PRIVACY POLICY

Information document pursuant to Article 13 of EU Regulation 2016/679 (GDPR) – Information on the processing of personal data collected by the interested party

In compliance with the provisions of EU Reg. 2016/679 (European Regulation for the protection of personal data) we hereby provide the necessary information regarding the processing of personal data collected during the telephone call with the Clinic.

This Privacy Policy Statement is pursuant to art. 13 of EU Reg. 2016/679 (European regulation for the protection of personal data)

1. HOLDERS OF THE DATA PROCESSING

Pursuant to arts. 4 and 24 of EU Reg. 2016/679, the Data Controller is Columbus Clinic Center Srl, based at 48, Via Michelangelo Buonarroti, 20145 Milan, in the person of its pro tempore legal representative

2. PROCESSED DATA

Personal Data: any information concerning the Data Subject, with particular reference to identifiers such as the name, identification number, geographical position, online identification or to one or more factors specific to his or her physical, physiological, genetic, psychic, economic, cultural or social identity – please refer to art. 4, c. 1, no. 1 GDPR.

Personal data processing refers to: “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” .

Data Subject is: “any identified or identifiable natural person”.

3. PURPOSE AND LAWFULNESS OF PROCESSING

The personal data provided will be processed in compliance with the conditions of lawfulness pursuant to art. 6 EU Reg. 2016/679 for the following purposes:

– to provide feedback to your requests; (telephone connectivity);

– book any appointments, services, medical appointments and related activities (in-house activities and activities for the fulfilment of contractual and pre-contractual obligations).

The processing of data will be in compliance with the conditions of law pursuant to Article 6, paragraph 1, letter f): (with reference to 47) taking into account the reasonable expectations of the data subject at the time of and with reference to the collection of personal data, whenever it is reasonably expected that data processing is being carried out for these purposes.

4. PERSONAL DATA RECIPIENTS/RECIPIENT CATEGORIES

The personal data provided will be shared with a number of recipients, who will process the data as Data Processors (Article 28 of EU Reg. 2016/679) or as natural persons, as duly appointed by the Data Controller and the Data Processor (art. 29 of the EU Reg. 2016/679), for the purposes listed above in point 3. Namely, the data will be shared with:

– firms or companies providing services for the management of the information system and communication networks (telephone connectivity); – authorities competent for the carrying out of relevant laws and/or regulations of public bodies, upon request.

The subjects belonging to the aforesaid categories are either considered Data Processors, or they act independently as separate Data Controllers. The list of the data processors is constantly updated and available at our headquarters: 48, Via Michelangelo Buonarroti, 20145 Milan.

5. DATA TRANSFER TO A THIRD COUNTRY AND / OR AN INTERNATIONAL ORGANIZATION AND GUARANTEES

The Personal Data provided will not be transferred to countries of the European Union, nor to third countries outside the European Union.

6. PERIOD OF DATA STORAGE OR CRITERIA FOR DETERMINING THIS TIME PERIOD

Data processing will be carried out in an automated and / or manual way, with methods and tools aimed at guaranteeing maximum safety and confidentiality, by subjects specifically appointed to do so.

Pursuant to art. 5 paragraph 1 letter e) of Reg. UE 2016/679, the personal data collected will be retained in a form that allows identification of data subjects for a period of time not exceeding the achievement of the purposes for which the personal data is processed. The retention of personal data provided depends on the purpose of the processing and the User can view any criterion used by consulting the Data Retention Policy of the Data Controller.

7. NATURE OF THE PROVISION AND CONSEQUENCES OF REFUSAL

The provision of data for the purposes referred to in paragraph 3. is necessary for the purpose of pursuing your legitimate interest, i.e. receiving feedback on the information requested and possibly booking a service through telephone contact with our operator. Failure to provide the data will make it impossible to offer the service and fulfil your requests.

8. RIGHTS OF THE DATA SUBJECT

You can assert your rights as expressed in articles 15, 16, 17, 18, 19, 20, 21, 22 of EU Regulation 2016/679, by referring to the Data Controller, or the Data Processor, or the Data Protection Officer, pursuant to article 33 paragraph 4, by contacting dpo@columbus3c.com. You have the right, at any time, to ask the Data Controller to access your personal data, to rectify it, to delete it or limit its processing. Furthermore, you have the right to object, at any time, to the processing of your data (including automated processing, e.g. profiling) based on legitimate interest and, lastly, you have the right to data portability. Without prejudice to any other administrative and judicial appeal, if you believe that the processing of your personal data is violating the provisions of EU Reg. 2016/679, pursuant to art. 15 letter f) of the aforementioned EU Reg. 2016/679, you have the right to lodge a complaint with the Guarantor for the protection of personal data and, with reference to art. 6 paragraph 1, letter a) and art. 9, paragraph 2, letter a), you have the right to revoke the consent given at any time. In the case of request for data portability, the Data Controller will provide, in a structured, common and legible format, by automatic device, the personal data concerning you, without prejudice to paragraphs 3 and 4 of art. 20 of the EU Reg. 2016/679.

Last updated on: April 24th, 2018