In general, any information and data which you provide to GSDSS over the Website, or which is otherwise gathered via the Website by GSDSS, in the context of the use of GSDSS’s services (“Services”), will be processed by GSDSS in a lawful, fair and transparent manner in accordance with Regulation’s provisions.
To this end, and as further described below, GSDSS takes into consideration internationally recognised principles governing the processing of personal data, such as purpose limitation, storage limitation, data minimisation, data accuracy and confidentiality.
- Data controller and Data Protection Officer
- Personal Data processed
- Special categories of Personal Data
- Other persons’ Personal Data
- Purposes of processing
- Legitimate basis
- Recipients of Personal Data
- Transfers of Personal Data
- Retention of Personal Data
- Data subjects’ rights
1. Data controller and Data Protection Officer
To get in touch with GSDSS Data Protection Officer (hereinafter, “DPO”), please contact: firstname.lastname@example.org.
2. Personal Data Pocessed
When you use the Website, GSDSS will collect and process information regarding you (as an individual) – such as a name, an identification number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person - which allows you to be identified either by itself, or together with other information which has been collected. GSDSS may also be able to collect and process information regarding other persons in this same manner, if you choose to provide it to GSDSS.
This information may be classified as “Personal Data” and can be collected by GSDSS both when you choose to provide it (e.g., when you subscribe to the newsletter or request other Services provided by GSDSS over the Website) or simply by analysing your behaviour on the Website.
Personal Data which can be processed by GSDSS through the Website are as follows:
The Website’s operation, as is standard with any websites on the Internet, involves the use of computer systems and software procedures, which collect information about the Website’s users as part of their routine operation. While GSDSS does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered Personal Data.
This information includes several parameters related to your operating system and IT environment, including your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier) addresses of resources you request on the Website, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and so on.
These data are used to compile statistical information on the use of the Website, as well as to ensure its correct operation and identify any faults and/or abuse of the Website. Save for this last purpose, these data are not kept for more than 7 business days.
b. Special categories of Personal Data
Certain areas of the Website (e.g. the section “Booking”), may include free text fields, where you can write messages to GSDSS, or otherwise allow you to post various types of content on the Website, which may contain Personal Data.
Where these fields are completely free, you may use them to disclose (inadvertently or not) more sensitive categories of Personal Data as set forth in Article 9 GDPR, such as data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The content you upload in these fields may also (inadvertently or not) include other types of sensitive information relating to you, such as your genetic data, biometric data or data concerning your health, sex life or sexual orientation.
GSDSS asks that you do not disclose any sensitive Personal Data on the Website, unless you consider this to be strictly necessary. As it is totally optional to provide this information, if you nonetheless choose to do so, please mind that in any case GSDSS will not be held responsible for the processing of special categories of personal data, since, in this situation, the processing will be performed on personal data made public by you in accordance with Article 9(1)(e) Regulation. In any case GSDSS underline the importance to give your explicit consent to the processing of special categories of personal data, if you decide to share this information.
c. Other persons’ Personal Data
As mentioned in the previous section, certain areas of the Website include free text fields where you can write messages to GSDSS, or otherwise allow you to post various types of content on the Website. These messages and content may (inadvertently or not) include Personal Data related to other persons.
In any situation where you decide to share Personal Data related to other persons, you will be considered as an independent data controller regarding that Personal Data and must assume all inherent legal obligations and responsibilities. This means, among other things, that you must fully indemnify GSDSS against any complaints, claims or demands for compensation for damages which may arise from the processing of this Personal Data, brought by the third parties whose information you provide through the Website.
As GSDSS does not collect this information directly from these third parties (but rather collects them, indirectly, from you), you must make sure that you have these third parties’ consent before providing any information regarding them to GSDSS; if not, then you must make sure there is some other appropriate grounds on which you can rely to lawfully give GSDSS this information.
3. Purposes of processing
GSDSS intends to use your Personal Data, collected through the Website, for the following purposes:
a. To allow to provide the services which you may request on the Website;
b. to assist you and reply to your queries;
c. for compliance with laws which impose upon GSDSS the collection and/or further processing of certain kinds of Personal Data, financial laws and regulations;
d. to book medical examinations.
4. Legitimate basis
GSDSS’s legal bases to process your Personal Data, according to the purposes identified in Section 3, are as follows:
- Processing for the purposes set forth in Section 3 (a – b) is based on Article 6(1)(b) GDPR since the processing is necessary to provide the Services described above and, therefore, is necessary for the performance of a contract with you. It is not mandatory for you to give GSDSS your Personal Data for these purposes; however, if you do not, GSDSS will not be able to provide the Website’s Services to you.
- Processing for the purposes set forth in Section 3 (c) is necessary for GSDSS to comply with its legal obligations in accordance with Article 6(1)(c) GDPR. When you provide any Personal Data to GSDSS, GSDSS must process it in accordance with the laws applicable to it, which may include retaining and reporting your Personal Data to official authorities for compliance with tax, customs or other legal obligations.
- Processing for the purposes set forth in Section 3(h) is based on consent according to Articles 6(1)(a) and 9(2)(a) GDPR. It is not mandatory for you to give consent to GSDSS for use of your Personal Data for this purpose, but you will not be able to book any medical examination if you choose not to.
5. Recipients of Personal Data
Your Personal Data may be shared with the following list of persons / entities (“Recipients”):
a. entities which act as data processors in accordance with Article 28 of the Regulation and specifically:
- Persons, companies or professional firms providing GSDSS with advice and consultancy regarding accounting, administrative, legal, tax, financial and debt collection matters related to the provision of the Services and which act typically as data processors on behalf of GSDSS;;
- Entities engaged in order to provide the Services (e.g., hosting providers or e-mail platform providers);
- Persons authorised to perform technical maintenance (including maintenance of network equipment and electronic communications networks); (collectively “Recipients”);
- medical institution You are going to register in for medical services. Please note that as soon as you have chosen a medical institution for medical services, it will become the only Operator of Your personal data, including those provided to GSD Sistemi e Servizi S.c. a r.l. for the above purposes.
- Policlinico San Donato S.p.A.
- Ospedale San Raffaele S.r.l.
- Istituto Ortopedico Galeazzi S.p.A.
- Casa di Cura La Madonnina S.p.A.
- Istituti Clinici Zucchi S.p.A.
- Istituti Ospedalieri Bermaschi S.p.A.
- Istituti Ospedalieri Brescaini S.p.A.
- Istituti Clinici di Pavia e Vigevano S.p.A.
- Istituto Clinico Villa Aprica S.p.A.
- Villa Chiara S.p.A.
- H San Raffaele Resnati S.r.l.
- Smart Dental Clinic S.r.l.
b. Public entities, bodies or authorities to whom your Personal Data may be disclosed, in accordance with the applicable law or binding orders of those entities, bodies or authorities ;
c. Persons authorised by GSDSS to process Personal Data needed to carry out activities strictly related to the provision of the Services, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g., employees of GSDSS).
6.Transfers of Personal Data
Your Personal Data may be transferred to Recipients located in several different countries. GSDSS implements appropriate safeguards to ensure the lawfulness and security of these Personal Data transfers, such as by relying on adequacy decisions from the European Commission, standard data protection clauses adopted by the European Commission, or other safeguards or conditions considered adequate to the transfer at hand.
- Data transfer outside the EU
The Operator will not transfer Your personal data outside the EU territory. In the event it is absolutely necessary, Your personal data will be processed by one of the methods permitted by the applicable legislation such as Standard Regulations Approved by the European Commission, by the entities participating in international programs of data free circulation or operating in the countries the European Commission considers to be safe. Further information may be received from the Operator or data protection officer (DPO) using the above contact details.
More information on these transfers is available upon written request to GSDSS at the following address: email@example.com.
7. Retention of Personal Data
Persona Data processed for the purposes set forth in Section 3 (a – b – d) will be kept by GSDSS for the period deemed strictly necessary to fulfil such purposes in accordance with minimisation and storage limitation principles. In any case, as these Personal Data are processed for the provision of the services, GSDSS may continue to store this Personal Data for a longer period, as may be necessary to protect GSDSS’s interests as regards potential liability related to the provision of the Services.
More information on retention of personal data and basis used by GSDSS for determining the storage period is available upon written request to GSDSS (Controller) or GSDSS’s DPO at the following address: firstname.lastname@example.org ; email@example.com.
8. Data subjects’ rights
As a data subject, you are entitled to exercise the following rights before GSDSS, at any time:
- Access your Personal Data being processed by GSDSS (and/or a copy of that Personal Data), as well as information on the processing of your Personal Data;
- Correct or update your Personal Data processed by GSDSS, where it may be inaccurate or incomplete;
- Request erasure of your Personal Data being processed by GSDSS, where you feel that the processing is unnecessary or otherwise unlawful;
- Request the restriction of the processing of your Personal Data, where you feel that the Personal Data processed is inaccurate, unnecessary or unlawfully processed, or where you have objected to the processing;
- Exercise your right to portability: the right to obtain a copy of your Personal Data provided to GSDSS, in a structured, commonly used and machine-readable format, as well as the transmission of that Personal Data to another data controller;
- Withdraw your consent to processing; or
- Object to the processing of your Personal Data, based on relevant grounds related to your particular situation, which you believe must prevent GSDSS from processing your Personal Data: GSDSS will no longer process Your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override Your interests, rights and freedoms.
In any case, please note that, as a data subject, you are entitled to file a complaint with the competent supervisory authorities for the protection of Personal Data, if you believe that the processing of your Personal Data carried out through the Website is unlawful.