PRIVACY POLICY
2016/679 and with the Privacy Codice (Leg. Decree no. 196/2003) as amended by Leg. Decree no 101/2018
(General Conditions for Use and for visiting the Web Site)
The ISTITUTO SUPERIORE DI SANITÀ with registered office in viale Regina Elena n. 299 - 00161 Rome, Tax Code 80211730587 – V.A.T. number 03657731000, as Data Controller, informs you, in pursuance of Article 13 EU Regulation no. 2016/679 (hereinafter "GDPR"), that the personal data of the Users who visit the www.eduiss.it site will be processed in the manner and for the purposes described below.
This Privacy Policy refers only to the www.eduiss.it website and not to other websites accessed by the User via the links found therein.
Following visits to this site, the data of identified or identifiable persons may be processed.
This Privacy Policy also takes into account Recommendation no. 2/2001 adopted on 17 May 2001 by the European Authorities for the Protection of Personal Data (in particular via the Data Protection Working Party set up by Article 29 of Directive no. 95/46 / EC), which sets forth certain minimum requirements for collecting personal data on-line, and, in particular, the Recommendation lays down the methods, timing and nature of the information that the Data Controllers are to provide to Users when they connect to their web pages, regardless of the purpose of the connection.
Furthermore, this Privacy Policy takes into account the provisions of the national legislator - Legislative Decree 196/2003 of the Privacy Code, as amended by Legislative Decree 101/2018 - and has been updated in accordance with the new European directives referred to in EU Regulation 2016/679.
The purpose of this Privacy Policy is to provide maximum transparency regarding the information that the site collects and how it is used.
1. Object of the data processing
Following visits to this site, the data concerning identified or identifiable persons may be processed.
Personal data are processed when Users visit the www.eduiss.it website.
2. Purpose of the treatment
The personal data of the people (data subjects) who access the site indicated above will be processed for a variety of purposes, depending on the category of the data processed.
The "navigation data" are processed in an automated manner for the sole purpose of gathering anonymous statistical data on the use of the site and to check that it functions properly. These data are stored in area networks external to the ISS. The data could be used to ascertain responsibility in case of computer crimes committed against the site: except in the occurrence of this latter case, the data on web contacts will be deleted.
The "data provided voluntarily by the User" are processed for the purpose of participating in training and scientific dissemination activities organized and co-organized by the ISS that are delivered on-line through the EDUISS web platform.
Lawfulness of the processing
The lawfulness of the processing lies in the legitimate interest of the Data Controller in ensuring safe and efficient navigation on the website, which also includes interactive functions.
The lawfulness of the processing lies in the consent given by the data subject to the processing of his or her personal data pursuant to Article 6 of the GDPR. By using or accessing this site, visitors and Users explicitly approve this Privacy Policy and consent to the processing of their personal data in accordance with the methods and for the purposes described above, including disclosure to third parties where this is necessary for delivering a service.
Providing one’s data, and therefore giving consent to the gathering and processing of data, is optional. Users can deny their consent, and can revoke a consent that they had provided at an earlier time. However, denying consent may make it impossible to deliver the services that the User has requested or has applied for on the website.
The data thus collected will be deleted from the system after 5 years or following a direct request by the data subject.
3. Categories of data processed
Navigation data
The computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of the Internet communication protocols (log files).
These data are not collected to be associated with identified data subjects, but which by their very nature could, through processing and association with data held by third parties, enable the identification of the Users.
This category of data includes the IP addresses or domain names of the computers used by Users who connect to the site, the addresses in the Uniform Resource Identifier (URI) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the User's IT environment.
These data are used for the sole purpose of obtaining anonymous statistical information on how the site is used, to check that it functions properly, provide assistance to the Users and improve the contents of the platform.
Data provided voluntarily by the User
The data provided voluntarily by the User are his or her contact details, personal data, data regarding the User’s profession, entered optionally, explicitly and voluntarily in the formats contained on this site.
4. Provision of data
Apart from the specifications provided above for the navigation data, the User is free to provide the ISS with his or her personal data contained in the registration forms for training events and courses held on the EDUISS platform.
Nonetheless, failure to provide the information could make it impossible to deliver the service for which the User has accessed the site.
For sake of completeness, it is worth recalling that in some cases (not subject to the ordinary management of this site) the Authority may request information and data associated with the protection of personal data, for the purpose of monitoring the processing of personal data. In these cases, replying to such a request is mandatory under penalty of an administrative sanction.
5. Places and methods of processing
Data processing associated with the web services provided by this site takes place at the ISS headquarters. The data are processed only by the technical staff of the office in charge of data processing.
The processing of personal data, for various reasons, is in any case carried out in accordance with the indications of Article 4 (2) of the GDPR: collection, recording, organisation, storage, consultation, selection, retrieval, comparison, use, transmission, erasure or destruction.
Personal data are processed with automated tools and will be kept for a period of 5 years starting from 1 January of the year following the date of collection.
This site processes User data in a lawful and correct manner. Specific technical and organizational security measures are observed to prevent data loss, illicit or incorrect use and unauthorized access (data breach).
6. Access to personal data
For the purposes described above, personal data may be accessible to the Data Controller's staff in their capacity as persons authorized to process the data and / or the system administrators, and to other Institutions, Bodies and Authorities, including, by way of example, AGENAS, CNOAS and the Ministry of Education; towards the latter Ministry, the Data Controller has disclosure obligations required by law. The Controller can disclose the information for the purpose and on the legal grounds referred to in Point n. 2.
7. Rights of the data subject
The owner of the personal data, in his or her capacity as data subject, has the rights referred to in Article 15 of the GDPR et seq., and in particular, the right of access his or her data, right of rectification, right to erasure of the data, right to restriction of processing, right to data portability, right to object, as well as the right to lodge a complaint with the Supervisory Authority (Article 77 of the GDPR and 141 of the Privacy Code, as amended by Legislative Decree 101/2018).
The data subject has the right to withdraw his or her consent at any time and without formalities, in pursuance of Article 17 (1) letter b) of the GDPR.
However, this revocation does not affect the lawfulness of the processing carried out on the basis of the consent given previously and will have the sole effect of terminating the processing of the data subject's personal data for the future.
8. Procedures for exercising rights
The data subject may at any time exercise his or her rights in writing and sending the letter via certified email to the PEC address of the Data Controller:
- L’ISTITUTO SUPERIORE DI SANITÀ with registered office in viale Regina Elena n. 299 – 00161 Roma, C.F. 80211730587 - Partita I.V.A. 03657731000
Identity and data of the contact of the:
Data Controller– ISTITUTO SUPERIORE DI SANITÀ
In the person of the current President as the ISS Legal Representation
PEC: protocollo.centrale@pec.iss.it
DPO (RPD) – SCUDO PRIVACY S.r.l.
In the person of the Legal Representative: Dott. Carlo Villanacci