UPMC Salvator Mundi International Hospital Patient Privacy Disclosure (Long Text)
EXTENDED INFORMATION ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTS. 13 AND 14 OF REGULATION 2016/679 (EU) GDPR
Dear Patient,
As provided for in the European Union Regulation No. 679/2016, ‘GDPR’, Salvator Mundi International Hospital S.r.l., (P.IVA. 09023871008), with registered office in Rome (RM) - Viale delle Mura Gianicolensi 67, hereinafter ‘SMIH’ as data controller and in accordance with Articles 13 and 14, provides the following information on the methods of collection and use of information concerning you [1].
WHO IS SMIH? AND WHY WILL MY DATA BE TRANSFERRED ABROAD?
Salvator Mundi International Hospital is a private clinic and hospital (‘SMIH’ or ‘Hospital’) managed by UPMC Italy S.r.l. (hereinafter ‘UPMC’). The excellence of the Hospital is guaranteed by a multidisciplinary approach, by the considerable investments in research and innovation, but above all by the constant dialogue with the University of Pittsburgh, the University of Pittsburgh Medical Centre, the network of cancer centres and the other Hospitals that are part of the UPMC Group. In carrying out its activities, the Hospital also uses networks, data and information systems that are shared with the UPMC Group. As a result of this integrated structure, patients who decide to apply to the Centre therefore accept that their data, including data relating to particular categories, such as health data, will be transferred to the UPMC Group in the United States. The UPMC Group has committed itself, by signing the Standard Contractual Clauses approved by the European Commission, to take security measures to protect patients' personal data.
WHAT DATA WILL BE COLLECTED? AND IN WHICH WAY?
The Hospital will collect from you or acquire from third parties (e.g. your attending physician) your identification data (name, surname, contact details, etc.) as well as information relating to your state of health (pathologies, test results, diagnostic tests and ongoing therapies) and, where necessary to provide healthcare services, your sexual life or your psychological and social sphere. Your images may also be collected, which are necessary to obtain, also by means of telemedicine techniques, any advice from external professionals and to assess your state of health during treatment. In order to be able to verify your identity in a secure manner, the hospital is equipping itself with systems (e.g. bracelet with RFID chip) that record your identification information (name, surname, date of birth, patient code and service code). Such a device allows laboratory tests, test tubes, blood bags and other information to be securely associated with your person.
FOR WHAT PURPOSES ARE MY DATA PROCESSED?
a. To provide health services, for related tasks and for administrative activities.
Your personal data are processed in order to provide you with the requested healthcare services as well as for related administrative and accounting purposes. The legal basis for such processing is represented by the need to fulfil contractual services, to comply with legal obligations and to obtain financing from the Data Controller as well as to protect your rights (Art. 6, para. 1, lett. b), c) and f)) and Art. 9, para. 2, lett. h) of the GDPR (‘processing necessary for the purposes of diagnosis, care or treatment in health or social care in accordance with a contract with a health professional’).
For the purpose of improving the provision of services, we will send you by e-mail the rules of preparation for the examinations you are to carry out and we will remind you, also by means of your mobile phone number, of the date of your next visits to the Hospital, using the contact details you have provided. The legal basis of the processing is the legitimate interest of the Controller in the better performance of the service to you, and you may object to this processing at any time, in which case you will have to collect the material from the Hospital, while still being able to benefit from the treatment provided by the Hospital.
In order to achieve the aforementioned purposes, it may be necessary to communicate your data to the following entities:
- family doctors or treating physicians;
- social security and welfare institutions, insurance companies, bodies or organisations in general covering the Hospital's third party liability, as well as professionals involved in the protection of the Hospital and its staff; insurance companies, banks and financial institutions for the protection of the rights of the Hospital and its staff, companies or professionals providing accounting, administrative, tax and legal consultancy. Invoices issued to you and the underlying documents may be provided in copy to banks/financial intermediaries for the purposes of financing operations and therefore for the exercise of related legal rights, credit protection and anti-money laundering obligations;
- Health Service, Insurance Companies, bodies and organisations managing insurance policies or the services they insure, for the reimbursement of medical services provided and health control and supervisory bodies for verification activities on the provision of health services;
- Institutions, Bodies and Control and Supervisory Bodies for the verification activities on the provision of healthcare services (e.g. ASP); Certifying Bodies (e.g. Joint Commission International), for the issue of the relevant certifications and other third parties that carry out quality and appropriateness checks on the healthcare services provided, in order to promote the improvement of the quality of the services and assistance provided;
- external firms, companies, or doctors if necessary for the billing of services by such parties.
b. To conduct scientific studies and research in the medical field - (CONSENT 1)
The Hospital participates in research projects (both in-house and in collaboration with other centres within or outside the European Union), in order to improve its health services and contribute to the general development of medical knowledge. Many of these studies may be conducted using information collected in the normal course of care or as part of clinical studies. Participation in such research projects does not, therefore, in any way influence normal patient care or make it necessary for patients to undergo further examinations or treatment. Furthermore, in order to protect confidentiality, the health information and data used in such studies are stripped of the patient's identification data and marked with a code consisting of letters and numbers, which does not allow the identity of the patient to be traced directly. The list allowing this code to be associated with the patient identification data will be held exclusively by the Principal Investigator and kept as confidential documentation.
In particular, coded data are used in the information processing and filing phases, as well as in those of transmission to other subjects involved in the studies (the list of centres participating in the studies is available from the Treatment Contact Person at the addresses indicated below). Access to data directly traceable to the patient may only occur in the phase of extracting information from the original clinical documentation and in any monitoring activity (i.e. checking that the data used for the research correspond to those contained in the outpatient file), as well as when it is necessary to update the research data. Data and samples are anonymised 10 years after the conclusion of the research projects. Encryption techniques are also used to store and transfer data, thus preventing access by unauthorised parties. Research results are only disseminated in aggregate form, i.e. in a way that does not make the data subjects identifiable. In order to be able to use a patient's health information for research purposes, it is necessary that the patient has given his or her consent as the legal basis for the processing (Art. 9.2.a) of the Regulation - ‘explicit consent of the data subject to the processing’). Therefore, if you intend to allow the Hospital (in collaboration also with centres based in non-EU countries, where an adequate level of protection of personal data may not be guaranteed, according to European legislation) to use your health information that has already been collected or that will be collected in the future within the framework of the treatment activity (i.e. during other research projects in which you have participated), we kindly ask you to express your consent. We remind you that you are free to give consent or not. You may, at any time, not consent or object to the processing of your data for research purposes, without prejudice to your treatment.
The Centre also intends to participate in research projects regulated by law in the above-mentioned areas. For the use of data in the context of such studies, it is not necessary to obtain the consent of patients, as this is provided for by law (Art. 9, para. 2, lett. j) GDPR - ‘scientific research provided for by law’).
c. For the verification of the quality of care and assistance as well as for health planning - (CONSENT 2)
With your consent, we intend to use your data for activities of monitoring and evaluating the effectiveness of healthcare treatments provided, the appropriateness and quality of care as well as health risk factors, both provided for by law (for which the patient's consent is not required) and in addition to the latter. In particular, the Hospital aims to assess and compare (between population groups or between different structures) the adequacy, appropriateness, effectiveness and efficiency of the care provided, also with reference to specific pathologies or health problems. In order to be able to use patients' personal data for these purposes, it is necessary for them to express their consent, as the legal basis for the processing (Art. 9, para. 2, lett. a) GDPR - “explicit consent of the data subject to the processing”). If you wish to authorise the Hospital to process your data, including data collected in the past, in order to conduct such important analyses, which could also provide useful information for your treatment, please express your consent. If you do not give your consent, we will not be able to use your data for such analyses, but you will still be able to benefit from the care provided by the Hospital.
SMIH also intends to participate in surveillance systems and registers provided for by law. For the use of the data in the context of these activities, it is not necessary to obtain the consent of the patients, as this is required by law (Art. 9, para. 2, lett. i) GDPR - ‘processing necessary for the assurance of high standards of quality and safety of health care and of medicinal products and medical devices, required by law’).
d. To send information material - (CONSENT 3) or propose similar services to you.
Should you consent, we will send you - via e-mail, text message or paper mail - information material on projects, initiatives or services launched by the Hospital as well as on awareness and donation campaigns or on any fundraising activities (e.g. 5 x mille allocation). For this purpose, the legal basis of the processing is therefore represented by consent (Art. 6, para. 1, lett. a) GDPR - ‘explicit consent of the data subject to the processing’). The data will be stored for a period of 24 months after collection.
By the same means - via e-mail, text message or paper mail - your data may be processed in order to send you promotional communications regarding services similar to those you have benefited from at the Hospital. In this case the legal basis on which such processing is based is the Hospital's legitimate interest in proposing offers and initiatives relating to similar services to you, and you will have the right at any time to object to such processing in the manner indicated in this information notice.
e. To allow the hospital's health care workers to archive all my reports relating to services carried out in the hospital's laboratories. - (CONSENT 4)
The hospital has set up a computerised archiving tool, called the health file, which allows health workers to access documentation on the services provided at the hospital. This tool allows the health workers involved in the patient's treatment pathway to have more complete information on the state of health and on the progress of the services received (so-called clinical history), thus facilitating their treatment.
The health record can only be activated with the patient's consent.
Therefore, only if you give your consent to the establishment of your health record (as the legal basis for processing pursuant to Art. 9, para. 2, lett. a) GDPR - ‘explicit consent of the data subject to processing’), the professionals of the Hospital who will be taking care of you will be able to access the information relating to your previous episodes of treatment at SMIH in relation to the information necessary for the tasks entrusted to them, even at different times. You may freely decide that certain information or documentation relating to specific services should not be included in your health record, by asking the Medical Director to ‘black it out’ by writing to the address below or by sending an e-mail to info@salvatormundi.it. You may, in the same way, object at any time to the further implementation of the dossier, while continuing to be able to benefit from the care provided by the Hospital and from the archived documents, and you may also revoke the choices you have made at any time. You will be asked to express a specific manifestation of will for the inclusion in your file also of information subject to greater protection of anonymity (such as, for example, data relating to acts of sexual violence or paedophilia, voluntary interruption of pregnancy, HIV infections or the use of drugs, psychotropic substances and alcohol).
If you do not consent to the formation of your file, only the data relating to the specific treatment episode will be available to doctors and health professionals.
Finally, we would like to point out that the health record may be consulted, even without your consent, if this is considered essential for the protection of the health of a third party or the community.
f. For online or e-mail delivery of my reports - (CONSENT 5)
In order to facilitate relations with its patients, the Hospital has activated an online consultation service for clinical reports in digital format, accessible through the website www.upmcsalvatormundi.it, including laboratory examinations, diagnostic imaging reports, endoscopy, with the possibility of downloading the report itself for 45 days after the document has been produced.
You may also request that your report be sent to you by email. In order to guarantee the security and confidentiality of your data, the report will be transferred (i) to the email address you have indicated after validation of the same, by means of a specific on-line verification procedure; (ii) as an encrypted file; the password for opening the file will be made known to you at the time of acceptance or through a communication channel different from that used for sending the report (e.g. by text message).
In order to be able to use the services of online consultation for 45 days and emailing of your reports, your consent is required as the legal basis of the processing (Art. 6, para. 1, lett. a) and 9, para. 2, lett. a) GDPR - ‘explicit consent of the data subject to the processing’).
With regard to the aforementioned services, please note that:
- where you have subscribed to the service, the reports will always be published, unless otherwise indicated by you, to be communicated to the operator at the time of acceptance for the individual examination;
- you will be notified by text message or email (as indicated by you when you signed up for the service) of the availability of the online report. The message will contain only and exclusively the news of the availability of the document;
- the reports will be available online, in the dedicated area of the portal, for 45 days following their production. During this time, you may always request that one or more reports be blacked out;
- the service does not provide laboratory test results subject to special laws (e.g. seropositivity, drug use) nor those relating to genetic tests.
g. For online archiving of my reports (more than 45 days after document production) (CONSENT 6)
Patients who have consented to online delivery of their reports may also choose to adhere to the online archiving service of clinical reports in digital format, accessible through the website www.upmcsalvatormundi.it, including laboratory examinations, diagnostic imaging reports, endoscopy, with the possibility of downloading the report itself beyond 45 days after the production of the document.
This additional service is provided by the hospital in order to facilitate subsequent consultation of the reports and the possibility for patients to download them directly from their reserved area.
Access to online reports is allowed only to the patient by accessing his or her own personal area with the credentials provided during check-in.
The reports will be available online, in the dedicated area of the portal, from the date of their production. You may always request that one or more reports be blacked out.
In order to be able to use the services of online consultation of your reports, your consent is required as the legal basis of the processing (Art. 6, para. 1, lett. a) and 9, para. 2, lett. a) GDPR - ‘explicit consent of the data subject to the processing’).
h. To enable me to benefit from the guarantees of the insurance policy that I may have taken out - (CONSENT 7)
The data collected for the provision of healthcare services at the Hospital may be communicated to the entities that perform said services and services related to the management of said services. For example, they may be communicated to the social security and welfare institution, or to the insurance company, or health mutual society, to the bodies and organisations that manage health policies or the services reimbursed under the same, or to other national and international health bodies with which you may have signed an insurance policy, just as they may be communicated to the convention bodies in order to enforce the rights covered by the convention. This communication will be made exclusively to allow you to benefit from the guarantees of the policy, such as, for example, the reimbursement of expenses incurred or the direct payment by the aforementioned entities of the health service provided.
Health documentation concerning you may be transferred to the aforementioned subjects, as requested by them, and, in particular, medical prescriptions, descriptions of outpatient specialist and diagnostic services and, in the event of hospitalisation, a copy of your medical records. In order to proceed with the aforementioned communication, your consent is required as the legal basis for the processing (Art. 6, para. 1, lett. a) and 9, para. 2, lett. a) GDPR - ‘explicit consent of the data subject to the processing’). Lastly, we inform you that in the absence of the aforementioned consent, we will not be able to proceed with the transmission to the subjects indicated of the documentation necessary to allow you to benefit from the guarantees of the policy you have contracted.
HOW WILL MY DATA BE PROCESSED?
The processing of your data is carried out using both paper and IT tools, adopting appropriate security measures to ensure the confidentiality and security of your data.
The processing of your personal data does not involve any automated decision-making processes as referred to in Article 22 of the GDPR.
WHO CAN KNOW MY DATA?
Your personal data will be processed by the Hospital's medical and administrative staff, who will act on the basis of specific instructions on the purposes and methods of processing and are bound by professional secrecy and confidentiality. Health services may be carried out in the presence of observers for educational purposes. In this case, precautions will be taken to limit any inconvenience to you, respecting any wishes to the contrary.
Your data may also be communicated, in addition to the subjects already indicated in point a), to third parties who, in their capacity as Data Processors or Authorised Processing Agents, provide accessory services to the Hospital's activities, such as
- professionals who have been asked for specific advice
- voluntary associations for patient assistance activities
- companies that perform maintenance activities, and
- other subjects who provide services instrumental to the Hospital's activity.
Your data may also be disclosed to autonomous data controllers in fulfilment of legal obligations or for the protection of your rights in court (e.g. Institutions, Municipalities, Health Records, Insurance Companies and bodies managing insurance benefits, companies, or external doctors).
An up-to-date list of the hospitals that are part of the UPMC Group, of the persons appointed as Data Processors and of the other third parties to whom your data may be communicated, can be obtained from the Data Processing Contact - Health Management or the Data Protection Officer, who can be reached at the addresses indicated below.
TRANSFER OF DATA OUTSIDE THE EU
The Hospital has entered into standard contractual clauses with its parent company UPMC, U.S. Steel Tower, 60th Floor, 600 Grant Street, Pittsburgh Pennsylvania 15219, USA (‘data importer’), in order to regulate the flow of data subject to transfer. We therefore inform you that the following categories of data may be sent [2]: patient details, diagnosis, operative notes, investigations, requested examinations and their results, disease progression status, treatment plans, diagnostic images, procedures, drugs used, billing information, name of the doctor treating the patient.
The Standard Contractual Clauses provide for adequate levels of data subject protection also vis-à-vis the data importer and allow for the exercise of the rights provided for in the legislation.
TO WHOM WILL YOU PROVIDE INFORMATION ABOUT MY HEALTH STATUS?
We will only provide information about your health status to family members and acquaintances indicated by you, except as required by law.
HOW LONG WILL YOU KEEP MY DATA?
In addition to the above, we would like to inform you that your personal data will be stored in accordance with the discard ceiling adopted by the Lombardy Region in relation to the health and sociosanitary system (discard ceiling ‘Version 04’ of the ‘Title and ceiling of the Lombardy Sociosanitary System, formerly the Health and Sociosanitary System of the Lombardy Region’, approved by Decree of the D. G. Welfare no. 11466 of 17.12.2015 and subsequent amendments) and by the ‘Document published by the General Directorate for Archives, selection handbook for the archives of local health authorities and hospital authorities’ (the so-called Schola Salernitana), available at: http://www.archivi.beniculturali.it, as amended by other regulatory sources.
Further information can be obtained by contacting the Data Processing Contact - Health Management or the Data Protection Officer, who can be contacted at the addresses below.
Data whose storage is necessary for administrative, civil and tax purposes will be kept for a period of 10 years after the conclusion of the last contract for which the service was provided.
Furthermore, in accordance with the provisions of Article 80 of Legislative Decree 196/2003 updated by Legislative Decree 101/2018, we inform you that from the moment the data is provided, it may be used, for administrative purposes only, in the event of any further admissions of your person to the Hospital that occur during the data retention period.
In the case of processing for marketing purposes (Consent 3), the data will be kept until consent is revoked and in any case for a period of time not exceeding two years.
WHAT RIGHTS DO I HAVE UNDER THE LAW?
Articles 15 et seq. of the Regulations [3] give you the right to obtain:
- confirmation that the Hospital's archives (both paper and electronic) contain personal data concerning you, to obtain a copy of them on paper or electronic media and to obtain information regarding the processing (purposes, categories of data, recipients, storage period, etc.);
- rectification, integration of data;
- deletion of the data if consent is withdrawn and there is no other legal basis for the processing;
- where applicable, a copy of the personal data in a structured format.
We also remind you that you may revoke any consent already given at any time or object to the processing of your data based on the legitimate interest of the Controller.
If the conditions are met, you also have the right to lodge a complaint with the Garante [4] per la protezione dei dati personali, as supervisory authority, in accordance with the established procedures. A model for the exercise of rights prepared by the Garante can be found at the following address: https://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-tuoi-dati-personali.
Where your dossier has been created you will be able to:
- revoke consent to its implementation;
- request the redaction of some clinical events;
- ask to see the accesses that have been made.
If you have consented to the use of your data for research purposes and to verify the quality and appropriateness of treatment and assistance as well as for health planning, you may:
- revoke consent, at any time, to the processing of your data and biological materials for research purposes, without this resulting in any prejudice to your care;
- request the rectification and integration of the data: in this case the modification requests will be noted without modifying the data, when the result of these operations does not produce significant effects on the result of the research;
- request the anonymization of your data used for research purposes;
- obtain information on the projects in which your data have been used as well as the list of centers participating in such projects.
The Data Controller has appointed a Data Protection Officer who can be contacted by you for any need for clarification or to exercise your rights by writing to the email address: smih_dpo@upmc.it.
HOW CAN I EXERCISE MY RIGHTS?
Your rights may be exercised by means of a simple request to be forwarded to the Data Controller - Healthcare Management Area by writing to the following address: Salvator Mundi International Hospital S.r.l., Via delle Mura Gianicolensi 67/77, 00152 Rome or by sending an email to info@salvatormundi.it, or by contacting the Data Protection Officer of the Hospital by writing to: Salvator Mundi International Hospital - Personal Data Protection Officer, Viale delle Mura Gianicolensi 67/77, 00152 Rome; or by sending an email to smih_dpo@upmc.it.
CONTACTS OF THE DATA CONTROLLER
The data controller is Salvator Mundi International Hospital S.r.l., with registered office in 00152 Rome, Via delle Mura Gianicolensi 67/77.
Last update date: JANUARY 2025
[1] Specific documents will be given to you if you are involved in particular activities (e.g. for the possible performance of genetic tests or enrolment in clinical drug trials).
[2] Annex 1, Standard Contractual Clauses between Salvator Mundi International Hospital ("data exporter") and UPMC ("data importer").
[4] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524
