Dear Client,
in compliance with the regulations on the protection of personal data, Fasi – Fondo Assistenza Sanitaria Integrativa – Gestione separata FasiOpen, as Data Controller, pursuant to the provisions of articles 13 and 14 of EU Regulation 2016/679 (regarding the protection of natural persons in relation to the processing of their personal data and on the free circulation of such data), intends to provide you with the information you need regarding the purposes and methods of processing your personal data, as well as the scope of its communication and possible circulation, the nature of the data in our possession and its transfer. Given that it is in FasiOpen’s primary interest to protect and guarantee your right to protection and confidentiality of data processed for the purpose of offering you the supplementary healthcare services that you may request in the context of our institutional aims, we inform you that your personal data will be used according to the principles of correctness, lawfulness and transparency, taking into account our obligations and compliance with the above-mentioned regulations in order to protect your privacy and rights.
If, at the moment of registering with FasiOpen or at a subsequent stage you decide to extend our health services to the members of your family unit (spouse, civil partner, de facto cohabiting partner, children, foster children), please ask them to read this notice and everything set out in it regarding both the purpose and method of processing and the rights that may be exercised by the member. On this point, FasiOpen also reminds you that it will process your family members’ data for the above-mentioned purposes on the necessary assumption that their implicit assent has been given through you. You will therefore personally assume all responsibility for all personal and sensitive data provided to the Fund.
1 – The purpose of data processing
The personal data provided by you and any changes to such data you may communicate in the future to FasiOpen, in its capacity as Data Controller, will be processed for the following purposes:
- To proceed with the registration of your membership and of the respective entitled persons, managing the relevant personal details for administrative purposes and support, as well as for processing that is in your legitimate interests (improvement of the service) or is expressly requested by you (e.g. the newsletter).
The data involved in this processing is both common and special: in accordance with the provisions of article 6 paragraph 1 letter b) of EU Regulation 2016/679, the processing of common data is lawful insofar as it is necessary for the performance of a contract to which the data subject is party. Common data may also be processed, pursuant to the subsequent letter f), for purposes related to the legitimate interests of the Controller and derived, for example, from its own institutional purposes or from legal obligations, in all cases without overriding the rights and freedoms of the member and of the entitled persons.
The special data communicated by you at registration is processed, on the other hand, in accordance with the provisions of Article 9 paragraph 2 letter a) of EU Regulation 2016/679, provided that you give your explicit consent. The absence of such consent or the omitted, partial or inaccurate provision of the data may make it impossible for Fasi to perform its activities of intermediation, precluding its fulfilment of the obligations arising from your membership.
- To manage and deal with claims for health services that you, as our member, and your family members through you, may submit to this Fund, together with any information with regard to these.
The data involved in this processing includes special data: similarly to that at the registration stage, its processing can be lawful only with your explicit consent.
2 – Method of processing
- The processing is performed using manual and/or computerised and telematic tools using an organisational and processing logic strictly related to the purposes themselves and in all cases in such a way as to guarantee the security, integrity and confidentiality of the data itself in compliance with the organisational, physical and logical measures required by current regulations, in order to minimise the risk of destruction or loss, unauthorised access, unauthorised disclosure and modification.
- Should you cease to be a member of FasiOpen, your data will still be stored and processed by the Fund for a maximum duration of 10 years and may, if necessary, be transmitted to third parties if required by specific legal requirements or mandatory norms.
- Following this period your data will be pseudonymised. This process, pursuant to Article 32 of the GDPR, on the one hand enables the Fund to pursue its institutional purpose and to respect the statutory guarantees for your benefit, and on the other protects you by preventing identification.
- Should you, however, cease to be a member of FasiOpen and decide, at the same time, to exercise your right to be forgotten pursuant to article 17 of the GDPR, the Fund, to guarantee you a high and adequate level of security, will immediately proceed, in the absence of proceedings (tax authorities/judicial disputes), with the pseudonymisation of your data while always taking into account the circumstance specified above, i.e. that the deletion of data by the data subject may be requested only if it is no longer necessary for the purposes for which it was collected or otherwise processed.
- In order to perform certain activities, FasiOpen also has a need to communicate some data belonging to its clients to trusted external companies or individuals who may use it, in their capacity as data processors, to carry out procedures that are needed to provide the services requested, or to carry out activities to support the operation and organisation of the office work needed for refund procedures in general. Personal and sensitive data, as far as they relate to their respective remit, are communicated to the following parties:
- IT and medical services companies, as well as other companies providing collateral services, used by this Fund;
- banks that are required to process payment of the amount due for the service;
- the medical facility which you may contact or which is affiliated with us;
- companies managing computerised postal services;
- the Fund’s medical, legal, fiscal, accounting, actuarial and tax consultants;
- individuals/organisations for whom the right to access your data is recognised by law (e.g. the tax authorities);
- heirs.
- If you have given a mandate and/or authorisation to a third-party organisation to manage and process refund requests for healthcare services that you or your family members have received, FasiOpen will process the data provided by these organisations, together with those already in its possession, to issue the above-mentioned refund should the relevant conditions apply. It is therefore understood that FasiOpen does not and cannot assume any liability for any data breaches by the above-mentioned organisations, which should be solely ascribed to the third-party organisation authorised by you.
- The data provided is not disseminated.
- Your personal data will not be transferred by FasiOpen to any countries outside the EU. Should any such need arise, this will be done pursuant to Articles 44 et seq. of EU Regulation 2016/679.
3 – Rights of the data subject
As the data subject, you have the right to access, rectify and delete your personal data, together with the right to restriction, notification, portability and objection to the processing of personal data pursuant to Articles 15, 16, 17, 18, 19, 20 and 21 of the GDPR.
You can exercise these rights by contacting:
- the Data Controller, by sending a registered letter with confirmation of receipt to FasiOpen – Data Protection Officer – Via Vicenza 23, 00185 Roma;
- the Data Protection Officer (DPO) by telephoning +39 0646206282, or writing to SELDA Informatica S.c.a r.l., Via Palermo, 8 (00184) or by sending an email to: rpd.sistema@selda.it.
You also have the right to file a complaint with the Italian Data Protection Authority (Autorità Garante per la Protezione dei Dati Personali) using the following methods:
- delivery by hand or registered post with return receipt addressed to: Autorità Garante per la Protezione dei Dati Personali, Piazza Venezia, 11 – 00187 Roma;
- email message (including certified) addressed to: protocollo@pec.gpdp.it
Data Controller
The Data Controller is Fondo Assistenza Sanitaria Integrativa (Fasi) – Via Vicenza 23, 00185 Roma, in the person of its President pro tempore.
A list of other Data Processors, if required, may be requested directly from the Data Controller.
In witness whereof
The President
Marcello Santino Garzia