PRIVACY AND COOKIE POLICY

INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA

Meedox application last update: March 2022

Before you provide us with your personal data – in accordance with the provisions of the European General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), and of the Italian Legislative Decree no. 196/03 – it is necessary that you read a series of information to help you to understand the reasons why your personal data will be processed, what your rights are and how you can exercise them.

1. Purpose and legal basis of the processing of personal data

By using the App and accessing the relevant Service, some of your personal data, and among these also data concerning health, will be processed in accordance with current legislation on the protection of personal data. The use of the App and the Service, in particular, is connected to the processing of the following types of data:

a) your authentication data (e-mail address, username, password) necessary to access the Application and the Service;

b) technical data (such as, by way of example: operating system version, browser used, type of device, etc.) which may be acquired, in a fully automated manner, by the computer systems queried by your device, at the time of the collection and / or the sending of the data and information related to the use of the App and the Web Service;

c) personal data (such as, name, surname, date of birth, place of birth and gender) which will be processed in order to authorize particular processes related to the execution of the Service (such as, by way of example, acceptance of legal notes, definition of the visibility criteria applied to specific documents or information, expression or withdrawal of consent to consultation of the health archive by socio-health professionals, management of authorization processes for access to socio-health documents relating to minors);

d) personal data and particular personal data, and among the latter also data concerning health, contained in the documents related to the health archive;

e) summary evaluation and profiling data (e.g. the Meedox rating, or other summary indices), generic, anonymized and in any case not suitable for disclosing data that allow you to reveal your health status.

With regard to your authentication data (a), the technical data (b), and those relating to the requests referred to in point c), you are informed that such data will be processed for the strictly connected and instrumental purposes to the execution of the App and to the website functionality (including, verifying your identity, guaranteeing the confidentiality of data, allowing your device to interconnect with the health archive, authorizing particular processes and services) and, as a result, to the provision of the Service requested by you in the context of the contractual relationship with the data Controller.

For the data processed referred to in letters a), b) and c), e) the legal basis of the processing for the purposes detailed above is the consent of the data subject, pursuant to art. 6, par. 1, lett. a) of GDPR. Such data may also be processed according to any legal obligations. Only your authentication data (a) and those of a purely technical nature (b) – subject to a complete anonymization – may also be processed to develop statistical information on the use of the Application and to verify its functioning.

Data referred to in letters a), b), c), and e) may be used, with your explicit consent, for sending commercial proposals also through focused and selected analysis: sending advertising and / or commercial proposals based on the anonymized profiling of your data, implemented to be able to highlight information and commercial proposals tuned to the interests you have expressed by accessing the pages and using the services available on this website.

This information, which governs specific processing of the App and the Web Service, does not – however – relate to the processing relating to your common personal data and to the data concerning your health status, contained in the documents connected and archived on the Meedox platform (d).

The Controllers of these processing are each Italian National Health System (NHS) Entity and each Regional and Private socio-health Service that deal with the health and social-health services provided in your interest and are carried out according to the information they have addressed, as well as to the consent to the consultation of the health archive, possibly given by you.

For more information, you can consult the Information on the data processing for the HEALTH ARCHIVE.

2. Methods of data processing

The processing will be carried out with the aid of electronic or automated means, in accordance with the principles of necessity and minimization, and so only for the time strictly required to achieve the purposes pursued. The data Controller adopts adequate technical and organizational measures to guarantee an appropriate level of security with respect to the type of data processed.

3. Controller

Independent data controllers are: Meedox Srl (VAT number 15776151001) with headquarters in Italy, having email privacy@meedox.com and PEC meedoxsrl@pec.it, with regard to the processing data specifically realized by the Application and the Service; Each National Health System (NHS) Entity and Regional and Private social and health Service with regard to the processing of the data transmitted to them, or to which they have been granted access, concerning the HEALTH ARCHIVE.

4. Data Protection Officer (DPO)

Meedox Srl DPO can be contacted by sending an e-mail to the following e-mail address: dpo@meedox.com.

5. Nature of data provision

The provision of your authentication data (a) and of those of a purely technical nature (b) must be understood as mandatory. Failure to provide such data will make it impossible for the user/ data subject to access the App and the Web Application and for Meedox Srl to provide the Service.

With regard to the data processed in occasion of the “transmission requests” submitted by you to authorize particular processes (c), the nature of their conferment changes according to the object and purpose of the request. In particular, with regard to the requests necessary for the execution of the App and the Service (e.g. the request concerning the acceptance of the terms of use) the provision of data must be understood as mandatory and failure to provide it will make it impossible for the user/ data subject to access the App and for Meedox Srl to provide the Service; in relation to the requests concerning the voluntary activation, by you, of specific processes or services (e.g. the requests relating to the definition of the visibility criteria applied to specific documents or information, or the requests to modify the consent to the consultation of ‘health archive’), the provision of data is optional and failure to provide it will make it impossible for Meedox Srl and for the Entity (belonging to the NHS, the Regional Health System, the Private Health Structure, the Health Professional appointed by you) to fulfill the request you have sent.

6. Recipients and scope of data communication

Your data will be processed exclusively by the data Controller, by the appointed Processors – Meedox Srl in person of the pro tempore administrator – and any other suppliers of the Controller, and by its personnel specifically trained in the processing and protection of such data, to ensure the same level of security offered by the Controller.

The legal basis of the data referred to in letters d) and e) will be your consent, which will be requested on specific pages of the website and preceded by Meedox Srl specific information or via cookies (see cookie policy dedicated section). In this case, the provision of data is completely free, and without it the data will not be collected nor used for such purposes. Furthermore, it is possible to withdraw the consent given at any time, without prejudice to the lawfulness of the processing already carried out according to the methods indicated in the following paragraphs.

Notwithstanding the foregoing, from time to time, the Information, which indicates, among other things, the legal basis of the processing related to the requested service, is available on the website.

Furthermore, your personal data will never be disclosed to third parties, except in execution of any legal obligations. The data will not be disclosed in any way.

7. Transfer of personal data to countries outside the European Union

Data collected and processed are not transferred to companies or other entities outside the EU territory.

8. Data retention period

The processing carried out by the App involve a data retention period equal to the period of use of the App and the Service. The authentication data relating to access the Service are kept for a maximum period of 12 (twelve) months and are erased immediately after their aggregation. Once the retention period has elapsed, data may be further stored only in execution of specific legal obligations. Aggregate and anonymous data can be stored for an unlimited time.

9. Automated processes and profiling

Personal data provided are not subject to any fully automated decision-making process, including profiling, which may produce legal effects on you, or which may significantly affect your person.

10. Data Subject Rights

As a Data Subject, in the cases expressly provided for by law (Article 15 et seq., GDPR), you have the following rights:

a) ask the Controller for access to personal data concerning you, and / or their eventual rectification or erasure;

b) ask the Controller to restrict the processing that concerns you, or to object the processing;

c) require the so-called “Data Portability” (or their communication in a structured, commonly used, and machine-readable format), to be able to transmit your personal data to another Controller;

d) withdraw, at any time, the consent to the processing of data concerning you (without prejudice to the lawfulness of the processing carried out before the withdrawal of consent); e) submit claims to the supervisory authority, the Italian Data Protection Authority (Garante per la protezione dei dati personali). Your requests for the exercise of your rights must be sent to the e-mail address privacy@meedox.com, or via PEC to meedoxsrl@pec.it, or by registered mail to Piazza Sallustio 3 00187 ROME.

INFORMATION ON THE PROCESSING OF PERSONAL DATA (ART. 13 OF THE 2016/679 EU REGULATION)

WHAT IS THE HEALTH ARCHIVE

THE HEALTH ARCHIVE is the tool which allow to rebuild your clinical history; it is constitutes, in fact, the set of data and digital health and socio-health documents also generated by subjects not operating in the NHS and regarding clinical events, including past ones, that concern you. Meedox Srl will also take care of its technical and IT management, to make it accessible to the health facilities of the NHS or accredited with it and to the public and private social and health services operating throughout the national territory.

 WHAT IT’S FOR AND WHO ACCESSES IT

Personal data in the HEALTH ARCHIVE are processed with electronic tools and telematic networks for purposes of care, medical and statistical research by the subjects indicated below.

Purpose of care: With your consent, the health professionals who will treat you on the national territory at the health facilities of the NHS, accredited private facilities and social and health services operating throughout the national territory (eg . Health Protection Agency, Territorial Social-Health Authority, general practitioner / family pediatrician – MMG/PDF -, accredited private health facility), will be able to access the HEALTH ARCHIVE, consulting health information concerning you, such as hospitalizations, reports, tests performed, allergies and health characteristics. The HEALTH ARCHIVE also contains information regarding the drugs prescribed and dispensed to you. To facilitate a quick classification of your health status to the health personnel who will take care of you, in the HEALTH ARCHIVE there may also be a synthetic health profile in which the data are entered and updated by you, by a person identified by you and by your family doctor. To integrate information on your health status, it is also expected that you can enter data and health documents in your possession (for example, reports issued by private individuals).

Medical and statistical research purposes: The HEALTH ARCHIVE (without your identifying data) may be used for social, medical, epidemiological and commercial research purposes by Meedox Srl;

A specific consent will be required to use your data for research projects, other than those indicated above.

With your consent, Meedox Srl and the health structures of the NHS or accredited with it and of the public and private social and health services, will be able to access the HEALTH ARCHIVE also for health planning, for verification of the quality of care and for health care evaluation purposes. Meedox Srl (Controller) processes the data from the HEALTH ARCHIVE individually but without any reference that allows direct connection with users/data subjects and in any case in ways that, while allowing the connection of information referring to the same users/data subjects over time, make the latter not identifiable.

CONTROLLERS

Autonomous data controllers are Meedox Srl as well as the National Health System Entities and the public and private Social and Health Services that take care of the patient, where the health documents that fill the HEALTH ARCHIVE are drawn up. The lists with the identification details of the Controllers are available on the web page accessible at the page https://www.meedox.com/en/affiliated-structures/.

LEGAL BASIS OF THE PROCESSING

We inform you that your HEALTH ARCHIVE is activated and filled with the data of present and past clinical events relating to you based on the individual authorizations that you will provide during the loading phase and / or to the facility that will carry out the examination / visit. The content of your HEALTH ARCHIVE will be available – for the purpose of treatment – only by the subjects and operators practicing the health professions who are treating you, operating both in the NHS and in the socio-health services and outside of these, according to defined access methods and only upon manifestation of your specific consent on the basis of art. 9 par. 2 lett. a) of the GDPR (so-called consent to the processing). In the absence of such consent, your Archive can only be consulted by you and used only for research purposes and will not be accessible to the healthcare professionals who will take care of you.

Your personal data, anonymized and in compliance with the principles of indispensability, necessity, relevance, and non-excess and with the explicit consent that is requested, are processed by Meedox Srl for the purposes of scientific research, pursuant to art. 9 par. 2 lett. j) of the GDPR.

Additional information concerning the HEALTH ARCHIVE

In case of a child or person under tutelage, the consent is expressed by the holder of parental responsibility.

You can withdraw your consent at any time according to the methods set out in the “Additional information concerning the HEALTH ARCHIVE”, in case of withdrawal of consent to processing, the HEALTH ARCHIVE will continue to be filled and consulted with the sole function of the archive.

If you have already given consent to consult the HEALTH ARCHIVE on the basis of the previous information on data processing, this consent will be considered valid and it will not be necessary to give consent again. However, there remains the possibility for you to withdraw this consent according to the methods set out in the document “Additional information concerning the HEALTH ARCHIVE”.

Erasure of personal data and documents: You have the right to request the erasure of the data and documents present in the HEALTH ARCHIVE concerning a specific clinical event. The erasure can be withdrawn over time and can be requested at the time of the medical service or after the service.

RECIPIENTS AND SCOPE OF DATA COMMUNICATION

Your personal data will be processed by the data Controller and by specifically appointed data Processors as well as, in compliance with and within the limits of their respective duties and qualifications, by their employees, collaborators, auxiliaries, or professionals, authorized for the purpose of data processing and adequately instructed in relation to the purposes and methods to be applied to the processing operations. Your data may be communicated, for the purposes of treatment of the Service, to the NHS or to Entities accredited with it who will take care of you on the national territory, for example, the Health Protection Agencies, the Companies Territorial Social-Healthcare Services, the General Practitioner or the Free Choice Pediatrician -MMG/PDL -, the pharmacists, doctors or, again, the accredited private health structures, as autonomous Data Controllers.

DATA PROTECTION OFFICER 

We inform you that the Data Protection Officer of Meedox Srl can be contacted at the following address: privacy@meedox.com.

RIGHTS OF THE DATA SUBJECT

At any time you can consult your HEALTH ARCHIVE and view the accesses that have been made to it. As a Data Subject, in the cases expressly provided for by the GDPR (Article 15 et seq.), you have the following rights:

a) ask the Controller for access to personal data concerning you, and / or their eventual rectification or erasure;

b) ask the Controller to restrict the processing that concerns you, or to object the processing in the cases provided for by GDPR;

c) require the so-called “Data Portability” (or their communication in a structured, commonly used, and machine-readable format), to be able to transmit your personal data to another Controller;

d) withdraw, at any time, the consent to the processing of data concerning you (without prejudice to the lawfulness of the processing carried out before the withdrawal of consent); 

e) submit claims to the supervisory authority, the Italian Data Protection Authority (Garante per la protezione dei dati personali). Your requests for the exercise of your rights may be sent to the Controller.For more information on how to submit applications, you can contact the Italian Data Protection Authority (website address https://www.garanteprivacy.it/).

STORAGE PERIOD

The data in your HEALTH ARCHIVE will be kept for 1 year from death and treated anonymously exclusively for the purposes of study and scientific research in the medical, biomedical and epidemiological fields and for purposes of health planning, verification of the quality of care and evaluation of sanitary assistance. For the methods of access after death, by the heirs and / or legitimized, it is necessary to consult the FAQ (https://www.meedox.com/en/faq/).

TRANSFER OF PERSONAL DATA TO COUNTRIES NOT BELONGING TO THE EUROPEAN UNION

We inform you that your personal data will not be transferred to Countries that do not belong to the European Union.

Regulatory references: EU Regulation 2016/679; Legislative Decree of 30 June 2003, n. 196; D.L. 19 May 2010, n. 34.

Indemnity statement

The content provided by Meedox is for informational purposes only. Meedox does not provide a medical diagnosis, it is not medical advice, and it does not replace it.

The information provided by Meedox should not be considered as a substitute for advice from a doctor, specialist or other healthcare professionals.

Meedox Srl declines all responsibility for damages that could derive or be related in any way from the imprudent behavior of users. Meedox Srl refuses to acknowledge any damages deriving from the respect and / or no observance of the information provided by the Meedox applications, nor damage resulting from improper use and / or accidental malfunctions of Meedox applications and / or accidental malfunctions of the network connection.

Express consent for the use of cookies and other profiling technologies necessary for registration

In line with the company policy which provides for the utmost respect for the protection of privacy, Meedox uses:

1. Technical cookies necessary for the operation of the application:
   1. user profile
   2. registration account
   3. device information (operating system version, browser used, type of device) 
2. “Profiling cookies”. These are used to create user profiles and to send targeted advertising messages based on the preferences of the person concerned. In this case, the consent of the person is required.
3. Third party cookies. These are the cookies installed on the site / app by third parties. The Controller provides the links that guide the data subject to the information and to the consent forms provided by third parties. The data subject will give or not his consent directly to the third party.
4. Non-technical profiling cookies.

The information provided by the Controller and stored in the Controller’s computer systems (including through the use of cookies) may be cross-checked with other information obtained by the Controller. This is for analytical and profiling use and all information is pseudo anonymized.

If you wish to access or rectify the personal data in our possession, or to submit a claim, send an e-mail to privacy@meedox.com.