INFORMATION FOR THE PROCESSING OF PERSONAL DATA
Dr. Federico Usuelli, C.F. SSLFRC79A07F205F, VAT number 02186250961, born in Milan, 07/01/1979, professionally domiciled in Piazzale Principessa Clotilde, 4, 20121, Milan (MI), subscribed to the Professional Register of the Medical Association of Milan no. 38699, specialized in Orthopedics and Traumatology – hereinafter “Owner”;
as Data Controller, informs you pursuant to art. 13 EU Regulation no. 2016/679 (hereinafter “GDPR”) that your data will be processed, in compliance with the principles of correctness, lawfulness and relevance, with the methods and for the following purposes:
Object of the treatment
The Data Controller processes personal, identification data (for example name, surname, address, telephone, e-mail, bank and payment references) – hereinafter, “personal data” or even “data” – and data of particular relevance (suitable for revealing the state of health, sexual life or genetic data, pursuant to art.4.15 GDPR), communicated by you as necessary for the performance of the professional activities carried out by the Owner, as well as those spontaneously provided by you.
Purpose of the treatment
Your personal data are processed:
Without your express consent for the following purposes:
Providing the services offered by the Data Controller, in the regular exercise of the profession of Surgeon specialized in Orthopedics and Traumatology for the performance of health services in your favor;
Recording and archiving of radiographic exams on the OsiriX management software;
Provide technical assistance, support and contact in the performance of the services offered by the Owner;
To fulfill the pre-contractual, contractual and tax obligations deriving from relationships with you;
Operational, organizational, managerial, fiscal, financial, insurance and accounting needs related to the contractual and / or pre-contractual relationship established;
To fulfill the obligations established by law, by a regulation, by a community legislation or by an order of the Authority;
Exercise the rights of the owner (such as the right to defense in court);
Access control, corporate security and video surveillance needs;
Needs for monitoring the methods of providing professional services, the progress of relations with suppliers and the analysis and management of risks associated with the contractual relationship;
Your health data are processed without your specific and distinct consent, exclusively for the following purposes:
Carrying out medical services in your favor, in particular diagnosis, treatment or therapy, inclusion in waiting lists, booking and reporting of specialist examinations;
Providing technical assistance, support and contact in the management and performance of medical services, with the primary purpose of protecting the health of the person concerned.
Your health data will not, in any case, be processed for marketing purposes, commercial and / or promotional purposes.
Treatments that are essential for the achievement of one or more specific purposes explicitly connected to health care, and that are carried out by (or under the responsibility of) a healthcare professional subject to professional secrecy or by another person also subject to the obligation of secrecy, do not require consent from the interested party for processing, even if the data belong to the category of data of particular relevance pursuant to art. 9 GDPR.
Processing methods and retention period
The processing of your personal and health data will be carried out in a non-automated manner and is carried out by means of the following operations: collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data.
The processing of your personal and health data will be carried out both with the use of paper supports and with the aid of electronic, IT and telematic tools, according to the methods and with suitable tools to guarantee the security and confidentiality of the data, in compliance with the provisions of art. 32 GDPR and the various Provisions subsequently issued, so that at least the adequate level of data protection security required by law is guaranteed. In particular, the generation and storage of radiographic images will take place by the use of the OsiriX software.
In compliance with the provisions of art. 5, paragraph 1, lett. e) of the GDPR, your personal data are stored in a form that allows the identification of the interested party for a period of time not exceeding the achievement of the purposes for which the data are processed or according to the deadlines set by the rules of law. The verification of the obsolescence of the data stored in relation to the purposes for which it was collected is carried out periodically.
When the processing is necessary for the execution of a contract and / or the execution of pre-contractual measures, the data will be processed until the execution of this contract is completed and will be kept for the next 10 years, subject to the hypotheses of legitimate interest of the Owner in the event of lawsuits;
When the processing is necessary to fulfill a legal obligation to which the Data Controller is subject, the data will be kept as long as the law allows it;
When the processing is necessary for the pursuit of the legitimate interest of the Data Controller, the data will be kept for as long as the law permits.
Personal data will in any case be kept for the fulfillment of the obligations (e.g. tax and accounting) which remain even after the termination of the contract (art. 2220 of the Italian Civil Code); for these purposes, the Data Controller will retain only the data necessary for its pursuit and for the following 10 years, without prejudice to the hypotheses of legitimate interest of the Data Controller in the event of legal cases.
Access to data
Your identification and health data may be made accessible for the purposes referred to in art. 2, also by simply consulting or making available your data:
To employees and collaborators of the Data Controller, in their capacity as persons in charge and / or internal managers of the treatment and / or system administrators;
Natural or legal persons who, as external data processors and / or agents, provide specific services essential for the purposes referred to in art. 2;
To third-party companies or other subjects (for example, credit institutions, professional firms, consultants, insurance companies for the provision of insurance services, web hosting, e-mail marketing etc.), who carry out outsourcing activities on behalf of the Owner, in their capacity as external data processors and / or processors.
In any case, your personal data may be processed exclusively by subjects specifically appointed by the Data Controller as their managers or processors and will not be disclosed.
In any case, you can always request from the Data Controller, at any time and using the contact details indicated in this statement, a copy of your personal data, information regarding the location where your personal data are processed and an updated list with the identification details of all the managers and persons in charge of the processing and of the system administrators authorized to process your data.
Disclosure of personal identification data
Without the need for express consent (pursuant to art.24 lett. A), b), d) Privacy Code and art. 6 lett. b) and c) GDPR), the Data Controller may communicate your identification data for the purposes referred to in art. 2 A) to Supervisory Bodies (such as IVASS), judicial authorities and insurance companies for the provision of insurance services, as well as to those subjects to whom communication is mandatory by law for the fulfillment of the aforementioned purposes.
These subjects will process the data in their capacity as independent data controllers.
Your data may also be communicated to research bodies or companies, analysis laboratories, state administrations, regional administrations, local bodies (municipalities and provinces), bodies of the National Health Service, general practitioners (GP). In relation to dispute procedures, the data may be communicated to insurance companies and law firms.
Your information will not be disseminated.
Place of data processing and storage
Your personal data are processed and are stored at the reference healthcare facilities duly appointed as Data Processors.
The list of facilities can be found at https://federicousuelli.com/contatti/. In any case, you can always ask the Owner for the exact place of storage of your data.
Nature of data provision and consequences of refusing to answer
The provision of data for the purposes referred to in art. 2 lett. A) and B) is indispensable. In its absence, we cannot guarantee the services referred to in art. 2 lett. A) and B). Any refusal, albeit legitimate, to provide all or part of the above data could compromise the smooth running of the relationship with our structure and could make it impossible for us to carry out the normal performance of the professional assignment and the regular provision of the professional services requested.
Types of data processed
The types of data processed by the Data Controller are:
Personal data: any information concerning an identified or identifiable natural person;
Health data: personal data relating to the physical or mental health of a natural person, including the provision of health care services that reveal health-related information.
Rights of the interested party
In your capacity as an interested party, you enjoy the rights referred to in art. 7 Privacy Code and art. 15 GDPR and, precisely, the rights of:
Obtain confirmation of the existence or not of personal data concerning you, even if not yet registered and their communication in an intelligible form;
Obtain an indication: a) of the origin of the personal data; b) the purposes and methods of treatment; c) the logic applied in case of treatment carried out with the aid of electronic instruments; d) of the identification details of the owner, of the managers, of the representative appointed pursuant to art. 5, paragraph 2, Privacy Code and art. 3, paragraph 1, GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the State, managers or agents;
Obtain: a) updating, rectification or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including data which need not be kept for the purposes for which the data were collected or subsequently processed; c) the certification that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment proves impossible or involves a commitment of means manifestly disproportionate to the protected right;
To object, in whole or in part: a) for legitimate reasons, to the processing of personal data concerning you, even if pertinent to the purpose of the collection; b) to the processing of personal data concerning you for the purpose of sending advertising materials or direct selling or for carrying out market research or commercial communication, through the use of automated call systems without the intervention of an operator by e-mail and / or through traditional marketing methods by telephone and / or paper mail. It should be noted that the right of opposition of the interested party referred to in point b), for direct marketing purposes through automated methods extends to traditional ones and that in any case the possibility remains for the interested party to exercise the right of opposition also only partially. Therefore, the interested party can decide to receive only communications using traditional methods or only automated communications or neither of the two types of communication.
Where applicable, you also enjoy the rights referred to in articles 16-21 GDPR (right of rectification, right to be forgotten, right to limitation of processing, right to data portability, right of opposition) as well as the right of complaint to the Guarantor Authority.
How to exercise your rights
You can, at any time, exercise your rights by sending:
An email to [email protected]
Owner, manager and assignments
Data Controller Dr. Federico Usuelli, C.F. SSLFRC79A07F205F, VAT number 02186250961, born in Milan, 07/01/1979, residing in Milan in Piazzale Principessa Clotilde 4, 20121 Milan, subscribed to the Professional Register of the Medical Association of Milan no. 38699, specialized in Orthopedics and Traumatology.
The updated list of data processors and appointees is kept at the registered office of the Data Controller.
For more information regarding your privacy rights, please visit the website of the Guarantor for the protection of personal data, at the address www.garanteprivacy.it.
“The undersigned patient, user of the medical opinion he will receive online from Dr. Federico Giuseppe Usuelli (hereinafter the Professional), made on the basis of the photographic documentation sent to him, DECLARES to adhere to the following contractual conditions, concerning:
WAIVER OF LEGAL ACTION AGAINST THE PROFESSIONAL