PRIVACY POLICY

Introduction
The Company F.I.R.M.A. S.p.A. (“Company”) takes your privacy very seriously, and commits to respect it in accordance with the applicable law (Italian D. lgs. 196/2003 – Privacy Code, and Regulation 2016/679/EU). This document (“Privacy Policy”) provides information on the processing of all personal data collected by the Company through this website (“Website”, or “Site”), and constitutes an information notice pursuant to the mentioned legal instruments. In the sections of the Website where personal data are collected, a specific information notice is normally provided, which must be understood as being supplemented by this Privacy Policy.


Data Controller
The Data Controller is F.I.R.M.A. S.p.A. – Fabbrica Italiana Ritrovati Medicinali ed Affini, headquartered in Via di Scandicci 37 – 50143 Firenze, ITALY, Tel. +39 055-7399511 (“Data Controller”).


Purposes and methods of the personal data processing
The Data Controller may process your personal data including the sensitive personal data for the following purposes: management of the requests submitted through the Website (including pharmacovigilance notifications), fulfilment of the legal obligations stemming from laws, regulations, EU law. Furthermore, with your additional, optional consent, your data may also be used for institutional communications and/or promotional activities (marketing purposes), i.e. send at the address you have submitted promotional material and/or commercial information relating to the Company’s services, both by traditional (for example: hard copy mail, operator calls, etc.) and automated methods (for example: e-mail, fax, text messages, mobile and smartphone apps, social network accounts, i.e. via Facebook or Twitter, etc.).



Provision of Personal Data
Some of your personal data are necessary to manage the communications and the requests you submit. Such type of data are marked by an asterisk [*], which means that providing them is necessary to enable the Company to handle the query –otherwise, we would not be allowed to process it. Conversely, submitting data not marked by an asterisk is optional: if you do not wish to submit them there will be no consequence


Categories of processed personal data
The data that may be processed are: 1) the personal and sensitive data which you may provide when you interact with our Website and/or request some services (including registration to restricted access areas, participation to prize contests or other initiatives, use of Apps, information requests and other communications, including those submitted by means of our contact forms, etc.) 2) Navigation data, as specified under the following section


Navigation data
When you simply visit our Website (i.e. without sending any communication or using any of the services/functions available) we will only process your navigation data, i.e. the data transmitted to the Website and required to operate the computerised systems set up for the Website’s management, as well as Internet communication protocols. By way of example, the IP addresses or the domain names of the computers used to visit the Website and the other parameters relating to the operating system used to connect to the Website all fall in this category. The Company collects such and other data (for example, the number of visits and the time spent on the Website) for truly statistical purposes and in an anonymous manner in order to monitor the functioning of the Website and to improve it. In principle, the data in question are neither collected to be associated with other information of yours nor do they make your identification; however, due to their nature, such data may potentially lead to your identification if processed and associated with other data held by third parties. For this reason, navigation data are immediately de-identified after processing and may only be retrieved by the Company to ascertain, as well as identify the authors of, potential IT-related offenses committed to the detriment of the Website or through the Website. Notwithstanding the latter exception, navigation data as described above are only kept for a limited time, in compliance with the applicable legal provisions. The Site does not use cookies


Links to other Websites
The Website may include links to other sites (so-called “third party sites”). The Company does not perform any access or control on cookies, web beacons and other tracking technologies that may be used by third party sites to which you may access from the Website; it does in no way control the contents and materials published on, or obtained from, third party websites; and it does not control how your personal data are processed by such websites -thus, the Company expressly declines any liability/responsibility whatsoever which may arise in connection to all these circumstances. You should check the privacy policies of the third-party sites to which you connect through the Website and make yourself aware of the conditions applicable to the processing of your personal data. The present Privacy Policy only applies to the Website as defined above.


Retention and Storage of Personal Data
The Company ensures that the settings of its IT systems and programs are designed to minimise the use both of personal data and of any other information which may lead to your identification; all these sets of data are processed exclusively to achieve the goals for which they were obtained at the time of collection; in any event, the criteria used to determine the data’s storage period are based on the deadlines prescribed by the law, as well as on the principles of data minimisation and efficient management of our data bases.


Security and quality of personal data
The Company undertakes to protect the security of your personal data and to implement the safety measures established by the Privacy Code (with particular, but not exclusive, reference to Annex B to the Privacy Code -“Technical Disciplinary Guidelines on minimum security measures”-) and by all other applicable legal provisions in order to prevent data loss, illegal or illicit use and/or unauthorised access to your data. The Company implements appropriate technical measures, such as multiple, advanced safety technologies and procedures, to protect your personal data: for example, storing the data on servers located in rooms with restricted access and subject to controls. You may help the Company to keep the data up to date by informing it of any change to your own address, professional qualifications, contact information, etc.


Access to personal data
Your personal data are accessible within the company to those members of the staff who have been appointed as “persons in charge of the processing” and who may need to process such data in order to answer your queries or to deliver the services/functions available on the Website; in any case personal data processing is carried out only as far as necessary for the above purposes. Data may be communicated -even in Third Countries- to other companies of the Menarini Group for the same purposes as stated above and/or for administrative purposes, pursuant to art. 34.1-ter of the Privacy Code, art. 6.1.f and the Preamble’s 48th Recital of Regulation 2016/48//EU. Moreover, Data may be communicated -also in Third Countries- to (i) institutions, authorities, public entities for purposes pertaining to their institutional objectives; (ii) professionals, independent collaborators (including those working in partnership); other individuals/entities to which the Data Controller outsources technical or commercial services required to run the Website and its functions (such as IT and Cloud Computing service providers), to pursue the above-mentioned purposes and to provide the services requested by users; (iii) third parties in case of mergers/acquisitions, audits and other extraordinary operations; (iv) other companies of the Menarini Group, as specified in the Website’s Privacy Policy. Such individuals/entities will access only the personal data required to perform the relevant operations and will process them in accordance with the applicable Privacy Laws. Furthermore, data may be communicated to other recipients as permitted by the applicable laws and regulations. With the exception of the above, personal data are not shared with other Third Parties –whether legal or natural persons- which do not perform any commercial, professional or technical task on behalf of the Data Controller; in addition, data will not be disseminated. Data recipients will process data in the capacity of data controller, data processor or person in charge of the processing, as the case may be, for the above specified purposes and in accordance with the applicable Privacy Laws. As far as the potential transfer towards Third Countries is concerned --including transfers to Third Countries which may not ensure the same level of protection afforded by the Privacy Laws- the Data Controller informs that processing will take place in accordance with one of the methods set forth under Chapter V, Regulation 2016/679/EU.


User’s rights
You may at any time exercise the rights afforded by art. 7 of the Privacy Code and by arts. 15 (and following) of Regulation 2016/679/EU, such as, by way of example, receive the updated list of those who may access your Data; receive confirmation any of your personal Data is being processed by the Data Controller; verify their content, origin, exactness, location (including, where applicable, the Third Countries where the data might be), ask that the data are supplemented, updated, deleted, anonymised, frozen (if processed against the law), or to oppose to their processing for legitimate reasons, as well as to lodge a complaint with the competent Supervisory Authority. At any time, you may withdraw the consent you have previously conferred. For any requests concerning the processing of personal data by the Company, the rights afforded by the applicable law or the updated list of individuals/entities which have access to the data, you may contact the Data Controller at the addresses indicated above