Dear Customer,
Dermacademy Institute srl (hereinafter the Institute), Data Controller with registered office in Pisa, Via Darsena, 2 – ZIP Code 56121, hereby provides information on the methods by which personal data are processed, in accordance with Articles 13 and 14 of the GDPR.
The Data Controller, who may be contacted at the following email address: dottgiovannimenchiniermacademy.it or certified email address dermacademy@pec.it, informs you about the ways in which personal data are processed for the following purposes:
- booking medical consultations;
- diagnosis, treatment, and related administrative purposes;
- tax and accounting obligations;
- management of contractual and pre-contractual relationships.
For certain processing activities, the Institute will process data as joint controllers together with Dermacademy srl pursuant to Article 26 of the GDPR, following the signing of a specific agreement.
In carrying out the above-mentioned activities, both personal data (e.g. first name, surname, tax code, residence, year of birth, domicile, etc.) and special category data (e.g. data relating to health status) are processed.
The provision of personal data is necessary for the delivery of the institutional activities of the Institute, and failure to provide them will make it impossible to ensure such activities.
Data Protection Officer
The Data Controller has appointed, pursuant to Article 37 of the GDPR, a Data Protection Officer who may be contacted at the email address dermacademy.dpo@gmail.com.
Categories of data subject to processing
The data subject to processing include identification data such as first and last name, personal details, residential address and/or domicile address if different from the residential address, contact details such as telephone number and email address.
With reference to special categories of data pursuant to Article 9 of the GDPR, the Data Controller may process, by way of example and not limited to, data relating to health status or data relating to criminal convictions or offenses pursuant to Article 10 of the GDPR.
Legal basis for processing
The processing of personal data necessary for the management of the institutional activities of the Institute is based on points a), b), and c) of Article 6 and points a) and h) of paragraph 2 of Article 9 of the GDPR.
Source from which personal data originate
The personal data processed by the Institute are provided by the data subjects themselves or, where provided for by the joint controllership agreement, by Dermaveris Institute, or may be obtained from third parties.
Methods of processing
The processing of personal data, in both paper and electronic form, is carried out by specifically authorized individuals pursuant to Articles 28 and 29 of the GDPR and Article 2 quaterdecies of Legislative Decree no. 196/03, following the adoption of appropriate security measures pursuant to Article 32 of the GDPR and in compliance with the principles of lawfulness, purpose limitation, and data minimization pursuant to Article 5 of the GDPR.
Retention period of personal data or criteria used to determine such period
Personal data are retained by the Data Controller, pursuant to Article 5 of the GDPR, for 10 years from the last service provided and in any case no longer than the period required by applicable legislation, after which they are destroyed whether processed in paper or electronic form.
Recipients or categories of recipients to whom personal data may be disclosed
The Data Controller may disclose the personal data of Data Subjects exclusively to the healthcare and medical personnel collaborating with the Institute, to Dermaveris Institute where provided for by the Joint Controllership Agreement, and to parties to whom disclosure is required by law, who will subsequently process the data as independent Data Controllers. Your data will not be disseminated.
Transfer of personal data
The personal data subject to processing are not transferred outside the European Union and the European Economic Area. It is understood that, should it become necessary, the Institute may transfer servers outside the EU, ensuring from now on that any such transfer will take place in compliance with applicable legal provisions, following the signing of the standard contractual clauses provided by the European Commission and in accordance with Chapter V of the GDPR.
Rights of the data subject
The Institute informs you that you may exercise the rights provided for in Articles 15 to 22 of the GDPR, namely obtaining access to personal data, rectification if inaccurate, completion if incomplete, and, in the cases established by law or regulation, restriction, deletion, or objection to processing by sending a specific request to the above-mentioned Data Controller or to the Data Protection Officer, who may be contacted at the following email address: dermacademy.dpo@gmail.com. In cases involving rights related to activities carried out under joint controllership with Dermaveris, you may contact the Institute’s DPO at the following email address: rpd@dermaveris.it. In any case, if the data subject believes that their data are being processed in a manner not compliant with current legislation, they may lodge a complaint with the Data Protection Authority or file an appeal with the competent judicial authority.
