Appointment as Authorised Data Processor and Confidentiality Agreement

EMSy S.r.l. ("EMSy") operates the EMSy Events platform for the collection and management of health data of participants in sporting events.

In this context, healthcare operators access special-category personal data under Art. 9 of EU Regulation 2016/679 (GDPR): health data of participants, including medical conditions, allergies, medications, blood type, and emergency notes.

Under Arts. 29 and 32.4 GDPR, as well as Art. 2-quaterdecies of Italian Legislative Decree 196/2003 (Italian Privacy Code, as amended by Legislative Decree 101/2018), authorised persons must operate under the direct authority of the controller/processor and are bound by confidentiality.

By accepting this document, the healthcare operator (hereinafter "Authorised Person") acknowledges their appointment as Authorised Person for the processing of special-category personal data on the EMSy Events platform, under Art. 29 GDPR and Art. 2-quaterdecies of Legislative Decree 196/2003.

The Authorised Person undertakes to process participant personal data:

a) Exclusively for healthcare purposes within the assigned sporting event, and under no circumstances for personal, commercial, or unauthorised research purposes.

b) Only within the limits strictly necessary for the ongoing clinical intervention (minimisation principle, Art. 5.1.c GDPR).

c) Accessing anamnesis data (Break-the-Glass) only in the presence of a real and documented clinical need, aware that every access is recorded in an immutable log with timestamp, IP address, and reason.

d) Not disclosing participant data to unauthorised persons, including other participants, family members not designated as emergency contacts, media, or any third party not involved in direct care.

e) Not exporting, copying, or storing data outside the EMSy Events platform, on personal devices, or unauthorised systems.

f) Immediately reporting to EMSy (info@emsy.io) any data breach, unauthorised access, loss of devices, or any event that could compromise the confidentiality of processed data.

The Authorised Person declares awareness that:

a) Participant health data is special-category data under Art. 9 GDPR and enjoys enhanced protection.

b) Every access to anamnesis data through the Break-the-Glass mechanism is recorded and retained for 10 years for medico-legal and accountability purposes.

c) Breach of this agreement may constitute civil and/or criminal liability (Arts. 167-168 of Legislative Decree 196/2003) and result in immediate suspension of the platform account.

The confidentiality commitment remains valid even after the end of activity at the event or of the collaboration with EMSy.

It does not prejudice reporting obligations required by law (e.g. mandatory reports to the Judicial Authority or Health Authority).

The Authorised Person accepts the instructions issued by EMSy for data processing, including the platform's security policies, and undertakes to follow any training courses provided by EMSy on data protection matters.

Access to participant anamnesis data is through a controlled mechanism ("Break-the-Glass") that:

- Requires entry of a documented clinical reason.

- Generates an access session lasting a maximum of 30 minutes.

- Records immutably: operator identity, timestamp, IP address, user agent, declared reason, and participant identifier.

- Allows early manual re-locking by the operator.

The Authorised Person undertakes not to abuse this mechanism and to use it only in the presence of genuine clinical need.