PROCESSING OF PERSONAL DATA RELATED TO CUSTOMERS/USERS ('data subjects')

EU Regulation 2016/679

Within the framework of the continuous updating of our procedures aimed at respecting the Privacy of our Customers/Users and the obligations imposed by the legislation on the protection of personal data, we have deemed it appropriate to summarise in this document all the elements concerning the processing of personal data already present in the documentation made available to users, supplemented with more specific indications with a view to conferring maximum transparency on our work.

1. WHAT DATA ARE PROCESSED

> data provided by the User/Customer, or by a person/entity acting on his/her behalf (treating doctor, ASL/USL) including personal data (name and surname, residence/domicile, place and date of birth, nationality), tax code, identity document details, contact details (telephone/fax number, e-mail address);

> data, again provided by the data subject, contained in any reports/requests;

> data on payments made by the Customer.

The legislation establishes special protections for judicial data (relating to criminal convictions and offences) and for 'special categories of data' as defined in Article 9 of EU Reg. 2016/679: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to a person's health or sex life or sexual orientation.

FOR ORDERS RELATING TO specific immunotherapy products for identified and identifiable patients  Siva Igiene Ambientale s.r.l. will inevitably process data relating to health, which may also appear in reports forwarded by users to the customer service, for which reason specific consents will be requested from the person concerned, should the characteristics or modalities of the processing require it.

With regard to this point, particular care has been taken to request only the data and to carry out only those processing operations that are necessary to fulfil the data subjects' requests.

The data may be processed in connection with the purposes set out below:

> in so far as they are necessary to fulfil obligations arising from a contract to which the data subject is party, and related legal obligations (in particular for the purpose referred to in point 3 a b c below)

> in so far as they are necessary for the pursuit of a legitimate interest of the data controller, consisting in the optimisation of the organisation of activities, security of systems, protection of credit (in particular for the purpose referred to in point 3 d e f h i below)

> as necessary to assert or defend a right in court or to assess whether there is a right to be protected usefully in court

> as originating from public registers accessible to anyone and/or made manifestly public by the person concerned;

> the data subject having given his or her consent, (in particular in relation to the processing of certain special categories of personal data communicated by the data subject and the use of contact details other than the e-mail address provided upon conclusion of the contract for commercial communications and advertising as referred to in point 3 letters f g h below)

2 DATA SOURCE

Recording and updating of personal data may take place:

- through the person concerned or, if a minor, through the person exercising parental authority (parents or guardians);

- through intermediaries authorised by the person concerned (e.g. family members, GP, ASL/USL) ;

- from sources freely accessible to anyone.

3. PURPOSE OF PROCESSING - WHY THE DATA ARE PROCESSED

The processing carried out has the following purposes:

a) to meet requests from organisations (hospitals, health authorities, etc.), which order specific immunotherapy products for identified and identifiable patients, or from private customers who order specific immunotherapy products for themselves or their family members by prescription; 

b) fulfilling obligations arising from laws, community rules and regulations, regional laws; fulfilling provisions issued by the Judicial Authority, or by other Authorities to which current legislation confers such power.

(c) fulfil contractual, accounting and tax obligations;

d) management of customer master data, address books and internal statistical calculations, - Statistical analyses carried out only by aggregation of previously anonymised data;

(e) possibly protecting a legitimate interest, asserting or defending a right;

f) feed the customer knowledge acquisition system, necessary for the verification, improvement and therefore the design of a service that is increasingly in line with demand by means of surveys and surveys, also anonymously, of the degree of customer satisfaction, carried out also by means of telephone interviews or requests to fill in questionnaires;

g) purposes related to publics relations, marketing, advertising, promotional proposals.

In particular, the contact details, postal and e-mail addresses that may be provided may be used to send communications relating to promotional initiatives and/or the products of Siva Igiene Ambientale s.r.l.. It is understood that the user may object to this processing at any time

In this regard, we would like to point out that Paragraph 4 of Article 130 of Legislative Decree 196/2003 permits the use for this purpose of the e-mail address provided by the person concerned at the time of purchase of a ticket/subscription on condition that he/she does not refuse such use;

And, as far as the handling of reports from users is concerned:

h) Ensure a certain and timely response to user reports, facilitating the creation of an effective communication channel between the company and the customer-user

i) Feeding the system of systematic recording and analysis of service failures in order to correct them

4. HOW THE DATA ARE PROCESSED and stored

In relation to the aforementioned purposes, the processing of personal data may take place using paper, computer and telematic tools. Always guaranteeing absolute confidentiality, relevance and non-excessiveness with respect to the purposes described above, in terms of recording and data retention periods. 

The personal data referred to in point 1 above, without prejudice to the provisions of the rules on the retention of administrative documents, will only be retained for the time allowed/imposed by the current legislation applicable to the specific purpose for which the data are processed.

5. MANAGERS AND APPOINTEES

For the same purposes, the data may be processed by the following categories of appointees and/or managers: 

  • Direction and management,
  • production and logistics personnel, 
  • marketing and communication officers,
  • administrative staff to manage administrative aspects, 
  • the company's Information Technology, which is responsible for ensuring the functionality of systems, data security and backup operations,
  • other offices of Siva Igiene Ambientale s.r.l. within the limits of its competences, always for the purposes indicated in point 3 above,
  • other subjects (companies/professionals appointed as Data Processors) who need access to certain data as they are in charge of carrying out activities ancillary to the purposes indicated above, to the extent strictly necessary to carry out the tasks entrusted to them such as assistance in the fulfilment or direct execution of tax/accounting fulfilments, management of information systems, financial services, online sales; in this regard, please note that these subjects will always and in any case be bound to full compliance with the rules and procedures aimed at guaranteeing the widest protection and safeguard of personal data adopted and imposed by the Data Controller also and not only in compliance with the regulations in force.
  • for user reports: in addition to the personnel assigned to receive user reports, the data may be processed, with the exclusion of the data subject's identification elements, by the corporate functions concerned with the subject of the report for the preparation/realisation of internal investigations and for the resolution of cases, always and only to the extent necessary to perform their functions.

6. SCOPE OF COMMUNICATION TO WHOM THEY MAY BE COMMUNICATED

Notwithstanding communications made in fulfilment of legal obligations, the personal data in question may be communicated or made available:

  • to persons who can access the data by virtue of a provision of law, regulation or EU legislation, within the limits provided for by these rules,

- the public or private body that placed the order for a specific immunotherapy product intended for the person concerned

  • limited to data of an accounting and tax nature to banks, credit institutions, data processing companies and credit card issuing companies, for activities pertaining to the performance of the service provided to users and/or related administrative and financial aspects, 
  • to other subjects (companies/consultants) who need access to certain data for purposes auxiliary to the management of the services requested by the interested parties, to the extent strictly necessary to perform the tasks entrusted to them, such as: assistance in the fulfilment or direct execution of tax/accounting/assistance obligations, management of information systems, financial services,

- to bodies, consortia, professionals and companies with the purpose of credit recovery and protection; credit insurance companies, commercial information companies,

Of course, all the communications described above are limited to the data necessary for the recipient body/office (which will remain the autonomous data controller for all consequent processing) to perform its tasks and/or achieve the purposes connected with the communication itself. 

6.1 transfer abroad

Personal data will only be transferred to entities located outside the European Union to the country in which the data subject resides or is located if the prerequisites of legitimacy set out in point 1 are met and in compliance with the legislation in force.

6.2 DIFFUSION

THE DATA IN QUESTION WILL NOT BE DISSEMINATED 

7 COMMUNICATION AND UPDATING OF DATA - WHEN IT IS MANDATORY TO COMMUNICATE YOUR DATA

The communication and updating of one's own data is compulsory only insofar as it relates to the performance of contractual and fiscal obligations provided for by the laws in force and the performance of obligations arising from the contract (ref. Letters a-b-c of point 3). Failure on the part of the data subject to comply with this obligation would make it impossible for Siva Igiene Ambientale s.r.l. to fulfil your requests and process your order. Obviously, on a case-by-case basis, an indication is always given of the data whose disclosure is mandatory in relation to the aforementioned purposes depending on the medium used. 

It should be noted that most of the processing carried out is not subject to the obligation to obtain consent since:

- are collected and held on the basis of obligations under EU laws, rules and regulations

- come from public registers, lists, deeds or documents that are publicly available; 

- are necessary to fulfil the requests of the person concerned or for the fulfilment of legal and/or contractual obligations; 

8. DATA CONTROLLER

The data controller is: Siva Igiene Ambientale s.r.l. Registered Office: via della Resistenza n.6

postal code 50039 Vicchio (Fi)

Siva Igiene Ambientale s.r.l.. has appointed a Data Protection Officer, whose task is to monitor compliance with data protection legislation in complete independence and without conflicts of interest. The Data Protection Officer can be contacted by e-mail: info@sivaonline.it

With regard to the processing necessary to process orders for specific immunotherapy products intended for a named data subject, in some cases Siva Igiene Ambientale s.r.l. will act as the Data Processor pursuant to Art. 28 of EU 679/2016 appointed by the entity that placed the order itself, already known to the data subject, who will remain the Data Controller. 

9. RIGHTS OF THE DATA SUBJECT

The data subject has the right:

> to request from the data controller access to and rectification or erasure of personal data or restriction of the processing of personal data concerning him/her and to object to their processing, 

> if the processing is carried out by automated (IT) means and on the basis of his or her consent, to receive in a structured, commonly used and machine-readable format the personal data concerning him or her and/or to obtain the direct transmission of those data to another data controller, if technically feasible,

> to withdraw one's consent at any time (without prejudice to the lawfulness of the processing based on the consent before revocation), of course for processing carried out on that basis,

> to lodge a complaint with a supervisory authority: Garante per la protezione dei dati personali - Piazza di Monte Citorio n. 121 00186 ROMA - Fax: (+39) 06.69677.3785 - Telephone switchboard: (+39) 06.696771 - E-mail garante@gpdp.it  - certified mail protocollo@pec.gpdp.it

Interested parties may contact the Data Controller: by telephoning 055 293030, specifying to the operator the nature of the request or problem highlighted, by e-mail info@sivaonline.itbearing in mind that it will not be possible to answer requests received by telephone if there is no certainty as to the identity of the applicant.

CONTACT US our toll-free number 800-017-763 or write to info@antitarli.it