Personal data processing agreement
Premises
In its technical assistance activities MIR s.r.l. may access personal data registered on products that are purchased. This document governs the procedures for the processing of personal data by MIR s.r.l. in order to execute the request for assistance.
1. Designation of personal data processing Manager
1.1. In the execution of the above service MIR s.r.l. is the designated personal data processing manager pursuant to and for the effects of art. 28 of the Regulation.
1.2 The processing Manager agrees to carry out the above activities as provided for in this document.
2. Guarantees
2.1 MIR guarantees that:
2.1.1 it processes the personal data contained in the data base/application only for the purpose of technical support requests
2.1.2 it does not transfer personal data to third parties
2.1.3 it does not process or use personal data for other purposes
2.2 MIR, also pursuant to the provisions of art. 30 of the Regulation, maintains and completes a personal data processing log that contains all the information required by law.
3. Security measures
3.1 MIR shall not retain the personal data that it accesses for the purposes of technological support requests.
3.2 MIR shall, in the execution of the technology support activities, take appropriate technical and organisational security measures to protect the personal data from any unlawful or accidental loss or destruction, damage, alteration, disclosure or unauthorised access, particularly where the processing involves the transmission of data over a network, or from any other unlawful forms of processing.
3.3 MIR shall adopt appropriate technical and organisational measures to safeguard the security of any electronic communications network or services provided, with specific reference to measures aimed at preventing the interception of communications or unauthorised access to any computer or system.
3.4 In line with the principles of privacy-by-default, processing is applied, by default, only to the personal data necessary for the execution of the technology support activity.
4. Persons authorised to perform the processing - Designation
4.1 MIR guarantees the expertise and reliability of the employees and associates (hereinafter also assignees) it authorises to perform the personal data processing for the provision of the technology support request service.
4.2 MIR guarantees that the assignees have received appropriate training in personal data protection and information security, with proof of this training supplied to the company.
4.3 With regard to personal data protection and management, MIR imposes confidentiality obligations on its assignees in relation to the information they access for the execution of the support activity.
5. Personal data processing sub-managers
5.1 In the context of the execution of the agreement, MIR is hereby authorised to designate other processing managers ("sub-managers"), who, with regard to personal data processing, are subject to binding conditions no less onerous than those contained in this Agreement.
6. Processing of personal data outside the European Economic Area
6.1 MIR does not transfer personal data outside the European Union.
7. Deletion of personal data
7.1 MIR does not record personal data when performing the technology support request activities. If this happens necessarily for the purposes of the administration of the service, the data shall be immediately deleted upon completion of the support operation.
8. Breach of personal data
8.1 If, in the execution of the support activity, MIR detects a breach of personal data in the database/software being processed, it shall, pursuant to the provisions of art. 33 of the Regulation, communicate in the shortest time possible, and in any case not later than twenty-four (24) hours from receiving notification, the aforesaid breach that has caused the accidental or unlawful destruction, loss, modification, unauthorised disclosure or access to personal data transmitted, retained or otherwise processed, including data relating to its sub-suppliers. This communication contains all pertinent information for the management of the data breach. It also:
a) describes the nature of the personal data breach;
b) discloses the approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
c) provides the contact details of the person handling the data breach;
d) provides a description of the probable consequences of the personal data breach;
e) provides a description of the measures adopted or intended to be adopted to address the security breach, including, where appropriate, measures to mitigate its possible negative effects.
8.2 MIR provides all necessary support to the Company not just for the purposes of investigations and for evaluations of data breaches but also to identify, prevent, and mitigate their negative effects.
1. Premise
Pursuant to art. 13 of EU Regulation 679/2016 (hereinafter also merely “Regulation”), MIR S.r.l., as "Data Controller", is obliged to provide you with information regarding the use of your personal data.
2. Identity and contact details of the Data Controller
The Data Controller of the personal data referred to in this disclosure is MIR S.r.l., with registered offices in Rome, 00155, Via del Maggiolino 125.
In order to simplify forwarding procedures and reduce reply times, please submit requests relating to paragraph 10 to: mir@spirometry.com.
3. Data Protection Officer
MIR is not obliged to appoint the Data Protection Officer.
4. Data Managers
The Company may use third parties for the completion of activities and related processing of personal data under its control. In accordance with legislation, these parties shall ensure appropriate levels of experience, capacity and reliability to guarantee compliance with current provisions on processing, including data security.
Formalised instructions, duties and tasks are issued to such third parties with their appointment as "Data managers". These parties undergo periodic checks in order to ascertain the continued existence of the guarantee levels recorded when the initial appointment is conferred.
5. Parties authorised to perform the processing
Your personal data is processed by internal staff previously authorised and designated as processing assignees, for which they are given appropriate instructions regarding measures, mechanisms and modus operandi, all intended to effectively protect your personal data.
6. Purpose and legal basis of the processing
The processing of your personal data is performed by MIR S.r.l. for purposes related to the registration and traceability of the medical product you have purchased. In this case, the legal basis of the processing is provided by Legislative Decree 507/1992 in implementation of Directive 90/385/EEC as amended by Legislative Decree 37/2010 in implementation of Directive 2007/47/EC.
Your personal data is also processed for the purposes of distributing MIR promotional initiatives and market research, as well as more general purposes of marketing and commercial communications through different media, including electronic and telematic (e-mail, text message) and traditional (paper mail, telephone) channels.
The legal basis of this processing is constituted by your consent, pursuant to and for the effects referred to in art. 6, paragraph 1, letter a) of the Regulation.
You may refuse such use of your data, at no charge and at any time.
7. Recipients of personal data
Your personal data will not be transmitted to third parties, except for the parties referred to in point 4.
8. Transfer of personal data outside the EU
Your personal data will not be transferred outside the European Union.
9. Retention period
Your personal data will be retained for a period no longer than is necessary for the purposes mentioned above. To this end, periodic checks will be made to check the continuous strict relevance, non-excess and indispensability of the data used with respect to the relationship, service or assignment under way, also with reference to the data that you provide on your own initiative. Any data which is found, also as a result of the checks, to be in excess, not relevant or not indispensable, is not used, except in the case of the possible storage, in accordance with the law, of the act or document that contains it.
10. Your rights
As the data subject, you are entitled to:
• access the personal data;
• obtain the correction or deletion of the personal data or the restriction of the processing applied to it;
• object to the processing;
• the portability of your data;
• petition the Antitrust Authority for the protection of personal data.
11. Provision of data
The provision of your data is optional but necessary for the execution of the purposes indicated above. Failure to provide the data will make it impossible to execute your requests.