UPMC Hillman Cancer Center Villa Maria Patient Privacy Disclosure (Short Text)

INFORMATION NOTE PURSUANT TO ART. 13 AND 14 OF EU REGULATION GDPR 2016/679

Dear patient,

UPMC Hillman Cancer Center Villa Maria (hereinafter "Center") that provides innovative radiotherapy treatments and advanced care protocols such as image-guided radiation therapy and intensity-modulated radiation therapy (IGRT/IMRT), and stereotactic radiosurgery (SRS).

The Center is accredited by Joint Commission International (JCI), an international body that certifies excellence of health care organizations, and their compliance with high standards of quality and safety recognized by the international scientific community. The Center's excellence is also guaranteed by a multidisciplinary approach to cancer treatment, by large investments in research and innovation, but above all by the daily interaction with the University of Pittsburgh, the University of Pittsburgh Medical Center (UPMC) and the network of UPMC's cancer centers (over 60 centers in the United States, Ireland and Italy - collectively referred to as the "UPMC Oncology Network"). In its day-to-day operations, the Center also utilizes data networks and information technology systems shared with the UPMC Group. As a consequence, patients referring to the Center are asked to authorize the transfer of their data, including sensitive data (such as health-related data), to the UPMC Group in the United States of America. Due to the fact that legislation in the U.S.A. does not guarantee, according to EU regulations, an adequate level of personal data protection, by signing the Standard Contractual Clauses for Data Transfers Between EU and non-EU Countries available at https://eur-lex.europa.eu/legal-content/IT/TXT/HTML/?uri=CELEX:32021D0914&from=IT the UPMC Group commits to enforce safety measures for patient personal data protection.  A copy of these contractual clauses can be obtained contacting the Data Protection Officer (DPO) at the addresses indicated below.

The information on your health status provided by you or by third parties (e.g. your family doctor) will be collected on paper or electronic means. This is required for you to receive the requested care and for communications and related administrative and accounting fulfillments. The legal basis for data processing is art. 6.1(b) of the Regulation ("processing is necessary for the performance of a contract to which the data subject is party') and, as regards the exemption from the prohibition on the processing of special categories of personal data, of art. 9.2(h) of the Regulation (“processing is necessary for the purposes of medical diagnosis, the provision of health or social care systems and services pursuant to contract with a health professional”).

For training purposes, medical care may be delivered in the presence of student observers. In this event, all necessary precautions shall be taken to limit any potential inconvenience, and your will to not abide by this procedure will be respected.

Furthermore, if you consent, as the legal basis for the processing, art. 6.1(a) of the Regulation and, as regards the exemption from the prohibition on the processing of special categories of personal data, art. 9.2(a) of the Regulation (“explicit consent of the data subject to processing”) your personal data may be:

• stored by the Center for scientific research that will not influence your medical care and will require no additional tests or therapies (CONSENT #1); If you decide to consent, your data (including genetic data) may be used without your consent for research activity authorized by legal provisions, see articles 6.1(e) and 9.2(j) of the Regulation;in all other cases, your data (including genetic data) may only be used with your prior permission. For this reason, you will be asked to provide your contact details in order to be reached and asked if you wish to participate in research activities that require your consent;
• request a consult from external professionals to evaluate your state of health during treatment, also electronically with facilities not part of the UPMC Oncology Network (CONSENT #2);
• receive e-mails, texts or mail containing informational material on the Center's initiatives (CONSENT #3);

In relation to the purposes outlined in CONSENTS #1 and #3 (data retention for scientific research activity and sending informational material) you are free to grant or withhold consent; the lack of consent will not affect the medical care you will receive in any way. Without prejudice to the fact that you are free to provide or to deny consent, please note however that failure to sign CONSENT #2 (consult by external professionals), may negatively affect the medical care you will in any case receive at the Center, with a release of liability of the physicians and health care providers of the Center. Please note you may withdraw your consents at any time.

Your personal data may also be processed to assess the quality of care and care provided, as well as for treatment planning. In this case, your consent is not required, as "the processing is necessary for the pursuit of the legitimate interest of the data controller or a third party", see art. 6.1(f) of the Regulation. In this case, you may object at any time to the processing for reasons related to your particular situation, and UPMC will be required to cease further use of the data, unless it can demonstrate the existence of compelling legitimate grounds to continue processing.

Your data shall be processed by a member of the clinical and administrative staff of the Center, acting in compliance with specific instructions on the objects and purposes of the data processing, and notified to third parties, appointed data processors, and providing ancillary services to the Center (e.g. professionals asked to provide specific consults, etc.) or to independent data controllers, in fulfillment of governing law or for the protection of their rights (e.g., NHS, institutions, municipalities, social security institutions, insurance companies). The updated list of these entities can be requested from the DPO, available at the contact details provided below.

Your health information will be stored for a maximum of 13 years. The data collected to send information materials are stored for 24 months.

Information regarding your health status will only be provided to your relatives and friends listed at the end of this information note, without prejudice to the provisions of law. You have the right to request authorization to access, delete, and to limit or deny the processing of your personal data (art. 15 and following of the Regulation). Requests must be submitted contacting the DPO of the Center at the following address: UPMC Hillman Cancer Center Villa Maria - Responsabile della Protezione dei dati personali, Contrada Pozzillo, 83036 Mirabella Eclano AV, or e-mailing DPO@upmcvillamaria.it.

The dedicated form is available in the "Forms" section on the website of the Italian Data Protection Authority (www.garanteprivacy.it).

Data subjects deeming the processing of their personal data violates the provisions of the Regulation have the right to file a complaint with the Italian Data Protection Authority ("Garante") using the form available in the "Forms" section of the website www.garanteprivacy.it), as provided under art. 77 of the Regulation. Alternatively, legal action may be pursued before the competent court, as provided under art. 79 of the Regulation.

The data controller is UPMC Italy S.r.l., with registered office in Discesa dei Giudici 4, 90133 Palermo, Italy.

Detailed information is included in the longer version of the information note available on our website for your consultation.

Last update: February 2025