UPMC Salvator Mundi International Hospital Patient Privacy Disclosure (Short Text)

INFORMATION NOTE FOR INFORMED CONSENT TO PERSONAL AND SENSITIVE DATA PROCESSING PURSUANT TO ARTICLES 13 AND 14 OF GENERAL DATA PROTECTION REGULATION (EU) 2016/679 (GDPR)

Dear Patient,

Salvator Mundi International Hospital ("SMIH" or "Hospital") is a private hospital and medical center managed by UPMC Italy (hereinafter "UPMC"). The standards of excellence at SMIH are guaranteed by a multidisciplinary approach, considerable investments in research and innovation, and, above all, ongoing relations with the University of Pittsburgh, UPMC (University of Pittsburgh Medical Center), and with the network of cancer centers and other hospitals of the UPMC Group. In addition, in its day-to-day operations SMIH utilizes data networks and IT systems shared with the UPMC Group. As a consequence, patients referring to SMIH are asked to authorize the transfer of their data, including sensitive and health data, to the UPMC Group in the United States of America. Due to the fact that legislation in the U.S.A. would not guarantee, according to EU regulations, an adequate level of personal data protection, by signing the Standard Contractual Clauses approved by the European Commission, the UPMC Group commits to enforce adequate safety measures to protect transferred personal data. A copy of these contractual clauses can be obtained contacting the Data Protection Officer (DPO) at the addresses indicated below.

The information on your health status provided by you or by third parties (e.g., your family doctor) will be collected on paper or electronic means. This is required for you to receive the requested care and for communications and related administrative and accounting fulfillments. The legal basis of data processing is art. 9.2(h) of the GDPR ("processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to contract with a health professional"). For training purposes, medical care may be delivered in the presence of student observers. In this event, all necessary precautions shall be taken to limit any potential inconvenience, and your will to not abide by this procedure will be respected.

The processing of your personal data does not concern automated decision-making processes pursuant to art. 22 of the GDPR.

Should you provide consent as legal basis for data processing according to art. 9.2(a) of the GDPR ("explicit consent by the data subject to data processing"), your personal data may be used:

• for scientific research that will not influence your care and require no additional tests or therapies (CONSENT #1);
• to verify the quality of care and medical treatment received, and also for planning care (CONSENT #2);
• to receive e-mails, SMS, or surface mail with informational material on SMIH initiatives (CONSENT #3);
• to receive, using the means indicated by you, information on how to prepare for a test and reminders for your upcoming appointments (CONSENT #4);
• to create your electronic file [dossier sanitario] (incorporating also previous clinical events) and allow SMIH health care providers to access updated and complete information on your health status, and provide better care (CONSENT #5);
• to receive your medical reports via e-mail or online (CONSENT #6);
• to benefit from your insurance policy, if any (CONSENT #7).

With reference to the foregoing (CONSENTS #1, #2, #3, #4, #5, #6, and #7), you are free to provide or deny consent. Failure to provide informed consent shall in no way affect your medical care. Without prejudice to the fact that you are free to provide or to deny consent, please note however that failure to sign CONSENT #5, may negatively affect the medical care you will in any case receive at SMIH, with a release of liability of the physicians and health care providers of SMIH. Please note you may withdraw your consents at any time.

Your data shall be processed by a member of the clinical and administrative staff of SMIH following specific instructions on the goals and purposes of data processing, and notified to third parties appointed data processors and providing ancillary services to SMIH (e.g., professionals asked to provide specific consults, etc.) or to independent data controllers, in fulfillment of governing law or for the protection of their rights (e.g., NHS, institutions, municipalities, social security bodies, insurance companies, financial institutions, companies, enterprises, or external medical practitioners if necessary for the billing of services by these subjects).   An updated list of all data processors can be requested to the DPO or to the Internal reference person for data processing at the addresses listed below.

The information relating to your health will be stored according to the Health Record Retention [Massimario di scarto] adopted by the Region of Lombardy for the health system. Data and samples processed for purposes of research are retained for the duration of the research project. These are transformed in anonymous form after 10 years from the conclusion of the research project. The data collected to send information materials are stored for 24 months. Data whose storage is required for administrative, civil and tax purposes, will be stored for a period of 10 years following the termination of the last contract for which the service was performed. In compliance with the provisions of art. 80 of Legislative decree 196/2003, updated by Legislative decree 101/2018, we inform you that from the moment data are provided, these may be used for administrative purposes in the event of additional hospitalizations occurring during the data storage period.

Copies of bills and related documents may be supplied to banks, insurance companies, and financial intermediaries for the purposes of financing transactions, and to exercise legal rights for protection of credit and mandatory measures against money laundering.

Information regarding your health status will only be provided to your relatives and friends listed at the end of this document, without prejudice to the provisions of law.

You have the right to request authorization to access, delete, and to limit or deny the processing of your personal data (art. 15 and following of the GDPR).

The rights may be exercised contacting the Internal reference person for data processing - Office of the Director of Health Care Activities at: Salvator Mundi International Hospital S.r.l., Via delle Mura Gianicolensi 67/77, 00152 Rome, Italy or contacting the DPO at: Salvator Mundi International Hospital S.r.l.- Responsabile della Protezione dei dati personali, Viale delle Mura Gianicolensi 67/77, 00152 Rome, Italy or emailing smih_dpo@upmc.it.

A template of the request prepared by the Italian Personal Data Protection Authority ("Garante") is available here:

https://www.garanteprivacy.it/en/home/docweb/-/docweb-display/docweb/1089924.

The data controller is Salvator Mundi International Hospital with registered office in Viale delle Mura Gianicolensi 67/77, 00152 Rome, Italy.

The complete privacy statement is available on the website www.upmc.it and at all our patient reception offices.

Last update: APRIL 2020