In accordance and for the purposes of (i) the Italian Decree Law No. 196 of 30 June 2003, il “Codice Privacy”, (ii) EU regulation No. 2016/679 on the “protection of natural persons with regard to the processing of personal data and on the free movement of such data,” art. 13 and 14 GDPR, and (iii) the Italian Decree Law No. 101 of 10 August 2018, regarding provisions for adapting the national legislation to the EU regulation No. 679/2016, together referred to as “Privacy legislation”, there are a number of obligations for those who process the Treatment – intended as “the access, collection, use, processing, storage, sharing, distribution, transfer, disclosure, security, destruction, or disposal of any personal, sensitive, or confidential information or data, whether in electronic or any other form or medium (hereinafter referred to as the ‘Treatment’).
In this regard, the Istituto di Ricerche Farmacologiche Mario Negri IRCCS (hereinafter referred to as ‘Mario Negri’), is required to provide you, as an interested party for the Treatment (the ‘Interested party’), some information about the means and purposes of the Treatment of personal data you have directly supplied.
2. Data Controller
The data controller is the entity who determines the purposes and the means of data Treatment (the ‘Data Controller) and is identified in the Mario Negri Institute in the person of Prof. Giuseppe Remuzzi
in his capacity of Director.
Data Controller is the Istituto di Ricerche Farmacologiche Mario Negri IRCCS, with registered office in Via Mario Negri 2, 20156 Milano, Italy. E-mail address: firstname.lastname@example.org
The Data Protection Officer (DPO) can be contacted by email at: DPO@marionegri.it
3. Personal data categories
Except for navigation Data (collected automatically by the system), the treatment concerns personal data you provided voluntarily by filling the contact form (https://respectmri.com/contact/).
4. Purposes and legal basis of the Treatment
Your personal data are treated so that researchers involved in the RESPECT project can contact you providing the requested information.
To ensure the efficiency of the service, we also inform you that Data could be used to carry out technical tests and verification.
Legal basis of the treatment: consent given as Interested party for the Treatment (GDPR art. 6, par. 1, letter a). you will always retain the right to object to this type of Treatment.
Data retention policy: the personal data collected will be retained until the end of the RESPECT project, and then destroyed or anonymized.
5. Data Treatment methods
In relation to the purposes described, personal Data are processed with the use of manual, computer, and telematic tools, applying logic procedures correlated strictly to the stated purposes, and in any case in such a way as to ensure the utmost security and confidentiality of the Data. We also inform you that the Mario Negri Institute treats Data in full compliance with principles of fairness, legality and transparency as provided by GDPR art. 5.
6. Nature of Data provision
Data provision is optional, but in the absence of data provision it won’t be possible for Mario Negri Institute to pursue the purposes under paragraph 3.
7. Categories of persons to whom personal data may be communicated
Data may be treated by employees of the Mario Negri Institute authorised to do so for the purposes indicated above, who have been expressly authorised to treat the Data and have received suitable operating instructions.
Data may be treated, on behalf of the Mario Negri Institute, by external parties offering services for the fulfilment of the purposes indicated in this policy (media agencies, IT suppliers, etc). Data may be also treated, on behalf of the Mario Negri Institute, by researchers working in the other partners of the RESPECT consortium, and in particular at the Institution Clínica Universidad de Navarra, Pamplona, Spain. Those individuals will be designated as Data Processors and will receive proper operating instructions.Data may be treated by external Third Parties acting as Data Processors, e.g. supervisory and control authorities and bodies and, in general, public or private subjects, entitled to request Data.
8. Transfer of data to non-EU countries
Personal data will be mainly treated within the EU and stored on servers located there. It is anyway intended that the Data Controller may transmit such data to a third country or to an international organization and/or can also transfer servers out of the EU. Moreover, since one of the partners of the RESPECT project is outside the EU (UK), data may be transferred there. The Data controller ensures that extra-EU data transfer will take place in accordance with the applicable legal provisions (GDPR art. 44)
9. Rights of the interested party
As interested party, according to the procedures and within the limits established by law, you may exercise the following rights:
- Request confirmation of the existence of your details (access right);
- Know the origin of the Data;
- Request their communication in an intelligible form;
- Receive information about the reasoning, uses and processing objectives;
- Require updating, correction, integration or deletion, anonymization, blocking of the treated Data in breach of the law, including data that is no longer necessary for the purposes it was collected;
- In the case of consent-based Treatment, receive the Data supplied to the Data Controller at no extra cost than that of the medium used, and in a structured and legible form and a format commonly used by electronic devices;
- The right to make a complaint to the Supervisory Authority (Privacy Guarantor)
and, in general, exercise all rights recognised by current applicable law.
If you would like to know more about the Treatment of your personal Data and exercise the rights listed above, as well as to simplify the submission procedures and reduce response time, you are invited to submit the requests in writing to the attention of the Data controller, at the address above.
In case of request from you for information concerning your Data, you will receive a response as soon as we can – unless this proves impossible or involves a disproportionate effort. The impossibility to fulfil the request by the Data Controller and any delays will be adequately motivated.