence of appropriate safeguards for the fundamental rights and interests of the data subject; c) the processing is necessary to protect a vital interest of the data subject or of another natural person if the data subject is physically or legally incapable of giving his or her consent; d) the processing is carried out, in the context of its legitimate activities and with adequate guarantees, by a foundation, association or other non-profit organization that pursues political, philosophical, religious or trade union purposes, provided that the processing concerns only the members, former members or persons who have regular contact with the foundation, association or body due to its purposes and that personal data are not disclosed externally without the consent of the interested party; e) the processing concerns personal data made manifestly public by the interested party; f) the processing is necessary to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions; g) the processing is necessary for reasons of significant public interest on the basis of Union or Member State law, which must be proportionate to the purpose pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to protect the fundamental rights and interests of the data subject; h) the processing is necessary for purposes of preventive medicine or occupational medicine, assessment of the employee’s working capacity, diagnosis, health or social assistance or therapy or management of health or social systems and services on the basis of Union law or Member States or in accordance with the contract with a health professional, subject to the conditions and guarantees referred to in paragraph 3; (i) the processing is necessary for reasons of public interest in the public health sector, such as protection from serious cross-border threats to health or the guarantee of high standards of quality and safety of healthcare and medicinal products and medical devices , on the basis of Union or Member State law which provides for appropriate and specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy; j) the processing is necessary for archiving purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89, paragraph 1, on the basis of Union or national law, which is proportionate to the purpose pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject “.) Information on your sensitive data can be provided to family members and acquaintances only on your express and specific indication.
Personal data are not transferred to third countries outside the EU. Where, for reasons connected with the provision of services / products and the execution of the contract, or the fulfillment of legal obligations, a transfer to countries and / or organizations outside the EU is necessary, said transfer will take place in compliance with the conditions set by the GDPR and, if necessary, companies for Logistics.
Disclaimer for video and audio
The Data Controller and its associated companies may acquire and use, directly or through third parties having cause, publish and disseminate the images / videos that portray you as well as the audio recordings collected, without limits of modality (for example web – radio – media television etc. ), time and space, in Italy and abroad, with every and wider faculty of adaptation / modification and assembly that may be appropriate. The interested party, having taken note of the possible use of the images concerning you in the manner described above, has nothing to claim against the Owner for damage to his name and / or image that may derive from a prejudicial use of the same by of third parties. The right to use images, photographs, videos, recordings as specified above, is to be understood free of charge with express waiver of any and all claims in this regard. The Data Controller may keep photos and videos in its computer archives and the purposes of these publications are merely of an informative and possibly promotional nature and in any case for the sole purposes of the articles of association.
Rights of interested parties
As an interested party, you can take advantage of the rights referred to in art. 15 GDPR:
- obtain confirmation of the existence or not of personal data concerning you, even if not yet registered, and their communication in an intelligible form;
- obtain the indication: a) of the origin of personal data; b) the purposes and methods of the processing; c) the logic applied in case of processing carried out with the aid of electronic tools; d) the identity of the owner, manager and the designated representative; e) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the State, managers or agents;
- obtain: a) updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including those that do not need to be kept for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment is proves impossible or involves the use of means that are manifestly disproportionate to the protected right;
- object, in whole or in part: a) for legitimate reasons to the processing of personal data concerning you, even if pertinent to the purpose of the collection; b) to the processing of personal data concerning you for the purpose of sending advertising or direct sales material or for carrying out market research or commercial communication.
Where applicable, it also has the rights referred to in Articles. 16-21 GDPR (right of rectification, oblivion, limitation of processing, data portability, opposition), as well as the right of complaint to the Guarantor Authority.
The exercise of the aforementioned rights can be exercised by written communication to be sent via email to the PEC address of the Data Controller or by registered letter with return receipt to the address of the Data Controller’s registered office as indicated in the Business Register, for the attention of the lawyer. representative.