PRIVACY STATEMENT FOR SENSITIVE AND PERSONAL DATA PROCESSING UNDER ART. 13 AND 14 OF THE EU GENERAL DATA PROTECTION REGULATION (GDPR) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016

Dear Patient,

Please find below some of the provisions of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“Regulation”) on data processing performed at UPMC Institute for Health Chianciano Terme (“Center”).

UPMC Institute for Health Chianciano Terme (“Center”) is an outpatient medical center offering preventive medicine services with a special focus on digestive system and cardiovascular diseases, metabolic syndromes, and associated diseases. The goal of the Center is to offer personalized prevention by studying the cardiovascular and gastrointestinal systems (with a special focus on the liver and its functions), prescribing physical activity programs, and modifying lifestyles. The Center is the result of collaboration between the Municipality of Chianciano Terme, USL7 in Siena, Terme di Chianciano, and UPMC (University of Pittsburgh Medical Center), and benefits from the experience and know-how of UPMC and its hospitals (“UPMC Group”), with which there is an ongoing exchange of information. In its day-to-day operations the Center also utilizes data networks and information technology systems shared with the UPMC Group. As a consequence, patients referring to the Center are required to authorize the transfer of their data, including sensitive data, to the UPMC Group in the United States. According to EU regulations, the laws in force in the United States fail to guarantee adequate levels of personal data protection. By signing the Standard Contractual Clauses approved by the European Commission, the UPMC Group committed to adopt the necessary security measures to protect patient data. In the scope of the Center, the following institutions operate in compliance with their respective autonomous authorizations:

  • UPMC Italy S.r.l. (“UPMCI”), which manages the medical gym (“Gym”): a state-of-the-art innovative facility offering educational and tutoring programs to promote a healthy lifestyle for primary and secondary prevention of cardiovascular, hepatic, and metabolic diseases. The Gym programs are addressed to both private patients and public patients under an agreement with the Italian NHS.
  • UPMC Italy Health Services S.r.l. (“UPMCIHS”), fully controlled by UPMCI and managing the diagnostic activity (“Diagnostic activity”): offers specialty consults and tests to private patients, with a focus on digestive system and cardiovascular diseases, metabolic syndromes, and associated diseases.

UPMCI and UPMCIHS share the administrative and support staff and the tools used for data processing, hence qualifying for these tasks as co-data controllers (“Co-data controllers”). Clinical data are instead only processed by the institution treating the patient. If the patient decides to benefit from the services offered by both institutions, and provides his/her consent, the medical and nursing staff of UPMCI and UPMCIHS will also have access to the clinical data collected by the other institution. The co-data controllers have signed an agreement governing their roles and responsibilities. An extract of this agreement is available at the following link: https://www.upmcchianciano.it/en/accordo-di-contitolarita/

The information on your health status provided by you or by third parties (e.g. your family doctor) will be collected on paper forms or by electronic means by UPMCI and UPMCIHS. This is required in order for you to receive patient care, diagnosis, rehabilitation, and prevention services, and for the related administrative and accounting purposes.

If you sign the informed consent, UPMCI and UPMCIHS will process your data:

  • for scientific research in the medical field that will not influence your treatment and require no additional tests or therapies (CONSENT #1);
  • to receive e-mails, surface mail or SMS containing informational material on the Center’s initiatives (CONSENT #2);
  • to issue reminders of your upcoming appointments at UPMCI and UPMCIHS and instructions on how to prepare for the test (CONSENT #3);
  • to create your dossier (i.e., your clinical history at our institutions), allowing the institution that created it to access more complete information on your health status and improve patient care (CONSENT #4); to allow the clinical and nursing staff of the other institution to access your dossier (CONSENT #4-BIS);
  • to monitor and assess the effectiveness of the patient care delivered, its appropriateness and quality, and the risk factors (CONSENT #5).

With reference to the foregoing (Consents #1, #2, #3 and #5), failure to sign your informed consent shall in no way affect the medical treatment you will receive. Failure to sign CONSENT #4 may instead negatively affect the medical treatment that will in any case be provided to you by UPMCI and UPMCIHS, entailing a release of liability for the institutions’ physicians and health care providers. Please note you may withdraw your consents at any time.

Your data shall be processed by the clinical and administrative staff of UPMCI and UPMCIHS authorized for data processing, and communicated to third parties, either independent data controllers or appointed data processors, to whom some of the institutions’ ancillary services are outsourced (e.g. consultants, external laboratories).

Information on your health status will be stored for the mandatory minimum retention period established by the Region of Lombardy in the “Massimario di scarto” enforced for the health care system. Data and samples processed for research purposes are stored for the duration of the project and for the 10 years following its conclusion, and are transformed into an anonymous form. Data collected for marketing purposes will be retained for 24 months.

You have the right to access your data collected by the institutions at any time, to check that they are accurate, complete and up-to-date, and to exercise any other right granted under art. 15 of the Regulation (including the right to know who accessed your dossier and, if the conditions apply, obtain personal data in a structured form) by contacting the Center’s operations manager at dossier upmcchianciano@upmc.it or the UPMCI Data Protection Officer at DPO@upmcchianciano.it and UPMCIHS Data Protection Officer at DPO@upmcihs.it, or at the following address: Viale Roma 97/99, 53042 Chianciano Terme (SI), Italy. If conditions apply, you also have the right to file a complaint with the Italian Data Protection Authority, as supervisory authority, according to the mandatory procedures.

Addresses: UPMC Italy S.r.l. and UPMC Italy Health Services, both with registered offices in Via Discesa dei Giudici 4, 90133 Palermo (Italy); UPMC Institute for Health with registered offices in Viale Roma 97/99, 53042 Chianciano Terme (SI), Italy.

Please take some time to review the additional information contained in the leaflet you received.

Last update: August 2018