REGULATION (EU) 2016/679
OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of April 27th 2016 concerning
THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA
(General Data Protection Regulation or GDPR)
ON THE PROCESSING OF PERSONAL DATA
1. THE PROCESSING DATA CONTROLLER
GELESIS Srl, with registered office in Calimera (Lecce) – Italy, via Giuseppe Verdi n. 188, CF/VAT N. 06508451215, is the Processing Data Controller (“Controller” or “the Company”).
You can contact the Controller writing to the registered office or sending an e-mail to the following address: EUprivacy@gelesis.com
2. PROCESSING PURPOSES
The Controller processes the Personal Datai of the Data Subjectii, for the following purposes:
a) performing the activities and services covered by a contract (commercial and/or professional agreement) with third parties, the pre-contractual measures required by the same and/or the requests management for assistance or information;
b) accounting, tax, social security and employment obligations or other legal rules;
c) adoption of measures and solutions aimed at ensuring the business continuity, the requirements of the adopted management systems and the preservation of the Company’s assets and image;
d) fulfilments in the context of safety reporting or in the context of an inspection by national competent authority, or the retention of clinical trial data in accordance with archiving obligations set up by the Clinical Trial Regulation or, as may be the case, relevant national laws.
In addition, for the following purposes:
e) participation to clinical trial projects – promoted by the Data Controller also through third companies – as well as the possible use of data from clinical trial projects for scientific purposes other than the specific and undersigned clinical trial protocol;
f) solicitation and management for applications to recruit the workforce.
3. CATEGORIES OF PERSONAL DATA PROCESSED
The Controller processes common Personal Data for the purposes mentioned in the paragraph n. 2.
In some cases, it may be necessary for the Controller to process Special Categories of Dataiii and Judicial Dataiv.
If Special Categories of Data are processed for the purposes indicated at lett. d), these Data are masked by a pseudonymized code (Alias-code) issued by the Research Unit which is the only Entity able of know this link with the natural person of the Data Subject.
4. NATURE OF THE PROVISION OF SUCH DATA
The provision of data for the purposes referred to the paragraph n. 2, letters from a) to d) must be considered mandatory for the execution of the services contractually agreed.
The provision of data for the purposes referred to the paragraph n. 2, letter from e) to f) is optional and the Controller carries out the processing on the basis of consent, i.e. through the explicit approval of this General Information.
5. CONSEQUENCES OF THE POSSIBLE FAILURE TO PROVIDE DATA
Taking into account the purposes of the processing as above illustrated, if the provision of data is to be considered mandatory, its failure provision, partial or incorrect, may determine, as a consequence, the inability to perform the agreed activities and may preclude the Controller to fulfilment of the contractual obligations assumed.
6. LEGAL BASIS FOR THE PROCESSING
For the purposes referred to the paragraph n. 2, letters from a) to c), processing is necessary for the execution of a contract of which the Data Subject is party or or in order to take steps at request of the Data Subject prior to entering into a contract. Such treatments will also have, as a legal basis, the need to fulfil legal obligations, establish, exercise or defend rights in court, the exercise of jurisdictional functions or the pursuit of a legitimate interest of the Company. In the latter case, the processing will be carried out if an interest, right or fundamental freedom of the Data Subject does not have to prevail.
For the processing referred to in point 2, letter d), the legal basis is found in Article 6, paragraph 1, letter c), in conjunction with Article 9, paragraph 1, letter i), of the General Protection Regulation some data.
For the purposes referred to the paragraph n. 2, letters from e) to f), and, in any case, for the processing of Special Categories of Personal Data, the legal basis of the indicated purpose is normally represented by the express consent, except in cases in which – limited to the processing referred to in letter e) for which a legitimate interest of the Data Controller may result in accordance with Article 6, paragraph 1, letter f), in conjunction with Article 9 (2) (j) of the General Data Protection Regulation.
The possible processing of Judicial Data, for the purposes referred to the paragraph n. 2, has, as legal basis, the fulfillment of obligations or the exercise of faculties expressly provided for by law or regulation.
7. DATA PROCESSING DURATION
The data is kept – normally – for the duration of the contractual relationship. Starting from the contractual relationship’s termination, for any reason or cause determined, the data will be kept for one year after the period of the applicable prescription terms ex lege.
The data relating to the treatments referred to in letter d) are stored in accordance with the provisions of the Clinical Trials Regulation in relation to the obligation to archive the permanent clinical trial dossier for a period of 25 years pursuant to Article 58 of the mentioned Regulation.
With regard to the purposes referred to the paragraph n. 2, letter e), without prejudice to the withdrawal of the consent, which can be exercised at any time, the data is kept for the duration of the contractual relationship and for no more than 6 months from contractual relationship’s termination or from the last contact with the Data Subject.
8. CONSENT WITHDRAWAL
With regard to the purposes for which consent is required for data processing, Data Subject will be able, at any time, to exercise the right to withdraw consent, using the data contact indicated in this information. Once the consent has been revoked, the Controller won’t be able to continue to use the Personal Data for the purposes indicated, without prejudice to the lawfulness of the processing based on consent before revocation.
9. PROCESSING METHOD
Personal Data will be processed using paper, computerized and electronic means, or by means of the operations indicated in art. 4, n. 2), GDPR, with suitable procedures to guarantee security and confidentiality, in compliance with the provisions of article 32 GDPR.
In particular, the personal data related to the processing mentioned to point 2, letters d) and e) will be treated exclusively by assigning a pseudonym code issued by another Data Controller (medical-health centers where the clinical trial takes place), such to not allow any connection with the natural person of the Data Subject.
10. SUBJECTS TO WHICH PERSONAL DATA MAY BE COMMUNICATED OR SUBJECTS WHO MAY COME TO KNOWLEDGE AS PROCESSOR OR AUTHORIZED PERSONS, AND THE SCOPE OF DIFFUSION OF DATA
For the pursuit of the purposes described in point 2 above, the Controller may need to communicate the Personal Data to third parties belonging to the following categories:
a. Authorities and/or Supervisory bodies and, in general, public or private subjects with public functions, recipients of mandatory communications;
b. subjects who, for the Controller, handle administrative, commercial, legal or fiscal/social security obligations, or personnel selection;
c. subjects who provide services for the installation, management and maintenance of the Information Technology infrastructure of the Controller.
d. International organizations and/or individuals who carry out their activities in Third countries and resulting instrumental or linked to the institutional purposes of the Company;
The subjects belonging to the above categories operate, in some cases, in complete autonomy as separate data controllers, in other cases, as Data Processors specifically appointed by the Controller.
Furthermore, for the pursuit of the aforementioned purposes referred to in point 2, Personal Data are processed and known by the employees and collaborators of the Controller, specifically designated as authorized persons, due to the different tasks assigned to each of them and the instructions given.
The list of appointed Data Processors and of the authorized persons is made available by the Controller for consultation, upon request to his contact details.
Personal Data, processed by the Controller, may be transferred to persons legitimated by virtue of current contractual relationships, in compliance with the relevant regulations.
11. TRANSFERRING DATA ABROAD
The management and storage of personal data will be carried out on servers of the Company (Data Controller) and/or of Third Companies in charge and duly appointed as Data Processor or recognized – on the basis of formalized agreement – as independent Data Controller. These servers are located within the European Union and also outside the European Union, in Countries that do not offer an adequate level of protection for such personal data, including the United States (USA).
In particular, the transferring of personal data to the USA takes place on the basis of the following provisions of art. 49 GDPR:
– lett. a) the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
– lett. b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request
The transfer of Data towards Country that do not offer an adequate level of protection imply that the political and legislative system of that Country is not fully compatible with the fundamentals Rights acknowledged by EU and local and governmental Authorities of that Country may access to Data, especially for national security reasons.
The transfer of data abroad may concern the treatments referred to in point 2 letter d) and is subject to obtaining the consent of the Data Subjects. Failure to provide consent may prevent the processing from being carried out.
If the transfer of data abroad concerns the treatments referred to in point 2 other than letter d), where it is not possible to rely on an assessment of adequacy pursuant to art. 45 GDPR, the Data Controller will request prior consent for the transfer of Data based on the provisions of art. 49 GDPR.
12. DATA SUBJECT RIGHTS
In addition to what has already been indicated in point 8 and in relation to the purposes described in paragraph 2 above, using the contact details of the Controller indicated in this information, as Data Subject, you may exercise rights with respect to the Controller expressly recognized in Articles 15 et seq. of the GDPR including:
i. to obtain confirmation of the existence or non-existence of personal data concerning you, even if not yet registered, and their communication in an intelligible form;
ii. to obtain the indication: a) of the origin of personal data; b) of the purposes and methods of the processing; c) of the logic applied in case of processing carried out with the aid of electronic instruments; d) of the identification details of the Controller, of the Processors pursuant to art. 3, paragraph 1, GDPR; e) of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as processors or authorized persons;
iii. to request and obtain – in the event that the legal basis is a contract or consent – that the data are transmitted in a structured and legible format by automatic device, also in order to communicate such data to a new data controller (so-called right to portability);
iv. to obtain: a) the updating, rectification or, when there is interest, the integration of data; b) cancellation (so-called right to be forgotten), transformation into anonymous form or blocking of data processed unlawfully, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disclosed, except in case such fulfillment is impossible or involves a manifestly disproportionate to the protected right use of means;
v. to proceed to: a) the opposition, in whole or in part, for legitimate reasons to the processing of personal data provided, even if pertinent to the purpose of the collection; b) to the request to be informed about the existence of a decision-making process aimed at sending advertising material or carrying out market research or commercial communication. Once the opposition to the processing data has been received at the address indicated in the epigraph, the personal data will no longer be processed, except to the extent permitted by applicable laws and regulations;
vi. to limit the processing of data, i.e. to allow processing within the limits of retention, for the assessment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of relevant public interest of the Union or of a Member State, in the cases provided for by the GDPR (a. the Data Subject disputes the accuracy of personal data for the period necessary for the Controller to verify the accuracy of such personal data; b. the processing is unlawful and the Data Subject opposes the cancellation of personal data and asks instead for its use limitation; c. personal data are necessary for the Data Subject to ascertain, exercise or defend a right in court; d. the Data Subject has opposed the processing, pending verification of the possible prevalence of the legitimate reasons of the Controller with respect to those of the Data Subject).
vii. Finally, the Data Subject has the right to complain to the Guarantor Authority, which may be exercised:
a) by registered letter, with return receipt, addressed to Garante per la Protezione dei Dati, Piazza Venezia n. 11 – 00187 Roma;
b) by e-mail to: email@example.com, or firstname.lastname@example.org; fax to the number: 06 / 69677.3785.