Privacy Notice Pursuant to Articles 13 and 14 of Reg. (EU) 2016/679
Dear visitor, the Privacy legislation (in particular, the EU Regulation 2016/679, the “General Data Protection Regulation”, known by the English acronym “GDPR”) requires us to provide you with the following information about the processing of your personal data pursuant to Art. 13 and 14 of the GDPR.
The “processing of personal data”, simply put, is any operation concerning any “information relating to a natural person, identified or identifiable.” For example, first and last name, or an e-mail address with a “username” that identifies you (e.g., mariorossi@….), are considered “personal data”, and collecting them, registering them with us, and using them to send you a communication, are considered operations of “processing”; so also (again, for example) communication to other parties and archiving. The indication of the pathology from which you possibly suffer is data “falling into special categories,” requiring specific protection in which we are constantly engaged. The website of the Data Protection Authority contains additional information useful to you to better understand the subject (see e.g.: http://www.garanteprivacy.it/home/diritti).
MARTHA SRLS is defined as the “data controller”, an entity that determines how and for what purposes to process information about individuals.
You, as the “natural person to whom the personal data” relate, are defined as the “interested” party, and are entitled to receive the following information about who we are, which personal data we process, why, how and for how long we process them, and what obligations and rights you have in this regard.
Depending on whether you are a mere visitor to our websites or want to take advantage of our services, we collect and/or need you to provide us with certain data, necessary for us to allow you to navigate the website and/or access our services; in the first case it is information that does not allow us to identify you (and therefore we will not process personal data, only “browsing data”).
Definitions of terms and expressions used (shown in bold) are contained in the Glossary.
Who are we? (“Data Controller”)
MARTHA SRLS, headquartered at 32 Via Siracusa, 90141 Palermo, Pa.
Data Protection Officer: Chiara Volpes – chiara.volpes@marthapalermo.it
What categories of personal data do we process?
Common personal data (e.g., first and last name, social security number, telephone number, addresses, etc.) and special data (relating to health or sexual life or sexual orientation, or revealing racial or ethnic origin or religious beliefs), to the minimum extent necessary to achieve each of the Purposes set forth below, by persons subject to obligations of secrecy and under the responsibility of health care professionals and/or the Medical Director.
What is the origin of your personal data?
You may have transmitted them to us yourself or we may have obtained them from third parties (e.g., a family member booking a service with us on your behalf).
Why do we process personal data (purpose) and what is the basis for the processing (legal basis) of each category of data?
n. | Purpose | Categories of personal data | Legal Basis |
1 | allow you to navigate the site | Municipalities (to the extent that the information collected consists of personal data) | Our legitimate interest (that of being able to present our services to you) |
2 | fulfill your requests regarding our services | Common Personal Data | The need to take pre-contractual measures at your request |
3 | To provide you with our services and everything related to them (e.g., reservations, appointments, exam pickup, sending reports, reminders, complaints, etc.), for the purpose of prevention, diagnosis, treatment, rehabilitation, health care or therapy | Common and Particular Personal Data | The need to perform the contract with you, and the need to pursue purposes of prevention, diagnosis, treatment, rehabilitation, health care or therapy, or management of health care systems and services |
4 | Inform you about preventive health initiatives | Common and Particular Personal Data | Significant public interest (to the safety and health of the population) |
5 | To send you advertising, commercial or marketing communications regarding services similar to those you use, or to inform you about our news (e.g., opening of new clinics, promotions, events, etc.), if you are already one of our users or a newsletter subscriber | Common Personal Data | Our legitimate interest (to carry out promotional activities) |
6 | Send you questionnaires to check your satisfaction | Common Personal Data | our legitimate interest |
7 | Send you advertising, commercial or marketing communications, and/or conduct market research, even if you are not yet one of our users | Common Personal Data | Your explicit consent, freely given and revocable at any time |
8 | Analyze or predict your habits and/or preferences regarding our services through profiling activities | Common and Particular Personal Data | Your explicit consent, freely given and revocable at any time |
9 | fulfill legal obligations, including those related to the need to provide you with our services, or comply with orders from Authorities | Common Personal Data | The duty to fulfill legal obligations to which CMS is subject |
10 | ascertain, exercise and/or defend a right of ours in the appropriate forums | Common and Particular Personal Data | the need to ascertain, exercise or defend a right |
11 | statistical purposes, but with the use of anonymized information (which no longer allows us to trace your identity) | Anonymous information | None, because the information does not consist of personal data |
To whom do we disclose the Data (Recipient Categories)?
To the minimum extent necessary to achieve each of the Purposes, based on Applicable Law and/or a contractual agreement with the Owner:
Subjects necessary for the performance of activities related and consequent to the execution of the Contract, acting as data processors or as autonomous Owners (e.g. providers of IT, banking, insurance, shipping and transportation, commercial agency, accounting, tax, legal, etc.);
Consultants and/or professionals appointed by us, self-employed Owners of treatment (e.g., medical personnel and Health Care Workers);
subjects authorized by us (e.g., our workers), committed to confidentiality, or recipients of a legal obligation to confidentiality;
private organizations belonging to the same business group as CMS;
public organizations and Authorities, if and to the extent required by applicable law or by their orders, or for the exercise, establishment and/or defense of a right in court.
We do not disseminate personal data, except when it is required, in accordance with the law, by Authorities, information and security bodies or other public entities for purposes of defense or state security or prevention, detection or prosecution of crimes.
A list of external data processors is available upon request, with additional data useful for their identification.
How long do we keep the Data?
We process Data for purposes of marketing until your consent is revoked (e.g., until you unsubscribe from a newsletter); for other purposes, the maximum retention time is linked to the provisions of the applicable regulations that allow us to (or require us to) retain data for the protection of our rights.
Do we transfer Personal Data outside the European Union?
No. No extra-EU transfers are made.
Do we perform profiling activities?
If (and only if) you expressly allow us to do so, we will process your user profile through the detection of biographical data and the type of services enjoyed, so that you can stay up-to-date on services and novelties in line with your goals of prevention, treatment and health care.
Does the site make use of cookies?
Yes. To learn more and to view our policy in this regard, you may consult the cookies policy.
Are you obliged to provide us with personal data?
The communication of navigation data (which, moreover, does not normally consist of personal data) is mandatory in order for us to allow you to navigate the site.
You, of course, are not obliged to use our services or sign up for our newsletter, but if you wish to do so, you must provide us with the personal information we request from you.
What happens if you refuse to disclose your data?
Due to the operation of the Internet, you cannot refuse the communication of browsing data; you can refuse the installation of certain cookies.
If you do not agree to disclose your information, we will not be able to provide you with our services or pursue one or more of the other purposes.
What rights do you have?
You have the right to:
Access your Personal Data in our possession;
Request rectification of any incomplete or inaccurate Personal Data;
Request their cancellation if the conditions are met;
request the limitation of treatment, where the conditions are met;
Object to processing based on legitimate interest or public interest, for reasons related to your particular situation;
Object to the treatment for purposes of marketing, by not giving consent initially or revoking it later;
Object to the activity of profiling, by not giving consent initially or revoking it later;
Request Data portability, where the conditions are met and to the maximum extent technically possible;
Lodge a complaint with the Garante per la Protezione dei Dati Personali (in Italy, www.garanteprivacy.it), or with the Garante Authority of the EU state where you normally reside or work, or of the place where the alleged violation occurred.
Who can you contact?
You may contact Martha SRLS for matters pertaining to the treatment of your personal data by sending an email to info@marthapalermo.it.
This Privacy Policy is effective as of 25/July/2022; we reserve the right to change its contents, in part or in full, including as a result of changes in privacy regulations; we will publish the updated version of the Privacy Policy on the website, and from that time it will be binding. You are therefore invited to visit this section regularly.
Glossary
“Control authority” means the independent public authority established by a European Union state, or by the European Union itself, charged with overseeing the application of privacy legislation (for Italy, the Garante per la Protezione dei Dati Personali, http://www.garanteprivacy.it).
“Authority” means a body or organization, public or private, with administrative, judicial, police, disciplinary, and supervisory powers.
“Authorized” means the natural person, placed under the direct authority of the controller, who receives instructions from the controller on the processing of personal data, pursuant to and for the effects of Art. 29 of the GDPR.
“Privacy Code”: the Legislative Decree 196/2003 as amended and/or supplemented (in particular by Legislative Decree No. 101/2018).
“Committee” or “EDPB”: the European Data Protection Board, established by Art. 68 of the GDPR and governed by Articles 68 to 76 of the GDPR, replacing WP29 as of 25/5/2018.
“Communication” means “the giving of knowledge of personal data to one or more specified persons other than the data subject, the data controller’s representative in the territory of the European Union, the data processor or its representative in the territory of the European Union, the persons authorized under Article 2-quaterdecies to process personal data under the direct authority of the data controller or the data processor, in any form, including by making them available, consulting them or by interconnecting them” (as defined in Article 2-ter, paragraph 4, letter a of the Privacy Code).
“Cookie“: short text fragments (letters and/or numbers) that allow the web server to store information on the browser to be reused during the same visit to the site (session cookies) or later, even days later (persistent cookies). Cookies are stored, based on user preferences, by the individual browser on the specific device being used (computer, tablet, smartphone). The following categories are considered:
Technical cookies : these are cookies that are indispensable for the proper functioning of the site and are used for the sole purpose of “carrying out the transmission of a communication over an electronic communications network, or to the extent strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide such a service” (see Art. 122, c. 1, of the Privacy Code).
Analytical cookies : are cookies used to anonymously collect and analyze site traffic and usage. These cookies, while not identifying the user, allow, for example, detection of whether the same user returns to log on at different times. They also allow the system to be monitored and improve its performance and usability. Disabling these cookies can be done without any loss of functionality.
Profiling cookies: these are persistent cookies used to identify (anonymously and non-anonymously) user preferences and improve the user’s browsing experience.
Third-party cookies (analytical and/or profiling) : these are cookies generated by organizations outside the Site, but embedded in parts of the Site page. Think, for example, of Google “widgets” (e.g., Google Maps) or “social plugins” (Facebook, Twitter, LinkedIn, Google+, etc.).
“Navigation Data”: these are the data that the computer systems and software procedures used to operate the site acquire, in the course of their normal operation, and whose transmission is implicit in the use of Internet communication protocols. This information is not collected to be associated with identified data subjects, but by its very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes IP addresses or domain names of the computers used by users connecting to the site, the URI (Uniform Resource Identifier) notation addresses of the requested resources, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters related to the user’s operating system and computer environment. This data is used for the sole purpose of obtaining anonymous statistical information about the use of the site and to check its correct operation and is deleted immediately after processing.
“Particular Data”: personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, […] relating […] to a person’s sex life or sexual orientation” (Art. 9.1 GDPR), “relating to health” (“personal data relating to the physical or mental health of a natural person, including the provision of health care services, revealing information relating to his or her state of health,” as defined by Article 4, subsection 1, no. 15, of the GDPR) and “personal data relating to criminal convictions and offenses or related security measures” (Art. 10 of the GDPR), as well as “genetic” data (“personal data relating to hereditary or acquired genetic characteristics of a natural person which provide unambiguous information about the physiology or health of that natural person, and which result in particular from the analysis of a biological sample of that natural person,” as defined by Art. 4, subsection 1, no. 13, of the GDPR); “biometric” (“personal data obtained by specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person that enable or confirm his or her unambiguous identification, such as facial image or dactyloscopic data,” as defined by Art. 4, subsection 1, no. 14, of the GDPR).
“Data” means one or more of the categories indicated as personal data and special data.
“Personal Data” means “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is any natural person who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier, or to one or more characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural, or social identity,” as defined by Art. 4, subsection 1, no. 1, of the GDPR.
“Recipient ” means “the natural or legal person, public authority, service or other body receiving communication of personal data, whether or not it is a Third Party,” as defined by Art. 4, subsection 1, no. 9, of the GDPR.
“Spread” means “the giving of knowledge of personal data to unspecified subjects, in any form, including by making them available or consulting them” (as defined in Article 2-ter, paragraph 4, letter b of the Privacy Code).
“GDPR”: the EU Regulation 2016/679 “on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).”
“Interested” means “identified or identifiable natural person” as defined by Art. 4, subsection 1, no. 1, of the EU Regulation 2016/679 (the so-called “GDPR”).
“Joined”: the data subject who has activated the newsletter service.
“Limitation” means “the marking of personal data stored with the aim of limiting their processing in the future,” as defined in Art. 4, subsection 1, no. 3, of the GDPR.
“Contact Form“: the section on the main page of the site through which visitors can send inquiries.
“Marketing”: singularly or cumulatively, the purposes of sending advertising material, commercial communication, direct sales and carrying out market research.
“Newsletter“: editorial and promotional content sent to Subscribers.
“Applicable Legislation” means any provision, of whatever rank, belonging to Italian or European Union law, in any way applicable to the site and/or services.
“Privacy Policy”: the Legislative Decree 196/2003 as amended and/or supplemented (“Privacy Code”), as well as the General Measures issued pursuant to Art. 154 paragraph 1 of the same Code, the EU Regulation 2016/679 (“GDPR”) and additional applicable legislation of any rank, including the opinions and guidelines developed by the WP29 and, as of 25/5/2018, the Committee.
“Profiling” means “any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects of that natural person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements,” as defined in Art. 4, subsection 1, no. 4, of the GDPR.
“Publication” means the action by which the owner communicates a piece of information on the site, without the implementation of procedures that require the Visitor to view it.
“Responsible” means “the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller,” as defined by Art. 4, subsection 1, no. 8, of the GDPR.
“Services“: the services provided by Santagostino Medical Center.
“Website”: the web pages exposed through www.cmsantagostino.it, including subdomains.
“Third” means “the natural or legal person, public authority, service or other body other than the data subject, the controller, the processor and persons authorized to process personal data under the direct authority of the controller or processor,” as defined by Art. 4, subsection 1, no. 10, of the GDPR.
“Holder” means “the natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of the processing of personal data,” as defined by Art. 4, subsection 1, no. 7, of the GDPR.
“Treatment” means “any operation or set of operations, whether or not involving automated processes, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction,” as defined by Art. 4, subsection 1, no. 2, of the GDPR.
“User”: the person who uses the services of Santagostino Medical Center.
“Visitor”: the natural person who uses a device and navigates, through the Internet network, on the public pages of the site.
“WP29”: the Working Group for the Protection of Individuals with Regard to the Processing of Personal Data, established under Art. 29 of Directive 95/46/EC, whose duties are set out in Art. 30 of Directive 95/46/EC and Art. 15 of Directive 2002/58/EC.
To whom do we disclose your data (categories of recipients)?
Your data will be disclosed, to the minimum extent necessary to achieve the purposes, based on applicable legislation and/or contractual agreement with the Controller, to:
- Physicians performing the individual health care service;
- Other physicians involved in your overall care pathway;
- additional physicians who have performed services at other clinical events handled within the Company;
- other natural persons authorized to process (e.g., administrative, nursing, technical personnel, etc.), obligated by law or contract to confidentiality;
- Providers of services related and/or consequent to health care provision, acting as Data Processors, as Joint Data Controllers or as autonomous Data Controllers (e.g., providers of IT, banking, insurance, accounting, tax, legal services, etc.);
- public and private organizations (e.g., other public and/or private health agencies and local, regional, national and international public bodies, welfare and social security agencies, research organizations, Social Services of municipalities for activities related to the assistance of weak individuals, etc.);
- private organizations belonging to the same business group as the Santagostino;
- public authorities, if and to the extent required by applicable law or by their orders, or for the exercise, establishment and/or defense of a right in court.
We do not disseminate personal data, except when we are required to do so by law, by Authorities or other public entities for purposes of defense or state security or the prevention, detection or prosecution of crimes. A list of external data processors is available upon request, with additional data useful for their identification.
Do we transfer personal data outside the European Union?
For some activities we use services that involve the transfer of personal data outside the European Union, only with entities (countries and/or international organizations) for which there is an adequacy decision by the European Commission, or on the basis of one of the other guarantees or exemptions provided by Chapter V of the EU Regulation 2016/679 (GDPR). The list of such persons, with an indication of the service for which they are employed, is available upon request of the person concerned.
Do we perform profiling activities?
Only if you give us your consent will we process your user profile through the collection of identifying data, the type of services you use, and the pages of our website you visit, so that you can stay up-to-date on services and news in line with your goals for prevention, diagnosis, treatment, and health care.
Are you obliged to provide us with your data?
Yes, by virtue of legal and/or contractual obligations, to the extent strictly necessary to achieve the purposes stated above, except for the purpose stated in no. 6.
What happens if I refuse to give you my information?
Failure to provide the data referred to in purposes no. 1 and 2 results in the inability to provide health care. In contrast, your right to the provision of health care will not be affected in the other cases where refusal to disclose data is permissible.
In case of refusal to disclose data for purpose nr. 6, we will not be able to send advertising communications or conduct market research.
In case of refusal to the communication of data for the purpose nn. 10, 11, and 12, the Santagostino will not be able to pursue them.
What are your rights?
You have the right to:
- Access personal data in our possession, and request copies;
- Request rectification of any incomplete or inaccurate personal data;
- request cancellation, subject to the exclusions set forth in Art. 17.3 GDPR;
- Request restriction of processing, subject to the exclusions set forth in Art. 18.2 GDPR;
- Obtain a list of data processors, with additional data useful for their identification;
- to request data portability (i.e. to receive the data in a structured, commonly used, machine-readable format, e.g., a computer, in order to transmit them to another data controller without hindrance), to the maximum extent technically feasible, and within the limits of processing based on consent or performance of a contract, and except in cases: – of processing necessary for the performance of a task in the public interest; – where the exercise of the right affects the rights and freedoms of other natural persons;
- Lodge a complaint with the Garante per la Protezione dei Dati Personali (in Italy, www.garanteprivacy.it), or with the Garante Authority of the EU state where you normally reside or work, or of the place where the alleged violation occurred.
Right of opposition
You can object to Treatment based:
- on consent (for the purpose of Marketing – No. 6 -, including Profiling insofar as it is related to them, as well as automated decision-making processes in accordance with Article 22 GDPR), not giving consent initially or revoking it subsequently (with the caveat that any subsequent revocation of consent does not affect the lawfulness of the data processing carried out in the period prior to such revocation);
- on legitimate interest (Purposes Nos. 5 and 7) or public interest (Purposes Nos. 3, 5 and 9), at any time for reasons related to your particular situation (e.g., injury to honor, reputation, decorum), subject to the Holder’s demonstration of a compelling and overriding legitimate interest under Art. 21.1 GDPR, and unless the processing is necessary for the establishment, exercise or defense of a right in court. The exercise of the above rights may also be delayed, limited or excluded in the cases provided for in Art. 2-undecies d.lgs. 196/2003.
Who can I contact with questions or to exercise my rights?
You can contact MARTHA SRLS, P.Iva 06914480824, based in Via Siracusa 32, 90141 Palermo, PA, for questions regarding the processing of your personal data by sending an email to info@marthapalermo.it.
This Privacy Policy is effective as of July 2022; we reserve the right to change its contents, in part or in full, including as a result of changes in the Privacy Policy.
Glossary
“ Supervisory Authority ” means the independent public authority established by a European Union state, or by the European Union itself, responsible for overseeing the application of privacy legislation (for Italy, the Garante per la Protezione dei Dati Personali, http://www.garanteprivacy.it).
“ Authority ” means a body or organization, public or private, with administrative, judicial, police, disciplinary, and supervisory powers.
“ Authorized ” means the natural person, placed under the direct authority of the controller, who receives instructions from the controller on the processing of personal data, pursuant to Art. 29 of the GDPR.
“ Privacy Code “: the Legislative Decree. 196/2003 as amended and/or supplemented (in particular by Legislative Decree No. 101/2018).
“ Committee ” or “ EDPB “: the European Data Protection Board, established by Art. 68 of the GDPR and governed by Articles 68 to 76 of the GDPR, replacing WP29 as of 25/5/2018.
“ Communication ” means “the giving of knowledge of personal data to one or more specified persons other than the data subject, the data controller’s representative in the territory of the European Union, the data processor or its representative in the territory of the European Union, the persons authorized under Article 2-quaterdecies to process personal data under the direct authority of the data controller or the data processor, in any form, including by making them available, consulting them or by interconnecting them” (as defined in Article 2-ter, paragraph 4, letter a of the Privacy Code).
“ Particular Data “: personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, […] relating […] to a person’s sex life or sexual orientation” (Art. 9.1 GDPR), “relating to health” (“personal data relating to the physical or mental health of a natural person, including the provision of health care services, revealing information relating to his or her state of health,” as defined by Article 4, subsection 1, no. 15, of the GDPR) and “personal data relating to criminal convictions and offenses or related security measures” (Art. 10 of the GDPR), as well as “genetic” data (“personal data relating to hereditary or acquired genetic characteristics of a natural person which provide unambiguous information about the physiology or health of that natural person, and which result in particular from the analysis of a biological sample of that natural person,” as defined by Art. 4, subsection 1, no. 13, of the GDPR); “biometric” (“personal data obtained by specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person that enable or confirm his or her unambiguous identification, such as facial image or dactyloscopic data,” as defined by Art. 4, subsection 1, no. 14, of the GDPR).
“ Data ” means one or more of the categories indicated as personal data and special data.
“ Personal Data ” means “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is any natural person who can be identified, directly or indirectly, by reference in particular to an identifier such as a name, an identification number, location data, an online identifier, or to one or more characteristic elements of his or her physical, physiological, genetic, mental, economic, cultural, or social identity,” as defined by Art. 4, subsection 1, no. 1, of the GDPR). All personal data not falling under the category of “Particular Data” are considered common personal data.
“ Recipient ” means “the natural or legal person, public authority, service or other body receiving communication of personal data, whether or not it is a Third Party,” as defined by Art. 4, subsection 1, no. 9, of the GDPR.
“ Dissemination ” means “the giving of knowledge of personal data to unspecified persons, in any form, including by making them available or consulting them” (as defined in Article 2-ter, paragraph 4(b) of the Privacy Code).
“ GDPR “: the EU Regulation 2016/679 “on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).”
“ Interested ” means “identified or identifiable natural person” as defined by Art. 4, subsection 1, no. 1, of the EU Regulation 2016/679 (the so-called “GDPR”).
“ Limitation ” means “the marking of personal data stored with the aim of limiting their processing in the future,” as defined in Art. 4, subsection 1, no. 3, of the GDPR.
“ Marketing “: singularly or cumulatively, the purposes of sending advertising material, commercial communication, direct sales and carrying out market research.
“ Applicable Legislation ” means any provision, of whatever rank, belonging to Italian or European Union law, in any way applicable to the site and/or services.
“ Privacy Policy “: the EU Regulation 2016/679 (“GDPR”), the Legislative Decree. 196/2003 as amended and/or supplemented (“Privacy Code”), as well as the measures adopted by the Supervisory Authority in execution of the tasks established by the GDPR and the Privacy Code, and additional applicable legislation of any rank, including the opinions and guidelines developed by the Committee.
“ Profiling ” means “any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects of that natural person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements,” as defined in Art. 4, subsection 1, no. 4, of the GDPR.
“ Responsible ” means “the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller,” as defined by Art. 4, subsection 1, no. 8, of the GDPR.
“ Services “: the services provided by the Santagostino.
“ Third ” means “the natural or legal person, public authority, service or other body other than the data subject, the controller, the processor and persons authorized to process personal data under the direct authority of the controller or processor,” as defined by Art. 4, subsection 1, no. 10, of the GDPR.
“ Holder ” means “the natural or legal person, public authority, service or other body which, individually or jointly with others, determines the purposes and means of the processing of personal data,” as defined by Art. 4, subsection 1, no. 7, of the GDPR.
“ Treatment ” means “any operation or set of operations, whether or not involving automated processes, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction,” as defined by Art. 4, subsection 1, no. 2, of the GDPR.
“ User “: the person who uses the services of the Santagostino.
“ WP29 “: the Working Group for the Protection of Individuals with Regard to the Processing of Personal Data, established under Art. 29 of Directive 95/46/EC, whose duties are set out in Art. 30 of Directive 95/46/EC and Art. 15 of Directive 2002/58/EC.