1. Introduction
This Cookie Policy refers exclusively to the website https://research.hsr.it/en/index.html  (“Website”) and must be intended as an integral part of the Privacy Policy of the same.

2. Definitions, characteristics and application of the legislation
The data controller is Ospedale San Raffaele S.r.l., with registered office in Via Olgettina n. 60 - 20132 Milan (“OSR” or “Data Controller”) e-mail hsrsanraffaele@hsr.postecert.it.
OSR has also appointed a data protection officer (“Data Protection Officer” or “DPO”), as required by the GDPR, with duties of surveillance, supervision and specialist advice in the privacy field who can be contacted for any support at the following e-mail address: dpo@hsr.it.
The Data Controller processes personal data in compliance with the principles of lawfulness, correctness, transparency, limitation of purposes and conservation, data minimization, accuracy, integrity and confidentiality.

3. Definitions, characteristics and legislation on cookies
Cookies are small text files that the websites visited by the user send and record on his/her computer or mobile device, to be then retransmitted to the same websites on the next visit. Thanks to cookies, a website remembers the user's actions and preferences (for example, login data, chosen language, font size, etc.), so that they do not have to be indicated again when the user returns to visit said site or navigates from one page to another of it. Cookies are therefore used to perform computer authentication, session monitoring and storage of information regarding the activities of users who access a site. They may also contain a unique identification code that allows tracking of the user's navigation within the site itself for statistical or advertising purposes.

While browsing a website, the user may receive on his computer so-called “first-party” cookies – when installed directly by the website manager –, but also cookies from websites or web servers other than the one he is visiting (so-called “third-party” cookies), installed on the terminal by a person other than the website manager.
Some operations could not be performed without the use of cookies, which in some cases are therefore technically necessary for the operation of the website.
There are various types of cookies, depending on their characteristics and functions, which can remain on the user’s computer for different periods of time. In this sense, a distinction is made between the so-called session cookies, which are automatically deleted when the browser is closed, and the so-called persistent cookies, which remain on the user’s device until a pre-established expiry date.

According to the legislation in force in Italy, the use of cookies does not always require the express consent of the user. In particular, the so-called "technical cookies", i.e. those used for the sole purpose of transmitting a communication over an electronic communications network, or just in the strictly necessary extent to provide a service explicitly requested by the user, do not require such consent. In other words, these are cookies that are essential for the functioning of the website or necessary to perform activities requested by the user.
Among technical cookies, which do not require express consent for their use, the Guarantor for the Protection of Personal Data (see Provision "Identification of simplified procedures for the information and acquisition of consent for the use of cookies of May 8, 2014" and "Guidelines for cookies and other tracking tools – June 10, 2021") also includes "first-party analytical cookies" and "anonymized third-party analytical cookies".
For “profiling cookies”, on the other hand, i.e. those aimed at creating profiles relating to the user and used to send advertising messages in line with the preferences expressed by the user while browsing the internet, prior consent from the user is required.

4. Types of cookies used by the website
In details, cookies sent by GSDSS through the website are indicated in the tables “List of cookies” present at the bottom of the page.

5. Settings related to the cookies
The user can block or delete (in whole or in part) the technical and functionality cookies through the specific functions of your Browser. However, we remind the user that not authorizing technical cookies might entail the impossibility to use the Website, to view its contents and to take advantage of the related services. Inhibiting the functionality cookies might entail that some services or determined functions of the Website will not be available or will not work correctly, and the user might be forced to modify or manually insert some information or preferences any times they visits the Website. 
In particular, the user can authorize, block or delete (in whole or in part) cookies through the specific functions of his Browser. For further information on how to set preferences on the use of cookies through the Browser, it is possible to consult the relative instructions:

• Internet Explorer
• Google Chrome
• Safari
• Firefox

6. Methods of collecting consent for the use of cookies
When accessing the homepage of the Website, there is Banner containing a brief information notice on cookies, which informs the user about the meaning of their actions. In particular, by clicking on “I accept all cookies”, the user authorizes the use of all cookies and other technologies present on the Website, including profiling cookies; by clicking on the “X” in the top right, the user is aware that only the necessary anonymized technical and analytical cookies are installed on their device; by clicking on “Cookie Settings”, the user has the possibility to choose which categories of cookies to install on their device.
The user, through the “Cookie Settings” button in footer of the Website and as an icon on the page, has the right, pursuant to Art. 7 of the GDPR, to modify and/or revoke his/her consent at any time. Such revocation does not affect the lawfulness of the processing based on consent before the revocation.

7. Transfer of personal data
Personal data collected by means of first-party cookies – i.e. installed by GSDSS – present on the Website, are not subject to transfer outside the European Union. In any case, it is understood that, if necessary, the Data Controller may also transfer personal data even to non-EU countries, guaranteeing from now that the transfer would take place in accordance with the applicable legal provisions and therefore stipulating, if and when necessary, specific agreements that guarantee an adequate level of protection of personal data, or in any case adopting the standard contractual clauses provided by the European Commission for the transfer of personal data outside the EU.
Instead, with particular reference to the transfer of personal data carried out by means of third-party cookies, please refer to the respective data processing policies at the link of the individual cookies reported in the “List of cookies” section at the bottom of the page.

8. Categories of recipients
Personal data collected through cookies may be shared with:
•    people authorized by the Data Controller to process personal data, as employees and/or collaborators pursuant to Art. 29, GDPR and 2-quaterdecies of the Privacy Code, who have received adequate operative instructions and who have undertaken to maintain confidentiality or are subject to an adequate legal obligation of confidentiality;
•    subjects delegated and/or appointed by the Data Controller to carry out activities strictly related to the pursuit of specific purposes (for example and not limited to, technical maintenance interventions on the systems), duly appointed as Data Processors pursuant to Art. 28 of the GDPR. The list of names of the data processors is available to the Interested parties at Ospedale San Raffaele S.r.l.;
•    subjects, entities, or authorities to whom the communication of the Interested party’s personal data is mandatory by virtue of provisions of law or orders of the competent authorities.

9. Rights of the interested party
In accordance with the provisions of GDPR, the user has the right to ask the Data Controller, at any time, for access to his/her personal data, for the rectification or erasure of the same or to object to their processing. The law also allows the user to exercise the right to request the limitation of processing in the cases provided by Art. 20 of the GDPR.
Requests can be sent to the email address indicated in paragraph 1 of this Cookie Policy.
Finally, we remind you that you always have the right to lodge a complaint with the competent supervisory authority (Guarantor for the Protection of Personal Data), pursuant to the Art. 77 of the GDPR, if you believe that the processing of your personal data is contrary to the legislation in force.