Privacy policy



A. Who are we and why are we providing you with this document?

Zenais S.r.l. is a company incorporated under Italian law, with registered office in Via Tarchetti 5, 20121 Milan (Italy), registered in the Register of Companies of the Milan Chamber of Commerce, tax code (C.F.) and VAT number 08661160963.

Zenais S.r.l. considers the protection of the personal data of its customers and/or potential customers and users to be of fundamental importance, ensuring that the processing of personal data, carried out in any manner, both automated and manual, takes place in full compliance with the protections and rights recognized by EU Regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (hereinafter the “GDPR”), by Legislative Decree 196/2003 (“Privacy Code”), as well as the measures adopted by the Supervisory Authority in execution of the tasks established by the GDPR and the Privacy Code, and by other applicable legislation, of any rank, including opinions and guidelines.

The GDPR provides that, before proceeding with the processing of personal data, it is necessary that the person to whom such personal data belongs is informed about the reasons for which such data are requested and how they will be used.

In this regard, this document is intended to provide you, in a simple and intuitive way, with all the useful and necessary information so that you can provide your personal data in a conscious and informed manner and, at any time, request and obtain clarifications and / or adjustments.

This information, therefore, has been drawn up on the basis of the principle of transparency and all the elements required by the aforementioned rules and is divided into individual sections, each of which deals with a specific topic in order to make reading faster, easier and more efficient, and the content easy to understand.

If necessary, this information may be accompanied by a specific form for the release of consent as required by article 7 of the GDPR, articulated on the basis of the further type of use we intend to make of your personal data.


B. Who will process your Personal Data?

The company that will process your Personal Data for the purposes referred to in Section G of this Notice and which, therefore, will play the role of Data Controller according to the relevant definition contained in Article 4 at point 7) of the GDPR, is:

Zenais S.r.l., with registered office in Via Tarchetti 5, 20121 – Milan (MI), Italy, registered in the Milan Company Register, Tax Code and VAT no. 11610580968 (hereinafter the “Data Controller”).


C. Who can you contact?

In order to facilitate relations between you, as an interested party, and the Data Controller and / or the Joint Data Controllers, the GDPR has provided, in some specific cases, for the appointment of a control and support figure who, among the various tasks entrusted, also acts as a point of contact with the interested party.

Zenais S.r.l. has appointed this figure, the data protection officer, pursuant to Article 37 of the GDPR (hereinafter the “DPO”).

The DPO, pursuant to and for the purposes of Article 39 of the GDPR, is required to carry out, inter alia, the following activities:

  • inform and advise the Data Controller, the Joint Data Controllers, the Data Processor as well as the employees who carry out the Processing regarding the obligations deriving from the GDPR as well as from other provisions of the Union or of the Member States relating to the protection of personal data;
  • monitor and supervise compliance with the GDPR, the applicable regulations regarding the protection of personal data as well as the policies and procedures adopted by the Data Controller and the Joint Data Controllers;
  • provide support in responding to the interested party;
  • cooperate with the competent Authority for the Protection of Personal Data.

As required by article 38 of the GDPR, you can freely contact the DPO for all questions relating to the processing of your personal data and / or if you wish to exercise your rights as provided for in Section I of this information, by sending a written communication to the e-mail address and / or by writing to the Data Protection Officer of Zenais S.r.l., via Tarchetti 5, 20121 – Milan (MI) and / or by calling +39 02 36573690.

At any time you can consult the “Privacy” section of the sites and within which you will find all the information concerning the use and processing of your personal data, updated information on the contacts and communication channels made available to all interested parties by the Data Controller.


D. What categories of Personal Data do we process?

The Personal Data we process can be both Common Personal Data and particular Personal Data.


  • Common personal data: in order to allow you to register on the portals and and the subsequent booking of the service, we will collect common personal data such as, but not limited to, name and surname, tax code, telephone number, e-mail address, home address.
  • Particular data: in order to provide the service requested by you, we also process particular data pursuant to art. 9 of the GDPR, including, in particular, data relating to health.

The data relating to health includes, by way of example, the required examination, the report, the medical prescription, the results of the examinations. In this regard, Zenais S.r.l. informs you that the registration procedure on its site and the activation of the diagnostic kits do not allow HIV tests to be performed anonymously; such tests, therefore, cannot be provided.

All Particular Data are processed in compliance with the obligations of secrecy and under the responsibility of health professionals and / or the Medical Director. The processing of data relating to health and genetic data is carried out in accordance with the GDPR and the Provision of the Authority for the Protection of Personal Data containing the provisions relating to the processing of particular categories of data, pursuant to art. 21, paragraph 1 of Legislative Decree no. 101 of 10 August 2018.


E. Why do we have your Personal Data?

You passed them on to us yourself:

  • filling out forms on our website (or other forms we ask you to fill out);
  • giving us your business card (or similar documents);
  • communicating with us by telephone, post, e-mail or other means of communication;

or we may have obtained them from a third party (e.g. a family member of yours when he contacted us).


F. Information our website and other systems collect about you:

When you visit our website, we automatically collect certain information about you and your visit, including your Internet protocol (IP) address and other information, such as the type and version of the browser you use and the pages of the site you have visited. Our website may also download so-called “cookies” to your device, as described in the separate section on Cookie Policy.
If you exchange emails, telephone conversations or other electronic communications with our employees and other staff members, our computer systems will record the details of those conversations and sometimes their content as well.


G. For what main purpose will your Personal Data be processed?

The Data Controller needs to collect some of your Personal Data. The processing of such data will be conducted by the Data Controller solely and exclusively for the following purposes:



1) To allow you to browse the site.

Legal basis: Legitimate interest (to be able to present our services to you).

2) To carry out prevention, treatment, diagnosis, rehabilitation and health or social assistance or therapy, pursuant to art. 6, par. 1, lett. e) and 9, par. 2, lett. h) of the GDPR.

Legal basis: Need to provide health care and to pursue the purposes of care. For this purpose, the data will be processed under the responsibility of a professional subject to professional secrecy or by other subjects bound by the obligation of secrecy in accordance with European Union law or national law or the rules established by the competent national bodies, pursuant to Article 9, par. 3, of the GDPR.

3) To carry out administrative activities such as issuing any documents strictly connected and essential for achieving the purposes of prevention, treatment, diagnosis or health or social therapy indicated above and in general for the protection of life and physical safety.

Legal basis: Need to provide the health service. The legal basis is of significant public interest pursuant to art. Need to provide the health service.

4) To allow the patient to consult, through digital channels, the exams carried out, also for prevention purposes.

Legal basis: Possible need to pursue the purposes of care and reasons of significant public interest. It is possible to object to this treatment at any time by writing to the Data Controller.

5) To respond to requests from the interested party regarding our services.

Legal basis: Possible need to execute a contract to which you are a party, as in the case in which your request relates to a service or product you have already purchased, or to execute pre-contractual measures adopted at your request, as in the case in which you are a potential customer. The provision of data is optional but necessary, since in case of failure to provide it we will not be able to answer your question or provide you with what is requested.

6) To process the administrative / accounting activities arising from the request for service.

Legal basis: Legal obligation arising from the relationship between the Data Controller and the Data Subject.

7) For the fulfillment of legal obligations (also related to the need to provide our services) and / or for the execution of orders from public authorities.

Legal basis: Need to pursue this purpose and reasons of significant public interest (e.g. protection from the spread of epidemics).

8) For carrying out customer satisfaction surveys in the health sector pursuant to art. 6, par. 1, lett. e) and 9, par. 2, lett. i) of the GDPR.

Legal basis: Our legitimate interest in carrying out promotional activities. It is possible to object to this treatment at any time by writing to the Data Controller.

9) To send marketing communications on products and services or information on our news.

Legal basis: Our legitimate interest in carrying out promotional activities. It is possible to object to this treatment at any time by writing to the Data Controller. In no case will we use this information to create a profile related to your tastes or characteristics.

10) To analyze or predict your habits and / or preferences regarding our services through profiling activities.

Legal basis: Your explicit consent, freely given. It is possible to object to this treatment at any time by writing to the Data Controller.


H. Nature of the provision and refusal

Except in cases of urgency, the provision of the data requested for the purposes of health care and for the administrative purposes strictly related to them, referred to in points 2) and 3) of Section G, is essential: failure to provide it could make it impossible for the interested party to access the service.

The communication of navigation data is mandatory to allow you to browse the site, but you can refuse the installation of some cookies.

If you do not agree to communicate your data, we will not be able to provide you with our services or pursue one or more of the other purposes.


I. To which subjects may your Personal Data be disclosed?

As far as possible, Zenais S.r.l. interacts with its suppliers without providing your Personal Data. However, such data may occasionally be disclosed to specific subjects considered Recipients. In this perspective, in order to correctly carry out all the processing activities necessary to pursue the purposes referred to in this Notice, the following Recipients may be in a position to process your Personal Data:

  • Data processors such as, for example, IT, banking, insurance, accounting, tax, legal, etc. service providers.

We do not disclose Personal Data, except in the event that it is requested, in accordance with the law, by Authorities, information and security organizations or other public entities for purposes of defense or state security, or the prevention, detection or repression of crimes.


J. Where will your Personal Data be processed?

We transfer your data abroad, essentially through the use of the IT services of Google LLC, a US company based in Mountain View (California) which adheres to the EU-U.S. “Privacy Shield” Agreement (


K. Do we carry out profiling activities?

Only if you give us your consent will we process your user profile through the detection of identification data, the type of services used and the pages of our website you visit, to allow you to stay updated on services and news in line with your objectives of prevention, diagnosis, treatment and health care.


L. Does the site use cookies?

Yes. To learn more and to read our policy in this regard, you can consult the information on cookies.


M. How long will your Personal Data be processed?

In consideration of the principle of limitation of the retention period, governed by Article 5, par. 1, point e), GDPR, your personal data will be processed by the Data Controller only to the extent necessary for the pursuit of the purposes referred to in Section G of this information. In particular, your personal data will be processed for a period of time equal to the minimum necessary, as indicated by Recital 39 of the GDPR, i.e. until the termination of the contractual relationships between you and the Data Controller, without prejudice to a further retention period which may be imposed by law, as also required by Recital 65 of the GDPR.

The subjects referred to in letter I may lawfully process your personal data until you communicate, in one of the methods provided for in this information, your desire to withdraw consent to one or all of the purposes for which it was asked of you. Any withdrawal of consent will in fact require the subjects referred to in letter I to cease the processing of your personal data for these purposes.

The navigation data does not persist for more than seven days (except for any need to ascertain crimes by the judicial authorities).

If you have filled out a contact form on our website or contacted us at the contact details on our website, we will keep your data until we have provided you with what you requested, unless further data retention is necessary to fulfill legal obligations or to pursue our legitimate interest in exercising or defending any right in court or out of court.

If you have signed up for one of our newsletters, we will process your Personal Data until you have unsubscribed or you have revoked your consent to the processing. However, even in this case, we will keep the information necessary to prove your initial consent (e-mail address; IP address; other IT evidence) for 10 years from the date of cancellation or revocation of consent, or from the last possible interruption of the prescription.

Zenais S.r.l. undertakes to keep your personal information accurate and up-to-date.


N. Is it possible to revoke the consent given and how?

As required by the GDPR, if you have given your consent to the processing of your personal data for one or more purposes for which it was requested, you can, at any time, revoke it totally and / or partially without prejudice to the lawfulness of the processing based on the consent given before the revocation.

The methods for withdrawing consent are very simple and intuitive: just contact the Data Controller and / or the DPO using the contact channels listed in this information in section C.


O. What are your rights?

As required by article 15 of the GDPR, you will be able to access your personal data, request its correction and updating, if incomplete or incorrect, request its cancellation if the collection took place in violation of a law or regulation, as well as oppose the processing for legitimate and specific reasons.

In particular, we report below all your rights that you can exercise, at any time, towards the Data Controller and / or the Joint Data Controllers:

  • Right of access: you will have the right, pursuant to Article 15, par. 1 of the GDPR, to obtain from the Data Controller confirmation as to whether or not your personal data is being processed and, in this case, to obtain access to such data and the following information: a) the purposes of the processing; b) the categories of Personal Data in question; c) the Recipients or categories of Recipients to whom your Personal Data have been or will be communicated, in particular if Recipients from third countries or international organizations; d) when possible, the retention period of the Personal Data envisaged or, if not possible, the criteria used to determine this period; e) the existence of the right of the interested party to ask the Data Controller to rectify or delete personal data or limit the processing of data concerning him or to oppose their processing; f) the right to lodge a complaint with a supervisory authority; g) if the personal data are not collected from the interested party, all available information on their origin; h) the existence of an automated decision-making process, including the profiling referred to in Article 22, par. 1 and 4 of the GDPR and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of this processing for the interested party.

All this information can be found in this Information which will always be available to you in the Privacy section of the websites and

  • Right of rectification: you will be able to obtain, in accordance with Article 16 of the GDPR, the rectification of your personal data that are inaccurate. Furthermore, taking into account the purposes of the processing, you will be able to obtain the integration of your personal data which are incomplete, also by providing an additional declaration.
  • Right to cancellation: you will be able to obtain, pursuant to Article 17, par. 1 of the GDPR, the deletion of your personal data without undue delay and the Data Controller will be obliged to delete your personal data if there is even one of the following reasons: a) the Data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) you have revoked the consent on which the processing of your data is based and there is no other legal basis for their processing; c) you have opposed the processing pursuant to Article 21, paragraph 1 or 2 of the GDPR and there is no longer any legitimate overriding reason to proceed with the processing of your personal data; d) your data has been unlawfully processed; e) it is necessary to delete your data to fulfill a legal obligation provided for by a community regulation or internal law.

In some cases, as required by Article 17, par. 3 of the GDPR, the Data Controller is entitled not to delete your personal data if their processing is necessary, for example, for exercising the right to freedom of expression and information, for the fulfillment of an obligation by law, for reasons of public interest, for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, for the assessment, exercise or defense of a right in court.

  • Right to limit the processing: you can obtain the limitation of the processing, in accordance with Article 18 of the GDPR, in the event that one of the following hypotheses occurs: a) you have contested the accuracy of your personal data (the limitation will continue for the period necessary for the Data Controller to verify the accuracy of such data); b) the processing is unlawful but you have opposed the cancellation of your data, requesting, instead, that its use be limited; c) although the Data Controller no longer needs it for the purposes of processing, your data is used to ascertain, exercise or defend a right in court; d) you opposed the processing pursuant to Article 21, par. 1, of the GDPR and you are awaiting verification of the possible prevalence of the Data Controller’s legitimate reasons with respect to yours.

In case of limitation of processing, your personal data will be processed, except for storage, only with your consent or for the ascertainment, exercise or defense of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest. We will inform you, in any case, before this limitation is lifted.

  • Right to data portability: you can, at any time, request and receive, in accordance with Article 20, par. 1 of the GDPR, all your Personal Data processed by the Data Controller and / or by the Joint Data Controllers in a structured, commonly used and legible format or request its transmission to another data controller without. In this case, it will be your responsibility to provide us with all the exact details of the new data controller to whom you intend to transfer your Personal Data by providing us with written authorization.
  • Right to object: pursuant to Article 21, par. 2 of the GDPR and as also reaffirmed by Recital 70, you can object, at any time, to the processing of your personal data if these are processed for direct marketing purposes, including profiling to the extent that it is connected to such direct marketing.
  • Right to lodge a complaint with the supervisory authority: without prejudice to your right to appeal to any other administrative or judicial office, if you believe that the processing of your personal data conducted by the Data Controller and / or the Joint Data Controllers occurs in violation of the GDPR and / or applicable legislation, you can lodge a complaint with the competent Personal Data Protection Authority.

To exercise all your rights as identified above, simply contact the Data Controller in the following ways:

  • by writing to the Privacy Office at Zenais S.r.l., Via Tarchetti 5, 20121 – Milan (Mi), Italy;
  • by sending an e-mail to the e-mail address for the kind attention of the Privacy Office;
  • by calling the telephone number +39 02 36573690 and asking for the Privacy Office.

We remind you that, at any time, you can also contact the DPO in the manner provided for in Section C of this Notice.


P. Glossary

Communication: giving knowledge of Personal Data to one or more specific subjects other than the interested party, the Data Controller’s representative in the territory of the European Union, the Data Processor or its representative in the territory of the European Union, and the persons authorized, pursuant to Article 2-quaterdecies, to process personal data under the direct authority of the Data Controller or Data Processor, in any form, including by making them available, by consultation or by interconnection (Article 2-ter, paragraph 4, letter a of the Privacy Code).


Cookie: small text strings that the sites visited by the user send to their terminal (usually the browser), where they are stored before being re-transmitted to the same sites at the next visit by the same user. While browsing a site, the user can also receive cookies on their terminal that are sent from different sites or web servers (so-called “third parties”), on which some elements present on the site that the user is visiting may reside (such as, for example, images, maps, sounds, specific links to pages of other domains).


Navigation Data: these are the data that the computer systems and software procedures used to operate the site acquire, during their normal operation, and the transmission of which is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified interested parties, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment. These data are used only to obtain anonymous statistical information on the use of the site and to check its correct functioning and are deleted immediately after processing.


Biometric data: Personal data obtained from a specific technical treatment relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification, such as facial image or fingerprint data (Article 4, par. 1, n. 14, GDPR).


Genetic data: Personal Data relating to the inherited or acquired genetic characteristics of a natural person that provide univocal information on the physiology or health of that natural person, and which result in particular from the analysis of a biological sample of the natural person in question (Article 4, par. 1, n. 13, GDPR).


Health-related data: Personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health (Article 4, paragraph 1, no. 15, GDPR).


Particular data: Personal Data that reveal a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data and biometric data intended to uniquely identify a natural person and the data relating to the health or sexual life or sexual orientation of the person (Article 9.1 GDPR).


Personal data: any information relating to an identified or identifiable natural person (“data subject”); a natural person is considered identifiable if they can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristic elements of their physical, physiological, genetic, psychic, economic, cultural or social identity (art. 4, par. 1, n. 1, GDPR).


Recipient: the natural or legal person, public authority, service or other body that receives communication of personal data, whether or not it is a third party (Article 4, par. 1, no. 9, GDPR).


Dissemination: the disclosure of Personal Data to indeterminate subjects, in any form, including by making them available or by consultation (Article 2-ter, paragraph 4, letter b of the Privacy Code).


Interested party: identified or identifiable natural person to whom the Personal Data refer (Article 4, paragraph 1, No. 1, GDPR).


Limitation: the marking of personal data stored with the aim of limiting their processing in the future (Article 4, par. 1, no. 3, GDPR).


Authorized Persons: persons authorized to process personal data under the direct authority of the Data Controller or Data Processor (Article 4, par. 1, no. 10, GDPR).


Profiling: any form of automated processing of Personal Data consisting in the use of such Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation, health, personal preferences, the interests, reliability, behavior, location or movements of said natural person (Article 4, paragraph 1, No. 4, GDPR).


Publication: the action by which the owner communicates information on the site, without the implementation of procedures that require the visitor to view it.


Data processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller (Article 4, paragraph 1, no. 8, GDPR).


Third party: the natural or legal person, public authority, service or other body other than the data subject, the data controller, the data processor and the persons authorized to process personal data under the direct authority of the data controller or of the data processor (art. 4, par. 1, n. 10, GDPR).


Data Controller: the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data (Article 4, paragraph 1, n. 7, GDPR).


Treatment: any operation or set of operations, carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organization, structuring, storage, adaptation or the modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction (Article 4, par. 1, n. 2, GDPR).


For all other definitions, please refer to EU Regulation 2016/679 of the European Parliament and of the Council, of 27 April 2016, relating to the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data (GDPR) and to Legislative Decree 196/2003 (Privacy Code).



