A. Who are we and why are we providing you with this document?
Zenais S.r.l. is a company incorporated under Italian law, with registered office in Via Tarchetti 5, 20121 Milan (Italy), registered in the Register of Companies of the Milan Chamber of Commerce CF. and VAT number. 08661160963
Zenais S.r.l. considers the protection of the personal data of its own and / or potential customers and users to be of fundamental importance, ensuring that the processing of personal data, carried out in any manner, both automated and manual, takes place in full compliance with the protections and rights recognized by the 2016 EU Regulation / 679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (hereinafter the “GDPR”), by Legislative Decree 196/2003 (“Privacy Code”), as well as the measures adopted by the Supervisory Authority in execution of the tasks established by the GDPR and the Privacy Code, and by other applicable legislation, of any rank, including opinions and guidelines.
The GDPR provides that, before proceeding with the processing of personal data, it is necessary that the person to whom such personal data belongs is informed about the reasons for which such data are requested and how they will be used.
In this regard, this document is intended to provide you, in a simple and intuitive way, with all the useful and necessary information so that you can provide your personal data in a conscious and informed manner and, at any time, request and obtain clarifications and / or adjustments.
This information, therefore, has been drawn up on the basis of the principle of transparency and all the elements required by the aforementioned rules and is divided into individual sections, each of which deals with a specific topic in order to make reading faster, easier and more efficient. easy understanding.
If necessary, this information may be accompanied by a specific form for the release of consent as required by article 7 of the GDPR, articulated on the basis of the further type of use we intend to make of your personal data.
B. Who will process your Personal Data?
The company that will process your Personal Data for the purposes referred to in Section G of this Notice and which, therefore, will play the role of Data Controller according to the relevant definition contained in Article 4 at point 7) of the GDPR, is:
Zenais S.r.l., with registered office in Via Tarchetti 5, 20121 – Milan (MI), Italy, registered in the Milan Company Register, Tax Code and VAT no. 11610580968 (hereinafter the “Data Controller“).
C. Who can you contact?
In order to facilitate relations between you, as an interested party, and the Data Controller and / or the Joint Data Controllers, the GDPR has provided, in some specific cases, for the appointment of a control and support figure who, among the various tasks entrusted, also acts as a point of contact with the interested party.
Zenais S.r.l. has adopted this figure of “data protection officer”, so-called “Data Protection Officer“, pursuant to Article 37 of the GDPR (hereinafter the “DPO“).
The DPO, pursuant to and for the purposes of Article 39 of the GDPR, is required to carry out, inter alia, the following activities:
As required by article 38 of the GDPR, you can freely contact the DPO for all questions relating to the processing of your personal data and / or if you wish to exercise your rights as provided for in Section I of this information, by sending a written communication to the e-mail address info@zenais.it and / or by writing to the Data Protection Officer of Zenais S.r.l., via Tarchetti 5, 20121 – Milan (MI) and / or by calling +39 02 36573690.
At any time you can consult the “Privacy” section of the sites www.zenais.it and www.dna-lab.online within which you will find all the information concerning the use and processing of your personal data, updated information on the contacts and communication channels made available to all interested parties by the Data Controller.
D. What categories of Personal Data do we process?
The Personal Data we process can be both Common Personal Data and particular Personal Data.
The data relating to health includes, by way of example, the required examination, the report, the medical prescription, the results of the examinations. In this regard, Zenais S.r.l. informs that the registration procedure on its site and activation of the diagnostic kits does not allow the execution of HIV tests anonymously which, therefore, cannot be provided.
All Particular Data are processed in compliance with the obligations of secrecy and under the responsibility of health professionals and / or the Medical Director. The processing of data relating to health and genetic data is carried out in accordance with the GDPR and the Provision containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of the legislative decree. 10 August 2018, n. 101 of the Authority for the Protection of Personal Data.
E. Why do we have your Personal Data?
You passed them on to us yourself:
or we may have obtained them from a third party (e.g. a family member of yours when he contacted us).
F. Information our website and other systems collect about you:
When you visit our website, we automatically collect certain information about you and your visit, including your Internet protocol (IP) address and other information, such as the type and version of the browser you use and the pages of the site you have visited. Our website may also download so-called “cookies” to your device, as described in the separate section on Cookie Policy.
If you exchange emails, telephone conversations or other electronic communications with our employees and other staff members, our computer systems will record the details of those conversations and sometimes their content as well.
G. For what main purpose will your Personal Data be processed?
The Data Controller needs to collect some of your Personal Data. The processing of such data will be conducted by the Data Controller solely and exclusively for the following purposes:
Purpose | Legal basis | |
1) To allow you to browse the site. | Legitimate interest to be able to present our services to you). | |
2) To carry out prevention, treatment, diagnosis, rehabilitation and health or social assistance or therapy, pursuant to art. 6, par. 1, let. e) and 9, par. 2, lett. h) of the GDPR. | Need to provide health care and to pursue the purposes of care. For this purpose, the data will be processed under the responsibility of a professional subject to professional secrecy or by other subjects bound by the obligation of secrecy in accordance with European Union law or national law or the rules established by the competent national bodies, pursuant to ‘article. 9, par. 3, of the GDPR. | |
3) To carry out administrative activities such as issuing any documents strictly connected and essential for achieving the purposes of prevention, treatment, diagnosis or health or social therapy indicated above and in general for the protection of life and physical safety. | Need to provide the health service. The legal basis is of significant public interest pursuant to art. Need to provide the health service. | |
4) To allow the patient to consult, through digital channels, the exams carried out, also for prevention purposes. | Possible need to pursue the purposes of care and reasons of significant public interest. It is possible to object to this treatment at any time by writing to the Data Controller. | |
5) To respond to requests from the interested party regarding our services. | Possible need to execute a contract to which you are a party, as in the case in which your request relates to a service or product you have already purchased, or to the execution of pre-contractual measures adopted at the request of the same, as in the case in you are a potential customer. The provision of data is optional but necessary, since in case of failure to provide it we will not be able to answer your question or provide you with what is requested. | |
6) To process the administrative / accounting activities arising from the request for service. | Legal obligation arising from the relationship between the Data Controller and the Data Subject. | |
7) For the fulfillment of legal obligations (also related to the need to provide our services) and / or for the execution of orders from public authorities. | Need to pursue this purpose and reasons of significant public interest (e.g. protection from the spread of epidemics). | |
8) For carrying out customer satisfaction surveys in the health sector pursuant to art. 6, par 1, lett. e) and 9, par. 2, lett. i) of the GDPR. | Our legitimate interest in carrying out promotional activities. It is possible to object to this treatment at any time by writing to the Data Controller. | |
9) To send marketing communications on products and services or information on our news. | Our legitimate interest in carrying out promotional activities. It is possible to object to this treatment at any time by writing to the Data Controller. In no case will we use this information to create a profile related to your tastes or characteristics. | |
10) To analyze or predict your habits and / or preferences regarding our services through profiling activities. | Your explicit consent, freely given. It is possible to object to this treatment at any time by writing to the Data Controller. |
H. Nature of the provision and refusal
Except in cases of urgency, the provision of data requested for the purposes of health care and administrative purposes strictly related to these referred to in points 2) and 3) of section G is essential: failure to provide it could make it impossible for the interested party to access the service.
The communication of navigation data is mandatory to allow us to browse the site, but you can refuse the installation of some cookies.
If you do not agree to communicate your data, we will not be able to provide you with our services or pursue one or more of the other purposes.
I. To which subjects may your Personal Data be disclosed?
As far as possible, Zenais S.r.l. interacts with its suppliers without providing your Personal Data. However, such data may occasionally be disclosed to specific subjects considered Recipients. In this perspective, in order to correctly carry out all the processing activities necessary to pursue the purposes referred to in this Notice, the following Recipients may be in a position to process your Personal Data:
We do not disclose Personal Data, except in the event that it is requested, in accordance with the law, by Authorities, information and security organizations or other public entities for defense or state security or prevention purposes, detection or repression of crimes.
J. Where will your Personal Data be processed?
We transfer your data abroad, essentially through the use of the IT services of Google LLC, a US company based in Mountain View (California) which adheres to the EU-U.S. Agreement. “Privacy Shield” (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
K. Do we carry out profiling activities?
Only if you give us your consent will we process your user profile through the detection of identification data, the type of services used and the pages of our website you visit, to allow you to stay updated on services and news in line with your objectives. of prevention, diagnosis, treatment and health care.
L. Does the site use cookies?
Yes. To learn more and to read our policy in this regard, you can consult the information on cookies.
M. How long will your Personal Data be processed?
In consideration of the principle of limitation of the retention period, governed by Article 5, par. 1, point e), GDPR, your personal data will be processed by the Data Controller limited to what is necessary for the pursuit of the purpose referred to in Section G of this information. In particular, your personal data will be processed for a period of time equal to the minimum necessary, as indicated by Recital 39 of the GDPR, i.e. until the termination of the contractual relationships between you and the Data Controller without prejudice to a further retention period. which may be imposed by law as also required by Recital 65 of the GDPR.
The subjects referred to in letter I may lawfully process your personal data until you communicate, in one of the methods provided for in this information, your desire to withdraw consent to one or all of the purposes for which it was asked of you. Any withdrawal of consent will in fact require the subjects referred to in letter I to cease the processing of your personal data for these purposes.
The navigation data does not persist for more than seven days (except for any need to ascertain crimes by the judicial authorities).
If you have filled out a contact form on our website or contacted us at the contact details on our website, we will keep your data until we have provided you with what you requested, unless further data retention is necessary to fulfill legal obligations or to pursue our legitimate interest in exercising or defending any right in court or out of court.
If you have signed up for one of our newsletters, we will process your Personal Data until you have unsubscribed or you have revoked your consent to the processing. However, even in this case, we will keep the information necessary to prove your initial consent (e-mail address; IP address; other IT evidence) for 10 years from the date of cancellation or revocation of consent, or from the last possible interruption of the prescription.
Zenais S.r.l. undertakes to keep your personal information accurate and up-to-date.
N. Is it possible to revoke the consent given and how?
As required by the GDPR, if you have given your consent to the processing of your personal data for one or more purposes for which it was requested, you can, at any time, revoke it totally and / or partially without prejudice to the lawfulness of the processing based on on the consent given before the revocation.
The methods for withdrawing consent are very simple and intuitive, just contact the Data Controller and / or the DPO using the contact channels listed in this information in section C.
O. What are your rights?
As required by article 15 of the GDPR, you will be able to access your personal data, request its correction and updating, if incomplete or incorrect, request its cancellation if the collection took place in violation of a law or regulation, as well as oppose the processing for legitimate and specific reasons.
In particular, we report below all your rights that you can exercise, at any time, towards the Data Controller and / or the Joint Data Controllers:
All this information can be found in this Information which will always be available to you in the Privacy section of the websites www.zenais.it and www.dna-lab.online.
In some cases, as required by Article 17, par. 3 of the GDPR, the Data Controller is entitled not to delete your personal data if their processing is necessary, for example, for exercising the right to freedom of expression and information, for the fulfillment of an obligation by law, for reasons of public interest, for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, for the assessment, exercise or defense of a right in court.
In case of limitation of processing, your personal data will be processed, except for storage, only with your consent or for the ascertainment, exercise or defense of a right in court or to protect the rights of a ‘other natural or legal person or for reasons of significant public interest. We will inform you, in any case, before this limitation is lifted.
To exercise all your rights as identified above, simply contact the Data Controller in the following ways:
We remind you that, at any time, you can also contact the DPO in the manner provided for in Section C of this Notice.
P. Glossary
Communication; to give knowledge of Personal Data to one or more specific subjects other than the interested party, the owner’s representative in the territory of the European Union, the manager or his representative in the territory of the European Union, the authorized persons, pursuant to Article 2 -quaterdecies, to the processing of personal data under the direct authority of the owner or manager, in any form, including by making them available, consulting or by interconnection (Article 2-ter, paragraph 4, letter a of the Code Privacy).
Cookie: small text strings that the sites visited by the user send to their terminal (usually the browser), where they are stored before being re-transmitted to the same sites at the next visit by the same user. While browsing a site, the user can also receive cookies on his terminal that are sent from different sites or web servers (so-called “third parties”), on which some elements may reside (such as, for example, images, maps, sounds, specific links to pages of other domains) present on the site that the same is visiting.
Navigation Data: these are the data that the computer systems and software procedures used to operate the site acquire, during their normal operation, and the transmission of which is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment. These data are used only to obtain anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing.
Biometric data: Personal data obtained from a specific technical treatment relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification, such as facial image or fingerprint data (Article 4, par. 1 , n.14 GDPR).
Genetic data: Personal Data relating to the inherited or acquired genetic characteristics of a natural person that provide univocal information on the physiology or health of that natural person, and which result in particular from the analysis of a biological sample of the natural person in question (Article 4 , par.1, n.13, GDPR).
Health-related data: Personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health (Article 4, paragraph 1, no. 15, GDPR).
Particular data: are Personal Data that reveal a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data and biometric data intended to uniquely identify a natural person and the data relating to the health or sexual life or sexual orientation of the person (Article 9.1 GDPR).
Personal data: any information relating to an identified or identifiable natural person (“data subject”); the natural person is considered identifiable who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social (art.4, par.1, n.1, GDPR).
Recipient: the natural or legal person, public authority, service or other body that receives communication of personal data, whether or not it is a third party (Article 4, par. 1, no. 9, GDPR).
Dissemination: the disclosure of Personal Data to indeterminate subjects, in any form, including by making them available or consulting (Article 2-ter, paragraph 4, letter b of the Privacy Code).
Interested: identified or identifiable natural person to whom the Personal Data refer (Article 4, paragraph 1, No. 1, GDPR).
Limitation: the marking of personal data stored with the aim of limiting their processing in the future (Article 4, par. 1, no. 3, GDPR).
Authorized Persons: persons authorized to process personal data under the direct authority of the Data Controller or Data Processor (Article 4, par. 1, no. 10, GDPR).
Profiling: any form of automated processing of Personal Data consisting in the use of such Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation, health, personal preferences , the interests, reliability, behavior, location or movements of said natural person (Article 4, paragraph 1, No. 4, GDPR).
Publication: the action by which the owner communicates information on the site, without the implementation of procedures that require the visitor to view it. destruction (art.4, par.1, n.2, GDPR).
Data processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller (Article 4, paragraph 1, no. 8, GDPR).
Third: the natural or legal person, public authority, service or other body other than the data subject, the data controller, the data controller and the persons authorized to process personal data under the direct authority of the data controller. or of the manager (art.4, par.1, n.10, GDPR).
Data Controller: the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data (Article 4, paragraph 1, n.7 , GDPR).
Treatment: any operation or set of operations, carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organization, structuring, storage, adaptation or the modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction (Article 4, par . 1, n. 2, GDPR).
For all other definitions, please refer to EU Regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (GDPR) and to Legislative Decree 196/2003 (Codice Privacy).