The processing of the Users’ personal data will take place in full compliance with the applicable data protection legislation.
1. REDIRECT TO OTHER WEBSITES
The Website may incorporate links which allow you to connect to other websites run both by other companies of the Orthofix Group and by third parties. The Controller assumes no responsibility regarding the processing of personal data which may take place through and/or in connection with all of these third-parties’ websites.
Therefore, each User who accesses such web pages and/or social platforms through the Website must carefully read their applicable privacy policies, in order to understand how their personal data will be processed by the third parties, as autonomous controllers pursuant to the data protection legislation in force.
2. CATEGORIES OF PERSONAL DATA COLLECTED
A. Traffic data
The computer systems and software procedures used to operate this Website need to acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This category of data may include, by way of example: IP addresses, browser type, operating system, domain name and website addresses, information on the pages visited by User within the Website, time of access, time period of User’s staying on a single page, the internal path analysis and other parameters regarding the User’s operating system and computer environment.
This technical / IT data is collected and processed only in aggregated manner, so that no User can be identified by the Controller, for the purpose to ascertain liabilities in case of hypothetical crimes committed within or against the Website, or upon competent authorities’ request. Should this information be used to single-out any data subject, then it will be Orthofix’s duty to comply with applicable requirements and identify the appropriate legal basis for such processing operations.
B. Personal data provided directly from User
There are some sections of the Website (e.g. ‘Request product info’, ‘Request service info’, ‘Request support’, or ‘Contact us’) which allow the collection of those personal data that the User will decide to share with Orthofix as part of the request.
The data provided by the User will be processed by the Controller exclusively to follow-up and fulfil the requests received. Accordingly, if the User prefers that Orthofix does not collect his/her personal data, he or she is invited not to send any request. However, in case of refusal to provide such data, Orthofix will likely be prevented from satisfying the User’s requests, or provide the latter with the services requested.
There are other sections of the Website which incorporate a specific form whereby the User is requested to provide some data (first and last name, email address, hospital the HCP works for, post code, city, country), on a totally spontaneous basis, in order to be allowed to access products’ interactive demos or download the products’ technical or guidance materials.
As said, the User will always be free to decide whether or not to share his/her personal data by filling out the specific forms available on the Website.
In any case, Orthofix will never request/collect particular categories of personal data.
3. PURPOSES AND LEGAL BASES OF THE PROCESSING
The Website has been designed with the main goal of providing information regarding the activities, products and services offered by Orthofix, or in some cases by other companies belonging to Orthofix Group. This is the reason why, in most cases, the collection of the User’s personal data is not necessary.
In any case, according to the principles set forth by the GDPR, the Website is set to minimize the collection of personal data, as well as to exclude the processing of such data in all cases when the purposes described hereunder can be achieved with different means and/or by anonymous data.
That being said, the Users’ personal data identified above will be processed by Orthofix for the purposes of:
a) allowing the User to navigate the Website and easily enjoy its contents and services, based on the Controller’s legitimate interest pursuant to Art. 6.1, (f) of the GDPR;
b) allowing the Controller to answer and fulfil the Users’ requests, including for support to the use of a product, pursuant to Art. 6.1, (b) of the GDPR;
c) making such data available to other Orthofix Group’s companies or, where necessary, to their or Controller’s distributors, based on Orthofix’s legitimate interest pursuant to Art. 6.1, (f) of the GDPR, exclusively to enable them to properly answer and fulfil any Users’ direct requests (received by Orthofix), as autonomous data controllers, if concerning products or services they market or distribute under Orthofix brand;
d) allowing the Controller to send promotional communications and follow-ups to the Users regarding Orthofix-branded products and services, or training opportunities as well as other initiatives and events sponsored or organized by or on behalf of the Controller, on condition that the User has provided his/her specific consent for this purpose (receiving marketing communications) pursuant to Art. 6.1, (a) of the GDPR;
e) transmitting such data to other Orthofix Group’s companies or to the Controller’s or their distributors, in order to enable them, as autonomous data controllers, to send promotional communications to the User regarding Orthofix-branded products and services, or other initiatives and events sponsored or organized by or on behalf of such Orthofix Group’s companies or their distributors, as long as the User has provided his/her specific consent for this purpose (namely, allowing communication of his/her data to third parties for receiving their own marketing and commercial follow-ups) pursuant to Art. 6.1, (a) of the GDPR;
f) to comply with obligations provided for by applicable laws and/or to fulfil requests or orders issued by competent authorities, pursuant to Art. 6.1, (c) of the GDPR;
g) establishing, exercising or defending legal claims, based on the Controller’s legitimate interest pursuant to Art. 6.1, (f) of the GDPR.
The User is entitled to withdraw at any time the consent given in relation to the activities described under d) and e) above, it being understood that any processing operations carried out until the moment of such withdrawal shall remain fully lawful and valid.
Should the data be collected in the future also for purposes other than those described above, it will be duty of Orthofix, on one hand, to provide adequate information to the Users relating to such new purposes in order to enable transparency and user awareness and, on the other hand, ensure that a valid legal basis (such as the data subject’s consent) exists, where needed, to undertake the relevant processing activities.
4. METHODS OF PROCESSING AND DATA SECURITY
The personal data are collected and processed lawfully and fairly, exclusively for the purposes described above and in accordance with the fundamental principles established by the applicable legislation, with special regard to the GDPR.
Processing operations may take place both manually and electronically, in any case under technical and organizational measures that ensure the security and confidentiality of the data, especially in view of preventing or however minimizing the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to the Users’ personal data.
The processing operations will be carried out, under the direct authority of the Controller, only by persons who have been duly authorized to access and process the Users’ data in accordance with the instructions provided by Orthofix, on a need-to-know basis, and the applicable data protection laws and regulations.
5. COMMUNICATIONS TO THIRD PARTIES
Except for the cases described in c) and e) above, the Users’ personal data will not be shared with third parties.
Should the data be made available by Orthofix to any other third-party suppliers or partners (such as marketing and communication agencies, service or hosting providers, IT companies or else) in order to enable them to perform specific services connected to or necessary for the fulfilment of the purposes listed above, it will be the responsibility of the Controller to appoint such third parties as data processor by virtue of their capacity, experience and reliability and to provide them with specific instructions regarding the needed level of protection and security of the data, according to Art. 28 of the GDPR. The updated list of data processors can be accessed at any time by sending a written request to Orthofix, as specified below.
It remains understood that the Users’ personal data will be communicated to third parties, such as public or judicial authorities, to comply with their binding orders and requests, as well as with applicable legal obligations.
6. DATA RETENTION
Personal data will be kept in a format that allows the identification of the User for no longer than necessary to fulfill the purposes for which the data have been originally collected.
In more detail:
a) the data collected in connection with the requests made by the Users will be retained:
i. for one (1) month following the response and/or fulfillment of such requests;
b) the data provided by the User through the forms available in the Website will be retained:
i. for 36 months, in relation to the Controller’s direct follow-ups and communications described under d) above.
Subject to the above, the Users’ personal data will be kept in identifiable form for those further periods which are required or expressly permitted by the applicable laws, e.g. in order to fulfil orders issued by competent Authorities, as well as to enforce or protect the rights of the Controller (consistent with the retention periods and statutes of limitations provided for by the laws and regulations in force, also locally).
As soon as no longer necessary in accordance with the above, the data will be cancelled or definitively made anonymous.
7. TRANSFER OF DATA ABROAD
Given the international nature of Orthofix’s business activities, the data may be transferred abroad, still for the sole purposes described above, to other companies belonging to the Orthofix Group and/or to the Controller’s or such other Orthofix Group companies’ distributors established outside the territory of the European Union.
In these cases, it will be the Controller’s responsibility to ensure that the relevant transfer abroad is made in accordance with adequate data protection guarantees, as required by the law, e.g. through the adoption of Standard Model Clauses as approved by the European Commission, or other equivalent safeguards.
8. DATA SUBJECTS’ RIGHTS
The User can at any time exercise his/her rights in accordance with the applicable data protection legislation, including:
a) accessing his/her personal data, obtaining evidence – among others – of the purposes pursued by the Controller, the categories of data involved, the recipients to whom they may be disclosed, the applicable storage period, the existence of automated decision-making processes;
b) having incorrect personal data referred to him/her rectified without delay;
c) having his/her data erased, in the cases provided for by the law;
d) obtaining restrictions to processing operations, where possible;
e) objecting to processing activities described under c) and d) above, in the cases provided for by law;
f) requesting portability of the data provided to the Controller – through the forms available in the Website or in connection with the requests made to Orthofix – receiving them in a structured, commonly used and machine-readable format, also for transmitting such data to another controller, without any hindrance by Orthofix, in all situations where it is required by the law in force;
g) withdraw his/her consent for those processing which are based on this legal ground (let. d) and e) above), without this may affect in any manner the lawfulness of the processing operations carried out until that moment;
h) lodge a complaint to the competent Supervisory Authority (link).
To exercise these rights, or for any further information and/or clarifications regarding the data processing operations carried out through and in connection with the Website, please write to firstname.lastname@example.org.
9. DATA CONTROLLER
The Data controller is Orthofix S.r.l., a company duly incorporated under Italian law, with registered at Via Vittor Pisani no. 16, Milan (Italy).
10. POLICY UPDATING
Below is highlighted the date when the last version of this policy has been uploaded.
Last Update: 01/09/2020