As per section 13 of Italian Law Decree n. 196 dated June 30, 2003 (“Privacy Law”), section 13 of the European Regulation n. 679 dated 2017 (“Data Protection Regulation”), Ruling n. 229 dated 2014 of the Italian Personal Data Protection Authority as well as Recommendation n. 2 dated 2001 adopted as per section 29 of Directive n. 95/46/CE, AIM Italy S.r.l. (hence, the “Controller” or “AIM”) intends to inform its Users on the use of their personal data, of the log files and of the so-called cookies gathered by means of navigation of the Site https://www.cipa2023florence.org/ (hence the “Site of the Congress”) and the subscription to the related “keep me updated” service (hence, the “Keep me update Service”), which has the purpose of updating the Users on all initiatives held during the CIPA 2023 (hence the “Congress”).
1. Controller, Processor and Data Protection Officer
The controller of the personal data processing is AIM Italy S.r.l., with legal offices in Via Giuseppe Ripamonti n. 129, 20127 Milano, Italy, Italian fiscal code 00927270587, Italian VAT number 00943621003, phone 02566011, fax 0256609045 ed email email@example.com
The updated list of Data Processors, where nominated, can be provided upon request by the Users.
In case a Data Protection Officer is nominated (as per section 37 of the Data Protection Regulation), his/her identity will be announced by means of publication of an integration to the current information sheet.
2. Information and data collected automatically by the Site of the Congress
Similarly to all web-sites, Site of the Congress uses log files in which information is automatically collected and preserved during the Users’ visits.
The collection information regards the following:
internet protocol address (IP);
type of browser and parameters used to create connection to the Site of the Congress;
name of the internet service provider (ISP);
date and time of the visit;
web-page of provenance (referral) and destination after exit by the User;
number of clicks, where applicable.
This information is processed automatically and collected exclusively in an aggregated way in order to monitor the correct functioning of the Site of the Congress.
3. Data voluntarily introduced by the Users: ways and purposes of use
For simple navigation of the Site of the Congress, there is no need to register, but, in order to be able to receive the Keep me update Service, we need to gather some information regarding the Users. In any case, AIM commits to using the personal data of Users exclusively in the ways, terms and for the purposes listed as follows. The Controller processes personal data of Users for the following purposes:
· executing the Keep me updated Service, updating the Users on all of AIM’s initiatives held during the Congress;
· performing administrative obligations related to the usage of Keep me updated Service (e.g. for information requests, complaints, etc.);
· performing legal obligations;
· executing technical management of the Site of the Congress;
· sending AIM documentation to update the Users on all other projects, initiatives and future events promoted by AIM, by means of both automated tools (such as newsletters, e-mails, SMS’s, MMS’s, robocalls, etc.) and traditional communication tools (hardcopy mail and/or operator calls).
The Keep me updated Service will be provided by means of automated tools (such as, e-mail, SMS, MMS, robocalls, etc.).
The data provided by Users will be processed predominantly with information systems under the authority of the Controller, by third parties specifically commissioned, authorized and instructed to the processing as per section 30 of the Privacy Law and of sections 28 and 29 of the Data Protection Regulation. Appropriate security measures, also as per sections 5 and 32 of the Privacy Data Protection, will be adopted to prevent loss of data, illicit or inappropriate uses and unauthorized access.
4. Optional or mandatory nature of data transfer, consequences of denial and juridical basis of the processing
In order to provide the Keep me updated Service, as well as for the purposes listed at items (ii), (iii) and (iv) of preceding section 3, transfer of the Users’ personal data is mandatory, as otherwise the the Users could not be updated on all initiatives promoted and organized during the Congress.
On the contrary, the transfer of the Users’ personal data is not mandatory but optional for the purpose listed at item (v) of preceding section 3 and denial of transfer will have the only consequence of not being able to receive the AIM documentation to update the Users on all other projects, initiatives and future events promoted by AIM.
Thus, with reference to the items (i), (ii), (iii) and (iv) of preceding section 3, the juridical basis of the processing is the provision of the Keep me updated Service (as per section 6, paragraph 1, letter b) of the Data Protection Regulation); instead, with reference to the purpose listed at item (v) of preceding paragraph 3, the juridical base for processing is the Users’ consent (as per section 6, paragraph 1, letter a) of the Data Protection Regulation).
5. To whom and in which context the Controller may transmit the Users’ personal data
The Users’ personal data may be communicated within the European Union, in full compliance of the provisions of the Privacy Law and the Data Protection Regulation, to the following entities:
· to public authorities, where this is mandated by law or required by the authorities;
· to the external structures/companies the Controller uses for the execution of activities related to the provision of the Keep me updated Service;
· to external consultants, if not nominated Data Processor;
Above entities, to whom the Users’ data can be communicated (if not nominated Data Processor or co-responsible), will treat the Users’ personal data in their quality of Controllers as per the applicable norms, in full autonomy, not being connected to the original processing executed by AIM.
6. Users’ rights
Individual Users can exercise their rights as per section 7 of the Privacy Law and subsequent modifications and integrations, as well as sections 15, 16, 17, 18, 20 and 21 of the Data Protection Regulation at any time, by sending a written note to the Controller’s addresses as listed in preceding section 1 and thus obtain:
· confirmation or denial of the existence of personal data of the User with indication of the related origin;
· access, rectification, cancellation of the personal data or their limitation of processing;
· cancellation, anonymization or blocking of personal data processed in violation of the law.
Individual Users may moreover oppose to the processing of the data that relate to them, as well as revoke at any time their consent to personal data processing (without prejudice to the legitimacy of the processing based on the consent conceded previously to revocation).
As any consent conceded by Users to be contacted by means of automated tools for the purpose listed at item (v) of preceding section 3 extends to traditional tools as well, the Users may contact AIM at any time at the addresses indicated above, to exercise their right of (partial) opposition with reference to one or another of the above mentioned modalities.
7. Duration of the processing
Except for legal obligations and for the hypothesis in which Users conceded their specific consent for the receiving, from AIM, of updates on all other projects, initiatives and future events promoted by the latter, the Users’ personal data will be conserved for the mere duration of the Congress. In any case, the processing will not have a duration exceeding 5 years from the date of registration to the Keep me updated Service, as long as Users have not requested cancellation before. Notwithstanding the above, AIM may conserve some personal data of Users also after the request for termination of processing, exclusively for the scope of defending or safeguarding its rights, or in those cased as defined by law or by order of a judicial or government authority.
8. Security measures
By means of the Site of the Congress, the Users’ personal data are processed in respect of applicable law and adopting appropriate security measures, in compliance with the regulations in force, also as per sections 5 and 32 of the Data Protection Regulation.
In this regard, we confirm, among other things, the adoption of appropriate security measures with the scope of inhibiting unauthorized access, theft, publication, modification of unauthorized destruction of the Users’ data.
9. Modifications to the Privacy Information Sheet
The current Information Sheet is subject to modifications by the Controller; AIM will communicate the modifications to the Users by mail, with a prenotice period of at least 15 days with respect to the date in which the new Information Sheet will apply.
DATA PROTECTION INFORMATION SHEET FOR PARTICIPANTS TO EVENTS
AIM Italy S.r.l. (hence, the “Controller” or “AIM”), in its quality of Data Processing Controller, as per section 13 of the EU Regulation n. 679/2016 (hence, the “Data Protection Regulation”), and subsequent modifications and integrations, collects and subsequently processes personal data of the participants (hence, the ’“Data Subject”) – including as teachers or learner – to the congress and/or other scientific or training event (hence, the ’“Event”), also held remotely.
The contact details of the Data Protection Officer (as per section 37 of the Data Protection Regulation) designated by AIM can be found at the following link https://www.aimgroupinternational.com/company-information.
1. Scopes and ways of processing.
The personal data of Data Subjects are processed in the context of AIM’s commercial activity, for the following scopes:
subscription and participation to the Event;
fiscal, administrative and accounting duties strictly connected to above participation;
execution of specific duties prescribed by law, regulation or EU norms (such as administration of credits for Continuing Medical Education);
distribution free of charge of documentation relating to the Event;
use of the imagine and/or voice of the Data Subject as recorded during the Event, or sent/uploaded by the Data Subject itself, in videos, audio recordings and/or photographs of the Event published on the web-site and social networks of AIM Group as well as on the web-site, the social networks and the digital platform of the Event, if any
receipt of documentation from AIM in order to be updated on all its projects, initiatives and events, both my means of automated tools (such as newsletters, e-mails, SMS, MMS, robocalls, ecc.) and by means of traditional tools (hardcopy mail and/or operator calls) in the same area of interest.
The processing of the personal data is executed, under authority of the Controller, by entities specifically Designated, authorized and instructed for the processing as per section 2-quaterdecies of Italian Law Decree n. 196 dated June 30, 2003, as amended by Italian Law Decree n. 101 dated August 10, 2018 (hence, the “Privacy Law”) and as per sections 29 of the Data Protection Regulation, by means of manual, automated or telecom tools, with logics strictly connected to the scopes and in any case in such a way as to guarantee confidentiality and security of the personal data.
2. Juridical basis for processing, nature of transfer and consequences of denial, consent by Data Subject.
With reference to the scopes listed at preceding section 1, items 1., 2., 3., 4.,5. and 6, transfer of the personal data is mandatory and represents a necessary condition to the subscription and subsequent participation to the Event and receipt of documentation from AIM about future projects, initiatives and events in the same area of interest; indeed, failure to transfer will determine impossibility of subscribing the Data Subject to the Event and of involving him/her in any initiative of the Event or other AIM’s future projects, initiatives and events of the same area of interest; thus, the juridical base of the related processing is the full participation to the Event and the next update on AIM’s future projects, initiatives and events of the same area of interest, as per section 6, paragraph 1, letter b) of the Data Protection Regulation.
3. Entities and categories of entities to which the personal data may be communicated and context of communication.
With regards to the scopes of the processing as indicated above, and within the strict boundaries of pertinence to these scopes, the personal data of the Data Subject will be communicated in Italy, in the European Union or beyond the European Union, to the following entities, for the scope of subscription and subsequent participation to the Event:
(i) to fiscal Authorities and other public Authorities, where mandatory by law or upon their request;
(ii) to financial institutions for the execution of payments related to the subscription;
(iii) to the structures and/or external companies that AIM uses for the scope of executing connected activities, instrumental or consequent to subscription and subsequent participation to the Event (such as press services, data processing and IT consultancies, promotional activities by companies participating to the Event, mailing of the event’s program, credits for Continuing Medical Education, hotel reservations etc.);
(iv) to external consultants (e.g. for management of fiscal duties) if not designated Processors in writing;
(vi) taking into account the fact that AIM is part of an international Group: to controlling, controlled or connected companies, for administrative and accounting scopes.
Above entities, to whom the personal data of the Data Subject will be or may be communicated (insofar as not being designated Processors), will treat the personal data as Controllers according to the Data Protection Regulation, in full autonomy, being completely separated from the original processing executed by AIM.
Without the consent to communication of the personal data and to related processing, in those cases where it is foreseen as by Data Protection Regulation, the operations which require the communication might not be executed, with consequences known to the Data Subject.
A detailed and constantly updated list of these entities, including their respective offices, is always available at AIM’s legal offices.
As mentioned before, the image or the voice of the Data Subject recorded over the course of the Event, or sent/uploaded by the Data Subject itself, may be used in videos, audio recordings and/or photographs of the Event, published on the web-site and the social media of AIM Group, as well as on the web-site, the social media and the digital platform of the Event itself, if any.
Whenever necessary for the execution of the contract, the personal data of the Data Subject may be transferred to countries within the European Union and/or to countries outside the European Union, in full compliance with the norms of the Data Protection Regulation, the rulings and decisions of the related data protection authority as well as the EU regulations.
In particular, where necessary, AIM commits to complying with the norms defined by, respectively, decisions 2001/497/CE, 2004/915/CE and 2010/87/EU (according to the specific case), which oblige to the signing of so-called “typical contractual clauses” between the juridical entities involved in data processing outside of the European Union.
4. Rights of the Data Subject.
Sections 15 and following of the Data Protection Regulation grant the Data Subject the right to obtain:
confirmation or denial of existence of personal data related to the Data Subject, even if not yet registered and their communication in an understandable format;
indication of the origin of the personal data, of their scopes and of their ways of processing, of the logic applied in case of processing by means of electronic tools and of the identifying details of the Controller;
update, rectification, integration, cancellation, transformation into anonymous data or blocking of data treated in violation of the law – including data for which conservation is not necessary for the scopes for which they were collected and subsequently processed. Documentation of these operations, also pertaining to their content, is brought to the attention of the Data Subjects whose data have been communicated or published, except for the case in which this duty is impossible to perform or requires the use of tools which are obviously disproportionate in relationship to the granted right.
Moreover, the Data Subject has the right to:
oppose, partially or completely, for legitimate reasons, to processing of his/her personal data, even if coherent with the scope of collection;
propose a complaint to the Data Protection Authority as foreseen by the Data Protection Regulation.
In order to know the detailed and constantly updated list of the entities to whom personal data of the Data Subject may be communicated and to exercise the rights granted by sections 15 and following of the Data Protection Regulation, in accordance with section 12 of Data Protection Regulation and within the limits of section 2-undecies of the Privacy Law, the Data Subject may contact the Data Processing Controller at the following addresses:
AIM Italy S.r.l.
Via Giuseppe Ripamonti n. 129 – 20141 Milan – Italy
Phone: +39 02 56601.1 – Email: firstname.lastname@example.org.
5. Duration of the processing.
Except for legal obligations and for the Data Subject’s updates on all other projects, initiatives and future events promoted by AIM, the personal data of the Data Subjects will be conserved only for the Event’s duration. In any case, the processing will not have a duration exceeding 5 years from the date of the provision of the update service from AIM, as long as the Data Subject has not requested cancellation before. Notwithstanding the above, AIM may conserve some personal data of the Data Subject also after the termination of processing, exclusively for the scope of defending or safeguarding its rights, or in those cased as defined by law or by order of a judicial or government authority.
 As per section 4 of the Data Protection Regulation, “personal data” means any information relating to an identified or identifiable natural person (‘data subject‘); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.