Information regarding the processing of Personal Data on the website www.giuriatigroup.com

The company, Giuriati Group Srl, (hereinafter, Giuriati Group or Controller), pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data (hereinafter GDPRGeneral Data Protection Regulation, in English)) and Legislative Decree 196/2003 and Legislative Decree 101/2018 (Jointly, Privacy Code), hereby provides you with the following information on the processing of your personal data, in your capacity as user or while browsing the website: www.giuriatigroup.com (hereinafter, the Site).).

Data Controller and Data Processor

The Data Controller is Giuriati Group Srl, with registered office in Uruguay 20/22 – 35137 Padua, email: privacy@giuriatigroup.it

The Data Processor is Dr. Michele Camin, Giuriati Group Srl, available at the addresses indicated above.

Purposes of processing and legal basis of processing

Your personal data will be processed, in compliance with current legislation, in a correct, lawful and transparent manner for the purposes indicated below and according to the following conditions of lawfulness (Legal Basis of Processing).

Purposes of the Processing

Legal Basis of Processing

Correct and complete management of any communication or request sent to the Giuriati Group using the contact details on the Site

The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (to be understood herein as a legal relationship established between you and the Data Controller following a possible request) (Art. 6.1.b, GDPR).

Correct and complete management of reports relating to any requested information or potential adverse effects (Supervisory Activity). In particular to: (i) provide information; (ii) investigate any adverse events; (iii) contact the reporting party to obtain, if necessary, further information than that already communicated (Follow-Up); (iv) compare the information on the adverse event with information on other adverse events received by the Controller to analyse the safety of the product or of a generic component or of an active ingredient as a whole; (v) provide the competent authorities with the information required by law, so that they can analyse the safety of the product as a whole or of a generic component or an ingredient thereof.

The processing of your personal data for this purpose constitutes a legal obligation (Art. 6.1.c, GDPR). With regard to the processing of particular categories of data, it is necessary for reasons of public interest in the health sector, such as the guarantee of high quality and safety parameters of products and, where applicable, of medical devices (Article 9.2.i, GDPR).

Compliance with legal obligations. In certain circumstances, the legislation obliges us to use your personal data (in particular, for communications required by law or for administrative, accounting or tax reasons or to inform you of any security breaches that have affected your data and the measures we have taken to deal with them).

The processing of your personal data for this purpose constitutes a legal obligation (Art. 6.1.c, GDPR).

Sending information and documents, in the form of newsletters or replies following the publication of communications on the site or through social media platforms.

The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (to be understood herein as a legal relationship established between you and the Data Controller following a possible request) (Art. 6.1.b, GDPR). Upon your request, the Controller may provide you with information on the assessment of said legitimate interest carried out by the Controller.

Purposes of the Processing

Correct and complete management of any communication or request sent to the Giuriati Group using the contact details on the Site

Legal Basis of Processing

The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (to be understood herein as a legal relationship established between you and the Data Controller following a possible request) (Art. 6.1.b, GDPR).

Purposes of the Processing

Correct and complete management of reports relating to any requested information or potential adverse effects (Supervisory Activity). In particular to: (i) provide information; (ii) investigate any adverse events; (iii) contact the reporting party to obtain, if necessary, further information than that already communicated (Follow-Up); (iv) compare the information on the adverse event with information on other adverse events received by the Controller to analyse the safety of the product or of a generic component or of an active ingredient as a whole; (v) provide the competent authorities with the information required by law, so that they can analyse the safety of the product as a whole or of a generic component or an ingredient thereof.

Legal Basis of Processing

The processing of your personal data for this purpose constitutes a legal obligation (Art. 6.1.c, GDPR). With regard to the processing of particular categories of data, it is necessary for reasons of public interest in the health sector, such as the guarantee of high quality and safety parameters of products and, where applicable, of medical devices (Article 9.2.i, GDPR).

Purposes of the Processing

Compliance with legal obligations. In certain circumstances, the legislation obliges us to use your personal data (in particular, for communications required by law or for administrative, accounting or tax reasons or to inform you of any security breaches that have affected your data and the measures we have taken to deal with them).

Legal Basis of Processing

The processing of your personal data for this purpose constitutes a legal obligation (Art. 6.1.c, GDPR).

Purposes of the Processing

Sending information and documents, in the form of newsletters or replies following the publication of communications on the site or through social media platforms.

Legal Basis of Processing

The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (to be understood herein as a legal relationship established between you and the Data Controller following a possible request) (Art. 6.1.b, GDPR). Upon your request, the Controller may provide you with information on the assessment of said legitimate interest carried out by the Controller.

Categories of data processed

The Controller will process the following categories of personal data concerning you:

– in the case of your communications or requests to Giuriati Group, your personal data necessary for the correct management of your communication or request (in particular, also depending on the communication tool used: name and surname, postal address, email, telephone number, image and voice), as well as any further personal data that may be present in your message or in any materials you send to Giuriati Group;

– in the event of your report relating to the Supervisory Activity of the products marketed by Giuriati Group, the data necessary to comply with the relevant legal obligations imposed on the Controller. In particular, as the reporting party, to ensure the accuracy and relevance of the data and their verifiability for the purposes of the scientific evaluation of the reports: email address (email) or telephone number, to obtain, if necessary, more information than those already communicated (Follow-Up); as well as, for the correct management of the report,

any qualification as a professional in the medical-health sector, or type of non-healthcare worker or person in relation to the data subject to which the report refers. As the data subject to which the report refers: initials name and surname, city and country of residence, age (or age group) and/or date of birth, gender, height and weight, as well as data relating to sex life or revealing racial or ethnic origin, to the health of the data subject (medical history, any current or previous pathologies, pharmacological and non-pharmacological therapies, pregnancy, breastfeeding) (the Special Categories of Data) subject to the obligations of Supervisory Activity, in particular relating to the so-called Product Safety Information, such as adverse reactions, special situations (abuse, overdose, improper use);

– any data necessary for the fulfilment of legal obligations (such as, for example, your contact details for communications required by law or by the authority).

Data sources

Your personal data will be obtained by the Controller:

– directly from you and your interaction with Giuriati Group;

– in relation to the purpose of the Supervisory Activity, also by the Reporting Party, if it is a person other than the person to whom the report refers, as well as other companies linked to the Controller by license and distribution contracts for products.

Provision of personal data

The provision of your personal data for management of your requests is a necessary requirement to enable the Controller to follow up on your possible communication: failure to provide it would make it impossible for you to follow up on your communication (in particular, to receive a response to a request for information, assistance or an appointment).

The provision of your personal data for the Supervisory Activity and for the fulfilment of legal obligations is compulsory as it derives from legal provisions.

Data processing methods

Your data is processed by automated and non-automated tools, within a logic strictly related to the processing purposes and with methods and procedures to ensure the security and confidentiality of said data.

Categories of recipients of personal data

For the purposes indicated above, your personal data may be disclosed:

– to persons authorised by the Controller to carry out data processing procedures (employees or collaborators of the Controller)

– to the Data Processors appointed by the Controller (IT, technological and telematic service providers; Internet operators; providers of management services of the Supervisory reports; any external providers of consumer service);

– to independent data controllers (for management of your requests: telecommunication and web-based/online communication service providers, couriers and freight forwarders; for the Supervisory Activity: national and European agencies, other companies linked to the Controller by license agreements and distribution of products; for the fulfilment of legal obligations: public authorities).

In accordance with law, your data may also be transmitted to tax authorities, police forces and judicial and administrative authorities, for the detection and prosecution of crimes, prevention and protection from threats to public safety, to allow the Controller to ascertain, exercise or defend a right in court, as well as for other reasons related to the protection of the rights and freedoms of others.

Period of data retention

We keep your personal data for a limited period of time, which varies depending on the purpose of processing. After this period, your data will be permanently deleted or become irreversibly anonymous.

Your personal data will be stored in compliance with the terms and criteria specified below:

– for the management of your requests for a maximum period of 12 (twelve) months from the correct and complete management of your request;

– for the Supervisory Activity until the product is authorised for marketing and for a further period of 10 (ten) years from the lapsing, for any reason, of such authorisation;

– for the fulfilment of legal obligations for a maximum period of 10 (ten) years from the end of the calendar year in which the Controller has fulfilled the legal obligation, in order to document and be able to demonstrate that it has correctly complied with the law (for example, having correctly informed you of any security breaches that have affected your data and the measures we have taken to address them).

For technical reasons, the cessation of the processing and the consequent erasure of your personal data will take place within 30 (thirty) days from the terms indicated above.

This is without prejudice to cases where retention for a later period is required for litigation, requests by competent authorities or pursuant to applicable law.

Non-EU/EEA transfer of personal data

Your personal data may be transferred to countries outside the European Union (EU) or the European Economic Area (EEA) which, however, offer an adequate level of data protection, as established by specific decisions of the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).

The transfer of your personal data to countries that do not belong to the EU/EEA and that do not ensure adequate levels of protection will be carried out only after conclusion between the Controller and the recipients of the data of specific agreements, containing safeguard clauses, so-called standard contractual clauses, and appropriate guarantees for the protection of your personal data, also approved by the European Commission, (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en) or if the transfer is necessary for the management of your possible requests.

Rights of the data subject

As the Data Subject, you have the right to:

– to confirm whether or not personal data concerning you is being processed and, if so, to obtain access to the data and related information (in particular, the purposes of the processing; categories of personal data processed; recipients or categories of recipients to whom the data have been or will be communicated; the period of retention of the data or the criterion for determining it; the existence of the rights to rectification or erasure of the data or restriction or objection to the processing; the right to lodge a complaint with a supervisory authority; the origin of the data; the possible existence of an automated decision-making process, including profiling and, in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject; the appropriate guarantees in the event of a transfer of personal data outside the EU/EEA), as well as a copy of such personal data provided that this does not affect the rights and freedoms of others ((right to access);

– obtain the rectification of your personal data, i.e. to obtain the correction, modification or updating of any inaccurate or no longer correct data, as well as to obtain the integration of incomplete personal data, including by providing a supplementary statement (right to rectification);

– request the erasure of your personal data when they are, in particular, (i) no longer necessary with respect to the purposes for which they were collected or processed, or (ii) have been unlawfully processed, or (iii) must be erased to fulfil a legal obligation (right to erasure). Erasure cannot be carried out in the event that, in particular, the processing is necessary for the fulfilment of a legal obligation or for reasons of public interest or for the ascertainment, exercise or defence of a right in court;

– obtain the restriction of the processing of your personal data, that is, that the Controller retain such data without being able to use them. This right can be exercised only when, in particular, (i) the accuracy of the personal data is disputed, for the period necessary for the Controller to verify the accuracy of such personal data, or (ii) the processing of the data is unlawful and the restriction of their use is requested, instead of erasure, or (iii) although the Controller no longer needs it for the purposes of processing, the personal data are necessary for you to ascertain, exercise or defend a right in court (right to restriction);

– to obtain from the Controller your personal data processed on the basis of a contract, in a standard format, as well as to have it transferred, where technically possible, directly to a third party that you have specified (right to data portability).

To exercise these rights at any time, you may contact the Controller, Giuriati Group Srl, Via Uruguay 20/22 – 35127 Padua, email privacy@giuriatigroup.it in the person of

the Data Processor, Dr. Michele Camin, available at the addresses indicated above.

Complaint

If you believe that the processing of your personal data has been carried out illegitimately, you have the right to lodge a complaint with the supervisory authority (in Italy, the Guarantor for the protection of personal data, for more information www.garanteprivacy.it).

The complaint may also be submitted to a supervisory authority other than the Italian one, in the event that such supervisory authority is that of the EU State in which you habitually reside or work or that of the place where the alleged violation occurred.

Cookies and similar technologies

In relation to the use of cookies and similar technologies by the Site, see the appropriate Cookie Policy section.

Links to other websites

The Site may contain links to third-party websites (so-called third-party sites).

Giuriati Group does not guarantee or assume any liability for the content and information provided by these third parties, their completeness or accuracy, nor for the content of the websites of these third parties and the products and services that may be provided by them through these third-party sites, or for the processing of personal data of users/site browsers carried out by these third parties.

This privacy policy applies exclusively to the Giuriati Group Website.

Changes to the current policy

The constant evolution of our activities could lead to changes in the characteristics of the processing of your personal data thus far described. Consequently, this privacy policy may be amended and supplemented over time, which may also be necessary in reference to new regulatory measures regarding the protection of personal data.

The updated version of this privacy policy will be published on this page with the date of its last update. We therefore ask you to consult this page at the time of your access to the Site.