Co-Data Controllers Agreement

  • As of June 2014, UPMC Italy S.r.l. (“UPMCI”) has established within Terme di Chianciano S.p.a., in the scope of a collaboration with the latter, and with the Municipality of Chianciano and USL7, an important project under the name of UPMC Institute for Health, which includes a medical and integrated preventive medicine center (“Medical Center”) and a center for physical exercise and cardiology rehabilitation (“Medical Exercise and Wellness Center”).
  • As part of its reorganization process, UPMCI has decided to separate the activities of the Medical Center and confer them to a fully-owned company named UPMC ITALY HEALTH SERVICES S.r.l. (“UPMCIHS”).
  • In order to pursue and further develop its tasks, UPMCIHS will resort to resources and to training, administrative, clinical, technical, and general supporting services that will be provided by UPMCI, in a group-like rationale and operational framework. Since the operational decisions concerning personal data processing performed at the Medical Center are jointly enforced by UPMCIHS and UPMCI, these data is subject to co-data controllers pursuant to art. 26 of the EU 2016/679 Regulation. As required by this article of the Regulation, UPMCIHS and UPMCI have entered an agreement to establish their respective responsibilities. In particular, UPMCI has the task to formulate management and guidance proposals, so that data processing in the scope of the Medical Center’s operations complies with the Regulation and with the Italian privacy regulations. To this end, UPMCI provides UPMCIHS with:
    • Data processing tools (including IT systems) and indications on how to select these tools.
    • Policies, procedures, and recommendations on organizational, technical, and IT measures to adopt.
      UPMCIHS, on the other hand, is responsible for implementing the tools, policies, and measures indicated by UPMCI.

UPMCIHS and UPMCI have appointed a Data Protection Officer (DPO) to whom interested parties may refer to exercise their rights pursuant to the Regulation at