How we protect your privacy

“Processing of personal data” means any operation or set of operations performed, whether or not by automated means, and applied to personal data or sets of personal data, even if not recorded in a database, such as collection, recording, organization, structuring, storage, processing, selection, blocking, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

PiùMedical S.p.A. pays the utmost attention to the protection of personal data and has adopted appropriate and necessary measures to safeguard and retain such data, in accordance with the applicable national and European legislation, having assessed all risks connected with the activities referred to above.

Access to certain sections of the website and/or any requests for information or services by website users may be subject to the provision of personal data, which will be processed by PiùMedical S.p.A. in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) and the applicable national legislation, with which PiùMedical S.p.A. has always complied.

This privacy notice is intended to enable users, even before accessing the various sections of the website and providing their data, to understand how PiùMedical S.p.A. processes users’ personal data. In any event, the user must read this notice before providing any personal data by filling in the relevant fields in the various sections of the website and giving consent to the processing of personal data.

Processing will be carried out manually (e.g., collection of paper forms) and electronically, or otherwise with the aid of computerized or automated tools.

In accordance with the Privacy Code and the Regulation, processing carried out by the Data Controller will be based on the principles of fairness, lawfulness and transparency, and on the protection of confidentiality.

The Data Controller processes personal and identifying data (for example: first name, last name, address, tax code, telephone number, email address, bank and payment details)—hereinafter “personal data” or “data”—provided by the Data Subject in connection with the conclusion of the contract for the services offered by the Data Controller.

The personal data processed were collected directly from the Data Subject.

In addition to the personal data provided directly by the user, when connecting to the website, the IT systems and software procedures used to operate the website may indirectly acquire certain personal data, the transmission of which is implicit in the use of Internet communication protocols.

Definition

Providing data is optional; however, it is partly necessary (i.e., for those data fields marked with an asterisk) in order for PiùMedical S.p.A. to meet the user’s needs in connection with the website’s functionalities.

Failure to provide, or partially or inaccurately providing, the personal data marked with an asterisk—since such data are necessary to perform the requested service—will make it impossible to perform that service; whereas failure to provide, or partially or inaccurately providing, optional personal data that are not necessary will have no consequences.

Personal data will be processed by the Data Controller primarily and exclusively for purposes strictly connected with and instrumental to the performance of obligations relating to the contractual relationship, pre-contractual and tax obligations, and compliance with legal obligations under applicable law, and in particular:

  • to enter into contracts for the services offered by the Data Controller;
  • to fulfill pre-contractual, contractual and tax obligations arising from existing relationships with the Data Subject;
  • to manage collections/payments;
  • to comply with obligations imposed by civil and/or tax laws;
  • to comply with obligations imposed by regulations, whether national or international, EU legislation or an order of an Authority (e.g., anti-money laundering);
  • to exercise the Data Controller’s rights, for example the right of defense in court.

Access to, disclosure and dissemination of personal data for the pursuit of the primary purposes of processing. In all the cases described above, for the pursuit of the primary purposes, the Data Subject’s data may be made accessible to and disclosed to:

  • employees, workers and internal consultants responsible for administrative, secretarial, technical or other tasks, as well as collaborators of the Data Controller, who, operating under the direct authority of the latter, have been appointed as persons authorized to process the data and have received adequate operating instructions in this regard;
  • third-party companies or other entities (by way of example: professional firms, consultants appointed to perform legal and/or tax activities, entities that provide data processing and/or accounting services and related compliance activities on behalf of the Data Controller) that carry out activities on behalf of the Data Controller, as external data processors, and which have in turn issued adequate operating instructions to their employees and managers.

The Data Controller may also disclose personal data externally to third parties where such disclosure is necessary for the performance of the contract and the obligations arising therefrom, pre-contractual and tax obligations, and, more generally, for compliance with legal obligations.

In this context, personal data may be disclosed by the Data Controller to the following:

  • judicial and law enforcement authorities or other public administrations to comply with legal obligations;
  • credit institutions for the management of collections and payments;
  • companies that provide management and maintenance services for electronic communications equipment;
  • any natural or legal persons where disclosure is necessary for the primary purposes of processing.

These entities will process the data in their capacity as independent data controllers.

No requirement to obtain consent for the processing of personal data. In all the cases described above (including disclosure to third parties), the Data Controller is not required to obtain specific consent for processing, as all the above processing activities serve primary purposes for which Article 24 of the Privacy Code and Article 6(1)(b), (c), (e) and (f) of the Regulation exclude the need to obtain specific consent, either because processing is necessary to comply with a legal obligation (and consequently with regulatory and statutory provisions), or because processing is necessary to perform obligations arising from the contractual relationship to which the Data Subject is a party, or to comply, prior to entering into the contract, with specific requests by the Data Subject.

Where the Data Subject nevertheless does not wish to provide the required and necessary personal data, the consequence will be the impossibility for the Data Controller to fulfill its obligations and perform the contract.

1.1 Secondary purposes of processing personal data for promotional, advertising and marketing purposes

Personal data collected in connection with the signing of the contract or previous relationships that led to its formalization may also be processed by the Data Controller, both in paper form (e.g., completion of paper forms, coupons and similar documents, subsequently used electronically) and by automated/IT means, for purposes of commercial promotion, advertising communications, solicitation of purchasing behavior, market research, surveys (including by telephone, online or via forms), statistical processing (in identifiable form), other sampling marketing research (including prize events, games and competitions), hereinafter collectively referred to as “Processing for Marketing Purposes”.

By giving consent to Processing for Marketing Purposes, the Data Subject specifically acknowledges these promotional, commercial and marketing purposes of the processing (including related management and administrative activities) and expressly authorizes the Data Controller to carry out such processing pursuant to Article 23 of the Privacy Code (where the means used are telephone calls with an operator or other non-electronic, non-telecommunication or non-automated means), and pursuant to Article 130 of the Privacy Code (where the means used include email, fax, SMS, MMS, automated systems without operator intervention and similar means, including electronic platforms and other telematic means), and, finally, pursuant to Article 6(1)(a) of the Regulation.

Pursuant to the Italian Data Protection Authority’s General Provision of 15 May 2013 entitled “Consent to the processing of personal data for ‘direct marketing’ purposes through traditional and automated contact tools”, the Data Subject is specifically informed that:

  • any consent given to receive commercial and promotional communications pursuant to Article 130(1) and (2) of the Privacy Code (i.e., via email, fax, SMS, MMS, automated systems without operator intervention and similar means, including electronic platforms and other telematic means) will imply receiving such communications not only through those automated means, but also through traditional means, such as postal mail or calls through an operator;
  • the Data Subject’s right to object to the processing of personal data for “direct marketing” purposes via the automated means listed above will in any event also extend to traditional means, and, even in that case, the Data Subject may exercise this right in part, as provided by Article 7(4) of the Privacy Code, either with respect to certain means or certain processing operations;
  • the Data Subject who does not wish to provide consent as described above may express a wish to receive communications for the above Marketing Purposes exclusively through traditional means (where available) by sending a simple email to: garante.privacy@piumedical.it

For the purposes of simplifying privacy compliance obligations for the Data Controller (Article 2 of the Privacy Code) and pursuant to the above-mentioned General Provision of 15 May 2013, the Data Controller informs the Data Subject that the specific consent wording made available under the relevant consent collection procedure will be single and comprehensive and will refer to all possible means of marketing processing under Articles 23 and 130 of the Privacy Code, without prejudice to the Data Subject’s right to notify, by email to: garante.privacy@piumedical.it, a different preference as to the use of certain means and not others for receiving marketing communications, subject to consent. Furthermore, for the same simplification purposes, the Data Controller informs the Data Subject that the consent wording will be single and comprehensive and will also refer to all the different marketing purposes set out herein, without multiplying consent requests for each distinct marketing purpose, without prejudice to the Data Subject’s right to notify, by email to: garante.privacy@piumedical.it, a different selective preference as to consent or refusal for individual marketing purposes.

To proceed with Processing for Marketing Purposes, it is mandatory to obtain specific, express, documented, prior and entirely optional consent.

Accordingly, if the Data Subject decides to give such consent, the Data Subject must be informed in advance and be aware that the purposes pursued are specifically commercial, advertising, promotional and marketing in a broad sense. For full transparency, the Data Controller informs the Data Subject that data will be collected and processed following the granting of specific consent:

  1. to send advertising and informational material (e.g., newsletters) of a promotional or commercial solicitation nature, pursuant to Articles 23 and 130 of the Privacy Code;

  2. to carry out direct sales activities or placement of the Data Controller’s products or services;

  3. to send commercial information; to carry out interactive commercial communications also pursuant to Article 58 of Legislative Decree 206/2005, through the use of email;

  4. to prepare studies, research and market statistics;

  5. to send unsolicited commercial communications pursuant to Article 9 of Legislative Decree 70 of 9 April 2003 implementing Directive 2000/31/EC (e-Commerce Directive), which provides that unsolicited commercial communications must be immediately and unequivocally identifiable as such and must contain an indication that the recipient may object to receiving such communications in the future.

By giving optional consent, the Data Subject specifically acknowledges and authorizes these further possible secondary processing activities.

In any event, even where the Data Subject has given consent authorizing the Data Controller to pursue all the purposes mentioned in points 1 to 5 above, the Data Subject remains free at any time to withdraw such consent by sending a clear communication to: garante.privacy@piumedical.it, without any formality.

Upon receipt of such opt-out request, the Data Controller will promptly remove and erase the data from the databases used for Processing for Marketing Purposes and will inform, for the same deletion purposes, any third parties to whom the data may have been disclosed. Receipt of the deletion request will automatically constitute confirmation that deletion has occurred.

As specifically and separately required by Article 21 of the Regulation, where personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to the processing of personal data relating to him/her for such purposes; and where the Data Subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

1.1 bis Disclosure of personal data to third-party commercial partners

For the same purposes set out in points 1 to 5 of the preceding Paragraph 1.1, the Data Controller informs the Data Subject that the data may also be disclosed to third-party commercial partners. Consent to Processing for Marketing Purposes—if given by the Data Subject—does not also cover the separate and additional marketing processing consisting of disclosure of data to third parties for the same purposes. To proceed with such external disclosure, it is mandatory to obtain from the Data Subject an additional, separate, informed, documented, express and entirely optional consent.

As clarified in the Italian Data Protection Authority’s General Provision of 4 July 2013 containing Guidelines against spam:

  • as regards disclosure to third parties for marketing purposes in general, the disclosure or transfer to third parties of personal data for marketing purposes cannot be based on the acquisition of a single, generic consent from the data subjects for such purpose;
  • where the Data Controller intends to collect personal data from Data Subjects also to disclose (or transfer) them to third parties for their promotional purposes, it must first provide the data subjects with an appropriate notice identifying each third party, or alternatively indicating the economic/product categories to which such third parties belong;
  • the Data Controller must obtain specific consent for the disclosure (and/or transfer) to third parties of personal data for promotional purposes, distinct from the consent required by the Data Controller to carry out its own promotional activities;
  • where the Data Subject gives such consent for disclosure to third parties, those third parties may carry out promotional activities towards the Data Subject via the automated means under Article 130(1) and (2) of the Privacy Code without needing to obtain a new consent for promotional purposes.

Pursuant to the above-mentioned General Provision of 4 July 2013, the third-party recipients of disclosures of data for subsequent Processing for Marketing Purposes may be identified by reference to the following product/economic categories: publishing, sports clubs, providers of electronic communications goods and services, Internet service providers, communication agencies, insurance and financial services companies, companies in the food and catering sector, clothing, ICT hardware and software, banks and credit institutions, travel agencies, companies offering tourism services, companies offering services and goods for individuals, including health goods and services.

Personal data processed for Marketing Purposes will not be disseminated.

Where, for the purposes described in paragraphs 1.1 and 1.1 bis, the Data Subject’s telephone number is requested and the Data Subject has given the optional and specific consent to the processing of such personal data for commercial promotion and marketing purposes, the Data Controller informs the Data Subject that both the Data Controller and any third parties may lawfully process the telephone number for marketing purposes even if it is registered in the Public Register of Oppositions, since it is obtained from a source other than public telephone directories and is covered by specific consent, without prejudice to the Data Subject’s right to object subsequently, where consent is formally withdrawn.

2.1 Consent to processing

It is emphasized that providing personal data to the Data Controller and giving both consent to Processing for Marketing Purposes and the separate consent to disclosure to third parties for Processing for Marketing Purposes, for the purposes and with the methods described in paragraphs 1.1 and 1.1 bis, are entirely optional and elective (and in any case may be withdrawn without formality even after being given), and failure to provide such consent will not result in consequences other than the impossibility for the Data Controller and any third party to carry out the marketing processing mentioned.

In the event of refusal to provide marketing consent, there will be no interference with and/or consequences for the contractual relationship or obligations arising therefrom or otherwise, and the processing of personal data falling within the primary purposes of processing described in paragraphs 3.1 and 3.2 of this privacy notice.

With exclusive reference to the use of the email address provided by the Data Subject at the time of entering into the contract, it is specified that the Data Controller may send (without the need to obtain specific consent, as provided by Article 130(4) of the Privacy Code) informational and advertising material only if it relates exclusively to products and/or services similar to those for which the Data Subject originally gave marketing consent. In this specific case, the Data Subject’s right to object at any time to the processing, easily and free of charge, remains in place (by notifying opt-out to: garante.privacy@piumedical.it). In any event, on the occasion of each email communication sent by the Data Controller for the purposes provided herein, the Data Subject will be duly informed of the possibility to object at any time to processing, easily and free of charge. Such objection will have no effect on the contractual relationship or obligations arising therefrom or otherwise, and any processing of personal data falling within the primary purposes of processing of this privacy notice.

Definition

It is possible that, for marketing purposes and to improve services, the Data Controller carries out “profiling” processing to assess certain aspects or to analyze or predict aspects relating to the Data Subject’s economic situation, preferences, interests, reliability, etc.

Profiling may concern “individual” personal data or “aggregated” personal data derived from detailed individual personal data. By way of example, in profiling:

  • data are structured and coordinated based on predefined parameters identified from time to time according to business needs (regardless of marketing, contractual, administrative purposes, etc.);
  • the initial data, considered individually, may include a wide range of personal information, but only following profiling (i.e., structuring according to predefined parameters) is it possible to infer further information relating to the Data Subject, which would not derive from the mere informative value of the data considered separately.

In other words, profiling in the strict sense can result in the availability of information that goes well beyond the individual information relating to each data subject; moreover, profiling provides added value through the multiple correlations that can be established between the individual data collected, in order to derive additional useful information.

Key elements of profiling processing include:

  • predefining parameters for structuring individual data;
  • comparing, cross-referencing, correlating and analyzing such data based on predefined parameters, also through automated processes (i.e., clustering);
  • obtaining a profile through the above activities, enabling identification of the Data Subject and additional analytical insights beyond the individual data, allowing dynamic profile creation.

The processing activities described above are hereinafter collectively referred to as “Profiling Processing”.

Consent to processing

To proceed with Profiling Processing, it is mandatory to obtain a specific, separate (also from marketing consent), express, documented, prior and entirely optional consent.

Accordingly, if the Data Subject decides to give such consent, the Data Subject must be informed in advance and be aware that the purposes pursued are specifically commercial, advertising, promotional and marketing purposes in a broad sense based on Profiling Processing.

For full transparency, the Data Controller informs the Data Subject that, based on the granting of specific consent, the data collected may be subject to Profiling Processing for the same purposes set out in paragraph 1.1 of this privacy notice, while the scope of disclosure to third parties will, where applicable, be the same as already described for Marketing Processing in paragraph 1.1 bis.

It is emphasized that providing personal data to the Data Controller and giving both consent to Profiling Processing and the separate consent to disclosure to third parties for Profiling Processing are entirely optional and elective (and in any case may be withdrawn without formality even after being given), and failure to provide such consent will not result in consequences other than the impossibility for the Data Controller and any third party to carry out the processing mentioned.

In the event of refusal to provide consent to Profiling Processing, there will be no consequence or interference with the contractual relationship or obligations arising therefrom or otherwise, and any processing of personal data falling within the primary purposes of processing of this privacy notice.

The Data Controller informs the Data Subject that certain personal data of the Data Subject may be transferred to third countries or international organizations located outside the European Union in order to pursue only the primary purposes of processing.

From time to time, the lawful basis for the transfer of personal data may be:

a) the existence of adequacy decisions issued by the European Commission for certain countries that guarantee the same level of protection for transferred data as that ensured within the European Union (as a consequence, data may be transferred without constraints or consent, for example in the case of transfers to Australia, Argentina, New Zealand, Uruguay, Israel, Hong Kong, Switzerland);

b) the necessity to perform obligations relating to the established contractual relationship, or to perform commitments undertaken by the Data Controller in the interest and for the benefit of the Data Subject.

The Data Controller therefore informs the Data Subject that it is not necessary to obtain consent in order to proceed with processing consisting of the transfer of personal data to third countries or international organizations located outside the European Union, based on the lawful bases described above.

Personal data will be processed predominantly by automated means, with logic strictly related to the above purposes, by the Data Controller’s personnel and internal collaborators, and by external parties expressly appointed as data processors.

Outside these cases, the data will not be disclosed to third parties nor disseminated, except in cases expressly provided for by national or EU law.

Data will be processed for the entire duration of the contractual relationships established and also thereafter for the period during which the Data Controller is subject to retention obligations for legal and tax purposes and other purposes, as required by law and/or regulations.

With reference to personal data processed for Marketing Purposes or Profiling Purposes, such data will be retained in compliance with the principle of proportionality and in any event until the purposes of processing have been achieved or, if earlier, until consent is withdrawn by the Data Subject.

Data Controller: Mr. Elio Ettore Maroni – email: garante.privacy@piumedical.it

The Data Processor can be contacted at the following email address: garante.privacy@piumedical.it

Any change in the name of the Data Processor will be communicated also upon renewal of this consent, by updating the name of the Data Processor as provided therein.

Pursuant to Article 7 of the Privacy Code and Articles 13(2)(b) and (d), 15, 18, 19 and 21 of the Regulation, the Data Subject has the following rights:

a) the right to request from PiùMedical S.p.A., as Data Controller, access to personal data, rectification or erasure of such data, restriction of processing relating to him/her, or to object to processing, in the cases provided for;

b) the right to lodge a complaint, as a Data Subject, with the Italian Data Protection Authority, following the procedures and instructions published on the Authority’s official website at www.garanteprivacy.it;

c) any rectifications, erasures or restrictions of processing carried out at the request of the Data Subject—unless this proves impossible or involves a disproportionate effort—will be communicated by the Data Controller to each recipient to whom the personal data have been disclosed. The Data Controller may inform the Data Subject of those recipients if requested.

In particular, the Data Subject may:

  1. obtain confirmation as to whether or not personal data concerning him/her exist, even if not yet recorded, and have such data communicated in an intelligible form;

  2. obtain an indication of:

a) the origin of the personal data;

b) the purposes and methods of processing;

c) the logic applied in the event of processing carried out with the aid of electronic tools;

d) the identification details of the data controller, the processors and the designated representative pursuant to Article 5(2) of the Privacy Code and Article 3(1) GDPR;

e) the entities or categories of entities to whom the personal data may be disclosed or who may become aware of them in their capacity as designated representative within the territory of the State, data processors or persons authorized;

  3. obtain:

a) updating, rectification or, where there is an interest, integration of data;

b) erasure, anonymization or blocking of data processed unlawfully, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;

c) certification that the operations referred to in letters a) and b) have been brought to the attention, including as regards their content, of those to whom the data were disclosed or disseminated, except where this proves impossible or involves a manifestly disproportionate effort compared to the right protected;

  4. object, in whole or in part:

a) on legitimate grounds, to the processing of personal data concerning him/her, even if relevant to the purpose of collection;

b) to the processing of personal data concerning him/her for the purpose of sending advertising material or direct selling, or for carrying out market research or commercial communication, through automated calling systems without operator intervention, by email and/or through traditional marketing methods by telephone and/or postal mail. It is noted that the Data Subject’s right to object, described in point b) above, to direct marketing via automated means extends to traditional means, and the Data Subject may also exercise the right to object only in part.

Therefore, the Data Subject may decide to receive only communications through traditional means, or only automated communications, or neither of the two types of communication.