Privacy policy

INFORMATION ON THE PROTECTION OF PERSONAL DATA

(pursuant to Legislative Decree no. 196 of 30/06/2003 ss.mm.ii., the so-called “Privacy Code” and of the EU Regulation 2016/679 so-called “GDPR”)

Dear Madam/Sir,

this “Informative Note” intends to provide you with information on the processing of data, as specified below, which will be provided by you to Dr. Franco Baldo, in the act of filling out the form on the website, and that will be processed by the latter. Pursuant to Articles 13 et seq. of the Privacy Code and Articles 13 et seq. of the GDPR, Dr. Franco Baldo, a medical surgeon specializing in Orthopaedics and Traumatology, in his capacity as owner of the website and owner of the processing of your Personal Data (from now on, the “Owner”), is required to provide you with the information contained herein regarding the processing of your Personal Data, common (such as: personal data, tax code, health card number, telephone number, address of residence, etc.) and details (such as, for example: information on your state of health), which will be defined respectively as “Data” and “Sensitive Data” (or, jointly, even just “Personal Data”).

For completeness of information, we recall the definition of Sensitive Data provided by art. 4 of the Privacy Code, i.e. “Data suitable for detecting racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data disclosing your state of health and sex life”, as well as the definition of “Particular Data” contained in the GDPR (hereinafter always defined as “Sensitive”), so called because they are characterized by a particular nature and are suitable for disclosing your state of health and sex life.

As a “Patient” or potential future patient, you will also be hereinafter referred to as “Interested” in the processing of your Personal Data.

Origin and nature of your Data and Sensitive Data
Your Personal Data is collected by the Owner directly from the website, when you fill in the data sheet (so-called form) on the aforesaid website and request a specific service (for example, the setting up of an outpatient medical examination) and, following the examination or medical service, the data you spontaneously provide via e-mail or those communicated to the Owner by your general practitioner or paediatrician of your choice. The collection of your Personal Data is essential for the execution of the requests made by you through the website and for the possible provision and management of the medical services requested.

Purpose and legal basis of the treatment
The Data and Sensitive Data are processed within the normal activity of the Owner, for the purposes indicated below:

purposes strictly connected and instrumental to the management of relations with the patient (administrative, accounting and fiscal activities) – the legal basis of the treatment is represented by the need to process your Data in order to be able to contact you by phone, e-mail, sms, WhatsApp or through any equivalent electronic instrument or by e-mail, or to proceed to the conclusion and execution of the conferral of the professional mandate pursuant to art. 6, 1st paragraph, letter b) GDPR;
purposes related to the protection of the patient’s health (prevention, diagnosis, treatment and rehabilitation, health care or therapy, prescription of drugs and any health checks, as well as certification activities) – the legal basis of the treatment is represented by the need to process your data for the purpose of diagnosis and treatment, therefore pursuant to art. 9, par. 2, letters a) and h), as well as pursuant to paragraph 3 of the same article, as well as pursuant to art. 6, I° paragraph, letter a) of GDPR;
in compliance with the obligations provided for by laws, regulations and Community legislation (in particular in the field of hygiene and health and in relation to tax compliance; administrative checks, inspections of bodies responsible for health surveillance; investigations by the judicial police, etc.) – the legal basis of the treatment is represented by legal obligations and the legitimate interest of the Owner, pursuant to Article 6, paragraph 1, letters b) and f) of the GDPR.

Consent to the processing of data and consequences of any refusal to respond
The processing of your Personal Data, mainly for the purposes of health protection, diagnosis and treatment, can only be carried out with your consent. If you do not give your consent to the processing of your Personal Data, it will therefore be impossible to provide the medical and health service requested, and the Owner will not even be able, in the first instance, to reply by e-mail and/or to contact you to arrange a first visit. In order for the Data Controller to provide the services aimed at treating your health, it is therefore essential that you give your consent to the processing of Personal Data concerning, in particular, your state of health.

Methods of processing and storage period of the Data
Your Personal Data will be used, in compliance with professional and official secrecy, according to the principles of correctness, lawfulness, legitimacy, transparency, indispensability and non-excessiveness with respect to the purposes for which they are collected, in paper and/or electronic form and on various types of support, with methods that guarantee confidentiality and security. Your Data will be kept for the entire duration of the relationship and subsequently for 10 years starting from the end of the medical-health relationship (at the end of such relationship the data of the interested party will therefore be kept in order to comply with regulatory obligations, such as, for example, tax obligations, and to protect the legitimate interests of the Owner).

In any case, in order to prevent their destruction, theft, loss or misuse, their security, custody and confidentiality will be guaranteed through the adoption of appropriate security measures and appropriate electronic devices. Your Personal Data will be kept for the entire duration of the relationship and in any case for the time necessary to fulfill legal obligations or, in the case of medical records created by the Owner, unlimited. In the latter case, the Data Controller may use them on the occasion of your possible subsequent access to the Data Controller’s office in order to guarantee you and ensure more appropriate medical assistance. However, you are always guaranteed the right to have your Personal Data deleted.

Appointment of the person in charge and the person responsible for the processing of Personal Data
The Data Controller may appoint as “Data Processors” or “Persons in charge” of the processing of your Personal Data natural or legal persons, his/her own employees as well as internal and external collaborators of the medical practice, limited to the performance of their duties or tasks. The updated list of data processors and persons in charge of processing is kept, and may be consulted, at the registered office of the Data Controller. The Data Controller hereby informs you that he will appoint as the “Data Processor” for the processing of your Personal Data the Italian company “SXO – Servizi per Ortopedia s.r.l. Unipersonale”, with registered office in Rome 00192, Piazza Cola di Rienzo n. 69, share capital of Euro 10.000,00 int. vers., tax code and registration number with the Register of Companies of Rome 08437581005, R.E.A. RM-1094714, so that the aforesaid Company can perform administration and management functions of the website, in the name and on behalf of the Owner.

Categories of subjects to whom the data may be communicated
In the performance of his professional activity and for the pursuit of the purposes referred to in point 2) above, the Data Controller may communicate your Personal Data, also regarding your state of health, to third parties, such as your family members, your Doctor or Paediatrician of free choice, only if expressly authorized by you by issuing the relevant consent or to the public or private healthcare facility where the medical service will be provided.

The Data Controller may freely communicate your Personal Data to external companies – appointed as Persons in charge and/or External Data Processors – that carry out services strictly related and functional to the activity of the Data Controller, to health control bodies, to public administration bodies, public security authorities or judicial authorities, only in the cases expressly provided for by law, social security agencies, companies and insurance companies that may be appointed by the Data Controller.

Your Personal Data may also be communicated to third parties for the fulfilment of legal, contractual, administrative, accounting and fiscal obligations and/or to carry out any other fulfillment required by law.

Your Personal Data may also be processed in the event of disputes regarding liability or, in any case, to enforce or defend a right in court, confirming that the same will be processed exclusively for these purposes and for the period strictly necessary to pursue them.

Scope of dissemination of Personal Data
The Data and Sensitive Data are not, and will not be, disseminated (by which is meant giving knowledge of personal data to unspecified subjects, in any form, including by making them available or consulting them), except in cases where disclosure is required, in accordance with the law, by police forces, judicial authorities, information and security bodies or other public entities for purposes of defence or state security or the prevention, detection or prosecution of crime. No electronic health dossier or file will be created by the Owner with your Personal Data, nor will your Data be shared with other outpatient clinics or other health facilities, when such communication is not necessary for the purposes of the medical service you have requested.

Rights of the interested party
Pursuant to GDPR, the Patient, as the Data Subject, has the right to obtain, from the Data Controller and/or the Data Processor, confirmation as to whether or not personal data concerning him/her exist, even if not yet recorded, and communication of such data in intelligible form.

In particular, the interested party has the right to: (i) obtain confirmation as to whether or not personal data concerning him/her exist, regardless of their being already recorded, and communication of such data in intelligible form; (ii) obtain indication of such data: a) the origin of the personal data; b) the purposes, methods of processing and storage period; c) the logic applied in case of processing with the aid of electronic instruments; d) the identity of the owner, manager and the representative appointed under applicable law; e) the subjects or categories of persons to whom the personal data may be communicated or who can learn about them as appointed representatives in the State, managers or agents; (iii) obtain: a) the updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected; (iv) to object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning you, even if pertinent to the purpose of collection; b) to the processing of personal data concerning you, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys, using automated calling systems without the intervention of an operator by means of email and/or traditional marketing methods by telephone and/or paper mail. 
It should be noted that the right of opposition of the interested party, set forth in point b) above, for direct marketing purposes by means of automated methods extends to traditional methods and that in any case the interested party may exercise the right of opposition even only in part. Therefore, the Interested Party may decide to receive only communications by traditional means or only automated communications or neither of the two types of communications.

We also inform you that – where technically possible – you may exercise the rights recognized by the applicable legislation including, by way of example, the right (v) to request that the processing be limited to a part of the information concerning you; (vi) to the extent technically possible, to receive in a structured format or to transmit to you or to third parties indicated by you the information concerning you (so-called “portability” of information about you and information voluntarily provided by you); (vii) and to withdraw your consent at any time, if this constitutes the basis for processing. The revocation of consent does not, however, affect the lawfulness of the processing based on the consent given before the revocation. The aforementioned rights may be exercised by you by sending a written request to the Company to the contacts indicated in article 1 above. The Data Controller shall do so without delay and, in any case, at the latest within one month of receipt of the request. The deadline may be extended by two months, if necessary, taking into account the complexity and number of requests received by the Owner. In such cases, the Data Controller shall, within one month of receipt of your request, inform you of the reasons for the extension. The Data Controller also reminds you that if the response to your requests has not been satisfactory in your opinion, you may contact and lodge a complaint with the Guarantor Authority for the Protection of Personal Data, with registered office in Rome 00186, Piazza di Montecitorio n. 21 (http://www.garanteprivacy.it/) in the manner provided for by the applicable regulations.
