PROCESSING OF PERSONAL DATA RELATING TO CUSTOMERS / USERS ("interested")
EU Regulation 2016/679
As part of the continuous updating of our procedures aimed at respecting the privacy of our Customers / Users and the obligations imposed by the legislation on the protection of personal data, we have considered it appropriate to summarize in this document all the elements concerning the processing of personal data already present in the documentation made available to users, integrated with more specific indications in order to give maximum transparency to our work.
1. WHICH DATA ARE PROCESSED
> data provided by the User / Customer, or by a person / body acting on their behalf (attending physician, ASL / USL), including personal data (name and surname, residence / domicile, place and date of birth, nationality), tax code, identity document details, contact details (telephone / fax number, e-mail address);
> data, always provided by the interested party, contained in any reports / requests;
> data relating to payments made by the Customer.
The legislation establishes particular safeguards for judicial data (relating to criminal convictions and offenses) and for "particular categories of data" as defined by art. 9 of EU Reg. 2016/679: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, and data relating to health or to the person's sex life or sexual orientation.
FOR ORDERS RELATING TO specific immunotherapy products intended for identified and identifiable patients, ANALLERGO SpA will inevitably process data relating to health, which may also appear in the reports sent by users to customer service. For this reason, specific consents will be requested from the interested party, should the characteristics or methods of treatment so require.
With regard to this point, particular attention was paid to requesting only the data, and carrying out only the treatments, necessary to satisfy the requests of the interested parties.
The data can be processed, always in relation to the purposes indicated below:
> as necessary to fulfill obligations deriving from a contract to which the interested party is a party, and the related legal obligations (in particular for the purposes referred to in point 3, letters a, b, c);
> as necessary for the pursuit of a legitimate interest of the data controller, consisting in the optimization of the organization of activities, the security of the systems and credit protection (in particular for the purposes referred to in point 3, letters d, e, f, h, i);
> as necessary to assert or defend a right in court or to assess whether there is a right to be usefully protected in court;
> as they come from public registers accessible to anyone and / or manifestly made public by the interested party;
> the interested party having expressed his consent (in particular in relation to the processing of some particular categories of personal data communicated by the interested party, and the use of contact details other than the e-mail address provided at the time of signing the contract for the commercial and advertising communications referred to in point 3, letters f, g, h).
2. ORIGIN OF THE DATA
The acquisition and updating of personal data can take place:
- through the person concerned or, if a minor, through whoever exercises parental authority (parents or guardians);
- through intermediaries authorized by the interested party (e.g. family members, attending physician, ASL / USL);
- from sources freely accessible to anyone.
3. PURPOSE OF THE TREATMENT - WHY THE DATA ARE PROCESSED
The treatments carried out have the following purposes:
a) satisfy the requests of the Bodies (Hospitals, Health Authorities, etc.), which order specific immunotherapy products for identified and identifiable patients, or of private customers who, by means of a medical prescription, order specific immunotherapy products for themselves or for their family members;
b) fulfill obligations deriving from EU laws, rules and regulations, regional laws; fulfillment of provisions issued by the Judicial Authority, or by other Authorities to which the current legislation confers this right.
c) fulfill contractual, accounting and tax obligations;
d) management of customer data, address books and internal statistical calculations of the company; statistical analysis carried out only through the aggregation of previously anonymized data;
e) possibly protect a legitimate interest, assert or defend a right;
f) feed the system for acquiring customer knowledge, necessary for verifying, improving and therefore designing a service that is increasingly suited to demand, through surveys, even anonymous, of the degree of customer satisfaction, also carried out with telephone interviews or requests to fill in questionnaires;
g) purposes related to public relations, marketing, advertising, promotional proposals.
In particular, the contact details, postal and e-mail addresses provided may be used for sending communications in any case relating to promotional initiatives and / or ANALLERGO SpA products. It is understood that the user has the right to oppose this treatment at any time.
In this regard, it should be noted that Paragraph 4 of art. 130 of Legislative Decree 196/2003 allows the use for this purpose of the e-mail address provided by the interested party when purchasing a travel ticket / season ticket on condition that the same does not refuse such use;
And, as regards the management of reports from users:
h) ensure a certain and timely response to user reports, facilitating the creation of an effective communication channel between the Company and the customer-user;
i) feed the system for registering and systematically analyzing discrepancies in the service, in order to correct the defects.
4. HOW THE DATA ARE PROCESSED - METHODS OF TREATMENT AND STORAGE
In relation to the aforementioned purposes, the processing of personal data may take place with paper, IT and telematic tools, always guaranteeing the most absolute confidentiality, relevance and non-excessiveness with respect to the purposes described above, in terms of registration and data retention periods.
The personal data referred to in point 1 above, without prejudice to the provisions of the regulations on the conservation of administrative documentation, will be kept exclusively for the time allowed / imposed by the law applicable to the specific purpose for which the data are processed.
5. APPOINTEES AND MANAGERS
For the same purposes, the data may be processed by the following categories of appointees and / or managers:
- Direction and management,
- production and logistics personnel,
- marketing and communication staff,
- administrative staff for the management of administrative aspects,
- the corporate Information Technology function, which has the task of guaranteeing the functionality of the systems, data security and backup operations,
- other offices of ANALLERGO SpA within the limits of their competences, again for the purposes indicated in point 3 above,
- other subjects (companies / professionals appointed as Managers) who need to access some data because they are responsible for carrying out activities auxiliary to the purposes indicated above, within the limits strictly necessary to carry out the tasks entrusted to them, such as: assistance in carrying out, or direct execution of, fiscal / accounting obligations, management of information systems, financial services, online sales. In this regard, it should be noted that these subjects will always and in any case be bound to full compliance with the rules and procedures aimed at guaranteeing the widest protection of personal data, adopted and imposed by the Data Controller also, and not only, in compliance with the legislation in force.
- for user reports: in addition to the staff assigned to receive user reports, the data may be processed, with the exception of the identification elements of the interested party, by the company functions involved in the subject of the report, for the preparation / implementation of internal surveys and for the resolution of causes, always and only within the limits of what is actually necessary to carry out their functions.
6. SCOPE OF COMMUNICATION - TO WHOM THE DATA CAN BE COMMUNICATED
Without prejudice to communications made in compliance with legal obligations, the personal data in question may be communicated or made available:
- to subjects who can access the data by virtue of the provision of law, regulation or community legislation, within the limits set by these rules,
- to the public or private body that placed the order for a specific immunotherapy product intended for the person concerned,
- limited to accounting and tax data, to banks, credit institutions, data processing companies and credit card issuers, for activities related to the execution of the service provided to users and / or related administrative and financial aspects,
- to other subjects (companies / consultants) who need to access some data for purposes auxiliary to the management of the services requested by the interested parties, within the limits strictly necessary to carry out the tasks entrusted to them, such as: assistance in the fulfillment, or direct execution, of tax / accounting / assistance obligations, information systems management, financial services,
- to entities, consortia, professionals and companies with the purpose of credit recovery and protection; credit insurance company, commercial information company.
Naturally, all the communications described above are limited only to the data necessary for the recipient body / office (which will remain the independent Data Controller for all subsequent processing) for the performance of its duties and / or for the achievement of the purposes connected to the communication itself.
6.1 Transfer abroad
Personal data will be transferred to subjects located outside the European Union, in the country in which the interested party resides or is located, exclusively in fulfillment of the legitimacy conditions referred to in point 1 and in compliance with current legislation.
THE DATA IN QUESTION WILL NOT BE DISCLOSED
7. COMMUNICATION AND UPDATING OF DATA - WHEN IT IS COMPULSORY TO COMMUNICATE YOUR DATA
The communication and updating of one's data is compulsory only as regards the performance of contractual and fiscal obligations provided for by the laws in force and the execution of the obligations deriving from the contract (ref. letters a, b, c of point 3). Failure by the interested party to comply with this obligation would make it impossible for ANALLERGO SpA to satisfy his requests and to process the order. On a case-by-case basis, an indication is always given of the data whose communication is mandatory in relation to the aforementioned purposes, depending on the means used.
It should be remembered that most of the treatments carried out are not subject to the obligation to obtain consent because:
- they are collected and held on the basis of obligations established by EU laws, rules and regulations;
- they come from public registers, lists, deeds or documents known to anyone;
- they are necessary to satisfy the requests of the interested party or for the fulfillment of legal and / or contractual obligations.
8. DATA CONTROLLER
The data controller is: Anallergo SpA Viale Nilde Iotti, 7 - 50038 Scarperia and San Piero (FI).
ANALLERGO SpA has appointed a Data Protection Officer, who has the task of supervising, in full independence and in the absence of conflicts of interest, compliance with the legislation on the protection of personal data. The Data Protection Officer can be contacted at the e-mail address: firstname.lastname@example.org
With regard to the treatments necessary for the fulfillment of orders relating to specific immunotherapy products intended for the person identified by name, in some cases ANALLERGO SpA will act as Manager pursuant to art. 28 of Reg. EU 679/2016, appointed by the body that forwarded the order itself, already known by the interested party, which will remain the Data Controller.
9. RIGHTS OF THE INTERESTED PARTY
The interested party has the right:
> to ask the data controller to access personal data and to correct or delete them or limit the processing of personal data concerning him and to oppose their processing,
> if the processing is carried out by automated (computer) means and on the basis of his consent, to receive in a structured format, commonly used and readable by an automatic device, the personal data concerning him and / or to obtain direct transmission to another data controller, if technically feasible,
> to withdraw their consent at any time (without prejudice to the lawfulness of the processing based on consent before the withdrawal), obviously for the processing carried out on the basis of this assumption,
> to lodge a complaint with a supervisory authority: Guarantor for the protection of personal data - Piazza di Monte Citorio n. 121 00186 ROME - Fax: (+39) 06.69677.3785 - Telephone switchboard: (+39) 06.696771 - E-mail: email@example.com - certified mail firstname.lastname@example.org
Interested parties can contact the Data Controller by calling 055 293030, specifying to the operator the nature of the request or the problem highlighted, or via the e-mail box email@example.com, bearing in mind that it will not be possible to respond to requests received by telephone if there is no certainty about the identity of the applicant.