(pursuant to article 13-14 of the UE Regulation 2016/679)
The EU Regulation 2016/679 on “the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter “EU Reg. 2016/679” or “GDPR”) lays down rules aimed at protecting fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Browsing this Site, data relating to identified or identifiable persons may be processed.
- Data controller and Data Protection Officer
Pursuant to art. 13 and 14 of the GDPR Fondazione Ferrata Storti (hereinafter also “Foundation”) with registered office in Pavia, Via Giuseppe Belli, 4 (PV-27100), in the person of the Legal Representative, is the data controller and is required to provide information regarding the processing of personal data of the data subjects.
The contact data are as follows:
The Foundation has appointed a Data Protection Officer (DPO) who can be contacted at the following e-mail address: firstname.lastname@example.org
- Type and source of data processed
Browsing data provided by user’s devices
(Facebook: https://www.facebook.com/help/cookies/; Twitter: https://twitter.com/privacy?lang=en).
Data voluntarily provided by users
The Foundation processes personal data such as name, last name, e-mail address. These are personal data freely released by users and collected through the domain www.haematologica.org.
The personal data processed by the Foundation are usually collected directly from the data subject. In particular, the data subject may provide his/her personal data submitting forms available in various sections of the Site to access and request information on the services offered by the Foundation.
The free, explicit and voluntary email to the addresses available in this Site entails the subsequent acquisition of the sender’s address, which is necessary to answer to requests, as well as any other personal data contained in the message.
The information that users will consider to make public through the services and tools made available to them, are provided by the User knowingly and voluntarily, exempting this Site from any liability for any violations of laws. It is up to the User to verify that he/she has given his/her consent for the input of personal data of third parties or content protected by national and international regulations.
The processing of personal data will be based on the principles of correctness, lawfulness, transparency and protection of confidentiality and rights of the person concerned.
- The purposes of processing personal data and the legal basis for processing
Personal data will be processed for the following purposes:
- a) to verify requests for contact or information relating to the activity carried out by Haematologica;
- b) to analyze feedback, suggestions, questions or examine access problems;
- c) manage the registration of authors, reviewers, editors in the personal area of the Site;
- d) to publish editorials, scientific articles and clinical cases;
- e) to send summaries, researches, quotations of articles and other notices by e-mail;
- f) to send the newsletter relating to Haematologica contents by e-mail;
- g) to comply with the obligations provided for by laws, regulations and Community legislation.
- h) for historical and cultural interest.
Data processing for purpose a) and b) is based on legitimate interest of data controller to verify requests, analyze feedback, suggestions, questions or examine access problems (art. 6, (i), (f), GDPR).
Data processing for purpose c) is based on necessity to take steps at the request of data subject prior to entering into a contract (art. 6, (i), (b), GDPR).
Data processing for purpose d) is based on necessity to take steps at the request of data subject prior to entering into a contract (art. 6, (i), (b), GDPR).
Data processing for purpose e) and f) is based on data subject consent (art. 6, (i), (a), GDPR).
Data processing for purpose g) is based on necessity to comply with a legal obligation to which data controller is subject.
Data processing for purpose h) is based on legitimate interest of data controller to pursue historical and cultural interest (art. 6, (i), (f), GDPR).
The provision of personal data for the purposes listed above and their communication to the categories of persons indicated in paragraph 8, is not mandatory, but any refusal by the interested party to provide such personal data will make it objectively impossible for the Foundation to provide the services requested and / or to comply with legal obligations relating to the operation of the same.
The data subject has the right to withdraw the consent that he has given at any time. This will not affect the lawfulness of the treatment based on the consent given before the withdrawal. The data subject may at any time contact the data controller to withdraw the consent at the addresses published in this information notice.
- How personal data are processed
Personal data are processed by using manual, computer and telematic tools with methods strictly related to the purposes stated in this document and, in any case, in such a way as to ensure the security and confidentiality of the data in accordance with current regulations.
In the event of processing by electronic or other methods, and by management and storage systems, including advanced hardware and software, the Foundation may use third-party service companies that will be made aware of their responsibilities by notice of appointment as data processor pursuant to art. 28 of the GDPR.
The updated list of Data Processors is kept at the registered office of the data controller.
- Data retention policy
The data collected will be stored for a period of time not exceeding the achievement of the purposes for which they are processed (“principle of storage limitation”, art. 5 GDPR), without prejudice to cases of compliance with an obligation of law or order of an authority. The check on the obsolescence of stored data in relation to the purposes for which they were collected is carried out periodically. At the end of the retention period, personal data will be deleted, destroyed or made anonymous, subject to any statutory retention periods. With regard to the purposes referred to in paragraph 4 sub e) and f), the data will be processed by the data controller, until the data subject communicates his willingness to withdraw consent to one or all of the purposes for which it was requested.
Therefore, after the end of this term, the right of access, erasure, rectification and the right to data portability may no longer be exercised.
- Categories of recipients
In some cases, the execution of all the activities connected with and/or instrumental to the management of the Foundation involves the communication of data subjects personal data - in addition to those whose right to access them is recognized by law - to external companies or entities, such as, for example:
- a) other companies as service providers, or other subjects carrying out activities in outsourcing on behalf of the data controller;
- b) companies in charge of the management of computer connections and other activities connected to those indicated, whose collaboration the Foundation avails itself of;
- c) to all those public and/or private subjects, natural and/or legal persons, if the communication is necessary or functional to the correct fulfilment of contractual obligations and legal obligations.
The subjects belonging to the categories of recipients will process the data and will use them, as data processors expressly appointed by the data controller in accordance with the law, or alternatively as independent data controllers.
The data controller appoints all employees and collaborators, including occasional ones, who carry out tasks involving the processing of personal data as authorised subjects for processing.
- Where personal data are processed
Personal data will be processed by the data controller at its registered office located in Via Giuseppe Belli, 4, Pavia (PV- 27100).
- Transfer of personal data outside the EU
If for technical and/or operational reasons it is necessary to use subjects located outside the European Union, such subjects will be appointed as data processors and the transfer of personal data to such subjects, limited to the performance of specific processing activities, will be regulated in accordance with the provisions of the GDPR. In this case, the data controller hereby guarantees that the transfer of non-EU data will be regulated in accordance with the provisions of Chapter V of GDPR and authorised on the basis of specific decisions of the European Union. All necessary precautions will therefore be taken in order to guarantee the most complete protection of personal data, basing this transfer on: a) adequacy decision determined by the European Commission on the basis of article 45 GDPR; b) appropriate safeguards provided by the third party to which it is addressed, pursuant to art. 46 GDPR; c) the adoption of binding corporate rules.
- Rights of the data subjects
Data subject have the following rights:
- right of access to the personal data;
- right to data portability;
- right to object to processing personal data;
- right to rectification, erasure, restricion to processing personal data;
- right to withdraw consent;
- right to lodge a complaint with the Data Protection Supervisory Authority.
- How to exercise data subjects rights
Data subjects may exercise their rights contacting the data controller at Fondazione Ferrata Storti, via Giuseppe Belli, 4, Pavia (PV-27100) or sending an email to email@example.com
Alternatively, the subject may contact the Data Protection Officer sending an email to firstname.lastname@example.org
Minors under the age of 18 must not submit any information or personal data to the Foundation without the consent of the individual exercising the parental responsibility on them. In the absence of such consent, it will not be possible to verify the requests of the child.
The data controller has the right to change to this information at any time by informing users on this page. We therefore ask you to review this page periodically, taking as a reference the date of the last change indicated at the bottom. In case of non-acceptance of the changes made to this Policy, the user is required to notify the data controller and may request to remove their personal data. Unless otherwise specified, the above Information will continue to apply to personal data collected up to that time.