DISCLOSURE PAPER ON PERSONAL DATA PROCESSING
pursuant to Article 13 of the EU Regulation 2016/679 of the European Parliament (so-called "GDPR")
1. This Statement
1.1 EDRA SpA, aware of the importance of ensuring the security of private information, in accordance with applicable Italian and European legislation, the following document describes how personal data is processed, pertaining to whoever ("User", "Users") connects to this site, either directly, or through a link from another site.
1.3 This policy applies only to personal data processed by means of and on the Site: it does not deal with the processing of data through other communication tools (e.g. telephone, mail, etc.).
1.4 This is the current policy in force, updated as at the date reported in the footnote: EDRA SpA reserves the right to modify, update or edit this policy at any given time.
1.5 EDRA SpA's statements are all set forth in the Site's Legal Notes (Terms and Conditions of Use), yet these do not have any contractual validity, and therefore do not constitute contractual obligations towards the User and corresponding User rights.
2. The Proprietor of Personal Data Processing
2.1 The proprietor of personal data is: EDRA SpA, Tac Code and VAT Number 08056040960, with its registered office in Milan, Via Spadolini n. 7, incorporated under Italian law.
3. Place of processing of personal data
3.1 The processing of personal data related to site consultation shall take place at the registered office of EDRA SpA, indicated hereinbefore. Data shall be stored in a data centre located in the registered office of EDRA SpA in Milan and at Elmec Informatica's Data Centre in Via Pret n. 1 Brunello (VA), nominated by Edra Spa as external data controller following art. 28 of GDPR.
4. Type of personal data treated
Traffic and navigation data provided by the user's computer
During their normal operation, computer systems and software procedures used on this Website acquire certain personal data for communication that are implicit in the use of internet communication protocols. This category of data includes IP addresses or domain names of computers used by persons who connect to the site, the URI (Uniform Resource Identifier) of requested resources, the time of request, the method used to submit the request to the server, the size of the file received in reply, the numerical code indicating the status of the reply provided by the server (successful, error, etc.) and other parameters regarding the User's operating system and computer environment. This data constitutes the access log.
4.2 The site also captures and stores the URL sequence-data (Uniform Resource Locator) identification of resources visited or searched on the Internet (e.g. Web-pages, documents, images, etc.), including date and time of access and their content.
- Permanent cookies: the computer system of the Site, in the course of its normal operation, some data is sent from the EDRA SpA server to the User's browser that gets stored on the hard disk of the User's computer to allow navigation in certain, specific, restricted areas of the Site.
- Session cookies: the Website's computer system sends data consisting of random numbers generated by the server, these so-called session cookies, are not stored permanently on the user's computer and disappear when the machine is turned off. The sending of such data is needed to enable the transmission of session identifiers, necessary for a safe and efficient exploration of the site and to gather information on Site usage by the User.
4.4 Most Users' browsers are designed to automatically accept cookies, although Users can set their browsers to off, either permanently, or temporarily in order to receive and save new cookies; alternatively computers can be configured to give alerts when they are going to store any cookie. In the event of deactivation of cookies, Users, can access the Site, although they may not be able to navigate to specific and/or protected areas.
4.5 In general, the site acquires and stores - and at times communicates to third parties - the hereinbefore described navigation data in an anonymous and aggregated form. The processing of such data allows the Owner to manage and monitor the Site's proper functioning and to make statistical analysis on samples for promotional or scientific purposes.
Data provided voluntarily by the User
4.6 The Site may sometimes require the User to provide certain personal information such as, for example, full name, business address, telephone number, email address, etc. Submission of such information is entirely at the User's discretion, and is therefore optional.
4.7 The User, to gain access to certain content in specific protected areas of the Site, and to take advantage of the site's full operational functions, has the responsibility to: - Obtain a pair of unique keys (username and password) through a registration procedure ;
- Thereafter, on every new session, enter his/her Username and Password for recognition by the authentication system.
4.8 Personal data collected from the form filled in by the user at the time of voluntary registration (registration data) consists of information concerning the User's contacts and so, e.g .: name and surname or company, association or institution name, job title, address, email, telephone number, fax. The site's computer system associates that data automatically to the Username and Password chosen by the user and connects this data to an account. In following visits to the site, users will have access to their personal registration data merely by typing their Username and Password; Users are therefore fully responsible for the proper custody of their Username and Password.
Data provided by third parties
4.9 The site's computer system may also manage personal and contact details of Users from public directories (e.g. database of telephone subscribers, databases of professional associations, databases of social security institutions of healthcare categories, etc.). As such, this data can be processed by EDRA SpA acting as independent data controller, in compliance with the requirements of the GDPR Privacy Code and in particular those provided with regard to unsolicited communications (email, SMS, MMS, fax).
5. Purpose of data processing
Users personal data shall be processed for the following purposes:
5.1 activities strictly connected and functional to business service operations: for example, allowing the user access to services offered and displaying Site contents; allowing the user to receive requested products or services, processing any received orders; answering User's questions and responding to requirements;
5.2 Technical management of the site and its information system, including the Medikey® certification platform: for example, acquisition, feedback and management of account information; rendering safe and verifications of Site's correct functionality; Site monitoring;
5.3 enrichment or customisation of content, services, or Site's design during a single visit, or repeated accesses;
5.4 profiling in aggregate form (that is, anonymous, without prejudice to data privacy and confidentiality of each registered holder), the Users and their access to confidential specialist pages, for scientific research purposes and/or market analysis, and report processing, performed directly by EDRA SpA or by other specialist third party companies;
5.5 messages to Users about Site changes or updates and its services; advertising messages, notification of special offers and promotions; requests for adhesion to market surveys to which the user can freely opt in or out.
6. Processing Methods
6.1 The processing of personal data takes place through information technology, electronic, and manual, both as EDRA SpA, and as Medikey® or other names and trademarks of the companies which belongs to the group of which Edra owns quotas (hereafter, the "LSWR group").
6.2 Data processing is performed in compliance with the GDPR and the requirements defined within EDRA SpA, described in the Security Policy Document and related technical documents.
7. Categories of subjects who process data.
7.1 The treatment is carried out by the Owner and his agents: employees, agents, representatives, suppliers, third parties (eg. companies providing data processing services, invoices printing, packing and labelling of products purchased online, shipping, etc.).
7.2 The treatment is also carried out by other LSWR group companies and entities (companies, associations, organisations) for which the owner operates as an agent, licensee, publisher in relation to the purposes listed above. In the situation mentioned in art. 28 of the GDPR (so when Edra Spa performs data processing activities on behalf of other entities), Edra Spa is nominated as data controller.
7.3 The processing of data by EDRA SpA and its Distributors may take place regardless of the User's consent in the following cases:
7.3.1 upon request of the judicial authorities, or to defend themselves or protect their rights in administrative, judicial or arbitration;
7.3.2 in the event that the processing of data is necessary to allow investigations aimed at countering illegal activities, fraudulent acts, or to ensure the safety of persons or property; in all cases, in general, in which the transmission of the data is required by law;
7.3.3 in the event Edra Spa is acquired by, transferred or merged with another company, or if this site or some of its contents are transferred to third parties.
8. Rights of persons concerned
8.1 The Users registered on the Website are solely responsible for the veracity and accuracy of the personal information they enter. Under Articles from 15 to 21 of the GDPR, the User has the right, at any time, to:
1. obtain confirmation of whether personal data concerning the same exists, even if not yet stored and whether its communication in intelligible form has occurred.
You have the right to obtain information:
a) on the origin of personal data;
b) on the purposes and methods of processing;
c) on the logic applied in case of computer-assisted processing;
d) on the identity of the owner, manager and the representative appointed under article 5, paragraph 2 ;
e) on subjects or categories of persons to whom the data may be communicated to or who can access such information as appointed representative, managers, or agents in that territorial State.
3. The interested party has the right to obtain:
a) updating, rectification or, when desired, integration of data;
b) cancellation, transformation into anonymous form or blocking of data processed unlawfully, including those that do not need to be kept for the purposes for which the data were collected or subsequently processed;
c) certification that the operations as per letters a) and b) were made known, including their contents, to those to whom the data were communicated or disclosed, except where this is impossible or involves a commitment of resources clearly disproportionate to the protected right.
The User can exercise these rights recognised by law by contacting EDRA SpA in the contact means listed in Section 11 below.
8.2 Beginning May 25 2018, following articles 15-21 of the GDPR, the Site User has the right to excercize the following right, in whole or in part:
• right of access;
• right of rectification
• right to cancellation (right to be forgotten), except in the event that the processing is necessary for the Data Controller, for the exercise of the rights to freedom of expression and information, for the fulfillment of a legal obligation or for the execution of a task carried out in the public interest, for purposes of archiving in the public interest, scientific or historical research or for statistical purposes, for the assessment, exercise or defense of a right in court.
• right to limitation of treatment
• opposition right
• right of withdrawal of consent at any time, subject to the lawfulness of the treatment based on consent before revocation;
• the right to lodge a complaint with the Guarantor for the protection of personal data.
If the Site User decides to exercise such right, it can express this willing contacting Edra Spa following instructions mentioned in the following Section 11).
8.3 EDRA SpA reserves the right to inform the User of any changes or updates to the Site whenever necessary.
9. Conservation of personal data
9.1 EDRA SpA retains the personal information of Users collected for as long as that information is relevant reputed for commercial purposes, and in any case not over 2 years from the last interaction or until the User requests the cancellation of aforesaid data by contacting EDRA SpA at one of the addresses listed in Section 11, herein.
10. Security of information
10.1 EDRA SpA is aware of the importance of ensuring the security of private information of which it becomes aware, and therefore strives to protect the privacy of its website Users.
10.2 Personal and demographic information including login credentials (username / login and password) for each user are sent and stored in servers equipped with firewalls and physically located in secure data centres.
10.3 Login and passwords circulating on the Internet are in encrypted form over SSL protocol. Other personal information flows between data centres of private line MPLS in encrypted form.
10.4 The implementation of lockout management systems (which provide the blocking of access in case of repeated incorrect access) further help protect User accounts from intrusion or hacking attempts by unauthorised third parties.
10.5 In addition to EDRA SpA establishing internal security procedures in the Security Policy Document (SPD) including, for example, filtering accesses and usage data by their employees.
10.6 EDRA SpA can not however be held responsible for any unauthorised access to data, loss (e.g. password), illegal/improper use, or alteration of personal information that occur outside of its control, nor can ensure the correct and safe use of the User's personal data by third parties.
11.1 The User may exercise the rights recognised by Articles 15-21 of GDPR and submit any request, question, comment, or complaint regarding this Statement, or the manner in which their personal data are processed in the Site to:
via Spadolini n. 7, 20141 Milan (Italy)
tel +39 02 88184.1;
fax +39 02 88184.301;
Edra Spa, following the article 37, co. 1, lettera b) of the GDPR has nominated Monica Gobbato as Data Protection Officer ("DPO"), who can be contacted at the following address: