• Funded by the Horizon Europe programme, under GA No. 101113193



Ospedale San Raffaele S.r.l., with registered office in Milan, via Olgettina no. 60, 20132, Tax Code 07636600962, VAT no. 07636600962,  e-mail hsrsanraffaele@hsr.postecert.it, represented by the Chief Executive Officer and legal representative (“OSR” or the “Data Controller” ) is committed to protecting the on – line privacy of the users of our websites (hereinafter, “Website”). As such, this Privacy Policy has been written in accordance with art. 13 of the Regulation (EU) 2016/679 (“Regulation”) in order to allow you to understand OSR’s policy regarding your privacy, as well as how your personal information will be handled when using the Website. This Privacy Policy will also provide you with information so that you are able to consent to the processing of your personal data in an explicit and informed manner, where appropriate.

In general, any information and data which you provide to OSR over the Website, or which is otherwise gathered via the Website by OSR, in the context of the use of OSR’s services (“Services”), will be processed by OSR in a lawful, fair and transparent manner in accordance with Regulation’s provisions.

To this end, and as further described below, OSR takes into consideration internationally recognised principles governing the processing of personal data, such as purpose limitation, storage limitation, data minimisation, data accuracy and confidentiality.

Data controller and Data Protection Officer

Ospedale San Raffaele S.r.l., as identified at the top of this Privacy Policy, is the data controller regarding all personal data processing carried out through the Website.
To get in touch with OSR Data Protection Officer (hereinafter, “DPO”), please contact: dpo@hsr.it

Personal Data Processed

When you use the Website, OSR will collect and process information regarding you (as an individual) – such as a name, an identification number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person – which allows you to be identified either by itself, or together with other information which has been collected. OSR may also be able to collect and process information regarding other persons in this same manner, if you choose to provide it to OSR.

This information may be classified as “Personal Data” and can be collected by OSR both when you choose to provide it or simply by analysing your behaviour on the Website.

Personal Data which can be processed by OSR through the Website are as follows:

Browsing data

The Website’s operation, as is standard with any websites on the Internet, involves the use of computer systems and software procedures, which collect information about the Website’s users as part of their routine operation. While OSR does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered Personal Data.

This information includes several parameters related to your operating system and IT environment, including your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier) addresses of resources you request on the Website, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and so on. These data are used to compile statistical information on the use of the Website, as well as to ensure its correct operation and identify any faults and/or abuse of the Website. Save for this last purpose, these data are not kept for more than 7 business days.


The cookies on the site are:
– Technical session cookies
– Technical cookie cookieyes-consent for approval cookies
– Technical cookie wp_lang for user language identification.

Purposes of processing

OSR intends to use your Personal Data, collected through the Website, for the following purposes:

  • to allow to provide the services which you may request on the Website;
  • to assist you and reply to your queries;
  • for compliance with laws which impose upon OSR the collection and/or further processing of certain kinds of Personal Data, financial laws and regulations;
  • to improve the website by analyzing how Visitors or Users navigate and/or use the website;
  • to identify or prevent fraudulent activity and exercise the Controller’s rights in court.
Legitimate basis

OSR’s legal bases to process your Personal Data, according to the purposes identified in Section 3, are as follows:

  • Processing for the purposes set forth in Section 3 (a – b) is based on Article 6(1)(b) GDPR since the processing is necessary to provide the Services described above and, therefore, is necessary for the performance of a contract with you. It is not mandatory for you to give OSR your Personal Data for these purposes; however, if you do not, OSR will not be able to provide the Website’s Services to you.
  • Processing for the purposes set forth in Section 3 (c) is necessary for OSR to comply with its legal obligations in accordance with Article 6(1)(c) GDPR. When you provide any Personal Data to OSR, OSR must process it in accordance with the laws applicable to it, which may include retaining and reporting your Personal Data to official authorities for compliance with tax, customs or other legal obligations.
  • Processing for the purposes set forth in Section 3(d-e) is based on Controller’s legitimate interest according to Articles 6(1)(f).
Recipients of Personal Data

Your Personal Data may be shared with the following list of persons / entities (“Recipients”):

  • Entities which act as data processors in accordance with Article 28 of the Regulation and specifically: Persons, companies or professional firms providing OSR with advice and consultancy regarding accounting, administrative, legal, tax, financial and debt collection matters related to the provision of the Services and which act typically as data processors on behalf of OSR;
  • Entities engaged in order to provide the Services (e.g., hosting providers or e-mail platform providers); 
  • Persons authorised to perform technical maintenance (including maintenance of network equipment and electronic communications networks); More information on the list of data processors is available upon written request to OSR at the following address: dpo@hsr.it  (DPO).
  • Public entities, bodies or authorities to whom your Personal Data may be disclosed, in accordance with the applicable law or binding orders of those entities, bodies or authorities.
  • Persons authorised by OSR to process Personal Data needed to carry out activities strictly related to the provision of the Services, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g., employees of OSR).
Transfers of Personal Data

Your Personal Data may be transferred to Recipients located in several different countries. OSR implements appropriate safeguards to ensure the lawfulness and security of these Personal Data transfers, such as by relying on adequacy decisions from the European Commission, standard data protection clauses adopted by the European Commission, or other safeguards or conditions considered adequate to the transfer at hand.

Data transfer outside the EU
The Operator will not transfer Your personal data outside the EU territory. In the event it is absolutely necessary, Your personal data will be processed by one of the methods permitted by the applicable legislation such as Standard Regulations Approved by the European Commission, by the entities participating in international programs of data free circulation or operating in the countries the European Commission considers to be safe. Further information may be received from the data protection officer (DPO) using the above contact details. 

Retention of Personal Data

Persona Data processed for the purposes set forth in Section 3 (a – b – d) will be kept by OSR for the period deemed strictly necessary to fulfil such purposes in accordance with minimisation and storage limitation principles. In any case, as these Personal Data are processed for the provision of the services, OSR may continue to store this Personal Data for a longer period, as may be necessary to protect OSR’s interests as regards potential liability related to the provision of the Services. More information on retention of personal data and basis used by OSR for determining the storage period is available upon written request to OSR (Controller) or OSR’s DPO using the above contact details

Data subjects’ rights

As a data subject, you are entitled to exercise the following rights before OSR, at any time: Access your Personal Data being processed by OSR (and/or a copy of that Personal Data), as well as information on the processing of your Personal Data; Correct or update your Personal Data processed by OSR, where it may be inaccurate or incomplete; Request erasure of your Personal Data being processed by OSR, where you feel that the processing is unnecessary or otherwise unlawful; Request the restriction of the processing of your Personal Data, where you feel that the Personal Data processed is inaccurate, unnecessary or unlawfully processed, or where you have objected to the processing; Exercise your right to portability: the right to obtain a copy of your Personal Data provided to OSR, in a structured, commonly used and machine-readable format, as well as the transmission of that Personal Data to another data controller; Withdraw your consent to processing; or Object to the processing of your Personal Data, based on relevant grounds related to your particular situation, which you believe must prevent OSR from processing your Personal Data: OSR will no longer process Your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override Your interests, rights and freedoms.

In any case, please note that, as a data subject, you are entitled to file a complaint with the competent supervisory authorities for the protection of Personal Data, if you believe that the processing of your Personal Data carried out through the Website is unlawful.

You can always exercise your rights described above by sending a written request to OSR (Controller) or OSR’s DPO at the above contact details.


This Privacy Policy entered into force on November 2022.

OSR reserves the right to partly or fully amend this Privacy Policy, or simply to update its content, e.g., as a result of changes in applicable law. OSR will inform you of such changes as soon as they are introduced, and they will be binding as soon as they are published on the Website. OSR therefore invites you to regularly visit this Privacy Policy in order to acquaint yourself with the latest, updated version of the Privacy Policy, so that you may remain constantly informed on how OSR collects and uses Personal Data.