The following Data Protection Policy has been drafted within the H2020-MSCA-RISE-2018 – ARISE Project – GA n. 824021 to fulfil the Requirement No. 27 listed in WP8 – Ethics requirements.
In compliance and with reference to the European General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and its national implementation Legislative Decree No. 101/2018, Fondazione per la Ricerca Farmacologica Gianni Benzi Onlus (FGB) respects the rights of any Data Subject it interacts with, such as patients, subjects of research programs, associates, collaborators and staff and has taken the necessary technical and organizational measures for their protection.
2. Definitions (General Data Protection Regulation – GDPR art.4 Definitions)
The most fundamental definitions with respect to this policy are as follows:
- Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others that determines the purposes and means of the processing of Personal Data [..];
- Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
- Special categories of Personal Data (‘sensitive data’) include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
This document aims to describe the procedures followed by FGB while processing Personal Data in compliance with GDPR scope (GDPR- Article 2).
4. Principles relating to the processing personal data
The following principles are applied when FGB staff process Personal Data according to Article 5 of the GDPR:
- Personal Data are processed fairly, lawfully and in a transparent manner in relation to the Data Subject;
- Personal Data are collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Personal Data could be further processed for historical, statistical or scientific reasons;
- Data minimisation is considered by limiting Personal Data collection to what is necessary in relation to the purposes for which they are processed;
- Accuracy is considered by keeping Personal Data updated and every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Personal Data are kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed, according to the storage limitation criteria;
- Appropriate technical and organizational measures are taken against unauthorized or unlawful processing of Personal Data, against accidental loss or destruction of and /or against damage to Personal Data to ensure data integrity and confidentiality.
5. Processing special category of personal data
The processing of Special categories of Personal Data will be performed only if at least one of the following conditions stated in the Article 9 of the GDPR is satisfied:
(a) the Data Subject has given explicit consent to the processing of those Personal Data for one or more specified purposes;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment and social security and social protection law;
(c) processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent;
(d) processing relates to Personal Data which are made public by the Data Subject;
(e) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(f) processing is necessary for reasons of substantial public interest, on the basis of Union or Italian law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject;
(g) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Italian law or pursuant to contract with a health professional and subject;
(h) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Italian law which provides for suitable and specific measures to safeguard the rights and freedoms of the Data Subject, in particular professional secrecy;
(i) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes according to Article 89 which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject.
6. Data subject rights and FGB organisational measures
FGB has implemented organisational measures to respect Data Subjects’ rights as stated in the GDPR:
- to be informed (Articles 13 and 14): Data Subjects will be provided with all the information included in Articles 13 and 14 of the GDPR and any communication under Articles 15 to 22 and 34 relating to processing in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The information will be provided in writing, or by other means, including, where appropriate, by electronic means. Ad hoc information sheets, consent forms and DSAs will be prepared to be used in the clinical studies foreseen by the project. In addition, ad hoc information packages will be prepared for paediatric patients using material and wording appropriate for age, psychological and intellectual maturity.
- to access (Article 15): Data Subjects will be provided with the confirmation that their Personal Data is being processing and with a copy of their Personal Data according to Article 15 and with the list of organizations with which FGB has signed Data Sharing Agreements (if requested).
- to rectification (Article 16): each rectification request will be evaluated in order to verify if the data is accurate and to rectify the data if necessary. If FGB has disclosed the Personal Data to others, each recipient will be informed of the rectification or completion of the Personal Data – unless this proves impossible or involves disproportionate effort.
- to erasure (‘right to be forgotten’) (Article 17): each erasure request will be evaluated in order to verify if Article 17 – paragraphs 1 and 2 – applies; in this case FGB will erase those Personal Data.
In cases that FGB has disclosed the Personal Data to others, each recipient will be informed of the request, unless this proves impossible or involves disproportionate effort. If asked to, FGB must also inform the individuals about these recipients. Where Personal Data has been made public in an online environment, reasonable steps should be taken to inform other Controllers who are processing the Personal Data to erase links to, copies or replication of that data. FGB must also take steps to ensure erasure from backup systems as well as production systems but that the data will remain within the backup environment for a certain time until the request will be fulfilled. In case of Personal Data collected for scientific purposes, they will be no more processed but could be not erased if it could render impossible or seriously impair the achievement of the objectives of that processing (Article 17 – paragraph 3 comma d).
- to restriction of processing (Article 18): when a request to restrict the processing is submitted by a Data Subject, FGB will evaluate it according to the conditions listed in Article 18. Personal Data will not be deleted, and restriction means will be put in place (e.g., temporarily moving the data to another processing system to avoid the main processing, making the data unavailable to users or temporarily removing published data from a website). Each recipient following a request to restrict processing will be informed by FGB – unless this proves impossible or involves disproportionate effort.
- to data portability (Article 20): the right to data portability applies only according with condition stated in Article 20. The right does not apply if the transmission would adversely affect the rights and freedoms of others and in case of anonymized data. Each request will be assessed, and all the recipients of data will be informed.
- to object (Article 21): in the cases that the purpose of the Processing is scientific research or statistical purposes, the right to object is more limited. Each request will be assessed and FGB will decide whether or not continuing the processing of data. If FGB does not take action on the request of the Data Subject, FGB will inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The rights can be exercised by any Data Subject in person or by a person authorized by the Data Subject. The authorized person shall be identified through the presentation of an appropriate method of identification. If FGB receiving the request has doubts about the identity of the subject requiring information, he/she can ask for more information. However, it is important that he/she only requests information that is necessary to confirm the identity of the requestor.
All the requests will only be processed if a Data Access Request is submitted by email to the address firstname.lastname@example.org. A Data Access Request form is annexed to this document (Annex 1). FGB will provide information on actions taken on a request under Articles 15 to 22 to the Data Subject without undue delay and in any event within one month of receipt of the request according to Article 12 of the GDPR. That period may be extended by two further months where necessary, taking into account the complexity and the number of requests. FGB shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject. One shall calculate the time limit from the day after they receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
In case the request is manifestly unfounded or excessive FGB can request a “reasonable fee” to deal with the request or refuse to deal with the request by justifying the decision, according to Article 12 (5).
All the requests will be kept in a secure place and the following information will be included: type of request; date recorded; method received in writing; details of the request; contact details of the Data Subject (or his/her representative); evidence sought and obtained to verify their identity; the decision to satisfy the request or not; the reasons for the decision and the date of fulfilling the request of informing of the decision.
7. Data security
FGB must comply with this Data Protection Policy. The FGB Data Protection Policy is updated and/or revised when necessary (e.g., changes of the legal framework; roles and responsibilities; new data processing). Any document regarding the processing of Personal Data produced by FGB in the framework of the ARISE project must include reference to this Data Protection Policy.
Staff is trained to store files or written information of a confidential nature, including Personal Data, in a secure manner so that data can be only accessed by people who have the right to access them and to ensure that screen locks are implemented in all PCs, laptops etc. when unattended. No files or written information of confidential nature are to be left where they can be accessed by unauthorized people.
Staff always use the passwords to access the computer system and must not abuse them by passing them to people who should not have them.
8. Transfers of personal data to third countries
To perform the activities for which Personal Data are collected, some Personal Data may be transferred by FGB to third countries. These activities will be performed according to Articles 45-46 of the GDPR.
9. Data breach notification process
Whilst it is the responsibility of FGB to put in place suitable measures to prevent, react and address a breach, the following steps will be followed in case of a breach:
- Information concerning all security-related events should be directed towards FGB by the Data Processor without undue delay and no later than 24 hours after becoming aware of a Personal Data breach;
- A risk assessment will be performed to assess the level of risk to the affected Data Subjects;
- When required, a notification for the breach will be sent to the Supervisory Authority and the affected Data Subjects will be informed;
- FGB shall act to contain and recover the breach;
- FGB shall document all actions taken for managing the breach and will be responsible for running any required assessments. The documentation shall include the causes, the description of the incident, the types of Personal Data affected and the effects and consequences of the breach along with the safeguard measures taken by FGB.
10. Processing non-European personal data
The processing of Personal Data related to non-European Data Subjects will be performed by FGB according both to the European General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 and its Italian implementation Legislative Decree No. 101/2018, the applicable Italian laws and the laws on the processing of Personal Data applicable in the country of the Subject.
If the case, an additional evaluation of the adequacy of FGB’s organisational measures to respect Data Subjects’ rights will be performed. If deemed needed, an informed consent will be signed by those Subjects also including additional measure (if any) required to fully comply with those applicable national/international laws.
11. Roles and responsibles
11.1. Data Controller:
Fondazione per la Ricerca Farmacologica Gianni Benzi Onlus
Address: Via Abate Eustasio 30 – 70010 Valenzano, Bari, Italy
Email address: email@example.com
11.2. Data Protection Officer:
11. Document history
- Draft 0.9 (05/09/2019)
- Approved 1.0 (20/05/2019)
- Updated 2.0 (23/01/2023)