Privacy policy
Dear User,
GSD Sistemi e Servizi S.c. a r.l. with registered offices in Milan (Milan), Via Spadolini no. 4 (“GSDSS”) is committed to protecting the online privacy of the users of our websites (hereinafter, “Website”). As such, this Privacy Policy has been written in accordance with art. 13 of the Regulation (EU) 2016/679 (“Regulation”) in order to allow you to understand GSDSS’s policy regarding your privacy, as well as how your personal information will be handled when using the Website. This Privacy Policy will also provide you with information so that you are able to consent to the processing of your personal data in an explicit and informed manner, where appropriate.
In general, any information and data which you provide to GSDSS over the Website, or which is otherwise gathered via the Website by GSDSS, in the context of the use of GSDSS’s services (“Services”), will be processed by GSDSS in a lawful, fair and transparent manner in accordance with Regulation’s provisions.
To this end, and as further described below, GSDSS takes into consideration internationally recognised principles governing the processing of personal data, such as purpose limitation, storage limitation, data minimisation, data accuracy and confidentiality.
CONTENTS
- Data controller and Data Protection Officer
- Data Subject
- Personal Data processed
- Purposes of processing, legitimate basis and data retention
- Recipients of Personal Data
- Transfers of Personal Data
- Data Subjects’ rights
1. Data controller and Data Protection Officer
The Data Controller of the processing activities of the data collected through the Site is GSDSS, as identified at the top of this Privacy Policy, who can be contacted, for any information concerning the processing of personal data, at the following address: amministrazione.gsdss@grupposandonato.it
The Data Controller has appointed a Data Protection Officer ("DPO"), who can be contacted at the following email address: rpd.gsdss@grupposandonato.it.
We inform you that your Personal Data are processed, in some sections of the Site, such as “Request an appointment” and “Request a second opinion”, as Independent Data Controllers by the Medical Institution of the Gruppo San Donato selected or indicated by you (hereinafter only “Medical Institution”).
In particular:
- Policlinico San Donato S.p.A.
- Ospedale San Raffaele S.r.l.
- Ospedale Galeazzi-Sant'Ambrogio S.p.A.
- Casa di Cura La Madonnina S.p.A.
- Istituti Clinici Zucchi S.p.A.
- Istituti Ospedalieri Bergamaschi S.p.A.
- Istituti Ospedalieri Bresciani S.p.A.
- Istituti Clinici di Pavia e Vigevano S.p.A.
- Istituto Clinico Villa Aprica S.p.A.
- Villa Erbosa S.p.A.
- H San Raffaele Resnati S.r.l.
- Smart Dental Clinic S.r.l.
In such cases, GSDSS will act only as a supplier of the Site and therefore as Data Processor pursuant to art. 28 GDPR.
2. Data Subject
The Data Controller processes your personal data as a user of the Site ("Data Subject").
3. Personal Data Processed
When you use the Website, GSDSS will collect and process information regarding you (as an individual) – such as a name, an online identifier or data concerning health – which allows you to be identified either by itself, or together with other information which has been collected. GSDSS may also be able to collect and process information regarding other persons in this same manner, if you choose to provide it to GSDSS.
This information may be classified as “Personal Data” and can be collected by GSDSS both when you choose to provide it (e.g., when you subscribe to the newsletter or request other Services provided by GSDSS over the Website) or simply by analysing your behaviour on the Website.
Personal Data which can be processed by GSDSS through the Website are as follows:
- Browsing data
The Website’s operation, as is standard with any websites on the Internet, involves the use of computer systems and software procedures, which collect information about the Website’s users as part of their routine operation. While GSDSS does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered Personal Data.
This information includes several parameters related to your operating system and IT environment, including your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier) addresses of resources you request on the Website, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and so on.
These data are used to compile statistical information on the use of the Website, as well as to ensure its correct operation and identify any faults and/or abuse of the Website. Save for this last purpose, these data are not kept for more than 7 business days.
- Special categories of Personal Data
Certain areas of the Website (e.g. the section “Booking”), may include free text fields, where you can write messages to GSDSS, or otherwise allow you to post various types of content on the Website, which may contain Personal Data.
Where these fields are completely free, you may use them to disclose (inadvertently or not) more sensitive categories of Personal Data as set forth in Article 9 GDPR, such as data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The content you upload in these fields may also (inadvertently or not) include other types of sensitive information relating to you, such as your genetic data, biometric data or data concerning your health, sex life or sexual orientation.
GSDSS asks that you do not disclose any sensitive Personal Data on the Website, unless you consider this to be strictly necessary. As it is totally optional to provide this information, if you nonetheless choose to do so, please note that in any case GSDSS will not be held responsible for the processing of special categories of personal data, since, in this situation, the processing will be performed on personal data made public by you in accordance with Article 9(1)(e) Regulation. In any case GSDSS underlines the importance of giving your explicit consent to the processing of special categories of personal data, if you decide to share this information.
- Other persons’ Personal Data
As mentioned in the previous section, certain areas of the Website include free text fields where you can write messages to GSDSS, or otherwise allow you to post various types of content on the Website. These messages and content may (inadvertently or not) include Personal Data related to other persons.
In any situation where you decide to share Personal Data related to other persons, you will be considered as an independent data controller regarding that Personal Data and must assume all inherent legal obligations and responsibilities. This means, among other things, that you must fully indemnify GSDSS against any complaints, claims or demands for compensation for damages which may arise from the processing of this Personal Data, brought by the third parties whose information you provide through the Website.
As GSDSS does not collect this information directly from these third parties (but rather collects it, indirectly, from you), you must make sure that you have these third parties’ consent before providing any information regarding them to GSDSS; if not, then you must make sure there are some other appropriate grounds on which you can rely to lawfully give GSDSS this information.
- Cookie
Cookie Policy is available on GSDSS’s Website at the following link.
4. Purposes of processing, legitimate basis and data retention
GSDSS intends to use your Personal Data, collected through the Website, for the following purposes:
a. To provide the services which you may request on the website
Through the sections “Request an appointment”, “Second Opinion” or “Call me back” the User is asked for his or her personal data such as: identification data (first name, last name, date of birth, gender, nationality, country of residence), contact data (e-mail address and telephone number), as well as any additional personal data that the User provides within the message text, including Special categories of Personal Data.
Legal basis: art. 6, paragraph 1, lett. b) of GDPR, "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"; and, for Special categories, art. 9, paragraph 2, lett. a) “explicit consent”.
Data retention: Personal Data will be kept for the period strictly needed to fulfill the User's request.
b. To send surveys related to the User’s care experience
The Data Controller processes your data to understand how to provide a better service based on your care experience. You can object to the processing by giving notice to the Controller, without this preventing you from accessing the care path.
Legal basis: art. 6, paragraph 1, lett. f) of GDPR “processing is necessary for the purposes of the legitimate interests pursued by the controller”.
Data retention: Personal Data will be kept for the period strictly needed to fulfill the purpose.
c. Marketing communications
The Data Controller processes your data to send you promotional and direct marketing communications, including newsletters, through automated tools (such as SMS, e-mail, telephone without operator) and non-automated tools (mail, telephone with operator) with the right to choose between all or some of said tools during the consent collection phase.
Legal basis: art. 6, paragraph 1, lett. a) of GDPR “the data subject has given consent to the processing of his or her personal data” and, for Special categories, art. 9, paragraph 2, lett. a) “explicit consent”.
Data retention: Personal Data will be kept for 24 months from the consent collection or from the withdrawal.
d. Profiling
The Data Controller processes your data to send you promotional communications personalized through the use of automated profiling mechanisms.
Legal basis: art. 6, paragraph 1, lett. a) of GDPR “the data subject has given consent to the processing of his or her personal data” and, for Special categories, art. 9, paragraph 2, lett. a) “explicit consent”.
Data retention: Personal Data will be kept for 12 months from the consent collection or from the withdrawal.
e. Extrajudicial and/or judicial ascertainment, exercise and defense of rights
The Data Controller, where necessary, processes your Personal Data, collected through the Site, in order to ascertain, exercise or defend its rights in extrajudicial and/or judicial proceedings or whenever judicial authorities exercise their jurisdictional functions.
Legal basis: art. 6, paragraph 1, lett. f) of GDPR “processing is necessary for the purposes of the legitimate interests pursued by the controller”.
Data retention: Personal Data will be kept for the period strictly limited to the duration of the litigation, until the time limits for appeal actions are exhausted.
f. Website security
The Data Controller, where necessary, processes your Personal Data, collected through the Site, in order to ensure the security of the Site.
Legal basis: art. 6, paragraph 1, lett. f) of GDPR “processing is necessary for the purposes of the legitimate interests pursued by the controller”.
Data retention: Personal Data will be kept for the period strictly needed to verify the security of the Site.
5. Recipients of Personal Data
Your Personal Data may be shared with the following list of persons / entities (“Recipients”):
- Entities which act as data processors in accordance with Article 28 of the Regulation, and specifically:
- Persons, companies or professional firms providing GSDSS with advice and consultancy regarding accounting, administrative, legal, tax, financial and debt collection matters related to the provision of the Services and which act typically as data processors on behalf of GSDSS;
- Entities engaged in order to provide the Services (e.g., hosting providers or e-mail platform providers);
- Persons authorised to perform technical maintenance (including maintenance of network equipment and electronic communications networks);
- Public entities, bodies or authorities to whom your Personal Data may be disclosed, in accordance with the applicable law or binding orders of those entities, bodies or authorities.
- Persons authorised by GSDSS to process Personal Data needed to carry out activities strictly related to the provision of the Services, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g., employees of GSDSS).
6. Transfers of Personal Data
Your Personal Data may be transferred to Recipients located in several different countries. GSDSS implements appropriate safeguards to ensure the lawfulness and security of these Personal Data transfers, such as by relying on adequacy decisions from the European Commission, standard data protection clauses adopted by the European Commission, or other safeguards or conditions considered adequate to the transfer at hand. The Operator will not transfer Your personal data outside the EU territory. In the event it is absolutely necessary, Your personal data will be processed by one of the methods permitted by the applicable legislation such as Standard Regulations Approved by the European Commission, by the entities participating in international programs of data free circulation or operating in the countries the European Commission considers to be safe. Further information may be received from the Operator or data protection officer (DPO) using the above contact details.
More information on these transfers is available upon written request to the Data Controller or to the DPO at the addresses indicated in paragraph 1.
7. Data Subjects’ rights
The User has the right, pursuant to art. 15 to 22 of the GDPR, to:
- obtain from the Data Controller the confirmation that personal data concerning him or her are being processed or not, obtain access to personal data and all information relating to the processing carried out by the data controller;
- ask the Data Controller to correct or delete the data or restrict the processing of the data concerning him or her;
- object to the processing of data, without prejudice to the right of the Data Controller to assess your request, which may not be accepted if there are compelling legitimate reasons to proceed with the processing that override your interests, rights and freedoms;
- if the data are not collected from the Data Subject, receive all available information about their origin;
- be made aware of the existence of an automated decision-making process, including the profiling referred to in art. 22, par. 1 and 4 of the GDPR, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences for such processing against the Data Subject;
- in the cases and with the limits provided for by the GDPR, the Privacy Code and any industry regulations, to obtain data portability, that is, to receive them from the Data Controller, in a structured, commonly used and machine-readable format, and transmit them to another Data Controller without hindrance;
- withdraw the consent given, at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
We also inform you that pursuant to art. 140-bis of the Privacy Code, you may lodge a complaint with the Guarantor for the Protection of Personal Data or appeal before the Judicial Authority.
Requests should be sent in writing to the Data Controller or to the DPO at the addresses indicated in paragraph 1.
Date of last update: June 26, 2025