PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA
PRIVACY NOTICE FOR THE PROCESSING OF PERSONAL DATA, INCLUDING SENSITIVE AS WELL AS GENETIC DATA – Pursuant to section 13 of the General Data Protection Regulation no. 679/2016 (hereinafter “GDPR”).
Pursuant to section 13 of the GDPR, the company BIOREP Srl, with registered office in Via Olgettina, 60, 20132, Milan (hereinafter “Company” or
“Controller”), hereby represented by its pro tempore legal representative, provides you the following information on the processing of your personal and genetic data, as well as data concerning health, as defined in section 4, paragraph 1, 13 and 15 of the GDPR, for the performance of NIPT non-invasive prenatal test (hereinafter “Test”).
1. Data processing purpose
I.) For the performance of the Test of your choice the Company shall process your Personal Data and Genetic Data, as below defined, for the following
a) common personal data (hereinafter “Personal Data”), obtained also orally prior to the sampling, directly from you or through third parties,
shall be processed in order to provide you with the service requested, to manage the related administrative/legal activities, as well as for
compliance with applicable law;
b) with your explicit consent, data concerning health and genetic data (hereinafter collectively “Genetic data”), which arise from the processing
of data obtained from the genomic test (genetic information) shall be processed by the Company for the sole purpose of the Test’s execution
and for reporting laboratory results, in order to safeguard your health, with specific reference to genetic pathologies and genetic identity.
II.) Moreover, with your consent, which is optional, the Company will process your Personal Data for marketing and promotional purposes, including market research, performed by the Company, by means of both Automated Contact Solutions (e-mail, SMS, telefax, phone calls without the use of an operator), as well as Traditional Contact Solutions (ordinary post or phone calls with the use of an operator), including the sending of communications for events and initiatives promoted by the Company.
2. Data processing conditions and retention period
Personal Data shall be processed in written form and/or magnetic, electronic or telematics form as well as with automated means, using logics strictly related to the mentioned purposes and, by all means, in order to ensure the protection and confidentiality of said data. Furthermore, your Personal Data, already at the time of the data collection, shall be separated from your Genetic Data.
In particular, with regard to Genetic Data, the Company informs you that:
• The sampling, use of biological samples and the processing of your Genetic Data shall be carried out according to procedures which ensure the protection of your rights, fundamental freedom and dignity;
• the information obtained through the Test shall be retained and stored in accordance to the GDPR and the relevant decisions of the Italian Data Protection Authority;
• the storage, use and transport of biological samples shall be carried out according to procedures which ensure the safeguard of their quality, integrity, availability and traceability;
• the transfer of Genetic Data in electronic form shall be carried out through certified e-mail with prior encryption of the information transmitted and digital signature;
• access to Genetic Data processed with electronic tools shall be available upon adoption of authentication systems based on the use of information known to the persons in charge of the processing, also biometric identifiers based on digital imprint recognition;
• Genetic Data and biological samples included in lists, registers or data banks, shall be processed by means of identification codes in order to temporarily avoid their readability also to individuals authorized to access said data and the identification of the data subject is possible only in
case of necessity, in order to minimize accidental or non-authorized access to said data;
• access to the premises shall be controlled by means of surveillance guards or electronic tools which provide specific identification procedures also
by means of biometric equipment. Individuals accessing the premises following closing time shall be identified and registered through nominal badge.
3. The provision of data
The provision of your Personal Data is necessary for the purposes listed in section 1) letters I.) a) and I.) b), therefore refusal to provide such data may not allow the Company to provide you with the requested service. The provision of Personal Data for marketing and promotional purposes described in section 1) letter II.) above is optional, therefore refusal to provide such data will only prevent the Company from sending you promotional messages, but it will not affect performance by the Company of the service that you requested.
With regard to consent for the processing of Genetic Data, the Company informs you of the following:
• You may revoke your consent and/or object to the processing of your Genetic Data for legitimate reasons; it is however understood that this will
not allow the Company to perform the Test and consequently reporting laboratory results;
• You have the right to limit the communication of Genetic Data and the transfer of biological samples; it is understood that the exercise of such
right may determine the impossibility for the Company to perform the requested service;
• Unexpected additional information the Company may obtain following the Test results shall not be processed without your explicit consent.
4. Communication of Personal Data
Your Genetic Data shall be made available directly to you or to an individual you have authorized in writing, upon adoption of all means necessary to
avoid unauthorized access.
Your Genetic Data may be made available to the Processor of the Business Technology function and the Controller’s duly appointed individuals as well as to external Processors, the list of which is available upon your request.
Genetic Data shall not be disseminated, and the biological samples shall not be made available to third parties.
Your Personal Data may be transferred to the following recipients, for purposes functional to providing you with the requested service, compliance with applicable laws and regulations:
• Subsidiaries, associated or controlled companies (the list of companies is available upon request);
• Credit institutions;
• Credit recovery companies;
• Credit insurance companies;
• Professionals and consultants;
Your Personal Data shall not be transferred to a third country out of the European Union.
Your Personal Data may also be transferred to appointed “External Processors” (including companies involved in commercial promotion used by
the Controller for the purposes described above) and “Persons authorized to the data processing” appointed by the Controller such as staff members of the Business Technology and Customer Care functions.
5. Data retention
Your Personal Data and Genetic Data shall be stored only for the period necessary to perform the service requested and the related legal/administrative obligations.
6. Data subject’s rights
As data subject you may exercise your rights granted by section 15 of the GDPR and thus, you have the right to lodge a complaint with the competent data protection supervisory authority, to access to your Personal Data, to obtain from the Company confirmation as to whether or not data concerning you is processed, to request rectification of your Personal Data, to obtain from the Company the rectification of inaccurate Personal Data, to request erasure of Personal Data, to request restriction of processing of Personal Data, to request data portability, to object to the processing of Personal Data (including the processing of Genetic Data) You can exercise your rights, with no formalities, by contacting the Controller.
Furthermore, as data subject, should you wish to object to the processing of your Personal Data for the marketing and promotional purposes, with regards to the sending of communications for marketing and promotional purposes, by means of Automated Contact Solutions, we inform you that such objection shall concern also the Traditional Means of Contact, without prejudice to the possibility to restrict your objection right to one of the two contact solutions (Automated or Traditional).
7. Data Controller and Data Processor
The Controller is the company BIOREP Srl, with registered office in Via Olgettina, 60, 20132, Milan, hereby represented by its pro tempore legal
representative, Tel. 02 58014369, Fax. 02 58010471, internet website: www.biorep.it. The data protection officer can be contacted at the following address: GDPR@biorep.it.
The updated list of the processors which may access your data is available upon request to the Controller.