Privacy policy

Information on the processing of personal data
pursuant to art. 13 European Regulation for the Protection of Personal Data 679/2016 hereinafter GDPR

  1. This information

1.1 EDRA S.p.A. aware of the importance of guaranteeing the security of private information, in compliance with the applicable Italian and European legislation, below describes the methods of processing the personal data of those ("User", "Users") who connect to this Site, directly , or even through a link from another site.

1.2 This Site contains links to other websites: this information does not apply to such other websites that may be consulted by the User through specific links. They may contain "information on the processing of personal data" diverging, in whole or in part, from this information. Edra S.p.A. therefore invites the User to examine the privacy policy of each site to which he connects, before entering any personal information on it.

1.3 This information applies exclusively to personal data processed through and on this Site: it does not, on the other hand, concern the processing of data through other tools (eg telephone, mail, etc.).

1.4 This is the current information, updated to the date that appears at the bottom: EDRA S.p.A. reserves the right, at any time, to modify and update it.

1.5 The statements of EDRA S.p.A. all listed below integrate the Legal Notes (Terms and Conditions of Use) of the Site but are not contractual in nature and therefore do not generate contractual obligations towards the User and corresponding User rights.

  1. Holder of the treatment of personal data

2.1 The Data Controller of personal data is: EDRA S.p.A. Tax Code and VAT number 08056040960, with registered office in Milan, via Spadolini 7, a company incorporated under Italian law.

  1. Place of processing of personal data

3.1 The processing of personal data connected to the consultation of the Site takes place at the registered office of EDRA S.p.A. Indicated above. The data are stored at a Data Center located in the registered office of EDRA S.p.A. in Milan and at the Elmec Informatica Data Center located in via Pret n. 1 Brunello (VA), appointed External Data Processor pursuant to art. 28 GDPR.

  1. Type of data processed

Traffic and navigation data provided by the user's computer

4.1 The computer systems and software procedures used to operate the Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes the IP addresses or domain names of the computers used by the Users who connect to the site, the URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user's IT environment. These data constitute the access register.

4.2 The Site also acquires and stores the URL sequence data (Uniform Resource Locator) identifying the resources visited or searched by the User on the Internet (e.g. Web pages, documents, images, etc.), including the date and time of access and their content.

4.3 The Site also acquires data and information from the User's computer through the use of cookies: permanent and / or "session":

- persistent cookies: the computer system of the Site, during its normal operation, sends from the EDRA SpA server to the User's browser some data that are stored on the hard disk of the User's computer to allow him to navigate in some, specific, restricted areas of the Site.

- session cookies: the computer system of the Site sends some data consisting of random numbers generated by the server, the so-called session cookies, which are not stored permanently on the User's computer and therefore disappear when the computer is closed. The sending of such data serves to allow the transmission of session identifiers, necessary for the safe and efficient exploration of the site and to collect information on the use of the Site by the User.

Any profiling cookies are processed for the sole purpose of allowing the use of personalized banners. No targeted advertising will be sent instead thanks to the use of these cookies. Consent to use of the same must be expressed by accepting the use of the site as per the Provision of the Privacy Guarantor of 4 June 2014.

In particular, the cookies used are the following:

Permanent Cookies

Google Analytics _ga cookie: Used to distinguish users - necessary for third-party service

MK cookie: Used to store user authentication with a permanent login

Session cookies

Google Analytics_gat cookie: used for the analysis of visits to the site.

4.4 Most of the Users' browsers are designed to automatically accept cookies, but the User can set their browser to disable, once and for all or once at a time, the receipt and saving of new cookies; or you can set your computer to receive a warning when it is about to store a cookie. In case of deactivation of cookies, the User, while being able to access the Site, may not be able to navigate in specific and / or reserved areas.

4.5 In general, the Site acquires and stores - and sometimes communicates to third parties - all the navigation data described above exclusively in anonymous and aggregate form. The processing of such data allows the Owner to manage and control the proper functioning of the Site and to carry out statistics and samples for promotional or scientific purposes.

Data provided voluntarily by the User.

4.6 The Site may sometimes ask the User to provide some personal information such as, for example, name and surname, business address, telephone number, e-mail address, etc. The provision of such data depends only on the will of the User and is therefore absolutely optional.

4.7 The User, in order to have access to certain contents of the Site in specific reserved areas and to be able to take advantage of the full operation of the Site, has the responsibility of:

- obtain a pair of unique keys (Username and Password) through a registration procedure;

- subsequently, at each new session, enter your Username and Password for recognition by the authentication system.

4.8 The personal data collected by the form completed by the User at the time of his voluntary registration (Registration data) consist of information relating to the User's contacts and so, for example: name and surname or name of the company, association or body , professional title, postal address, e-mail address, telephone number, fax. The computer system of the Site automatically associates this data with the Username and Password chosen by the User and connects them to an account. In subsequent accesses, it will be possible to access personal registration data only by typing in Username and Password; the User is therefore fully responsible for the proper custody of their Username and Password.

Data provided by third parties

4.9 The computer system of the Site sometimes also processes personal data and contacts of Users published in public categorical lists (e.g. single database of telephone subscribers, databases of professional orders, databases of social security institutions of the medical-health categories, etc.). As such, these data can be processed by EDRA S.p.A. as independent data controller, in compliance with the provisions of the GDPR and in particular those provided for in the field of unsolicited communications (e-mail, SMS, Mms, electronic faxes).

  1. Purpose of the treatment

The personal data provided will be processed for the following purposes:

5.1 Activities strictly connected and functional to the operation of the services: for example, allowing the User to access the services offered and view the contents of the Site; allow the User to receive the requested products or services, executing the orders received; respond to the User's questions and requests;

5.2 Technical management of the Site and its information system, including through the Medikey® certification platform: for example, acquisition, matching and management of information relating to the account; securing and checking the correct functioning of the Site; site activity monitoring;

5.3 Enrichment or customization of the contents, services, or design of the Site on the occasion of a single visit, or of repeated accesses;

5.4 Profiling in aggregate form (i.e. anonymous, without any prejudice to the privacy and confidentiality of the data of each registered owner), of Users and their access to confidential specialized pages, for the purpose of scientific and / or market research, analysis, and for the elaboration of reports, carried out directly by Edra SpA or also through specialized third-party companies;

5.5 Communication with the User regarding changes or updates to the Site and its services; advertising communications, communications of special offers and promotions; requests for market surveys to which the User can freely choose whether to join or not.

  1. Processing methods

6.1 The processing of personal data takes place using IT, telematic, manual tools, both as EDRA S.p.A. that as Medikey® or with other names and commercial signs of the LSWR group.

6.2 Data processing takes place in compliance with the GDPR and the requirements defined within the organization of EDRA S.p.A. described in the treatment registers and in the Security Policy Document, which the Company continues to update.

  1. Categories of the subjects that process the data

7.1 The processing is carried out by the Data Controller and by his Appointees: employees, agents, representatives, third party suppliers (e.g. companies that provide data processing services, invoice printing, enveloping and labeling of products purchased online, shipping, etc.).

7.2 The processing is also carried out by the other companies of the EDRA S.p.A. group and by subjects (companies, associations, entities) for which the Data Controller operates as an agent, licensee, publisher for the purposes listed above. In the cases provided for by art. 28 of the GDPR (i.e. when the Company carries out processing on behalf of other independent Data Controllers) EDRA S.p.A. she was appointed External Manager.

7.3 Data processing by EDRA S.p.A. and its representatives may take place regardless of the User's consent in the following cases:

7.3.1 at the request of the Judicial Authority, or to defend or protect one's rights in administrative, judicial or arbitration proceedings;

7.3.2 in the event that the processing of data is necessary to allow investigations aimed at countering illegal activities, acts in fraud of the law, or to ensure the safety of people or things; in all cases, in general, in which the transmission of data is required by law;

7.3.3 in the event that EDRA S.p.A. is acquired by, transferred or merged with another company, or in the event that this Site or some of its contents are transferred to third parties.

  1. Rights of interested parties

8.1 The User registered on the Site is solely responsible for the veracity of the personal information entered therein. Pursuant to articles 15 to 21 of the GDPR, the interested party has the right:

  1. obtain confirmation of the existence or not of personal data concerning him, even if not yet registered and their communication in an intelligible form.
  2. obtain the indication:
  3. a) the origin of personaldata;
  4. b) the purposes and methods of theprocessing;
  5. c) the logic applied in case of processing carried out with the aid of electronictools;
  6. d) of the identification details of the Data Controller, of the Managers
  7. e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them as designated Representative in the State,managersor agents.
  8. get:
  9. a) updating, rectification, or, when interested, integration ofdata;
  10. b) the cancellation, transformation into anonymous form or blocking of data processed in violation of the law, including those that do not need to be kept for the purposes for which the data were collected or subsequentlyprocessed;
  11. c) the attestation that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment is finds it impossible or involves the use of means that are manifestly disproportionate to the protected right.

The User can exercise these rights recognized by law by contacting EDRA S.p.A. to the Contacts indicated in point 11 below.

8.2 Starting from 25 May 2018, the interested party may also, pursuant to articles 15-21 of the GDPR, exercise the following specific rights:

  • right of access
  • right of rectification
  • right to cancellation (right to be forgotten), except in the case where the processing is necessary for the Data Controller, for the exercise of the rights to freedom of expression and information, for the fulfillment of a legal obligation or for the execution of a task carried out in the public interest, for archiving purposes in the public interest, for scientific or historical research or for statistical purposes, for the assessment, exercise or defense of a right in court.
  • right to limitation of treatment
  • right to object
  • right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent before the withdrawal;
  • right to lodge a complaint with the Guarantor Authority for the protection of personal data. Therefore, if the User wishes to exercise this right, he can express his will by contacting EDRA S.p.A. to one of the addresses indicated in point 11, below. 

8.3 EDRA S.p.A. reserves the right to communicate changes or updates to the Site to the User whenever necessary.

  1. Retention of personal data

9.1 EDRA S.p.A. retains the personal data collected by the User for as long as such information is deemed relevant for commercial purposes, and in any case up to a maximum of two years from the last interaction or until the User requests the cancellation of their data by contacting EDRA SpA to one of the addresses indicated in point 11, below.

  1. Information security

10.1 EDRA S.p.A. is aware of the importance of ensuring the security of private information of which it becomes aware and therefore strives to protect the privacy of the Users of its Site.

10.2 The personal and demographic information including the access credentials (username / login and password) of each User are sent and stored in servers equipped with firewalls and physically located in protected data centers.

10.3 Login and password transit on the Internet in encrypted form on SSL protocol. The other personal information transits between the data centers on an MPLS private line in encrypted form.

10.4 The implementation of lockout management systems (which provide for blocking access in the event of repeated incorrect access) also allow you to protect accounts from intrusion or hacking attempts by unauthorized third-party users.

10.5 Furthermore, EDRA S.p.A. adopts internal security procedures described in the Programmatic Security Document (DPS) including, for example, the filtering of access and use of data by its employees.

10.6 EDRA S.p.A. however, cannot be held responsible for any unauthorized access, for data loss (eg passwords), illicit / incorrect use, or for alterations of personal information that occur outside of its control, nor can it guarantee the correct and secure use of the User's personal data by third parties.

  1. Contacts

11.1 The User can exercise the rights recognized by art. 7 of Legislative Decree 196/2003 and submit any of your requests, questions, comments, or complaints regarding this Notice, or the way in which your personal data are processed on the Site to:


via Spadolini n. 7, 20141 Milan

tel +39 02 88184.1;

fax +39 02 88184.301;


  1. DPO

The Data Controller pursuant to art. 37, co. 1, letter b) of the GDPR has appointed Monica Gobbato as Data Protection Officer (the "DPO") who can be contacted at the following addresses: