H-PASS PRIVACY POLICY

Information to be provided (art. 13 GDPR)

You are currently visiting the H-PASS Web Privacy Policy.

This website https://hpass.healthworkforce.eu/ (the “Site”) is hosted by H-PASS Associated Partner SEMMELWEIS UNIVERSITY (SU), a Hungarian university having its registered office at 26 Üllői str. (Hungary). The content of the site is generated by the H-PASS project, managed by the coordinator ORSZÁGOS KÓRHÁZI FŐIGAZGATÓSÁG (OKFŐ) Diós Árok 3, 1125 Budapest (Hungary) and by Work Package 2 – Dissemination – lead beneficiary UNIVERSITA CATTOLICA DEL SACRO CUORE (UCSC) Largo Gemelli 1 Po Box: 000 20123, Milano, (Italy)

This privacy policy informs you of our policies regarding the collection, use and disclosure of personal information/data we receive from users of the Site. In the following sections, we explain how we collect, use and protect your personal data in compliance with the provisions of European Regulation 2016/679 (“GDPR”). We also explain what rights you have about your personal data and how you can exercise those rights.

Definitions

Data Subject is an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personal Data means any information relating to an identified or identifiable natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The Data Processor is a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the Data Controller.

The Data Protection Officer is a person with expert knowledge of data protection law and practices assisting the Data Controller or Data Processor to monitor internal compliance with GDPR. Such DPO, whether or not is an employee of the controller, should be in a position to perform due tasks in an independent and timely manner.

Data Controller

Name and contact information of the Data Controller:

Name: Semmelweis University Address: 1085 Budapest, Üllői út 26. Mailing address: 1428 Budapest, Pf.2.

Data protection officer: dr. Sára Trócsányi E-mail: adatvedelem@semmelweis-univ.hu

How do we collect your personal data?

Your personal data on this website can be directly when you voluntarily submit it after giving your consent. It can be collected indirectly when collecting information such as the number of visitors, last visit date and consulted pages. Please refer to the Cookies Policy. The following types of personal data are collected, stored, and used:

Information about browsing data: your IP address, geographical location, browser type and version, operating system, length of visit, page views and website navigation paths.

Scope and purpose of the collection, processing and utilization of personal data

All use of your collected personal data is confined to the purposes stated below and is only undertaken to the extent necessary for these purposes.

When you visit the H-PASS website

Information about browsing data: We collect some data to help us find out things like how many people visit our site, how they navigate around our site, the pages that are most visited.

We use Google Analytics to track user interaction with our website.

The Website’s operation, as is standard with any websites on the Internet, involves the use of computer systems and software procedures, which collect information about the Website’s users as part of their routine operation. While the Data Controller does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered Personal Data.

This information includes several parameters related to your operating system and IT environment: your IP address; location (country); the domain names of your device; the type of device; the URI (Uniform Resource Identifier) addresses of resources you request on the Website; the time of requests made; the method used to submit requests to the server; the dimensions of the file obtained in response to a request; the numerical code indicating the status of the response sent by the server (successful, error, etc.).

These data are used to compile statistical information on the use of the Website, to ensure its correct operation, as well as restore backup from possible failures of the Website and identify any faults and/or abuse of the Website.

Legal grounds for processing personal data

Semmelweis University will collect, use and share only the aforementioned personal data and for the purposes specified. The legal bases for processing your personal data related to each purpose are the following.

1.       Your consent – Art. 6 (1.a) GDPR, for processing personal identifiable information in order to implement your benefits and duties linked to H-PASS Newsletter type of subscription.

2.       Legitimate Interests – Art. 6 (1.f) GDPR, for processing browsing data. Our legitimate interests include:

·       Understand how users interact with the Website and to improve the Website accordingly, with the aim to providing a better user experience;

·       Improving efficacy of the H-PASS website

·       Prevent and detect any misuse of the Website, or any fraudulent activities carried out through the Website;

3.       Legal obligations – Art. 6(1)(c) GDPR, for processing personal identifiable information in accordance with the laws applicable to it, which may include retaining and reporting your Personal Data to official authorities for compliance with tax, customs or other legal obligations.

Storage, access and transfer of personal data

Personal Information which you supply to us is generally stored and kept in servers located in Budapest, Hungary. Information on how personal data are protected by Semmelweis University can be found on our website: https://semmelweis.hu/english/data-protection

Your Personal Data is shared with the following list of Data Processors:

1.       Entities engaged in order to provide or support the Website and Services (e.g., hosting providers, e-mail platform providers, technical maintenance providers):

·       SEMMELWEIS UNIVERSITY, H-PASS Associated Partner for maintenance and statistical purposes;

·       OKFŐ, H-PASS Coordinator for maintenance and statistical purposes;

·       UCSC – H-PASS Partner for maintenance and statistical purposes;

·       BREVO, software (GDPR compliant) for newsletter management.

2.       Third part entities engaged for success factors demonstration:

·       Third party analytics, namely Google Analytics.

·       Personal data will not be transferred to government bodies or public authorities except in order to comply with mandatory national legislation or if the transfer of such data should be necessary in order to take legal action in cases of fraudulent access to our network infrastructure.

Personal data will not be transferred for any other purposes.

Semmelweis University will not pass on or sell your personal data to third parties for their own marketing purposes.

Period of storing personal data

Personal data will be retained for a limited period of time as long as we need it to fulfil the purposes for which we have initially collected it, unless otherwise require by law. We will not retain your Personal Data for longer than required. This means that we will keep your Personal Data for any or a combination of periods described as follows: (i) for as long as required by law, (ii) until we no longer have a valid reason for keeping it, (iii) until you request us to stop using it. When we delete your Personal Data from our databases, it will remain in our backup system until it cycles out. Please note that by law certain kinds of data must be kept for a certain period of time. Such data must be stored by us until these periods run out. We block this data in our system and use it only in order to fulfil statutory requirements.

Consent requested on this website

Your consent is optional but if you don’t provide the requested information, please mind that the Data Controller can’t contact you. By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified. You can withdraw your consent at any time by sending an email to: info.hpass@okfo.gov.hu

Security measures applied to handle personal data

Any personal data processed by SEMMELWEIS UNIVERSITY is kept on secure servers. SEMMELWEIS UNIVERSITY uses reasonable administrative, technical, personnel, and physical measures to safeguard personal data against loss, unauthorized access, use, disclosure, or modification and to ensure the integrity of the personal data. Additionally, SEMMELWEIS UNIVERSITY ensures to process your personal data only for the purposes mentioned in this privacy notice and to keep data no longer than necessary. This website is subject to the SEMMELWEIS UNIVERSITY Information Security Policy, aiming at safeguarding the confidentiality, integrity, availability, authenticity and non-repudiation of information and information systems. SEMMELWEIS UNIVERSITY implements technical and organizational security measures to safeguard stored personal data against inadvertent or deliberate manipulation, loss or destruction and against access by unauthorized persons.

What are your rights as a data subject?

While we are in possession of, or processing your personal data, you, the data subject, have the following rights:

·       Right of access – you have the right to request a copy of the information that we hold about you.

·       Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.

·       . Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.

·       Right to processing restriction– where certain conditions apply to have a right to restrict the processing.

·       Right of portability – you have the right to have the data we hold about you transferred to another organisation.

·       Right to object – you have the right to object to processing activities not described in this policy.

·       Right to object to automated processing, including profiling – you also have the right to object to be subject to the legal effects of automated processing or profiling.

·       Right to judicial review – in the event that RHEA refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain.