UPMC Salvator Mundi International Hospital Patient Privacy Disclosure (Short Text)

SUMMARY INFORMATION ON THE PROCESSING OF PERSONAL DATA, INCLUDING SPECIAL DATA PURSUANT TO ARTICLES. 13 AND 14 OF REGULATION 2016/679 (EU) – GDPR

Dear Patient,

the Salvator Mundi international Hospital S.r.l. is a private clinic and private hospital (“SMIH”, “Hospital” or “Owner”) managed by UPMC Italy S.r.l. (hereinafter “UPMC”). The excellence of the Hospital is guaranteed by a multidisciplinary approach, by the huge investments in research and innovation, but above all by the constant dialogue with the University of Pittsburgh, the University of Pittsburgh Medical Center, the network of oncology centers and the other hospitals that are part of the UPMC Group. In carrying out its activities, the Hospital also uses networks, data and IT systems shared with the UPMC Group. Due to this integrated structure, patients who decide to contact the Hospital therefore accept that their data, even relating to particular categories, such as health data, are transferred to the UPMC Group in the United States. Given that the legislation of this country, according to the legislation of the European Union, does not guarantee an adequate level of protection of personal data, the UPMC Group has undertaken, by signing the Standard Contractual Clauses approved by the European Commission, to adopt adequate security measures to protect the personal data of patients.

The information relating to your state of health, provided by you or which will be collected from third parties (e.g. your doctor), will be processed, both with paper supports and with IT tools, to provide you with the healthcare activities requested as well as for communications and related administrative-accounting obligations. The legal basis of these treatments is represented by art. 6 lett. b) and by art. 9, co. 2, letter. h) of the GDPR (“processing necessary for the purposes of health or social diagnosis, assistance or therapy in accordance with a contract with a healthcare professional”).

For the purposes of better execution of the service, if you have indicated e-mail or mobile telephone numbers, the Data Controller will send you the preparation rules for the exams you will have to take as well as remind you of the date of your next appointments. The legal basis of the processing is the legitimate interest of the Data Controller in a better execution of the service for you, and you may object to this processing at any time by having to collect the material from the Hospital, while still being able to benefit from the care provided by the Hospital itself.

The healthcare services could take place, for educational purposes, in the presence of observers. In this case, precautions will be taken to limit any inconvenience to you, respecting any contrary wishes you may have.

Your data will be processed by the healthcare and administrative staff of the Hospital, who act on the basis of specific instructions provided regarding the purposes and methods of the processing itself and communicated to third parties, appointed as Data Processors, who provide ancillary services to the Hospital's activity (such as, for example, professionals who have been requested specific advice, etc.) or to autonomous Data Controllers, in fulfillment of legal obligations or for the protection of their rights (for example, Health Service, Institutions, Municipalities, Social security and welfare institutions, insurance companies, financial institutions, companies, businesses, or external doctors if necessary for the invoicing of services by such entities). The updated list of subjects operating as Data Processors can be requested from the Data Protection Officer or the Data Processing Contact, available at the addresses indicated below.

The processing of your personal data does not concern automated decision-making processes referred to in art. 22 of the GDPR.

Upon explicit consent, your personal data may be used for:

• scientific research activity in the medical field, which will not influence the care that will be provided to you or make further tests or treatments necessary (CONSENT 1);
• verify the quality of the care and assistance received, as well as for health planning (CONSENT 2);
• send you, via e-mail, text message or paper mail, information material relating to Hospital initiatives (CONSENT 3);
• compile your health dossier (also by inserting previous clinical events) in order to allow the hospital health workers to obtain more complete information on your state of health, thus facilitating your treatment (CONSENT 4);
• deliver your reports to you via e-mail or online (CONSENT 5);
• archive the reports online (over 45 days after the production of the document) (CONSENT 6)
• allow you to benefit from the guarantees of the insurance policy you may have subscribed to (CONSENT 7).

In relation to the aforementioned purposes (CONSENTS 1, 2, 3, 4, 5, 6 and 7) the provision of consent is free and the lack of it will not influence in any way the healthcare services that will be offered to you. On the other hand, failure to provide CONSENT 4 could negatively impact the healthcare services that will still be provided to you by the Hospital, with exemption from liability of the doctors and healthcare workers of the Hospital itself.

The information relating to your state of health will be stored in accordance with the provisions of the waste maximum adopted by the Lombardy Region relating to the health and social-health system. The data and samples processed for research purposes are kept for the duration of the research project and for 10 years following its conclusion, and are then transformed into anonymous form. The data collected to send informative material will be kept for a period of 24 months from collection. The data whose conservation is necessary for administrative, civil and tax purposes will be kept for a period of 10 years following the conclusion of the last contract for which the service was carried out.

In accordance with the provisions of the art. 80 of the Legislative Decree. 196/2003 updated by Legislative Decree. 101/2018 from the moment the data is provided, the same may be used, for administrative purposes, in the event of any further hospitalizations of your person at the hospital that occur during the data retention period.

The issued invoices and any underlying documents may be provided as copies to Banks, Insurance Companies and Financial Intermediaries for the purposes of financing operations and therefore for the exercise of related legal rights, credit protection and for anti-money laundering obligations.

Information on your state of health will only be provided to the people specifically indicated by you, without prejudice to what is required by law.

In the cases provided for, you will have the right to exercise the rights referred to in articles 15 to 22 of the Regulation by means of a simple request to be forwarded to the Treatment Contact - Health Management Area by writing to the following address: Salvator Mundi International Hospital S.r.l., Via delle Mura Gianicolensi 67/77, 00152 Rome or by sending an email to info@salvatormundi.it, or by contacting the Data Protection Officer of the Hospital by writing to: Salvator Mundi International Hospital - Personal Data Protection Officer, Viale delle Mura Gianicolensi 67/77, 00152 Rome, or by sending an email to smih_dpo@upmc.it

If you believe that the processing of personal data relating to you is in violation of the provisions of the Regulation, you have the right to lodge a complaint with the Italian Guarantor, as provided for by the art. 77 of the Regulation itself, or to take action in the appropriate judicial offices (art. 79 of the Regulation).

The data controller is Salvator Mundi International Hospital S.r.l., with registered office in 00152 Rome, Via delle Mura Gianicolensi 67/77.

This information is formulated in a concise manner. The complete information is available for all patients on the website https://upmcsalvatormundi.it/ and at all our offices responsible for receiving patients.

Last update date: FEBRUARY 2025