Privacy Notice pursuant to EU Regulation 2016/679 and D.Lgs. 101/2018

This document explains the methods and purposes of the processing of personal data carried out by AREA QUALITA 'srl, as the owner (hereinafter, also the "Data Controller"), as well as any further information required by law, including all information on the rights of the data subject and their exercise.
The Regulation (EU2016 / 679 - D.Lgs. 101/2018) concerning the protection of personal data (hereinafter the "Regulation") establishes the rules concerning the protection of individuals with regard to the processing of personal data, as well as rules concerning the free movement of such data and protects the fundamental rights and freedoms of natural persons, with particular reference to the right to protection of personal data.
Article. 4, n 1 of the Regulation states that "Personal Data" must be understood as any information concerning an identified or identifiable natural person (hereinafter "Interested").
By "Treatment" must be understood any operation or complex of operations, carried out with or without the aid of automated processes and applied to Personal Data or set of Personal Data, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, portability, cancellation or destruction (Article 4, n2 of the Rules).
Pursuant to articles 12 and ss. Of the Regulation, it is also envisaged that the interested party should be made aware of the appropriate information concerning: (i) the processing activities that are carried out by the Data Controller and; (ii) the rights of the interested parties.

1. Purpose of the Processing and legal basis
With the express consent of the interested Party, the Data Controller will process your Personal Data (name, surname, e-mail address, telephone number, etc.) for sending communications containing information about Area Qualità and activities organized by the Data Controller (such as, Continuing Education events and the management of those events) including updates and / or informative material / medical-scientific publications, collection of statistical data, publications of articles printed or on line or related to events organized by Area Qualità.

2. Processing and conservation methods
In compliance with the provisions of Article 5 of the Regulation, the Personal Data processed are:
(i)Treated in a lawful, correct and transparent way towards the interested party;
(ii) Collected and registered for specific, explicit and legitimate purposes and subsequently processed in terms compatible with those purposes;
(iii) Appropriate, relevant and limited to what is necessary with respect to the purposes for which they are processed;
(iv) Exact and updated;
(v)Treated in such a way as to guarantee an adequate level of security;
(vi) Keep in a form that allows the identification of the interested party for a period of time not exceeding the achievement of the purposes for which they are processed.
Personal Data will be processed by the Data Controller with automated and non-automated tools; the electronic storage of Personal Data takes place in secure servers located in areas with controlled access and restricted access.
Specific security measures are observed to prevent data loss, illicit or incorrect use or unauthorized access.

3. Conferment of Personal Data
The provision of Personal Data is optional and any refusal by the interested party implies the inability of the Owner to send communications containing information relating to the Data Controller or relating to conferences or other activities organized by the Data Controller (such as, Continuing Education events and the management of those events) including updates and / or informative material / medical-scientific publications, collection of statistical data, publications of articles printed or on line or related to events organized by Area Qualità.

4. Storage of Data
Personal Data is kept for the time strictly necessary to achieve the purposes for which it was collected and submitted for treatment.
It is however understood that, once the purpose of the processing is exhausted or in the event of exercising the right to oppose the treatment or revoking the consent given, the Data Controller will in any case, or legitimately, retain the Personal Data, in whole or in part, for certain purposes such as asserting or defending a right in court (for example in the event of possible disputes with respect to the activities performed by the Data Controller) or for purposes of legal obligations.

5. Communications of Personal Data
Personal Data will be accessible to the persons in charge of processing and to any external collaborators

6). Dissemination of Personal Data
Personal data are not subject to disclosure

7. Transfer of Personal Data abroad
Personal Data may be transferred to countries of the European Union and to Third Countries with respect to the European Union for the purposes referred to in paragraph 1. In case of transfer of Personal Data outside the European Union, in the absence of a decision for the adequacy of the European Commission, the provisions of the applicable legislation regarding the transfer of Personal Data to non-EU countries will be respected.

8. Rights of the interested party
At any time the Data Subject will be able to access Personal Data in order to correct, delete or generally exercise all rights that are expressly recognized in accordance with the applicable legislation on the protection of Personal Data, and in detail: (i) the right to obtain confirmation of the existence or not of Personal Data and their communication in an intelligible form, to know the origin, purposes and methods of processing; (ii) the right to obtain an indication of the identity of the Data Controller, data processors and the subjects or categories of subjects to whom the Personal Data may be communicated; (iii) the right to verify the accuracy of Personal Data or request its integration or updating or correction; the right to request cancellation, transformation into anonymous form or blocking of personal data processed in violation of the law, as well as their limitation under the law and to oppose in any case, in whole or in part, for legitimate reasons to their Treatment; the right to the portability of their Personal Data, as well as the right to propose a complaint, a report or an appeal to the Guarantor for the protection of Personal Data, where the conditions are met.
The applicable law also recognizes the right of data subjects to oppose the processing of personal data for the purposes referred to in point (iv) paragraph 1 of this information document, as well as the right to withdraw their consent to the processing of personal data in any time, without prejudice to this, however the lawfulness of the processing put in place by the Data Controller on the basis of the consent given before the revocation.

9. Holder and Manager of the Treatment
Data Controller is AREA QUALITA 'S.R.L. based in Milan, Piazza Insubria n. 16, e-mail: info@areaqualita.com

10. Communications and exercise of the rights of the interested party
To exercise the rights referred to in paragraph 8, the interested party can contact at any time the Internal Responsible of the Treatment indicated in point 9, by writing an email to info@areaqualita.com
Article 13
Information to be provided where personal data are collected from the data subject

1.Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b)the contact details of the data protection officer, where applicable;
(c)the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d)where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e)the recipients or categories of recipients of the personal data, if any;
(f)where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a)the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b)the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c)where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d)the right to lodge a complaint with a supervisory authority;
(e)whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f)the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3.Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4.Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Article 14
Information to be provided where personal data have not been obtained from the data subject
1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject;
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 45
Transfers on the basis of an adequacy decision
1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 46
Transfers subject to appropriate safeguards
1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Article 49
Derogations for specific situations
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.”

© Copyright Area Qualità S.r.l. 2019. This message, together with its attachments, contains information to be deemed strictly confidential and is destined only to the addressee(s) identified above who only may use, copy and, under his/their responsibility further disseminate it. If anyone has received this message by mistake or reads it without entitlement be forewarned that keeping, copying, disseminating or distributing this message to persons other than the addressee(s) is strictly forbidden and you are asked to notify the sender immediately and erase the original message received. Thank you.