REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (GDPR)
This page informs users of the application about the policies of the Data Controller regarding the collection, use and storage of personal data when using the YouDermoscopy Service and the choices associated with such data. As established by the GDPR, and in particular, among others, by Art. 13, the data subject (the natural person to whom the data belong) can find below the information concerning the processing of their personal data.
While using the Service, the User may be asked to provide some personally identifiable information, which may be used to contact or identify the User (“Personal Data”). Personally identifiable information may include, but is not limited to: email address, telephone number, name and surname, gender, date of birth, country, confirmation of exercising the medical profession, years of experience in Dermoscopy, and usage data.
Usage data: when accessing the Service on a mobile device, some information may be collected automatically. This information includes, but is not limited to, the type of mobile device, the unique ID of the mobile device, the IP address of the mobile device, the mobile operating system, the type of mobile Internet browser used, unique device identifiers and other diagnostic data.
Identity of the Data Controller and Contact details: Meeter Congressi Srl in the person of the legal representative pro tempore, with registered office in Rome, Largo Giampaolo Borghi 3, email firstname.lastname@example.org, phone: +390633680034, website: www.meeter.it.
Purposes and legal basis of the processing: The Data are collected to provide and improve the Service, in order to carry out every operation related to the data processing for the purposes indicated hereafter, including any activities related thereto, subsequent or connected, and each activity is to be interpreted as relevant to the case in question.
- A) – Functioning of the Application and making its features, implementation or any variations to the service available to the data subject; the use, at the User’s discretion, of the application’s interactive features (Contractual);
- B) – Ordinary operations and fulfillment of taxation, contribution and administrative obligations;
- C) – Answering received requests; exercising and protecting the data subject’s rights; fulfillment of the incurred costs (Legal protection);
- D) – Monitoring the use of the service and research aimed at the creation of reports containing aggregated data for internal/private statistics (Archive) or statistical/scientific purposes, with possible transfer of data to third parties in anonymous or aggregate form;
- E) – Solution and prevention of any technical problems;
- F) – Use of data, both through traditional and electronic communication methods, for sending satisfaction/preference questionnaires and for carrying out market research; forwarding informative and/or promotional communications about the activities and services promoted by the Data Controller or possibly by third parties; and other functional activities for such purposes. The data subject may exercise, fully or partially and free of charge, their rights of opposition as stated hereafter.
- G) – The User’s personal data may be used by the Data Controller, either through electronic means (such as text messages, instant messaging, email, etc.) or traditional communication methods (such as regular mail, phone), with prior consent of the user, also for the following purposes: 1) sending informative and promotional advertising material about new products/services of the Data Controller or third-party companies; 2) direct sales and/or distribution of products/services offered by the Data Controller or third-party companies;
- H) – Subject to his/her prior consent, the User’s personal data may be disclosed to third-party suppliers who carry out activities in the marketing, large retail, telecommunications and television sectors, financial institutions, insurance companies, consultants, and other companies connected to the Data Controller. These third parties, acting as independent data controllers, may in turn use the user’s data for the same purposes as mentioned in point (G), either through electronic means (such as text messages, instant messaging, email, etc.) or traditional communication methods (such as regular mail, phone, fax and/or annexed to invoices).
The personal data collected will not be in any way made available to the general public.
[Data collection procedures]: Personal Data are freely provided by the data subject. However, for the correct performance of each activity, the Data Controller has the right to request at any time any additional data required, and to integrate, verify and compare the data through access and consultation of internal databases, databases belonging to third parties promoting, participating or involved in activities carried out by the Data Controller, or public databases. Processing of personal data means any operation concerning the collection, registration, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, deletion and destruction of data. The personal data being processed are: a) processed lawfully and fairly; b) collected and recorded for specific, explicit and legitimate purposes, and used in other processing operations that are compatible with these purposes; c) accurate and, if necessary, updated; d) relevant, complete and not excessive in relation to the purposes for which they were collected or subsequently processed; e) kept in a form which permits identification of the data subject for a period of time not exceeding that necessary for the purposes for which the data were collected and then processed.
The data are collected from the data subject. The data processing may be carried out with or without the aid of electronic or automated tools, including the use of databases, computer networks, software and processing systems. The Data Controller reserves the right to use specific data processing services or other services provided by third parties (whose categories are listed hereafter), which may be physically performed at facilities outside the headquarters. The data will be processed favouring methodologies and logics that allow their classification, consultation and analysis according to different criteria depending on the needs (e.g. quantitative or territorial criteria, score, contributions, type of activated features, etc.), all within the limits necessary for the pursuit of the aforementioned purposes.
[Categories of recipients of Personal Data]: Personal Data may be disclosed to (and consequently the Data Controller may receive them from) natural or legal persons included in the following categories, as subjects involved in the processing, or whose knowledge of the data is required for the indicated purposes:
- Institutions and their bodies; Professional boards and associations; other public entities; as well as those subjects to whom the communication is mandatory by law either in general (e.g. the Police, judicial authorities) or for the accomplishment of the purposes mentioned above.
- Third-party service operators or resellers of related products or object to contractual commitments towards the data subject, for which the communication of the personal data is required, such as: utility or payment service providers or e-commerce; channel suppliers or providers of content relating to the information society, the publishing or journalistic sector.
- Natural or legal persons, i.e. consultants and freelance professionals, individually or collectively, the Data Controller uses to obtain services in the following sectors: fiscal; social security; legal; trade union or labour; medical; insurance; advertising.
- Natural or legal persons, i.e. consultants and freelance professionals, individually or collectively, the Data Controller uses to obtain, for example, the following services: IT resources for data processing, purchase, installation, configuration and/or management of information and application systems, cloud services, networks and security, backup and recovery; filing, registration; supervision and surveillance.
- Representatives, internal control or supervisory bodies, members of the corporate structure, promoters, participants, related entities, affiliated or other related parties. A complete list of data processors can be consulted at the headquarters of the Data Controller. For any activities, carried out by recipients for additional purposes or legal matters other than those of the Data Controller, they must be considered as independent data controllers.
[Location of data processing and Transfer of data abroad]: The processing and preservation of the processed data in electronic or paper archives may take place at the Data Controller’s operating headquarters or in any other place where the parties involved in the processing are located, which should anyway be based in the territory of the European Union. The data processed with the help of applications, platforms or virtual spaces developed by macro-suppliers can also be stored at their offices, even outside the European Union.
Where the transfer of data to parties located in a third country or to an international organisation is necessary or appropriate, these transfers will be made:
- In compliance with the adequacy decisions;
- In compliance with the appropriate guarantees that are applicable;
- In compliance with the Binding Corporate Rules, if applicable.
[Period of preservation]: The personal data will be processed and stored in full compliance with the necessity principles, data minimisation and limitation of the preservation period, by adopting technical and organisational measures that are appropriate to the risk level of the data processing, and for a period of time not exceeding that necessary for the purposes for which they were processed or for the period prescribed by law. The data are stored for the time strictly necessary to carry out any processing operation that concerns the User, according to his own preferences and instructions. The data will be stored for the period of time permitted, or required, by the applicable laws and regulations in order to: fulfill the obligations imposed on the Data Controller (e.g. tax, social security); allow the availability of the activated functions, any verifications and post-supply initiatives, and the legal protection of the Data Controller regarding matters of both contractual and extra-contractual nature, involving the possible positions of third parties. They will anyway be stored until termination of the contractual relationship and for a subsequent period of 10 years. At the end of the applicable preservation period, the personal data concerning the data subject will be deleted or preserved in a form that does not allow the identification of the data subject, unless further processing is required for one or more of the following purposes:
- resolution of pre-contentious and/or contentious procedures initiated prior to the expiration of the preservation period;
- to respond to inquiries from the Italian and/or foreign public authorities received by/notified to the Data Controller prior to the expiration of the preservation period.
[Nature and necessity of data] – The data collected and processed are of a common personal nature; the provision of the requested data is obligatory, as in its absence it will not be possible to make use of the functionalities of the Application and to implement the processing of personal data for the above-mentioned purposes; without prejudice to any promotional purposes, for which the provision of personal data is optional and does not affect the data processing requested and/or carried out for the other purposes. The data subject has the right to limit or withdraw, according to the same procedures used for the provision, the consent for the legitimate processing of personal data, without prejudice to what has been processed up to that point. It remains the responsibility of the data subject to communicate any updates regarding his/her personal data.
[Disclosure] – If not already indicated in the categories of data recipients, the data provided by the data subject may be disclosed to parties – in the capacity of data processors or individuals in charge of the data processing – involved in the following activities: entering, comparing and updating data; practical processing; correspondence with third parties; stipulating or implementing contracts, agreements and projects, including with third parties, for the implementation of aspects of the service or the data processing; consultancy and technical or regulatory development at each stage of the operation; control and maintenance of the resources used, including information technology and telematic networks and external services; monitoring regularity checks of the operation; workload assessment of the internal and external bodies for the optimisation of the services and the distribution of powers.
[Dissemination] – The dissemination of personal data is not intended, except in forms that do not allow the identification, directly or indirectly, of the single individual (in anonymous or similar aggregate forms).
[Rights]: The data subject may exercise all rights pursuant to Art. 15-22 of the GDPR to:
- I. Obtain confirmation as to whether or not personal data concerning him or her are being processed, even if not yet registered, and the communication of the existing data in an intelligible form;
- II. Receive information on: a) the source of personal data; b) the purposes and methods of data processing; c) logics applied in case of data processing by electronic means; d) the identity of the Data Controller, responsible and other appointed personnel; e) subjects or categories of persons to whom the data may be communicated or who can learn about them as appointed representative in the State, managers or individuals authorised to process personal data under the direct authority of the Data Controller or the responsible in charge;
- III. Obtain a) updates, rectification or, when interested, integration of data; b) cancellation, modification in any anonymous form or blocking of the unlawfully processed data, including data that are not required to be preserved for the purposes upon which they were collected or subsequently processed; c) confirmation that the operations in points a) and b) have been notified, also regarding their content, to the persons to whom the data were communicated or disclosed, unless this requirement is impossible or involves the use of means that are clearly disproportionate to the protected right;
- IV. Object, in whole or in part: a) for legitimate reasons, to the processing of personal data, even if the processing is pertinent to the purposes of the data collection; b) to the processing of personal data for the purpose of sending advertising materials or direct sales or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by email and/or through traditional marketing methods by telephone and/or paper mail;
- V. Lodge a complaint to the Garante for the protection of personal data;
- VI. Obtain, where applicable, data portability and the right to erasure (‘right to be forgotten’).