Privacy Statement

pursuant to art. 13 and 14 of Regulation (EU) 2016/679

(last update: 25/07/2024)

In accordance with the continuous commitment of PRINEOS to protect personal data, we created this Privacy Statement to explain, in a transparent way, how we collect, store, share and use personal data in compliance with the principles of lawfulness, accuracy and transparency applicable to the protection of personal data, as established by the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”). 


Summary

1. Who is the Data Controller

2. What personal data we collect 

3. How and why we use the data

4. Who may receive the data 

5. What type of Cookies are used on the website

6. How long the data will be kept

7. What are the Data Subjects’ rights and options

8. What happens if this Policy is modified

9. How to contact us 

1. Who is the Data Controller

The Data Controller of personal data is PRINEOS S.R.L., with registered office in via Cesare Battisti n.1, 20122, Milan, Italy, and can be contacted at the following e-mail address: privacy@prineos.com (hereinafter “PRINEOS”, “we” or “Controller”). 

PRINEOS designated, pursuant to Article 37 of the GDPR, a Data Protection Officer (DPO) who can be reached at the following address: PRINEOS S.r.l. - Data Protection Officer, via Cesare Battisti 1, 20122 Milan (MI), Italy, or by email at the following: dpo@prineos.com and dpo.prineos@legalmail.it

2. What personal data we collect

This Privacy Statement (hereinafter the "Statement") applies to the processing of so-called "personal data" relating to the website users, our customers and prospects, external consultants (e.g., consultants, healthcare professionals, KOL) and suppliers, as well as those relating to potential candidates for our job offers (hereinafter the "Data Subject(s)"). 

The personal data may be collected by the Data Controller from registers or other publicly accessible sources, also through third parties (e.g., data broker), during the use of the website, blog, social network platforms and other channels available to interact with PRINEOS online, including sending e-mails to the addresses indicated in the relevant sections of the site, sending applications for a job offer, filling out contact forms, or any other interactions with PRINEOS, for example during events as well as in-person visits to PRINEOS offices and/or facilities. 

The categories of personal data that we may collect and process, either independently or through third parties, are listed below.  

Website Users

Category of data
Personal and/or contact data provided by Data Subjects on a voluntary basis (through the contact form) 

Description

  • Contact information: name, surname, title, department, organization/entity/group, country, e-mail, telephone number, other professional contact details 
  • Any other personal information provided by the Data Subjects themselves by sending electronic communications to the e-mail addresses indicated in the relevant sections of the website, or by filling in our online contact form  
  • Date and time of sending, receiving and opening such communications 
  • Selected options regarding updates and marketing communications and your contact preferences

Category of data
Navigation data (collected automatically or through third parties) 

Description

  • Your IP address or domain name  
  • URI addresses (Uniform Resource Identifier)  
  • Username, email address or unique identifier 
  • Country of origin and language preferences 
  • Browser characteristics, operating system and/or IT environment used to browse the site (e.g., screen size) 
  • Itinerary of the visit on the website 
  • Information on the interactions between server and users and other system logs 

* See more details about the navigation data collected through cookies in the relevant Section 5 of this Statement. 

Customers, prospects, consultants and suppliers 

Category of data
Personal data and/or Business contact information  

Description

  • Professional information and business contact details (e.g., name, surname, title, department, organisation/entity/group, country, e-mail, telephone number, other professional information and contact details, CV or records relating to career history, educational background, work history, qualifications)  
  • Any other personal information provided by the Data Subjects themselves by sending communications to PRINEOS (incl. via e-mails, phone call, request for information/quote)  
  • Some personal and contact data (name, e-mail, phone, country, title, organization) manifestly made public by the Data Subjects and/or lawfully provided by third-party suppliers to PRINEOS
  • Selected options regarding updates and marketing communications and your contact preferences  
  • Where applicable: documentation relating to business travel arrangements (e.g., name, contact details, passport and visa details) 

Category of data
Information on requested quotes, services purchased and other financial details 

Description

  • Details of requests for quotations, PRINEOS services purchased and/or in the process of purchase and customer service history  
  • Any data required for billing and other financial information for the management of the business relationship (e.g., information about transactions and payment, bank account information, financial statements, income)  
  • Any other personal information communicated during the compilation of a Request for Information/Proposal (RFI/RFP) sent to our suppliers (e.g., contact details, title, information on professional experience, information on the so-called 'politically exposed persons')

Category of data
Information on the use of PRINEOS blog and/or social network platforms 

Description

  • Username and other online identifiers used on PRINEOS blog and/or on LinkedIn© and other social network pages of PRINEOS 
  • Date and time of comments or other type of publications on the PRINEOS blog and/or social network platforms  
  • Any other personal information communicated or made public by Data Subjects themselves during the use of the blog, social network platforms, or other channels available to interact with PRINEOS online, including through third parties

Candidates

Category of data
Information relating to job applications (collected directly or indirectly during recruiting process) 

Description

  • Personal information (e.g., name, date of birth/age), and other contact details (address, phone number, e-mail) 
  • Details of the candidate's previous and/or current professional experience (e.g., work history, education, level of compensation, contractual information, references, last employer’s contact details and feedback, any additional information included in candidate’s cover letter and other personal data related to criminal history, exclusively if required by the law) 
  • Other personal data contained in the curriculum vitae (CV) or otherwise provided by the candidate him/herself when sending an application (spontaneous or not) by e-mail or by filling in the appropriate contact form, or via social network platforms or any other third-party portals, as well as during the evaluation, selection of candidates and related recruiting and selection phases (e.g., information related to the level of compensation and other contractual information) 

N.B. When applying to a job, we invite all candidates not to include in their application information that may not be relevant to the job offer.

The above-listed personal data could be collected by PRINEOS from public registers or other publicly accessible sources, or otherwise received from third parties (e.g., data broker), or directly from Data Subjects who freely provide their personal data during interactions with us or, in the case of navigation data, collected automatically during the use of this website.

PRINEOS, and/or any third-party suppliers legitimately acting on our behalf, may perform the following processing operations on all or part of such personal data set until their planned destruction: recording, consultation, structuring, modification, use, storage, disclosure by transmission, anonymization and/or erasure. 

Data Subjects may also provide us with someone else’s personal data. In such cases, we require the discloser to inform the individuals about their personal data being processed by us and to provide them with our contact details if they have any queries about how we use their data. In addition, individuals bear full responsibility for the personal data of third parties shared with us and guarantee to have the right to communicate or disseminate them, freeing PRINEOS from any liability to third parties.

3. How and why we use the data

During the use of our website, blog and social network platforms, and as part of the Data Subjects’ interactions with PRINEOS and its collaborators, we use various technologies for the processing of personal data, which are collected for different purposes.   

PRINEOS guarantees that processing of personal data is performed in accordance with the general principles laid down in the GDPR (see in particular art. 5). In this respect, we ensure full application of the principle of ‘lawfulness’ which provides that any processing of personal data must be based on a legal basis. The legal basis corresponds to the reason why we use the data, or in other words, what authorizes us to process the data lawfully. In addition, the principle of ‘purpose limitation’ according to which personal data must be collected only for specific, explicit and legitimate purposes, and subsequently processed in such a way that it is not incompatible with these purposes, is also considered and carefully applied within PRINEOS. 

The following table is aimed at providing Data Subjects with a clear and transparent overview of the purposes for which we collect and process personal data, as well as the legal bases to which we refer to process them legitimately.

Website Users
 

Necessary

Purpose(s) of data processing

Personal data may be processed to:

  • Ensure the operation and maintenance of this website 
  • Allow for this website contents’ transmission on the Internet and/or to make it load faster 
  • Monitor traffic and analyse users’ behaviour to improve this website  
  • Ensure systems and processes are operating properly and securely, to prevent cyber fraud and for debugging
  • Allow for visualization of external platforms content  
  • Fulfil any legal obligations to which we’re subject 
  • For the defence against abuse during the use of this website 

Legal basis

This processing of data is necessary to ensure operativity of our site (through the use of so-called technical cookies*), and the consent of Data Subjects is not required pursuant to current local legislation (see Art. 122, paragraph 1 of Privacy Code).

The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller (GDPR art. 6, paragraph 1, point (f)) (e.g., for the efficiency and improvement of the website, for administrative and litigation management, for the possible defence in court, for the protection and security of strategic corporate assets, interests and related commercial relationships).

* See more details on navigation data collected through cookies in Section 5 of this Statement.

Optional

Purpose(s) of data processing

  • Provide the requested service and/or respond to inquiries received from users through our contact form (e.g., requests for information or quotes, or of any other nature as specified in the ‘object’ field).
  • Monitor traffic and analyse users’ behaviour through the use of third-party cookies* for the creation of profiles in order to analyze and improve our service proposals and to conduct statistical analysis on the use of this website, the blog, as well as the social platforms used by PRINEOS, on the basis of pseudonymised data that do not allow the Data Subjects to be directly identified.
  • Contact Data Subjects to send them promotional communications, our newsletter and scientific information, as well as invitations to conferences and other scientific events, also via e-mail (e.g., sending documentation on PRINEOS services and/or other useful information for professional and scientific update).

Legal basis

The processing of data is based exclusively on the specific consent provided by the Data Subject when submitting his/her preferences on third-party cookies’ use (Cookies preferences), or when sending a request via our contact form (pursuant to the GDPR art. 6, paragraph 1, point (a)).

N.B. The provision of consent is absolutely optional: failure to provide consent may however prevent us from responding to requests or from sending the requested material and invitations to events. 

Optional

Purpose(s) of data processing

  • Contact Data Subjects and send them promotional communications and scientific information, as well as invitations to conferences and other scientific events, also via e-mail (e.g., sending documentation on PRINEOS services and/or other useful information for professional and scientific update)  
  • Monitor traffic and analyse users’ behaviour for statistical analysis 

Legal basis

The processing of data is based exclusively on the specific consent provided by the Data Subject (pursuant to the GDPR art. 6, paragraph 1, point (a)). 

N.B. The provision of consent is absolutely optional: failure to provide consent may however prevent us from sending the requested material and invitations to events.

Customers, prospects, consultants and suppliers
 

Necessary

Purpose(s) of data processing

Personal data may be processed to: 

  • Execute and/or manage the services to be provided by PRINEOS or on its behalf as per the relevant contractual documentation (service or consultancy agreement, contracts with suppliers, etc.)
  • For the management of quotations and to ensure accuracy of payments and financial records  
  • Maintain accurate and up-to-date procurement records and contact details 
  • Know the satisfaction level related to PRINEOS services in an anonymous/aggregated manner also by sending e-mail inquiries, market surveys, phone interviews
  • Some personal and contact data (name, e-mail, phone, country, title, organization) manifestly made public by the Data Subjects and/or lawfully provided by third-party suppliers to PRINEOS to contact Data Subjects in connection with business opportunities that might be relevant to them
  • Send and/or reply to Request for Information/Proposal (RFI/RFP)  
  • Where required by the law: Perform security clearances and background checks of third-party suppliers 

Legal basis

The processing of data is necessary for the creation and performance of a contract with PRINEOS or for the execution of pre-contractual measures (pursuant to the GDPR art. 6, paragraph 1, point (b)) or because it is necessary to fulfil a legal obligation to which PRINEOS is subject (e.g., accounting obligations, background check, fraud prevention and reporting) (pursuant to the GDPR art. 6, paragraph 1, point (c)). 

The processing of data may also be necessary for the purposes of the legitimate interests pursued by the Data Controller (GDPR art. 6, paragraph 1, point (f)) for example for administrative and litigation management, for the possible defence in court, for the protection and security of strategic corporate assets, interests and related commercial relationships, in accordance with the principle of freedom of economic initiative - guaranteed constitutionally. Our legitimate interests have been assessed in the light of the reasonable expectations of the Data Subjects, taking into account the business sector to which we belong, and our legitimate interest does not override the fundamental rights and freedoms of the Data Subjects.

Optional

Purpose(s) of data processing

  • Contact Data Subjects and send them promotional communications and scientific information, as well as invitations to conferences and other scientific events, also via e-mail (e.g., sending documentation on PRINEOS services and/or other useful information for professional and scientific update)  

Legal basis

The processing of data is based exclusively on the specific consent provided by the Data Subject (pursuant to the GDPR art. 6, paragraph 1, point (a)). 

N.B. The provision of consent is absolutely optional: failure to provide consent would ‘only’ prevent us from contacting the Data Subjects for the purposes specified herein. 

Necessary

Purpose(s) of data processing

  • Monitor traffic and analyse users’ behaviour to improve services’ proposal and to conduct statistical analysis related to the use of this website, blog, as well as social network platforms used by PRINEOS    
  • For the protection against abuse during the use of this website, the blog, as well as the social network platforms used by PRINEOS

Legal basis

The processing of data is necessary to pursue the legitimate interests of Data Controller (GDPR art. 6, paragraph 1, point (f)) (e.g., for the efficiency and improvement of the website and other platforms used by PRINEOS, for administrative and litigation management, for the possible defence in court, for the protection and security of strategic corporate assets, interests and related commercial relationships).

Candidates
 

Necessary

Purpose(s) of data processing

Personal data may be processed to: 

  • Evaluate the suitability of the applications received (including by contacting former employer, carrying out background checks, where permitted by the law) 
  • Streamline and improve our personnel selection procedures 
  • Communicate CVs and other candidates’ data to third-party suppliers who support PRINEOS in staff selection (e.g., head-hunters, consulting firms, etc.)

Legal basis

The processing of data is necessary for the purposes of the legitimate interests pursued by the Data Controller (GDPR art. 6, paragraph 1, point (f)) (e.g., for administrative management, for the protection and security of strategic corporate assets, interests and related commercial relationships, for the possible defence in court).

Optional

Purpose(s) of data processing

  • Store candidates’ data to propose future job opportunities in line with the candidates’ profile  
  • Communicate CVs and other candidates’ data to third-parties not involved in PRINEOS staff selection

Legal basis

The processing of data is based on the specific consent provided by the Data Subject when submitting their application to PRINEOS (pursuant to the GDPR art. 6, paragraph 1, point (a)). 

N.B. The provision of consent is absolutely optional: failure to provide consent may prevent us from assessing the suitability of an application and/or from proposing future job opportunities. 

Where the processing of data is indicated as "OPTIONAL" (see 3rd column of the above table), such processing is completely voluntary, and the Data Subjects may freely choose to provide their consent or not for the related purposes. Where, on the other hand, we specified that a processing operation is "NECESSARY", the consent of the Data Subjects is not necessary since the lawfulness of the processing is based on another legal basis listed by the GDPR (in particular, in the GDPR art. 6, paragraph 1). With respect to optional processing operations, Data Subjects can also check the potential consequences in case of failure to provide consent in the above table.

In addition to the information contained in this Statement, Data Subjects may at any time request further details on the processing of personal data by writing to PRINEOS at privacy@prineos.com.

4. Who may receive the data

Personal data we keep are not disclosed publicly. Nevertheless, based on Data Subjects’ specific consent, or where necessary for the execution of PRINEOS legitimate interests specified above, we may share some personal data with our third-party suppliers (for example, postal couriers, hosting providers, IT companies and other external service providers) appointed as "Data Processors" by PRINEOS, if required by the applicable law and, in particular, by art. 28 of the GDPR.

The data collected may be communicated to the following categories of recipients: 

  • Employees and collaborators in charge of data processing and operating under the direct authority of PRINEOS (staff of the administrative, commercial, business development, legal, customer service, staff of the IT department and system administrators)  
  • external parties who manage, support and assist PRINEOS, even occasionally, in the services provision to its customers, the selection and management of personnel, the administration and maintenance of the website or its IT system and infrastructure, as well as any other third parties and consultants appointed to comply with the legal obligation to which PRINEOS is subject (e.g., postal couriers, hosting providers, IT companies, communication and consultancy agencies, head-hunters, law firm, and other third-party service providers) 
  • any competent authorities, only where required by the law or in response to valid requests by public authorities (e.g., by a court or a government agency). 

Any personal data we collect and further process are kept within the European Union, and in particular in Italy, on the company servers, and in any other place where the categories of recipients listed above are located.  

Please note that the data may be transferred to a country other than the one in which they were collected. In particular, with regard to navigation data processed by third parties through the use of cookies and other tracking tools, we invite the reader to refer to Section 5 of this Statement to see details of data transfers operated by such third parties. 

The possibility for PRINEOS to communicate personal data to third-parties remains unprejudiced where Data Subjects freely provide their specific and explicit consent.

5. What type of Cookies are used on the website

To run our website, we are using so-called cookies and other tracking tools (e.g., unique identifiers, web beacons, integrated scripts, e-tags), including those provided by third parties, and which may collect small portions of information containing the details of the users’ browsing history on that website, and store them on the devices used by the Data Subjects (computers, smartphones, tablets, IoT devices, etc.).  

These portions of information collected through the use of cookies and other similar tools may include some personal data, such as, for example, the device’s Internet Protocol address (IP address) or domain name, URI address (Uniform Resource Identifier), username, email address or unique identifier, country of origin and language preferences, browser characteristics, operating system and/or IT environment used to access the website, including screen size, the visit’s temporal connotations (e.g., time spent on each page) and the itinerary followed within the website, with particular reference to the sequence of pages consulted, the method used to send requests to the server, the date and time of the requests sent to the server, including size of the file obtained in response, the numerical code indicating the status of the response from the server (successful, error, etc.) and other system logfiles – i.e. files that record users’ interactions on the website (hereinafter, the "Navigation Data").

Cookies and other tracking tools allow us to pursue several purposes as specified in the table below: 

Essential Cookies

Cookie type
Technical Cookies of this website (Proprietary) 

Type of data used and purpose(s) of processing

  • Navigation Data (IP address, user name, country, language, etc.) 
     
    • Ensure the efficiency and maintenance of this website 
    • Allow this website contents’ transmission on the Internet and/or to make it load faster 
    • Allow for visualization of external platforms content  
    • Ensure systems and processes are operating properly and securely, to prevent cyber fraud and for debugging

Retention period: at the end of the session 

Cookie type

Third-party Technical Cookies: Cookie Solution (Iubenda s.r.l.) 

Type of data used and purpose(s) of processing 

  • Navigation Data (IP address, user name, country, language, etc.) 
  • Methods of collection, date and outcome of the choice relating to the user's consent
     
    • To allow for configuration and to track users’ choices for the use of optional cookies on behalf of PRINEOS, and without having access to personal data that could allow the re-identification of individual users (based on pseudonymized or aggregated data) 

      Place of processing: EU
      Link: Privacy Policy of Cookie Solution

Retention period: 15 days

Optional Cookies

Cookie type
Third-party Analytical Cookies: Google Analytics (Google Ireland Limited) 

 Type of data used and purpose(s) of processing

  • Navigation Data (IP address, user name, country, language, browser characteristics, system logfiles, interactions with other websites/platforms, etc. – see complete definition above) 
  • Number of visits on this website and other statistical and aggregated data on the use of the website
     
    • to improve content and to develop better features that improve the user’s experience on the website by collecting traffic data, users’ preferences and behaviour on the website and by sharing statistic reports with PRINEOS, but without accessing any personal data that could allow for re-identification of individual users (using pseudonymized or aggregated data) 
    • to limit the frequency of requests 
    • to register a unique ID used to generate statistical reports on the use of this website and therefore assess its effectiveness

      Place of processing: EU and US (international data transfer based on the use of the European Commission's standard contractual clauses – see links below to learn more) 

      Link: Privacy Policy – International transfers – Cookie management tool 

Retention period: ga: 2 years; gid: 1 day; gat: 1 day

At the time of collection, the data collected through cookies are previously minimized and encrypted and are not collected to allow the identification of Data Subjects.  

Where cookies or other equivalent tools are necessary for the sole purpose of ensuring the display and operation of this site (the so-called technical cookies), the consent of the interested party is not required (see Article 122, paragraph 1 of the Privacy Code). However, the use of some specific cookies and third-party cookies may be subject to the provision of explicit consent by the interested parties. For instance, that is the case for the so-called profiling cookies that could allow for the re-identification of website’s users through processing and combination with additional data stored by third-party platforms.  

If consent for the use of specific cookies is given, the Data Subjects may change their preferences and/or freely revoke their consent at any time by clicking on the "Cookie preferences" link in the footer of the website.

The management of cookies can be challenging for Data Subjects, as well as for website operators, especially with regard to third-party cookies. Therefore, in addition to the possibility of choosing which cookies to authorize on this website and those of third-party cookie managers (see links in the table above), please note that website users can also protect their online privacy by using anti-tracking tools (so-called "ad-blockers") in order to block unwanted advertisements, using for example uBlock Origin or AdGuard© (also operational on smartphones).

6. How long the data will be kept

The data will be processed and stored for the time required to execute the purposes for which they have been collected. Therefore: 

  • Personal data whose processing is based on Data Subjects’ consent will be kept until such consent is revoked. Furthermore, the Data Controller may be obliged to keep personal data for a longer period in compliance with a legal obligation or by order of an authority.
  • Personal data collected for purposes related to the execution of a contract between the Data Controller and the Data Subject will be retained until the execution of this contract is completed, without prejudice to the further specific storage necessary as a result of a judicial dispute. 
  • Personal data collected for purposes related to the legitimate interests of the Data Controller will be retained until this interest is satisfied. Data Subjects can obtain further information regarding the legitimate interest pursued by the Data Controller in the relevant sections of this document or by contacting the Data Controller. 

Furthermore, it should be noted that: 

  • Personal data collected through the use of cookies or other tracking tools may be kept for the entire duration of the browsing session on the website and beyond, if the Data Subject expressed a freely given consent to this end, and except the further storage required as a result of a dispute in court. 
  • Personal data collected following an application for a job offer will be deleted within 6 months (for profiles not deemed relevant) and up to 24 months after sending the application (for relevant profiles), solely for the purpose of evaluating applications and streamlining our further personnel selection and training procedures.  

At the end of the retention period, the personal data will be deleted and/or anonymised in such a way as to prevent or no longer allow the identification of the Data Subjects. Moreover, at the end of this term, the right of access, cancellation, rectification and the right to data portability can no longer be exercised. 

7. What are the Data Subjects’ rights and options

Data Subjects may exercise several rights with respect to the processing of their personal data by the Data Controller. In particular, Data Subjects may have the right to: 

  • access their personal data processed by the Data Controller and all the information referred to in art. 15 of the GDPR. 
  • request the rectification of inaccurate personal data and/or to obtain the integration of incomplete data (GDPR art. 16). 
  • obtain the limitation of the processing of their data when one or more hypotheses referred to in art. 18 of the GDPR applies. In this case, the Data Controller will not process the data for any other purpose than their conservation. 
  • object to the processing of their data for reasons connected to their particular situation and when it occurs on a legal basis other than consent (GDPR art. 21). 
  • ask for data deletion (GDPR art. 17) – ‘right to be forgotten’ – except for those contained in documents that must be kept by the Data Controller as per legal obligation and unless there is a legitimate overriding reason to proceed with the data processing. 
  • lodge a complaint with the competent supervisory authority (GDPR art. 77). 
  • withdraw consent at any time and without any reason, and without prejudice to the lawfulness of the processing based on the consent given before the withdrawal (GDPR art. 7.3). 
  • obtain the transmission of their data from the Data Controller to another Data Controller in accordance with the criteria and methods indicated in art. 20 of the GDPR. 

To exercise their rights as expressed in the GDPR Chapter III, Data Subjects can send a request to the Data Controller, by writing to the following e-mail address: privacy@prineos.com. We will then process any requests we receive as soon as possible, in any case within one month.

8. What happens if this Statement is modified

PRINEOS may update this Privacy Statement at any time by notifying Data Subjects on this page and, if technically and legally feasible, by sending a notification to the Data Subjects using one of the contact details in our possession, if any. We therefore recommend consulting this page on a regular basis, referring to the date of the last version specified on top of this page. 

If any modification relates to data processing performed on the basis of consent, PRINEOS shall seek a new specific consent from the Data Subjects, except if there is another valid legal basis to be used to keep on processing such data lawfully or if otherwise permitted by the applicable law.

9. How to contact us

If you have any questions or complaints about our Privacy Statement or our personal data protection practices, you can contact us by sending a request via our contact form, by sending an ordinary mail to the following address: PRINEOS SRL, via Cesare Battisti n.1, 20122, Milan, or via e-mail by writing to privacy@prineos.com.

Moreover, you may contact the Data Protection Officer of PRINEOS at the following e-mail address: dpo@prineos.com and dpo.prineos@legalmail.it.