Privacy Policy

Last updated: 26/01/2026 (v1.0)

1. Introduction and Regulatory References

This Privacy Policy, drafted pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR"), describes how personal data of users accessing the EasyRefert platform and using its services is collected, processed, and protected.

Personal data processing is carried out in full compliance with applicable data protection regulations, including:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR")
  • Italian Legislative Decree No. 196 of 30 June 2003 ("Privacy Code")
  • Italian Legislative Decree No. 101 of 10 August 2018 (provisions for adapting national legislation to the GDPR)
  • Provisions and Guidelines of the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali)

2. Data Controller and Data Protection Officer

Data Controller

The Data Controller for personal data relating to the EasyRefert platform is:

ITLand S.r.l.

Registered Office: Via Pietro Castellino, 179 - 80131 Napoli (NA)

Operational Office: Via Antiniana, 2i - 80078 Pozzuoli (NA)

VAT Number: IT09130391213

Email: support@itland.it

Certified Email (PEC): info@pec.itland.it

Data Protection Officer (DPO)

You can contact the Data Protection Officer (DPO) for all matters related to personal data processing and exercising your rights under the GDPR:

DPO Email: privacy@itland.it

Important note for healthcare facilities: Healthcare facilities using EasyRefert for managing their patients' medical records act as independent Data Controllers for health data. ITLand S.r.l. acts exclusively as Data Processor pursuant to Article 28 GDPR, based on a specific Data Processing Agreement.

3. Types of Personal Data Processed

3.1 Common Data

During use of the EasyRefert platform, the following categories of common personal data may be collected and processed:

  • Identification and contact data: name, surname, tax code, date of birth, email address, phone number, residence/domicile address, company name (for entities), VAT number
  • Browsing data: IP address, browser type, operating system, device used, access date and time, pages visited, time spent, referring URL
  • Account data: username, encrypted password, user preferences, system settings, assigned role and permissions
  • Usage data: activity logs on the platform, operation history, feature usage statistics
  • Cookies and similar technologies: as detailed in our Cookie Policy

3.2 Health Data (Special Categories of Personal Data)

The EasyRefert platform is designed for processing health-related data pursuant to Article 4(15) and Article 9 of the GDPR, which constitute "special categories of personal data" subject to enhanced protection.

Healthcare facilities may process the following through the platform:

  • Patient identification data: name, surname, tax code, date and place of birth, gender, contacts
  • Medical reports: diagnoses, diagnostic examinations, clinical interpretations, medical conclusions
  • Diagnostic images: DICOM images (CT, MRI, X-rays, ultrasounds), clinical photographs
  • Healthcare documentation: medical history, prescriptions, clinical notes, attached medical records
  • Appointment data: date, time, type of service, associated notes

Warning: Health data processing is subject to specific lawfulness conditions under Article 9(2) GDPR and requires implementation of adequate technical and organizational security measures, as specified in Section 7 of this policy.

4. Purposes and Legal Basis for Processing

Personal data is processed for the following purposes, each based on a specific legal basis:

For each purpose, the processing covered, its legal basis and the nature of the provision are listed below.

Provision of the EasyRefert service
  • Processing: delivery of platform functionalities (report management, DICOM image storage, PDF generation, internal messaging)
  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
  • Nature of provision: mandatory - the service cannot be provided without this data

Health data processing
  • Processing: management of medical reports, diagnostic images, and healthcare documentation on behalf of client healthcare facilities
  • Legal basis: explicit patient consent (Art. 9(2)(a) GDPR) or necessity for reasons of public interest in public health or preventive medicine (Art. 9(2)(h) and (i) GDPR)
  • Nature of provision: mandatory for the provision of healthcare services

Tax, accounting, and administrative obligations
  • Processing: invoice issuance, payment management, tax compliance
  • Legal basis: legal obligation (Art. 6(1)(c) GDPR)
  • Nature of provision: mandatory by law

Technical assistance and customer support
  • Processing: handling support requests, resolving technical issues
  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
  • Nature of provision: optional - but necessary to receive assistance

IT security
  • Processing: fraud prevention, protection against unauthorized access, data backup, audit logs
  • Legal basis: legitimate interest and legal obligation (Art. 6(1)(f) and (c) GDPR)
  • Nature of provision: mandatory to ensure platform security

Statistical analysis and service improvement
  • Processing: aggregated anonymous statistics on platform usage
  • Legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR)
  • Nature of provision: optional - data processed anonymously

Marketing and promotional communications
  • Processing: sending newsletters, commercial communications about similar products and services
  • Legal basis: optional consent (Art. 6(1)(a) GDPR) and Art. 130 Legislative Decree 196/2003
  • Nature of provision: optional - can be withdrawn at any time

Analytics cookies
  • Processing: use of Google Analytics 4 for web traffic analysis
  • Legal basis: optional consent (Art. 6(1)(a) GDPR) according to Italian Data Protection Authority Cookie Guidelines
  • Nature of provision: optional - managed via cookie banner

Consequences of not providing data: Refusing to provide personal data necessary for purposes marked as "mandatory" will result in the inability to provide the service or fulfill contractual and legal obligations. For optional purposes, refusal does not affect the use of the platform.

5. Processing Methods and Data Recipients

5.1 Processing Methods

Personal data is processed using electronic and digital tools, with methods strictly related to the stated purposes, and in any case in a manner that ensures the security and confidentiality of the data.

Processing is carried out by specifically authorized and trained personnel of the Controller, who have received adequate operational instructions.

5.2 Data Recipients

Personal data may be disclosed to the following parties, acting as data processors or independent controllers:

  • IT and hosting service providers: for cloud infrastructure delivery, backup, server maintenance
  • Email service providers: for sending transactional communications and notifications
  • Consulting firms: for legal, tax, and administrative assistance
  • Banks and payment institutions: for payment and transaction management
  • Public authorities: when required by law or by orders from competent authorities

The complete and updated list of Data Processors is available at the Controller's premises and can be requested by writing to support@itland.it.

5.3 Data Disclosure

Personal data is not subject to public disclosure. Access to health data is reserved exclusively for authorized healthcare personnel of the healthcare facility that controls the data.

6. International Data Transfers

Personal data is stored on servers located within the European Union (EU) and the European Economic Area (EEA).

Some third-party services used by the platform (e.g., Google Analytics) may involve data transfers to non-EU/EEA countries. In such cases, transfers occur exclusively:

  • To countries recognized by the European Commission as having an adequate level of data protection (adequacy decisions pursuant to Art. 45 GDPR)
  • Based on Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR)
  • To entities adhering to recognized certification mechanisms (e.g., EU-US Data Privacy Framework for the United States)

For more information on the safeguards adopted for non-EU data transfers, please contact the DPO at privacy@itland.it.

7. Security Measures and Health Data Protection

The Controller implements adequate technical and organizational security measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR, including:

Technical Measures
  • End-to-end encryption: health data is encrypted both in transit (TLS 1.3) and at rest (AES-256)
  • Pseudonymization: where possible, data is pseudonymized to reduce risks
  • Access controls: multi-factor authentication (MFA), role-based granular permission management (RBAC)
  • Audit logs: recording of all access and operations on health data with complete traceability
  • Automatic backups: daily encrypted backups with redundant storage in geographically separated data centers
  • Firewall and IDS/IPS systems: perimeter protection and intrusion detection
  • Vulnerability scanning: periodic vulnerability scans and timely patch management

Organizational Measures
  • Data Protection Impact Assessment (DPIA): privacy impact assessment conducted for health data processing
  • Staff training: mandatory periodic training on privacy and IT security
  • Data breach procedures: documented procedures for managing personal data breaches
  • Retention policies: automatic data deletion upon expiration of retention periods
  • Supplier agreements: all suppliers accessing data are bound by GDPR-compliant Data Processing Agreements

Industry compliance: The implemented security measures comply with the Italian Data Protection Authority Guidelines for health data processing and international best practices for healthcare information security (e.g., HIPAA Security Rule).

8. Data Retention Periods

Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected, in compliance with the minimization principle under Article 5 GDPR.

Specifically, data is retained for the following periods:

Personal and contractual data
  • Retention period: 10 years from termination of the contractual relationship
  • Justification: tax and accounting obligations (Art. 2220 Italian Civil Code)

Health data (reports and DICOM images)
  • Retention period: according to the provisions of the healthcare facility controller, in compliance with applicable healthcare regulations (generally not less than 10 years)
  • Justification: healthcare regulations and medical ethics

Tax data and invoices
  • Retention period: 10 years from the date of issue
  • Justification: Art. 2220 Italian Civil Code and tax regulations

Browsing data and logs
  • Retention period: 12 months from the date of recording
  • Justification: Legislative Decree 196/2003 and Data Protection Authority provisions

Cookie and marketing consents
  • Retention period: until consent withdrawal + 5 additional years to demonstrate consent given
  • Justification: accountability and burden of proof (Art. 7(1) GDPR)

Security audit logs
  • Retention period: 24 months from recording
  • Justification: IT security and access traceability

Support requests
  • Retention period: 3 years from ticket closure
  • Justification: contractual documentation and service quality

After the retention periods expire, personal data is securely and irreversibly deleted or permanently anonymized.

9. Data Subject Rights

As a data subject, you have the right to exercise the rights provided under Articles 15 to 22 of the GDPR against the Controller:

Right of Access (Art. 15)

Obtain confirmation of whether your data is being processed and access such data, obtaining a copy in a structured format.

Right to Rectification (Art. 16)

Obtain correction of inaccurate or incomplete personal data without undue delay.

Right to Erasure (Art. 17)

Obtain erasure of personal data ("right to be forgotten") when the legal requirements are met.

Right to Restriction (Art. 18)

Obtain restriction of processing when the regulatory requirements are met.

Right to Data Portability (Art. 20)

Receive personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.

Right to Object (Art. 21)

Object to processing of personal data based on legitimate interest or for direct marketing purposes.

Withdrawal of Consent (Art. 7(3))

Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint (Art. 77)

Lodge a complaint with the Data Protection Authority if you believe that processing violates the GDPR.

How to Exercise Your Rights

To exercise the above rights, the data subject may send a written request via:

  • Email: support@itland.it or privacy@itland.it
  • Certified Email (PEC): info@pec.itland.it
  • Postal mail: Via Pietro Castellino, 179 - 80131 Napoli (NA)

The Controller will respond to the request without undue delay and, in any case, within one month of receiving the request. This period may be extended by two months in case of particularly complex requests.

Complaint to the Data Protection Authority

Without prejudice to any other administrative or judicial remedy, the data subject who believes that the processing concerning them violates the GDPR has the right to lodge a complaint with the Italian Data Protection Authority:

Garante per la Protezione dei Dati Personali

Piazza Venezia, 11 - 00187 Rome (RM)

Tel: +39 06 696771

Fax: +39 06 69677785

Email: garante@gpdp.it

PEC: protocollo@pec.gpdp.it

Website: www.garanteprivacy.it

10. Automated Decision-Making and Profiling

The Controller does not carry out fully automated decision-making processes pursuant to Article 22 GDPR, nor profiling activities based on users' personal data.

Any statistical analyses are performed exclusively on aggregated and anonymous data that does not allow identification of the data subject.

11. Privacy Policy Updates and Modifications

The Controller reserves the right to modify, update, and supplement this Privacy Policy at any time to adapt it to any regulatory changes, modifications to the services offered, or other operational needs.

Changes will be communicated to users by publishing the updated version on the website, indicating the date of the last update. In case of substantial changes requiring new consent, users will be informed with adequate notice and a new consent will be requested.

Users are invited to periodically consult this page to stay updated on how personal data is processed.

12. Contact Information

For any questions, clarification requests, or to exercise the rights provided by the GDPR regarding this Privacy Policy, you may contact:

Data Controller

ITLand S.r.l.

VAT: IT09130391213

Registered Office: Via Pietro Castellino, 179 - 80131 Napoli (NA)

Email: support@itland.it

PEC: info@pec.itland.it

Tel: +39 081 18096512

Data Protection Officer (DPO)

Email: privacy@itland.it

Contact hours: Monday-Friday 09:00-13:00, 14:00-18:00