UPMC Salvator Mundi International Hospital Patient Privacy Disclosure (Long Text)

PRIVACY POLICY ARTT. 13 E 14 DEL REG. 2016/679 (EU) – GDPR

Dear Patient,

As provided in the European Union Regulation no. 679/2016, "GDPR", Salvador Mundi International Hospital Srl, (VAT number 09023871008), with registered office in Rome (RM) - Viale delle Mura Gianicolensi 67, hereinafter "SMIH" as data controller according to articles 13 and 14, provides the following information on how to collect and use the information concerning you.¹

WHO IS SMIH? AND WHY MY DATA WILL BE TRANSFERRED?

Salvator Mundi International Hospital is a private clinic and private hospital ("SMIH" or "Hospital" or “Data Controller”)) managed by UPMC Italy S.r.l. (hereinafter "UPMC"). The hospital's excellence is guaranteed by a multidisciplinary approach, investments in research and innovation, constant dialogue with the University of Pittsburgh, the University of Pittsburgh Medical Center, the network of oncological centers, and other hospitals that make part of the UPMC Group. In its activity, the hospital also uses networks, data, and computer systems shared with the UPMC Group. Because the structures are integrated, patients who decide to contact the Center accept that their data, including those relating to particular categories, such as data about healthcare, will be transferred to the UPMC Group in the United States. To guarantee an adequate level of protection of personal data transferred to the United States, the UPMC Group has signed Standard Contractual Clauses approved by the European Commission.

WHAT DATA WILL BE COLLECTED? HOW?

The hospital will collect the data communicated by the patient or by third parties (for example, your doctor). The Hospital can collect identification data (name, surname, contact details, etc.) as well as information relating to your state of health (pathologies, results of examinations, diagnostic tests and therapies in progress) and, if necessary to provide health services, to your life. Moreover, your images can be collected, if necessary, to obtain, even with telemedicine techniques, any consultations from external professionals and to control your state of health during treatment. To verify your identity securely, the hospital is equipping with systems (es. bracelet with an RFID chip) that record information for your identification (name, surname, date of birth, patient code and service code). This device allows you to safely associate laboratory tests, test tubes, blood bags and other information to your person.

FOR WHAT PURPOSES ARE MY DATA PROCESSED?

a. To provide health services and related obligations, administrative activities, security of company assets:

Your data are processed to provide you with the health services requested as well as for the related administrative and accounting purposes. The legal basis of these treatments is represented by the necessity of follow up on contractual services, to fulfill legal obligations and to obtain funding for the Data Controller as well as to protect its rights (Article 6, paragraph 1, letters b), c) and f)) and from 'art. 9 co. 2, lett. h) of the GDPR ("treatment necessary for purposes of diagnosis, assistance or health or social therapy following a contract with a health professional").

To improve the provision of services, we will send you by email the preparation rules for the exams that you will have to carry out and we will remind you, also through your mobile phone number, of the date of your next visits to the hospital or in video consultation, using the contact details indicated by you. The legal basis of the processing is the legitimate interest of the Data Controller in better execution of the service and you can oppose this treatment at any time by having to collect the material at the Hospital, still being able to take advantage of the care provided by the Hospital. same.

About that, it may be necessary to communicate your data to the following subjects:

• Family doctors or treating doctors;
• Social security and welfare institutions, insurance companies, bodies or organizations in general that cover civil liability towards third parties of the Hospital, as well as professionals who may be involved in the protection of the Hospital and its staff; insurance companies, banks, and financial institutions for the protection of the rights of the hospital and its staff, companies or professionals who carry out accounting, administrative, tax, and legal consultancy. The invoices issued to you and the underlying documents may be provided in copies to banks / financial intermediaries for financing transactions and therefore for the exercise of related legal rights, credit protection, and anti-money laundering obligations;
• Health Service, Insurance, organization that manage insurance policies or the services they insure, for the reimbursement of medical services provided and health control and surveillance bodies for verification activities on the provision of health services;
• Institutions and Supervisory Organization for verification activities on the provision of health services (eg. ASP); Certifying bodies (eg Joint Commission International), for the issue of the related certifications and other third parties who carry out quality and appropriateness checks of the health services provided, to promote the improvement of the quality of services and assistance provided;
• Firms, companies, or external doctors if necessary for the billing of services by these subjects.

At the headquarters of Data Controller there are also active external video surveillance systems that monitor the perimeter of the company structure. The shots have the sole purpose of improving and ensuring the safety of the external areas of the building as well as ensuring the integrity and protection of the corporate assets. The video footage, concerning the places where the cameras are installed, may relate to your person, means of transport and other assets in the area affected by the surveillance. The registrations are communicated to the staff of the company if it is necessary to ascertain any offenses or to the judicial authority in the event of a specific request by the latter; apart from these hypotheses, the data will not be communicated. The legal basis of this processing is the legitimate interest of SMIH in protecting the company assets and guaranteeing the safety of the premises (Article 6, paragraph 1, letter f) of the GDPR).

b. To conduct scientific studies and research in the medical field - (CONSENT 1)

The hospital participates in research projects (both internal and in collaboration with other centers located within the European Union or outside the latter), to improve its health services and contribute to the general development of medical knowledge. Many of these studies can be conducted using information collected the course of normal care activities or in the context of clinical studies. Participation in such research projects does not, therefore, influence in any way the normal care of patients make it necessary to submit them to further examinations or treatments. In addition, to protect confidentiality, the information and health data used in these studies are deprived of the patient's identification data and marked with a code consisting of letters and numbers, which does not allow to directly trace the patient's identity. The list that allows this code to be associated with patient identification data will be held exclusively by the principal investigator and kept as confidential documentation. The list of studies in progress at SMIH is available at the hospital. Furthermore, if interested, you can meet the principal investigator to obtain further information or contact the Controller.

In particular, encoded data are used in the processing and archiving phases of the information, as well as in those of transmission to other subjects involved in the studies (the list of centers participating in the studies can be found at the Data Processor at the addresses indicated below). Access to data directly attributable to the patient can only take place in the phase of extracting information from the original clinical documentation and in any monitoring activity (i.e. checking the correspondence of the data used for research with those contained in the outpatient card) as well as where it becomes necessary to update the research data. The data and samples are transformed into anonymous form 10 years after the conclusion of the research projects. Furthermore, encryption techniques are adopted to store and transfer data, thus preventing access to unauthorized parties. The research results are disseminated only in aggregate form, or in ways that do not make the interested parties identifiable.

To use the health information of a patient for research purposes, the latter must give his consent, as the legal basis of the treatment (Article 9.2.a) of the Regulation - "explicit consent of the data subject"). Therefore, if you intend to allow the Hospital (also in collaboration with centers based in non-EU countries, in which an adequate level of protection of personal data may not be guaranteed, according to European legislation) to use your health information already collected or that will be collected in the future as part of the treatment activity (or in the course of other research projects in which you have participated), please give your consent. We remind you that you are free to give consent or not. You may not consent or oppose, at any time, the processing of your data for research purposes, without this, resulting in any prejudice to your care.

The Center also intends to participate in research projects regulated by law, always in the areas indicated above. For the use of data in the context of these studies, it is not necessary to collect the consent of patients as provided for by the legislation (Article 9, paragraph 2, letter j) GDPR - "scientific research required by law").

c. For the verification of the quality of care and assistance (CONSENT 2)

With your consent, we intend to use your data for monitoring and evaluating the effectiveness of the health treatments provided, the appropriateness and quality of care as well as the health risk factors, both provided for by law (for which the patient's consent is not required) and further to the latter. In particular, the hospital aims to evaluate and compare (between population groups or between different structures) the adequacy, appropriateness, effectiveness and efficiency of the assistance provided, also concerning specific pathologies or problems. To use the personal data of patients for these purposes, they must express their consent, as the legal basis of the processing (Article 9, paragraph 2, letter a) GDPR - "explicit consent of the data subject"). If you wish to authorize the hospital to process your data, including those collected in the past, to conduct such important analyzes, which could also provide useful information for your care, please give your consent. If you do not give your consent, we will not be able to use the data for the aforementioned analyzes, but you will still be able to take advantage of the care provided by the hospital. SMIH also intends to participate in surveillance systems and registers required by law. For the use of data in the context of these activities it is not necessary to collect the consent of patients as required by law (Article 9, co. 2, lett. i) GDPR - "treatment necessary for the guarantee of high quality and safety parameters of health care and medicines and medical devices, required by law").

d. To send informative material - (CONSENT 3)

If you consent, we will send you - via e-mail, text message, paper mail - information material on projects, initiatives, or services launched by the Hospital as well as on awareness and donation campaigns or fundraising activities (for example, the destination of the 5 x one thousand). For this purpose, the legal basis of the processing is therefore represented by consent (Article 6, paragraph 1, letter a) GDPR - "explicit consent of the data subject"). The data will be kept for a period of 24 months from collection. If you do not give your consent, we will not be able to send you the aforementioned material.

In addition, in the same way - by e-mail, text message, or paper mail - your data may be processed to send you promotional communications relating to services similar or similar to those you benefited from at the hospital. In this case, the legal basis on which this treatment is based is the legitimate interest of the Hospital in proposing offers and initiatives relating to the services and you will have the right at any time to oppose this treatment in the manner indicated in this statement.

e. To allow hospital health workers to consult the documentation relating to all health services that will be provided to me at the hospital, thus having a more complete picture of my state of health - (CONSENT 4)

The hospital is activating an IT archiving tool, called a health dossier, which allows health professionals to access all documentation relating to the services provided at the hospital, even in the past. This tool, which allows healthcare professionals to have more complete information on the patient's state of health (so-called clinical history), thus facilitating treatment, can only be activated with the patient's consent.

Therefore, only if you give your consent to the constitution of your health record (as the legal basis of the treatment according to art. 9, co. 2, Lett. A) GDPR - "explicit consent of the data subject"), the Hospital professionals who will treat you will be able to access information relating to your treatment episodes at SMIH, even at different times. You can freely decide that certain information is not included in your health dossier, by asking the Health Director for "obscuration", by writing to the address below, or by sending an email to info@salvatormundi.it. You may, in the same way, oppose, at any time, the further implementation of the dossier, while still being able to take advantage of the care provided by the Hospital, as well as revoke the choices made at any time. You will be asked to express a specific manifestation of will for the inclusion in your dossier also of information subject to greater protection of anonymity (such as, for example, data relating to acts of sexual violence or pedophilia, voluntary termination of pregnancy, HIV infections or the use of drugs, psychotropic substances and alcohol).

If you do not consent to the formation of your dossier, only the data relating to the specific treatment episode will be available to doctors and healthcare professionals. Without prejudice to the fact that you are free to give your consent to the creation of the dossier, we draw your attention to the fact that the lack of knowledge by the aforementioned subjects of certain examinations or episodes of treatment could negatively affect the assistance provided, with exemption from liability of this 'last.

Finally, we point out that the health dossier could be consulted, even without your consent, if this is deemed essential for the protection of the health of a third party or the community.

f. To send reports online or by email - (CONSENT 5)

To facilitate relations with its patients, the hospital has activated an online consultation service for clinical reports in digital format, accessible through the website www.upmc.it, including laboratory tests, diagnostic imaging reports, endoscopy, with the possibility of downloading the report for 45 days following the production of the document.

You may also request that your report be sent to you by email. To ensure the security and confidentiality of your data, the report will be transferred (i) to the email address indicated by you after validation of the same, through a specific online verification procedure; (ii) which encrypted file; the password for opening the file will be made known to you at the time of acceptance or through a communication channel other than that used for sending the report (eg via SMS). To use the online consultation services and to send your reports by email, your consent is required as the legal basis of the processing (articles 6, paragraph 1, letter a) and 9, co. 2, lett. a) GDPR - "explicit consent of the data subject").

Concerning the aforementioned services, it is specified that:

• where you have signed up for the service, the reports will always be published, unless otherwise indicated by you, to be communicated to the operator at the time of acceptance to carry out the single exam;
• will be notified by text message or email (depending on when you indicated when joining the service) of the availability of the online report. The message will contain only and exclusively the news of the availability of the document;
• the reports will be available online, in the dedicated area of the portal, for 45 days following production. In this period, you can always request the blackout of one or more reports;
• the service does not provide laboratory test results subject to special laws (eg seropositivity, drug use) or those relating to genetic tests.

g. To allow me to benefit from the guarantees of the insurance policy - (CONSENT 6)

The data collected for the provision of health services at the hospital may be disclosed to those who perform services related to the management of the same. For example, they may be communicated to the social security and welfare body, or the insurance company, or mutual health care, to the bodies and organizations that manage the health policies or the services reimbursed under them, or to other national and international health bodies with which you have possibly signed an insurance policy, as well as may be communicated to the agreement bodies to assert the rights covered by the agreement. This communication will take place exclusively to allow you to benefit from the guarantees of the policy, such as, for example, the reimbursement of expenses incurred or the direct payment by the aforementioned bodies of the health service provided.

The health documentation concerning you may be transferred to the aforementioned subjects, as requested by the latter, and, in particular, medical prescriptions, description of specialist and outpatient diagnostic services as well as, in case of hospitalization, a copy of the medical record. To proceed with the aforementioned communication, your consent is required as the legal basis of the processing (articles 6, co. 1, Lett. A) and 9, co. 2, lett. a) GDPR - "explicit consent of the data subject"). Finally, we inform you that in the absence of the aforementioned consent, we will not be able to proceed with the transmission to the indicated subjects of the necessary documentation to allow you to benefit from the guarantees of the policy you have contracted.

HOW WILL MY DATA BE PROCESSED?

The data processing is performed both with paper supports and with IT tools, adopting suitable security measures to guarantee the confidentiality and security of your data.

The processing of your personal data does not concern automated decision-making processes according to art. 22 of the GDPR.

WHO CAN KNOW MY DATA?

Your personal data will be processed by the hospital's health and administrative staff following specific instructions provided regarding the purposes and methods of processing and are required to respect professional secrecy and confidentiality. Health services may take place in the presence of observers for educational purposes. In this case, precautions will be taken to limit any inconvenience, respecting any contrary will of yours.

Your data may also be disclosed, in addition to the subjects already indicated in lett. a), to third parties, who, as Data Processors or Authorized, provide ancillary services to the Hospital's activities, such as:

• professionals who have been asked for specific advice,
• voluntary associations for patient assistance activities,
• companies that carry out maintenance activities
• other subjects who provide services that are instrumental to the hospital's activities

Your data may also be disclosed to other data Controller in fulfillment of legal obligations or for the protection of their rights in court (for example, Institutions, Municipalities, Sick Registers, Insurance Companies and entities and bodies for the management of insurance benefits, firms, companies, or external doctors if necessary for the billing of services by these subjects).

The updated list of the hospitals that are part of the UPMC Group, of the persons appointed as Data Processors and other third parties to whom your data may be disclosed, is available from the Data Processor - Health Department or the Head for the protection of data, reachable at the addresses indicated below.

TRANSFER OF DATA OUTSIDE THE EU

The Hospital has signed standard contractual clauses as "data exporter" with the parent company UPMC, U.S. Steel Tower, 60th Floor, 600 Grant Street, Pittsburgh Pennsylvania 15219, USA (“data importer”), to regulate the flow of data being transferred. Therefore, we inform you that the following categories of data may be sent²: patient data, diagnosis, operational notes, investigations, required examinations and related results, disease progression status, therapeutic plans, diagnostic images, procedures, drugs used, billing information, name of the doctor treating the patient.

The standard contractual clauses provide for adequate levels of protection for the interested parties also against the importer date and allow the exercise of the rights provided for by the law.

WHOM WILL YOU PROVIDE INFORMATION ABOUT MY HEALTH STATUS?

We will provide information on your state of health only to family members and acquaintances indicated by you, except as required by law.

HOW LONG WILL YOU PROCESS MY DATA?

In addition to the foregoing, we inform you that your personal data will be kept following the provisions of the waste data sheet adopted by the Lombardy Region relating to the health and socio-sanitary system (waste collection "Version 04" of the "Title and Massimary of the Lombard Social and Health System , formerly the Health and Social Health System of the Lombardy Region", approved by Decree of DG Welfare no. 11466 of 17.12.2015 and sim) and by the" Document published by the general directorate for archives, handbook for selection for the archives of local health companies and of hospitals "(so-called Salernitana School), available at: http://www.archivi.beniculturali.it, as possibly modified by other regulatory sources. More information can be obtained by contacting the Data Processor - Health Department or the Data Protection Officer, who can be contacted at the addresses indicated below.

Data retention is necessary for administrative, civil and tax purposes will be kept for a period of 10 years following the conclusion of the last contract for which the service was performed.

Furthermore, following the provisions of art. 80 of Legislative Decree. 196/2003 updated by Legislative Decree. 101/2018 we inform you that from the moment of providing the data, the same may be used, for administrative purposes, in the event of any further admissions of your person to the hospital that occur during the data retention period.

YOUR RIGHTS

Articles 15 and ss. of the Regulation³ give you the right to obtain:

• confirm that personal data concerning you are contained in the archives of the Hospital (both paper and electronic), to obtain a copy on paper or electronic media and to obtain information relating to the processing (purposes, categories of data, recipients, retention period, etc. .);
• the rectification, integration of data;
• the deletion of data in the event of withdrawal of consent if there is no other legal basis for the processing;
• where the conditions are met, copy of the personal data in a structured format.

We also remind you that you can revoke the consent already given at any time or oppose the processing of data based on the legitimate interest of the Data Controller.

Always fulfilling the conditions, he also has the right to lodge a complaint with the Guarantor⁴ for the protection of personal data, as supervisory authority, according to the established procedures. A model for the exercise of rights prepared by the Guarantor Authority can be found at the following address: https://www.garanteprivacy.it/en/home/docweb/-/docweb-display/docweb/1089924

If your dossier has been created, you can:

• withdraw consent to the implementation of the same;
• ask for some clinical events to be blacked out;
• Ask to view the accesses that have been made.

If you have consented to the use of your data for research purposes and for verifying the quality and appropriateness of care and assistance as well as for health planning, you can:

• withdraw your consent, at any time, to the processing of your data and your biological materials for research purposes, without this resulting in any prejudice to your care;
• request the rectification and integration of the data: in this case the requests for changes will be noted without changing the data, when the result of these operations does not produce significant effects on the search result;
• ask for the anonymization of your data used for research purposes;
• obtain information on the projects in which your data were used as well as the list of centers participating in these projects.

The Data Controller has appointed a Data Protection Officer who can be contacted by you for any clarification or to exercise your rights by writing to the e-mail address: smih_dpo@upmc.it.

HOW CAN I EXERCISE MY RIGHTS?

You can sand a simple request to the Data Controller (Health Management Area) writing to the following address: Salvator Mundi International Hospital Srl, Via delle Mura Gianicolensi 67/77, 00152 Rome or sending an email to info@salvatormundi.it, or contacting the Hospital's Data Protection Officer writing to Salvator Mundi International Hospital - Personal Data Protection Officer, Viale delle Mura Gianicolensi 67/77, 00152 Rome; or sending an email to smih_dpo@upmc.it.

CONTACTS

The data controller is Salvator Mundi International Hospital S.r.l., with registered office in 00152 Rome, Via delle Mura Gianicolensi 67/77.

Last update: MAY 2020

---

[1] Specific documents will be delivered to you if you are involved in particular activities (for example, for the possible execution of genetic tests or enrollment in clinical trials of drugs).

[2] Annex 1, Standard Standard Contractual Clauses between Salvador Mundi International Hospital ("data exporter") and UPMC ("data importer").

[3] https://www.garanteprivacy.it/documents/10160/0/Conosci+i+principali+diritti+previsti+dal+Regolamento+UE+2016+679

[4] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524