Privacy Policy

Privacy is serious business for us!

PRIVACY ISSUES

While we collect information relevant to the purposes of the Control Group and its mission to empower and inform through sharing our health data, it's important that this is done in anonymity and that your identity is never compromised. As a result, we limit any personally identifying data to the minimum necessary to enable our website and services to function properly (for example, we only ask for your exact address if we need to ship anything to you). Your identity will never knowingly be shared by the Control Group, unless compelled to do so via law.

We defend your privacy by saying no to Google Analytics, Facebook tracking points and other such data harvesting services.

We use a third-party bot detection system from friendlyCaptcha to stop our data being polluted by bots, usage of which is limited to initial registration only. We chose this because of their Privacy-First policy; you can read more about this at friendlycaptcha.com.

Please note that health and demographic information you provide as part of our study will be shared with third parties for comparison and analysis as per our mission, but will only be shared in a completely anonymous manner, which will never include any personal identifying information such as date of birth, address, name, email, telephone etc.

We will never share your email address with anyone unrelated to this project, but we may contact you on behalf of a third party if they require further information to assist in the assessment of health outcomes, at which time we will pass on specific privacy notices agreed with the entity conducting the study.

Any changes and updates to our Privacy Policy will be binding as soon as they are published. In the event of non-acceptance of the changes made to the Privacy Policy, the Interested Party must cease to use this Application and may request the Owner to delete his/her Personal Data.

Health Card - Privacy Policy

You are in complete control of what elements of your data are shown when your Control Group Health Card QR code is scanned, and this data will be shown alongside a copy of your Health Card so anyone attending you in any emergency can confirm that the data shown is accurate for you.

You must understand that it is your choice to allow the sharing of this data via your Health Card and it is your responsibility to keep your Health Card safe and secure. If you feel this is compromised, you will be able to cancel your Health Card at any time, causing access to your Health Data to be rejected.

You are also responsible for keeping your Health Data up to date and accurate.

Please understand that if images of your Health Card are shared anywhere online or otherwise, the QR code will still be scannable and will compromise the privacy of your health data.

On scanning of your Health Card QR code, we will display a privacy request asking the user to confirm that they will not share any of your personal data and that they respect your privacy.

We will provide you with a dashboard showing as best we can when and where your Health Card was scanned so you are aware of any potential breaches in your privacy, enabling you to act accordingly.

You can cancel a Health Card QR code at any time via your dashboard and create a new card as and when required.

EU/UK GDPR

Data collection takes place in compliance with the Protection Regulation of 2021 (EU GDPR) and the Law Enforcement Directive (LED) of 2021. The European Commission has recognised the UK legislation as adequate to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals regarding the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Note: This legislation is transposed into Italian law by Legislative Decree 101 of 2018.

Our data is stored in multiple data repositories, separating a person's health data from any personal identity-compromising information. Best practices are followed to ensure all data is encrypted at rest and that all data is transferred using secure protocols when required.

The data is collected and stored using appropriate methods that allow the person concerned to be identified only in case of need, in which case a privacy policy statement will be submitted. At present, considering the anonymity of the data, we can exclude the processing of data according to Articles 3 and 4, paragraph 1, letter b) and n) of the Privacy Code (Legislative Decree 10.08.2018 n 101).

1: Categories of Personal Data processed

The Data Controller processes the following types of Personal Data voluntarily provided by the Data Subject:

  • Contact Data: first name, last name, address, e-mail, telephone, pictures, authentication credentials, any further information sent by the Data Subject, etc.
  • Special (sensitive) data: Personal data revealing health-related data collected with the consent of the data subject. The data subject may withdraw consent at any time.

The Data Controller processes the following types of Personal Data collected automatically:

  • Technical Data: Personal Data produced by the devices, applications, tools and protocols used, such as, for example, information about the device used, IP addresses, browser type, Internet Service Provider (ISP) type. Such Personal Data may leave traces which, in particular when combined with unique identifiers and other information received by the servers, can be used to create profiles of individuals.

The Data Subject who communicates to the Data Controller the Personal Data of third parties is directly and exclusively responsible for their origin, collection, processing, communication or dissemination.

2: Cookies and similar technologies

Cookies are not used to transmit information of a personal nature, nor are persistent cookies of any kind, or systems for tracking data subjects, used. Therefore, the Application does not acquire the Personal Data of the Interested Parties using these technologies. Use is made of session technical cookies (not persistent), strictly limited to what is necessary for the safe and efficient navigation of the Application.

3: Legal basis and purpose of processing

The processing of Personal Data is necessary

  • for the execution of the contract with the Data Subject and precisely:
    1. registration and authentication of the Data Subject: to allow the Data Subject to register with the Application, access it and be identified, also via external platforms
    2. support and contact with the Data Subject: to respond to the Data Subject's requests
  • based on the legitimate interest of the Controller, for:
    1. statistics with anonymous data: to perform statistical analysis on aggregated and anonymous data

4: Processing methods and recipients of Personal Data

The processing of data is carried out following Article 13 EU general data protection regulation 2016/679 (GDPR).

The processing of Personal Data is carried out employing computerised tools with organisational methods and logic strictly related to the purposes indicated and through the adoption of appropriate security measures.

Personal Data are processed exclusively by:

  • persons authorised by the Data Controller to process Personal Data who have committed themselves to confidentiality or have an adequate legal obligation of confidentiality;
  • subjects that operate independently as separate data controllers or by subjects designated as data processors by the Data Controller to carry out all the processing activities necessary to pursue the purposes set out in this policy (for example, business partners, consultants, IT companies, service providers, hosting providers);
  • subjects or entities to which it is mandatory to communicate Personal Data by law or by order of the authorities.

The entities listed above are required to use appropriate safeguards to protect Personal Data and may only access Personal Data that is necessary to perform the tasks assigned to them.

Personal Data will not be disseminated indiscriminately in any way.

5: Location

Personal Data is processed in the UK, outside the EEA if necessary. Whenever Personal Data is transferred outside the EEA and UK territory, the Controller will take all appropriate and necessary contractual measures to ensure an adequate level of protection for Personal Data.

6: Personal Data Retention Period

Personal Data will be kept for the period necessary to fulfil the purposes for which it was collected, in particular:

  • for purposes relating to the performance of the contract between the Data Controller and the Data Subject, it will be kept for the entire duration of the contractual relationship and, after termination, for the ordinary limitation period of 10 years. In the event of legal disputes, it will be kept for the entire duration of such disputes, until the time limit for appeals has expired
  • for purposes related to the legitimate interest of the Controller, they will be kept until the fulfilment of such interest
  • for the fulfilment of a legal obligation, by order of authority and for legal protection, they shall be kept in compliance with the timeframes provided for by such obligations, regulations and in any case until the expiry of the prescriptive term provided for by the rules in force
  • for purposes based on the consent of the data subject, they will be stored until the consent is revoked.

At the end of the storage period, all Personal Data will be deleted or stored in a form that does not allow the identification of the Data Subject.

7: Rights of the Data Subject

Interested parties may exercise certain rights concerning the Personal Data processed by the Controller. In particular, the Data Subject has the right to:

  • be informed about the processing of their Personal Data
  • withdraw consent at any time
  • limit the processing of their Personal Data
  • object to the processing of their Personal Data
  • access their Personal Data
  • verify and request the rectification of their Personal Data
  • restrict the processing of their Personal Data
  • obtain the deletion of their Personal Data
  • transfer their Data to another data controller
  • lodge a complaint with the supervisory authority for the protection of their Personal Data and/or take legal action

To exercise their rights, Data Subjects may send a request to the following e-mail address: data_controller@controlgroup.coop. Requests will be taken care of by the Data Controller immediately and processed as soon as possible, in any case within 30 days.