Information pursuant to articles 13 and 14 of Regulation (EU) 2016/679 - Privacy policy of the BRM Follow-up mobile app
This disclosure provides, pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter referred to, for the sake of brevity, simply as "GDPR"), the information
relating to the processing of personal data connected to the use of the BRM Follow-up mobile application.
The data controller
The data controller is BRM Extremities Srl (VAT number 08683610961), based in Civate (LC), in via Papa Giovanni XXIII n. 9 23862, tel.: 0341 1693087, ordinary e-mail:
info@brm-extremities.com, PEC: brlextremitiesrl@legalmail.it, in the person of its pro tempore legal representative.
The interested parties and the data processed
The interested parties are the natural persons whose personal data the Data Controller processes through the BRM Follow-up application and its functions, who
are identified or identifiable:
a. the doctors who register on the application (hereinafter referred to, for brevity, simply as the "Doctors" or, in the singular, as the "Doctor");
b. patients, whose data are entered by the Doctors for the management of the follow-up (hereinafter indicated, for the sake of brevity, simply as the "Patients" or, in the singular, as the "Patient").
The Doctors' data processed through the BRM Follow-up application are common personal data (name and surname, country of origin, e-mail address,
password, profile picture, type of prosthesis with which the individual doctor works, etc.).
Patient data processed through the BRM Follow-up application are common personal data (name and surname, date of birth, e-mail address and - optionally -
telephone number) and particular data (sex, age and weight of the patient, date of the operation, implanted medical device, any images of the operation, x-rays
and other diagnostic tests, video recordings of the patient limited to the area affected by the operation or through measures aimed at preventing the recovery of
the face or other characteristic elements); the e-mail address of the Patient is collected and processed to send the confirmation of the manifestation of consent to
the registration of the same and to allow him to possibly exercise his rights.
The Owner recommends that the Doctor take the images and film the Patient, limiting the area to be filmed to a minimum and absolutely avoiding filming the face
and other characteristic bodily elements (tattoos, other identifying elements).
At the time of saving the Patient's data in the mobile application, the Doctor declares that he is entitled to store and in any case process the Patient's data by means
of this tool.
Purpose of the treatment
The personal data of the interested parties are processed for the purposes listed in this paragraph:
1. Registration of the Doctor's account on the BRM Follow-up mobile application and its correct identification, also by means of the profile image (to discourage any phenomena of identity theft and similar);
2. Patient Registration;
3. Insertion of any images of the operation, x-rays and other diagnostic investigations, video recordings of the Patient limited to the area affected by the operation or by means of a device aimed at preventing the recovery of the face or other characteristic elements;
4. Making patient follow-up data available for subsequent Doctor visits as well as for sharing with other Doctors who follow the patient;
5. Making follow-up data available to the patient;
6. Sending newsletters to the Doctor regarding the activity of the Owner.
Processing methods
The processing of personal data takes place using IT and telematic tools with logic strictly related to the purposes and, in any case, in such a way as to guarantee
the security and confidentiality of the data in compliance with the regulations in force. The treatment is carried out with electronic processing methods, through
management and storage systems with cutting-edge hardware and software: in order to provide high quality services to the interested parties, the Data Controller
can use services provided by specialized companies which are promptly made aware of his responsibilities by signing a specific contract for the appointment of
data controller pursuant to art. 28 GDPR.
The data is stored on servers located at the Data Controller's registered office, as well as possibly at the headquarters of external managers and their suppliers,
within the European Union. The Data Controller will not transfer User data outside the European Union, unless the conditions set out in Articles 45 et seq.
GDPR exist. The common personal data of Doctors and the common and specific personal data of Patients will not be sold or otherwise transferred to other parties
other than the Data Controller and external data processors. Furthermore, the Data Controller guarantees that any external data processors undertake not to
sell or otherwise transfer the common personal data of Doctors and the common and specific personal data of Patients.
Legal basis of the processing
For the purpose indicated above in n. 1 the legal basis of the treatment is constituted by the art. 6 par. 1, lit. b) GDPR (i.e. the execution of
a contract - as well as the provision of related services - or the execution of pre-contractual measures adopted at the request of the Doctor). For the purposes
indicated above in numbers 2, 3 and 4, the legal basis for the processing of the patient's common personal data is art. 6 par. 1, lit. a) GDPR (i.e. the free, specific,
informed and unequivocal consent of the Patient who - informed by the Doctor regarding the characteristics of the processing of his data - expresses his consent
to the same, to then confirm it by contacting the e-mail by the mobile application); for the same purposes, the legal basis for the processing of the patient's
particular data is art. 9 par. 2, lit. a) GDPR (i.e. the free, specific, informed and unequivocal consent of the Patient who - informed by the Doctor regarding the
characteristics of the processing of his data - expresses his consent to the same, to then confirm it by contacting the e-mail by the mobile application).
For the purpose indicated above in n. 5 the legal basis of the processing is constituted for common personal data by art. 6 par. 1 lit. a) GDPR and for
particular data by art. 9 par. 2, lit. a) GDPR (in both cases it is the free, specific, informed and unequivocal consent of the Patient, who expresses it by
consulting the data concerning him or by downloading them). For the purpose indicated above in n. 6 the legal basis of the treatment is constituted by the art. 6 par.
1, lit. a) GDPR (i.e. the free, specific, informed and unequivocal consent of the Doctor).
Compulsory or optional nature of the provision of data and consequences of a possible refusal to answer
The provision of data is optional for the purposes referred to in numbers 1., 2., 3., 4. and 5.; failing that, the services rendered by the BRM Follow-up application
cannot be provided to the Doctor and the Patient and, for the purposes referred to in art. 6, the newsletter about the activity of the Owner cannot be sent to the
Doctor.
Communication and dissemination
The personal data of Doctors and Patients are processed by the Data Controller, by any Data Processors and by the Persons authorized to process them. Patient
data may be communicated, subject to the consent expressed by the same, to other Doctors who treat them, by extending access to the pertinent files to them.
Storage times
In the event of a request for cancellation of the account by the Doctor, it is removed.
In the event of withdrawal of consent by the patient, or inactivity for more than 24 months after the conclusion of the follow-up on the relevant file, his data can
only be stored after radical and irreversible anonymization of the same, for scientific and statistical purposes.
In case of revocation of the Doctor's consent to the sending of the newsletter, his e-mail address will be removed from the relevant mailing list.
Existence of an automated decision-making process
There is no automated decision-making process.
Rights of the interested party
As an interested party, the subjects connected to the client companies as well as the company representatives of these companies can exercise the following rights:
access to data (art. 15 GDPR); rectification (art. 16 GDPR); cancellation (art. 17 GDPR); limitation of data processing (art. 18 GDPR); data portability (art. 20 GDPR)
where applicable; opposition to the treatment (art. 21 GDPR). Interested parties can exercise their rights at any time by contacting the Data Controller at the
addresses indicated above and, if they believe that their rights have been violated, they can appeal to the Guarantor for the protection of personal data.