PURSUANT TO ARTICLE 13 OF LEGISLATIVE DECREE 196/2003 AND ARTICLE 13 OF REGULATION (EU) 679/2016
To ensure fair and transparent processing1, taking into account the specific circumstances and context in which the personal data will be processed, the Data Controller provides the data subject with the following information in accordance with the provisions of Article 13 of Legislative Decree 196/2003, as amended and supplemented by Article 13 of Regulation (EU GDPR) 679/2016.
Identity and Contact Details of the Data Controller and the Data Protection Officer
The Data Controller is Fondazione Telethon, with registered office in Rome at Via Varese 16/B, represented by its Representative Ms. Francesca Pasinelli, by virtue of Board of Directors’ resolution dated 7 February 2013 (henceforth the “Data Controller” or “Controller”).
The Data Protection Officer (“DPO”) is Ms. Michela Maggi, Esq., whose contact details are: Address: Piazza del Liberty 8; City: Milan; Post Code: 20121; Province: MI; Telephone: 02-49450269; Fax: 02-47977003; Website: www.maggilegal.it; E-mail: firstname.lastname@example.org; Certified electronic mail: email@example.com
Purposes and Methods of Processing
The Data Controller informs you that your data will be processed for the following purposes:
Legal Basis: Pursuant to the joint provisions of Article 6.1(a) of GDPR 679/16 and Article 23 of Legislative Decree 196/03, the Controller informs you that personal data processing for the aforementioned purposes shall be deemed lawful only and insofar as you have freely given specific consent to processing.
Processing for the purposes of archiving for scientific research purposes and carrying out statistical surveys is however deemed necessary in order for the Controller’ to carry out its institutional task, which, in light of its public service value, can be deemed carried out in the public interest under Article 6.1(e) of GDPR 679/16.
Personal data will be processed in digital form and stored in a database held by the Controller under a licence for use granted by third parties.
- registration and subsequent access to the website http://biobanknetwork.telethon.it to request biological samples that are useful to your research;
- handling your request for contact with the biobank(s) holding the biological sample that you have identified as being of interest to your research. For that purpose, the Controller will transmit your data to the biobank concerned for the sole purpose of enabling it to get back to you to directly handle your biological sample access request;
- sending newsletters and communications via phone, regular and email;
archiving for scientific research purposes and carrying out statistical surveys.
Recipients or Categories of Recipients and Scope of Personal Data Dissemination
Your personal data will not be disseminated but may be disclosed to and shared among i) the Data Controller’s staff, with a focus on those employees and co-workers carrying out specific activities involving data processing and authorised for processing; ii) third parties responsible for development and maintenance of IT systems or providing work or services instrumental to the specific purposes thereof (e.g., companies responsible for, or involved in, the management and/or maintenance of the websites and electronic and/or IT systems used), in their capacity as appointed processors or parties to confidentiality agreements; and iii) the biobanks holding the biological samples of your interest, to enable them to get back to you directly to handle your sample access request.
The Controller informs you that your personal data will be stored for a period of 10 years from the last use and for a further period of time for archiving for scientific research purposes, in the latter case putting appropriate safeguards in place to protect the rights and freedoms of the data subject, in accordance with the GDPR, such as any appropriate technical and organisational measures to ensure respect for the principle of data minimisation, where this does not prevent or seriously impair the achievement of the specific objective.
Data Subject’s Rights
In relation to the above data processing, you will be entitled to exercise the rights referred to in Article 13 of GDPR 679/16, as specified in Articles 15, 16, 17, 18, 20, 21 and 22 of GDPR 679/16, namely:
- the right to obtain confirmation as to whether personal data concerning you exists, even if not yet processed, and the communication of such data in an intelligible form;
- the right to request from the Data Controller access to your personal data, in addition to the right to data portability;
- the right to obtain the updating and rectification or, where interested therein, the addition of data;
- the right to object, wholly or partly: a) on legitimate grounds, to the processing of your personal data, even if relevant to the purpose of collection; b) to the processing of your personal data for direct marketing or sending advertising material or for carrying out market research or commercial communication;
- the right to obtain the erasure and transformation into an anonymous form, or the blocking, of any data processed in breach of the law, including any data not to be stored in relation to the purposes for which it was collected or subsequently processed;
- the right to withdraw your consent (only in cases where consent is required as a legal basis for processing) at any time without adversely affecting the lawfulness of processing based on consent before its withdrawal;
the right to lodge a complaint with a supervisory authority.
Please note that, under Article 17 of the GDPR, the right to erasure of personal data shall not be exercisable insofar as processing is required for the purposes of archiving for scientific research purposes and carrying out statistical surveys.
Nature of the Provision of Personal Data and Consequences of Refusal
The provision of data in relation to the processing under B) above for which consent is required is not mandatory and such data, where provided, shall not be processed without consent.
Rome, 25 May 2018
General Manager of Fondazione Telethon
in her capacity as Representative of the Data Controller
1 Pursuant to and for the purposes of the joint provisions of Article 13 of Legislative Decree 196/2003 and Article 13 of Regulation (EU) 679/2016, “processing” means any operation or set of operations performed, whether by automated means or not, on personal data or on sets of personal data, even if not recorded in a database, such as collection, recording, organisation, structuring, processing, storage, adaptation or alteration, selection, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, interconnection, blocking, restriction, erasure or destruction.