Privacy

Privacy policy statement pursuant to Article 13 of the European Data Protection Regulation 679/2016, hereinafter referred to as GDPR
  

1. This privacy policy

1.1 Conscious of the importance of guaranteeing the security of private information, in compliance with the applicable Italian and European legislation, EDRA S.p.A. hereby describes the methods of processing of personal data of those people ("User", "Users") who connect to this Website, either directly or through a link from another website. 
 
1.2 This Website contains links to other websites: this Privacy Policy does not cover those other websites that may be consulted by the User via links. They may contain "information on the processing of personal data" that differs, in whole or in part, from this Policy. Therefore, Edra S.p.A. invites the User to examine the privacy policy of each website to which he or she is connected before entering any personal information therein. 
 
1.3 This Privacy Policy applies exclusively to personal data processed through and on this Website. It does not apply to the processing of data through other means (e.g. telephone, mail, etc.). 
 
1.4 This is the current Privacy Policy, updated to the date appearing at the bottom of the page: EDRA S.p.A. reserves the right to modify and update it at any time. 
 
1.5 EDRA S.p.A.'s statements hereinafter integrate the Legal Notes (Terms and Conditions of Use) of the Website but are not of a contractual nature and, therefore, do not generate contractual obligations towards the User and corresponding rights of the User. 
 
2. Data Controller

2.1 The Data Controller is EDRA S.p.A., with Tax Code and VAT number 08056040960, with registered office in Milan, via Spadolini 7, a company incorporated under Italian law.
 
3. Personal data processing location  

3.1 The processing of personal data related to the consultation of the Website takes place at EDRA S.p.A.'s registered office indicated above. The data are stored at a Data Center located at EDRA S.p.A.'s registered office in Milan and at the Elmec Informatica Data Center located in via Pret n. 1 Brunello (VA), appointed as External Data Processor pursuant to Article 28 GDPR. 

4. Type of data processed

User traffic and browsing data provided by the user's computer 
 
4.1 During normal operation, the IT systems and software procedures used to operate the Website acquire certain personal data, the transmission of which is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of the computers used by Users who connect to the Website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the User's operating system and computer environment. This data constitutes the access log. 
 
4.2 The Website also acquires and stores URL (Uniform Resource Locator) sequence data identifying the resources visited or searched for by the User on the Internet (e.g. web pages, documents, images, etc.), including the date and time of access and their content. 
 
4.3 The Website also acquires data and information from the User's computer through the use of permanent and/or "session" cookies:
 - Permanent cookies: during normal operation, the Website's computer system sends some data from the EDRA S.p.A. server to the User's browser which are stored on the hard disk of the User's computer to allow him/her to browse some specific reserved areas of the Website. 
 - Session cookies: the Website's computer system sends some data consisting of random numbers generated by the server, the so-called session cookies, which are not permanently stored on the User's computer and, therefore, disappear when the computer is shut down. The sending of such data serves to enable the transmission of session identifiers, which are necessary for the safe and efficient exploration of the Website and to collect information on the use of the Website by the User.
 Any profiling cookies are processed for the sole purpose of enabling the use of personalized banners. No targeted advertising will be sent through the use of such cookies. Consent to the use of these cookies must be expressed by accepting the use of the website in accordance with the Privacy Guarantor's Provision of June 4, 2014. 
 
4.4 Most of the Users' browsers are set up to automatically accept cookies, but the User can set his or her browser to deactivate the reception and saving of new cookies once and for all or on a case by case basis; or he or she can set his or her computer to receive a warning when it is about to store a cookie. If cookies are deactivated, the User will be able to access the Website but may not be able to browse specific and/or reserved areas of the same. 
 
4.5 Generally speaking, the Website acquires and stores - and sometimes discloses to third parties - all the browsing data described above exclusively in anonymous and aggregate form. The processing of this data allows the Data Controller to manage and control the proper functioning of the Website and to carry out statistics and sampling for promotional or scientific purposes.
 
Data provided by the User on a voluntary basis. 
 
4.6 Sometimes the Website may ask the User to provide certain personal information such as, for example, name and surname, professional domicile, telephone number, e-mail address, etc. The provision of such data depends solely on the User's wishes and is, therefore, entirely optional.
 
4.7 To access certain content of the Website in specific reserved areas and to be able to take advantage of the full functionality of the Website, the User is required to: 
 - obtain a set of unique keys (Username and Password) through a registration procedure;
 - then, at each new session, enter the Username and Password for recognition by the authentication system.
 
4.8 The personal data collected from the form filled in by the User during voluntary registration (Registration Data) consists of information relating to the User's contacts, such as, for example: name and surname or company name, association or body, professional title, postal address, electronic address, telephone number, fax number. The Website's computer system automatically associates this data with the Username and Password chosen by the User and links them to an account. When accessing the Website after the initial access, it will only be possible to access the personal registration data by typing in the Username and Password; therefore, the User is fully responsible for the proper storage of his/her Username and Password. 
 
Data provided by third parties
4.9 Sometimes, the Website's computer system also processes personal data and contacts of Users published in public categorical lists (e.g. single database of telephone subscribers, databases of professional orders, databases of social security institutions of medical and health categories, etc.). As such, these data may be processed by EDRA S.p.A. as autonomous data controller, in compliance with the provisions of the GDPR and in particular with the provisions on unsolicited communications (e-mail, Sms, Mms, electronic fax). 

5. Processing purposes

The personal data provided will be processed for the following purposes:
 
5.1 Activities strictly related and functional to the operation of the services: for example, allowing the User access to the services offered and displaying the Website content; allowing the User to receive the products or services requested, fulfilling the orders received; responding to the User's questions and requests; 
 
5.2 Technical management of the Website and its IT system, including through the Medikey® certification platform: e.g. acquisition, matching and management of account information; securing and controlling the proper functioning of the Website; monitoring of the Website's activity; 
 
5.3 Enrichment or customization of the content, services or design of the Website during a single or repeated visit; 
 
5.4 Profiling in aggregate form (i.e. anonymously, without any prejudice to the privacy and confidentiality of the data of each registered controller), of Users and their accesses to the specialized reserved pages, for the purposes of scientific and/or market research, analysis, and for the preparation of reports, carried out directly by Edra S.p.A. or also through specialized third party companies; 
 
5.5 Communication with the User regarding changes or updates to the Website and its services; advertising communications, communications of special offers and promotions; requests for market surveys to which the User is free to choose whether or not to subscribe. 

6. Processing methods.

6.1 Personal data is processed by means of computerized, telematic and manual tools, both as EDRA S.p.A. and as Medikey® or under other names and trademarks of the LSWR Group. 
 
6.2 Data processing is carried out in compliance with the GDPR and with the provisions defined within EDRA S.p.A.'s organisation as described in the Processing Registers and in the Programmatic Security Document, which the Company regularly updates. 

7. Categories of entities processing the data.

7.1 The processing is carried out by the Data Controller and its Trustees: employees, agents, representatives, third-party suppliers (e.g. companies providing data processing services, invoice printing, enveloping and labeling of products purchased online, shipping, etc.). 
 
7.2 The processing is also carried out by the other companies of the EDRA S.p.A. group and by subjects (companies, associations, bodies) for which the Data Controller operates as agent, licensee, publisher for the purposes listed above. In the cases foreseen by Article 28 of the GDPR (i.e. when the Company carries out processing on behalf of other autonomous Data Controllers) EDRA S.p.A. is appointed as External Data Processor.
 
7.3 Data processing by EDRA S.p.A. and its Trustees may take place without the User's consent in the following cases: 
7.3.1 at the request of a judicial authority, or to defend or protect their rights in administrative, judicial or arbitration proceedings; 
7.3.2 where the processing of the data is necessary to allow investigations to be carried out for the purpose of combating unlawful activities or acts contrary to the law, or to ensure the safety of persons or property; in all cases, in general, where the transmission of the data is required by law; 
7.3.3 in the event that EDRA S.p.A. is acquired by, transferred to or merged with another company, or if the Website or some of its contents are transferred to third parties. 

8. Rights of data subjects
8.1 The User registered on the Website is solely responsible for the accuracy of the personal information entered therein. According to Articles 15 to 21 of the GDPR, the Data Subject has the right to:
 
1. obtain confirmation of the existence or otherwise of personal data concerning him/her, even if not yet recorded, and communication of such data in intelligible form.
 2. obtain indication of:
 a) the origin of the personal data;
 b) the processing purposes and methods;
 c) the logic applied in the event of processing carried out with the aid of electronic instruments;
 d) the identification details of the data controller and data processors;
 e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of the data in their capacity as designated representative in the territory of the State, processors or appointees.
 3. obtain:
 a) the updating, rectification or, when interested, the integration of the data;
 b) the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed;
 c) certification to the effect that the operations as per letters a) and b) have been made known, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.

 
 The User may exercise these rights recognized by law by contacting EDRA S.p.A. at the Contacts indicated in point 11 below. 
 
8.2 As of May 25, 2018, the Data Subject may also, pursuant to Articles 15-21 of the GDPR, exercise the following specific rights:
 
• right of access;
• right of rectification;
• right to erasure (right to be forgotten), except where the processing is necessary for the Data Controller, for the exercise of the rights to freedom of expression and information, for the performance of a legal obligation or in the performance of a task carried out in the public interest, for archiving purposes in the public interest, for scientific or historical research or statistical purposes, for the establishment, exercise or defense of legal claims;
• right to restriction of processing;
• right to oppose;
• right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent before withdrawal;
• right to lodge a complaint with the Data Protection Authority.
 Therefore, if the User wishes to exercise this right, he or she may do so by contacting EDRA S.p.A. at one of the addresses indicated in paragraph 11 below. 
 
8.3 EDRA S.p.A. reserves the right to notify the User of changes or updates to the Website whenever necessary. 

9. Retention of personal data

9.1 EDRA S.p.A. retains the personal data collected from the User for as long as such information is deemed relevant for commercial purposes, and in any case up to a maximum of two years from the last interaction or until the User requests the deletion of such data by contacting EDRA S.p.A. at one of the addresses indicated in point 11, below. 

10. Information security

10.1 EDRA S.p.A. is aware of the importance of ensuring the security of the private information of which it becomes aware and, therefore, strives to protect the privacy of the Website's Users.

10.2 The personal and demographic information including the access credentials (username / login and password) of each User is sent and stored on servers equipped with a firewall and physically allocated in protected data centers. 

10.3 Logins and passwords travel over the Internet in encrypted form using the SSL protocol. Other personal information travels between the data centers on a private MPLS line in encrypted form. 

10.4 The implementation of lockout management systems (which block access in the event of repeated incorrect access) also helps to protect accounts from intrusion or hacking attempts by unauthorized third party users. 

10.5 Moreover, EDRA S.p.A. adopts internal security procedures described in the Security Policy Document (DPS) including, for example, the filtering of access and use of data by its employees. 

10.6 EDRA S.p.A. cannot, however, accept responsibility for any unauthorized access, loss of data (e.g. passwords), unlawful/incorrect use, or alteration of personal information beyond its control, nor can it guarantee the correct and safe use of the User's personal data by third parties.

11. Contacts

11.1 The User may exercise the rights recognized by Article 7 of Legislative Decree 196/2003 and submit any of his or her requests, questions, comments or objections regarding this Privacy Policy, or the way in which his or her personal data is processed on the Website, to 
 
EDRA S.p.A.
 via Spadolini n. 7, 20141 Milan
 tel +39 02 88184.1;
 fax +39 02 88184.301;
 e-mail privacy@lswr.it

12. DPO
 In accordance with Article 37, paragraph 1, letter b) of the GDPR, the Data Controller has appointed a Data Protection Officer ("DPO") who can be contacted as follows:
 
 e-mail dpo@lswr.it
 tel +39 02.88.184.1
 
 Privacy Policy updated May 20, 2018