Information for personal data processing through the Smart Axistance App C-19
(pursuant to art. 13 EU Regulation 2016/679)
The EU Regulation 2016/679 of the European Parliament and of the Council concerning the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data (hereinafter GDPR EU 2016/679), guarantees that the processing is carried out in compliance with the fundamental rights and freedoms of natural persons, with particular reference to confidentiality and the right to the protection of this data. For these reasons, the Agostino Gemelli IRCCS University Polyclinic Foundation (hereinafter, for the sake of brevity, the "Foundation"), based in Largo Francesco Vito n.1, 00168 Rome, as the "Owner" of data processing, is required to provide you, pursuant to art. 13 of the GDPR EU 2016/679, with precise information regarding the personal data concerning you. The Data Owner has appointed Enel X Italia S.r.L., based in Via Flaminia, 970, 00100 ROME, as Data Processor. The Data Processor has appointed ADILIFE Srl, Via Mosca 52, 00142 ROME, as Sub-Manager.
In particular, the Foundation, due to the COVID-19 epidemiological emergency and limited to the emergency period, intends to offer the following palliative care services to chronic patients included in the home network:
telemonitoring of vital parameters using electro-medical devices;
videoconsulting and/or teleconsulting with medical staff.
The Service is available by accessing the COVID-19 Smart Axistance App (hereinafter the "APP") on the online stores.
TYPE OF DATA PROCESSED
In addition to your personal data, the Foundation may process particular categories of personal data pursuant to art. 9 of the GDPR EU 2016/679, in particular, data relating to the state of health. The common personal data relating to the state of health that, by way of example, may be processed are: name, surname, email address, telephone number, vital parameters, video images.
PURPOSE AND LEGAL BASIS OF THE PROCESSING
For treatments carried out for the purposes of diagnosis, assistance, health or social therapy, or management of health and social systems and services (hereinafter "treatment purposes"), as clarified by the Provision of the Data Protection Authority "Clarifications on the application of the rules for the treatment of data relating to health in the health sector" (hereinafter "Clarifications") - 7 March 2019, the patient's consent is not required, as, pursuant to art. 9 paragraph 2 lett. h) of the GDPR and of articles 2-septies and 75 of Legislative Decree 196/2003 as amended and supplemented by Legislative Decree 101/2018 GDPR, the processing is necessary to achieve the purposes of care and is carried out within a health facility by professionals subject to professional secrecy or by another person also subject to the obligation of secrecy.
In the particular case, as reported in the Clarifications, the treatments connected to the use of medical apps require the explicit consent of the interested party (Article 9, paragraph 2, letter a) of the Regulation), in the absence of which the provision of the service is not allowed.
METHOD OF TREATMENT
The data processed is provided directly by the interested party (via electromedical tools supplied or entered manually) or acquired or processed as part of the provision of services.
The above-mentioned purposes involve carrying out the operations of collection, recording of data, video and audio recording, storage and modification of personal data, using manual and IT tools, with logic strictly related to the purposes themselves and, in any case, in order to guarantee the security, confidentiality, integrity and availability of data.
The mobile functions accessed by the APP itself for the provision of the Service include, for example:
Bluetooth: for the acquisition of vital parameters from electro-medical devices;
Network (internet): to connect with the Data Center of the Telemedicine Service of the persons specifically appointed as Data Processors, for the purposes related to the use of this APP as well as the related services offered;
Information on the device and Operating System installed: to allow a personalized experience based on the type of device on which the App is installed (e.g., different views based on the video resolution of the device).
The data may only be processed by previously authorized personnel subject to office secrecy, as well as the legal obligation of confidentiality.
CATEGORIES OF SUBJECTS TO WHOM THE DATA MAY BE COMMUNICATED
Personal data processed only for the aforementioned purposes may be transmitted to subjects to whom communication is required by law or regulation, or on the basis of existing legal relationships with the Foundation.
DATA STORAGE TIMES
The Personal Data processed for the aforementioned purposes will be kept in compliance with the principles of proportionality and necessity, and in any case until the purposes of the processing have been pursued.
The paper documentation relating to medical reports and records is subject to the obligation of unlimited storage as provided for by the circular of 19 December 1986 n.900 2 / AG454 / 260 of the Ministry of Health.
EXERCISE OF RIGHTS
We inform you that for the purposes of the GDPR EU 2016/679:
The Data Owner is the Agostino Gemelli IRCCS University Polyclinic Foundation, based in Largo Francesco Vito n.1, 00168 Rome.
Pursuant to art. 15, 16, 17, 18, and 21 of the GDPR EU 2016/679, we inform you that:
a) you have the right to ask the Data Owner for access to personal data, rectification, integration, cancellation of the same, regulation of the processing of data concerning you, or to oppose the processing of the same, if the conditions required by the GDPR EU 2016/679 are met;
b) you can exercise the rights referred to in letter a) by writing to the Foundation at the above address;
c) you have the right to lodge a complaint with the Guarantor for the protection of personal data, following the procedure and the indications reported on the official website of the Authority: www.garanteprivacy.it.
We also inform you that the Foundation, pursuant to Article 37 of the GDPR EU 2016/679, has designated the Data Protection Officer (DPO) who can be contacted at the e-mail address email@example.com