EMSy Events

Version 1.2 — May 2026

Personal Data Processing Notice

Healthcare Operators — EMSy Events

Data Processor: EMSy S.r.l. — Via degli Anziani 14, 11013 Courmayeur (AO) — info@emsy.io
Data Controllers: the organisations that organise the sporting events, on whose behalf EMSy operates.
Data protection contact: Simon Grosjean — info@emsy.io

1. Scope and Purpose

EMSy S.r.l. ("EMSy") operates the EMSy Events platform for the collection and management of health data of participants in sporting events (ultratrails, road races, cycling events and similar).

This notice describes the processing of personal data of healthcare operators (doctors, nurses, paramedics, volunteers) who register and use the EMSy Events platform in the course of their professional activities.

2. Data Processed

Regarding the healthcare operator, EMSy processes:

a) Registration data: first and last name, email address, phone number, declared professional qualification, organisation.

b) Access data: authentication logs, login/logout timestamps, IP address, browser/device user agent.

c) Operational data: clinical records entered by the operator within the assigned event, accesses to participant anamnesis data (Break-the-Glass log).

d) Consent data: timestamp, IP address and user agent related to acceptance of this notice and the confidentiality agreement.

e) Geolocation data: GPS coordinates (latitude, longitude, elevation) collected exclusively at the time of clinical record creation and shift clock-in/clock-out, for the purpose of medico-legal traceability of the healthcare intervention and operational coordination of the event. Location is not tracked continuously.

3. Legal Bases

Service provision and account management: performance of a contract or pre-contractual measures (Art. 6.1.b GDPR).

Participant anamnesis data processed through the operator: vital interest of the data subject (Art. 6.1.d and Art. 9.2.c GDPR) and purposes of preventive medicine or emergency care (Art. 9.2.h GDPR), in the context of a field emergency during a sporting event.

Geolocation data: legitimate interest of the event organiser in ensuring the localisation of healthcare interventions and coordination of rescue operations (Art. 6.1.f GDPR), as well as vital interest of the participant in emergency situations (Art. 6.1.d GDPR). Collection is limited to discrete events (clinical record creation and shift clock-in/out) and does not constitute continuous tracking of the operator.

Audit trail and security logs: EMSy's legitimate interest in ensuring the integrity and traceability of access to special-category data (Art. 6.1.f GDPR).

Legal obligations: data retention required by applicable law (Art. 6.1.c GDPR).

4. Participant Data — Processor Role

For the processing of participant health data, EMSy acts as a Data Processor under Art. 28 GDPR, on the instructions of the event organiser (Controller). The healthcare operator acts as "authorised person" under Art. 29 GDPR, under the authority and following the instructions of EMSy and the organiser.

Participant anamnesis data (medical conditions, allergies, medications, blood type) is classified as special-category data under Art. 9 GDPR and is accessible only through the Break-the-Glass mechanism, which requires a documented clinical justification and generates an immutable log of every access.

5. Recipients

Operator data is not sold or shared with third parties for commercial purposes. It may be disclosed to:

- Event organisers (Controllers), limited to data necessary for the operational management of the event.

- Technical infrastructure providers (Vercel, Neon Database / AWS), acting as sub-processors with adequate contractual guarantees and, where applicable, Standard Contractual Clauses for transfers outside the EEA.

- Competent authorities, in case of legal obligation or judicial authority request.

6. Transfers Outside the EEA

Hosting and database services operate in the EU-Central region (Frankfurt). Should transfers to third countries become necessary, EMSy adopts the safeguards provided by Arts. 46-49 GDPR (SCC, BCR or equivalent).

7. Retention

Account data and operational logs: retained for the duration of the account and for 24 months after deactivation, unless longer retention is required by law.

Break-the-Glass logs: retained for 10 years from the date of access (medico-legal purposes and GDPR accountability).

Consent data: retained for the duration of the relationship and for 10 years thereafter (proof of consent).

8. Data Subject Rights

The healthcare operator has the right to:

- Access their personal data (Art. 15 GDPR).

- Rectify inaccurate data (Art. 16 GDPR).

- Obtain erasure, within the limits permitted by retention obligations and EMSy's legitimate interests (Art. 17 GDPR).

- Restrict processing (Art. 18 GDPR).

- Receive their data in a structured format (portability, Art. 20 GDPR).

- Object to processing based on legitimate interest (Art. 21 GDPR).

- Withdraw consent at any time, without prejudice to the lawfulness of processing before withdrawal.

- Lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

To exercise your rights: info@emsy.io

8a. How to Request Account Deletion

To request the deletion of your account and associated data, the operator may send a request by email to info@emsy.io, stating the name, surname and email address of the account to be deleted.

Requests are processed within 30 days of receipt. EMSy will confirm the deletion by email.

What is deleted upon request:

- Registration data: name, surname, email, phone number, professional qualification, organisation.

- Profile access data: preferences, settings, session tokens.

- Event associations: roles and assignments to future events.

What is retained due to legal obligations or legitimate interest (cannot be deleted):

- Security logs and audit trail (SecurityAuditLog, AuditLog): retained for 10 years for medico-legal traceability and GDPR accountability obligations.

- Break-the-Glass logs: immutable logs of accesses to participant anamnesis data, retained for 10 years.

- Consent records: retained for 10 years as proof of acceptance of the terms of use.

- Operational clinical records: records entered by the operator remain associated with the event for healthcare documentation obligations; the reference to the operator is pseudonymised.

9. Security

EMSy implements appropriate technical and organisational measures, including:

- Encryption of data in transit (TLS 1.3) and at rest.

- JWT authentication with short expiry and role-differentiated refresh tokens.

- Physical separation of anamnesis data in a dedicated table.

- Immutable log of every access to special-category data.

- Role-based access control (RBAC).

10. Cookies

The EMSy Events platform uses only strictly necessary technical cookies for the operation of the service. No profiling, advertising, or tracking cookies are used.

The technical cookies used are:

- emsy_token: authentication cookie (JWT), duration 15 minutes, HttpOnly, Secure, SameSite=Strict.

- emsy_refresh_token: session cookie for authentication renewal, variable duration by role (from 24 hours to 7 days), HttpOnly, Secure, SameSite=Strict.

- NEXT_LOCALE: language preference cookie (it/en), set by the internationalisation framework.

Under the Italian Data Protection Authority's Provision of 10 June 2021, technical cookies do not require user consent and may be used without a consent banner.

The analytics service (Vercel Web Analytics) used by the platform does not use cookies and does not perform individual user tracking.

11. Changes to This Notice

EMSy reserves the right to update this notice. Material changes will be notified via the platform or by email with reasonable notice. Continued use of the platform after notification constitutes acceptance of the new version.