For the purposes of this notice, the data controller is Fondazione Rizzola Academy, with registered office in San Donà di Piave (VE), Via Gorizia no. 1, 30027, Fiscal Code and VAT no. 04689230276 (“Controller“).

Any request relating to the processing referred to in this notice may be addressed to the Controller, by mail to the registered office, or by sending an email to the address info@rizzolaacademy.it.

The Controller processes the following categories of personal data (collectively, “Personal Data“):

1. Identification and contact data: first and last name, email address, telephone number;
2. Professional data: professional qualification, employer/organization, specialization;
3. Billing data: tax and billing information of the participant or the employer/organization, when requested by the participant;
4. Image data: photographs depicting the participants during the Event, taken by professional photographers engaged by the Controller;
5. Other categories of data: any additional information voluntarily provided by the participant (for example, special needs relating to participation in the Event).

Personal Data is collected directly from the data subject, through the completion of the Event registration form available on the Controller’s website.

In compliance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, and accuracy pursuant to Article 5(1) of the GDPR, the Controller will process Personal Data for the following purposes:

a) Management of registrations and organization of the Event [performance of a contract]
This purpose includes the processing of Personal Data necessary to: (i) manage requests for registration to the Event; (ii) verify the participation requirements; (iii) provide logistical and organizational information relating to the Event; (iv) manage communications with participants. The legal basis for this processing is the performance of a contract to which the data subject is party (Article 6(1)(b) of the GDPR). The provision of Personal Data for this purpose is necessary. In the absence of such data, the Controller will not be able to guarantee the completion of the registration to the Event and, consequently, participation in it.

b) Administrative and fiscal management [legal obligation]
This purpose includes the processing of Personal Data necessary to: (i) manage the administrative aspects relating to participation in the Event; (ii) issue and manage invoicing, including towards the participants’ employers/organizations; (iii) fulfil the tax and accounting obligations established by current legislation. The legal basis for this processing is the fulfilment of legal obligations to which the Controller is subject (Article 6(1)(c) of the GDPR). The provision of Personal Data for this purpose is necessary. In the absence of such data, the Controller will not be able to guarantee the completion of the registration to the Event and, consequently, participation in it.

c) Communication with European Spine Journal [legitimate interest]
This purpose involves the communication of participants’ Personal Data to the European Spine Journal, as the owner of the Event format, to allow the proper management and coordination of the Event itself. The legal basis for this processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) to ensure the correct execution of the Event according to the standards and requirements established by its format owner. In assessing the balance between its legitimate interest and the rights of the data subject, the Controller considered that: (i) the communication of data is limited to what is strictly necessary for the purposes of the Event; (ii) participants can reasonably expect such communication, given the nature of the Event; (iii) the European Spine Journal is required to process the data in compliance with applicable legislation. The provision of Personal Data for this purpose is necessary. In the absence of such data, the Controller will not be able to guarantee the completion of the registration to the Event and, consequently, participation in it.

d) Communications relating to future similar events [legitimate interest]
This purpose includes sending communications relating to future similar events organized by the Controller that may be of interest to participants, considering their professional specialization. The legal basis for this processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) to maintain an informative relationship with participants on topics of specific professional interest to them. In assessing the balance with the rights of data subjects, it was considered that: (i) the recipients have a specific professional interest in the proposed content; (ii) communications will be limited to similar events; (iii) the possibility of easily objecting to such communications will always be guaranteed. The provision of Personal Data for this purpose is optional. Failure to provide it will not in any way affect participation in the Event, but will make it impossible to receive information on future similar events organized by the Controller. The data subject may however object to such use of their data at any time, in the manner indicated in this notice.

e) Photographic documentation of the Event [legitimate interest]
This purpose includes: (i) taking photographs during the Event by specifically appointed professional photographers; (ii) archiving the images; (iii) using the photographs to document the Event through: publication on the Controller’s website, use on the Controller’s social media channels, inclusion in presentations and promotional material relating to future similar events, use in scientific or popular publications relating to the Event. The legal basis for this processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR) to document the Event and promote its scientific and training activities. In assessing the balance between its legitimate interest and the rights of data subjects, the Controller considered that: (i) this is a professional and scientific event where photographic documentation represents a consolidated practice and is reasonably expected by participants; (ii) the photographs will be taken in a professional context and used exclusively for purposes related to the Event and similar activities; (iii) the interest in documenting the Event also has scientific and historical value; (iv) the data subjects are professionals participating in the Event in a public and professional context; (v) the images will always be used with respect for the decorum and professional dignity of the subjects portrayed. The data subject has the right to object at any time to the processing of their image, for reasons related to their particular situation, by contacting the Controller at the addresses indicated in point 1 of this notice. In case of objection, the Controller will refrain from taking photographs that portray the data subject and, where technically possible, will remove the images already published that portray them individually.

f) Fulfilment of legal obligations and protection of rights [legal obligation/legitimate interest]
This purpose includes the processing of Personal Data necessary to: (i) fulfil any obligations established by applicable laws and regulations; (ii) exercise or defend a right in court; (iii) comply with requests from the competent administrative or judicial authority and any other legitimate public entity. The legal basis for this processing is: (i) the fulfilment of legal obligations to which the Controller is subject (Article 6(1)(c) of the GDPR); (ii) the legitimate interest of the Controller to protect its rights and interests in court or out of court (Article 6(1)(f) of the GDPR). The provision of Personal Data for this purpose is necessary as it is strictly connected to legal obligations and the protection of the Controller’s rights. Failure to provide it could make it impossible to follow up on the request to participate in the Event or to fulfil the related legal obligations.

The processing of Personal Data is carried out using IT and electronic tools, with logics strictly related to the purposes indicated and in such a way as to guarantee the security and confidentiality of the data, in compliance with the principles set out in Article 5 of the GDPR. Personal Data will be retained for:

a) Event management purposes: for 24 months from the conclusion of the Event;

b) Administrative and fiscal purposes: for 10 years from the date of issuance of the tax documents, in accordance with applicable tax and accounting legislation;

c) Communication with European Spine Journal purposes: for the duration of the Event and for the following 12 months;

d) Communication relating to future similar events purposes: for 24 months from the last contact with the data subject or from the conclusion of the Event, without prejudice to any objection by the data subject before this deadline. This period has been determined considering the average frequency of organization of similar events and the professional interest of the recipients in receiving information relevant to their specialization;

e) Photographic documentation purposes: the photographs will be kept for 5 years from the conclusion of the Event. In the case of publication of the images, these will remain available for the time necessary for the information/promotional purposes for which they were published, without prejudice to the possibility for the data subject to exercise their right to object;

f) Fulfilment of legal obligations and protection of rights purposes: Personal Data will be kept for the time necessary to fulfil legal obligations and, with specific reference to the protection of the Controller’s rights, for the statute of limitations of the right that the Controller must protect, and therefore: (i) in the event of legal disputes, for the entire duration of the same, until the expiry of the terms for the exercise of appeals; (ii) in the case of specific legal obligations, for the period established by the relevant legislation.

At the end of the aforementioned retention periods, the Personal Data will be deleted or anonymized, without prejudice to further retention for the time necessary to resolve any disputes that may have arisen.

Personal Data will be processed exclusively by:

a) internal personnel of the Controller, expressly authorized for processing pursuant to Article 29 of the GDPR and Article 2-quaterdecies of the Privacy Code;

b) external service providers (for example, IT service providers, managers of digital event platforms), designated as data processors pursuant to Article 28 of the GDPR;

c) European Spine Journal, as the owner of the Event format, which will process the data as an independent data controller;

d) professionals and consultants (for example, accountants), bound by confidentiality obligations;

e) public authorities and bodies, in the cases provided for by law.

Personal data is stored on servers located within the European Union. The Controller does not transfer Personal Data to third countries or international organizations.

As a data subject, you have the right to:

a) request from the Controller access to your Personal Data and information relating to its processing and any copy in electronic format, unless otherwise specifically requested (Article 15 of the GDPR);

b) request the rectification and/or integration of your Personal Data, without undue delay (Article 16 of the GDPR);

c) for specific reasons (for example, unlawful processing, lack of purpose for the processing), request the erasure of your Personal Data, without undue delay (Article 17 of the GDPR);

d) in the event of specific circumstances (for example, inaccuracy of personal data, unlawfulness of processing, exercise of a right in court), request the restriction of processing (Article 18 of the GDPR);

e) in the case of automated processing, receive your personal data in a readable format, for the purpose of communicating it to a third party, or, where technically feasible, request the transmission of your Personal Data by the Controller directly to such third party (so-called right to data portability – Article 20 of the GDPR);

f) object at any time to the processing of your Personal Data which has the Controller’s legitimate interest as its legal basis (Article 21 of the GDPR). In the event of exercising the right to object, the Controller will refrain from further processing the Personal Data, unless it demonstrates the existence of legitimate and compelling reasons for proceeding with the processing that override the interests, rights and fundamental freedoms of the data subject, or for the establishment, exercise or defence of a legal claim;

g) be informed by the Controller, without undue delay, of any breaches or unauthorized access by third parties to its systems containing Personal Data (so-called data breach – Article 34 of the GDPR);

h) lodge a complaint with the supervisory authority of the EU country in which you habitually reside, work or where you believe your rights have been violated (Article 77 of the GDPR).

To exercise your rights or for any request regarding privacy, you can contact the Controller at the addresses indicated in point 1 of this notice. Pursuant to Article 12 of the GDPR, the Controller will provide data subjects with information on the actions taken in relation to a request to exercise their rights without undue delay and, in any case, within 1 (one) month of receipt of the request. This period may be extended up to 3 (three) months in cases of particular complexity. In the latter case, the Controller will inform the data subjects of the extension and the reasons for the delay within 1 (one) month of receipt of the request. If the data subject has submitted a request by electronic means, the information will be provided to them, where possible, by electronic means, unless otherwise indicated. This translation ensures clarity and legal precision when informing data subjects of their rights under the GDPR.