(Made pursuant to EU Regulation 2016/679 and the Privacy Code, as amended by Legislative Decree 101/2018)
ISTITUTO SUPERIORE DI SANITA' with registered office in viale Regina Elena n. 299 - 00161 Rome, Tax Code 80211730587 - VAT number 03657731000 (hereinafter "ISS", together "Owner")
pursuant to art. 13 and 14 of the EU Regulation n. 679/2016 (hereinafter "GDPR") and of the Privacy Code, as amended by Legislative Decree 101/2018, that personal data will be processed in the following ways and for the following purposes:
1. Purpose and Legal Basis of the Processing
The personal data collected are processed exclusively for the purpose of managing requests for access to data relating to the Covid 19 epidemiological surveillance sent to the Istituto Superiore di Sanita' pursuant to OCDPC n. 691 of 4 August 2020.
The legal basis of the processing is found in art. 6, par. 1, lett. c) GDPR, as "the processing is necessary to fulfill a legal obligation to which the data controller is subject".
2. Categories of Personal Data
For the purposes referred to in point n. 1, the following categories of personal data may be collected and subsequently processed:
3. Methods of Treatment
The processing of personal data is carried out by means of the operations indicated in art. 4, par. 1, no. 2 GDPR and more precisely: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
The data are processed by the Data Controller only with methods, tools and IT procedures, strictly necessary to achieve the purposes described in point n. 1.
The Data Controller prepares physical, technical and organizational security measures pursuant to art. 32 GDPR to prevent data loss, illicit or incorrect use and unauthorized access (Data Breach).
4. Retention period
Personal data will be kept for 12 months from receipt of the request or until the request for cancellation.
5. Access to personal data
Personal data may be accessible for the purposes referred to in point n. 1 by the staff of the Istituto Superiore di Sanita' in charge of receiving and managing data requests and / or from third parties to whom the Data Controller has a legal or contractual obligation to communicate.
6. Rights of the interested party
The interested party has the rights referred to in art. 15 GDPR et seq., More precisely right of access, right of rectification, right of cancellation, right of limitation of treatment, right to data portability, right of opposition, as well as the right to lodge a complaint with the Guarantor Authority (Article 77 of the GDPR and 141 of the Privacy Code, as amended by Legislative Decree 101/2018).
7. Methods of exercising rights
The interested party may at any time exercise the rights by sending a specific communication to the PEC address of the Data Controller:
ISTITUTO SUPERIORE DI SANITA' with registered office in viale Regina Elena n. 299 - 00161 Rome firstname.lastname@example.org
8. Identity and contact details of:
In the person of the President: Professor Silvio Brusaferro
In the person of Dr. Carlo Villanacci