Privacy Statement

The protection of privacy is a responsibility that EOC is scrupulously committed to in daily practice. Data and information management complies with the provisions contained in the new Federal Data Protection Act (nLPD).

Privacy statement and definitions

1. Data protection statement

Data protection and privacy are among the core values of Ente Ospedaliero Cantonale (hereinafter simply "EOC" or also "we" / "us").

We are actively committed to treating all information with the utmost care and responsibility in compliance with applicable data protection provisions, in particular in accordance with the requirements of Swiss and Canton Ticino Law and in line with European legislation, if and to the extent that the latter is applicable.
We are constantly working to ensure maximum protection for the personal data we handle, making necessary changes and improvements in accordance with applicable laws.

This data protection statement is addressed to everyone who comes into contact with the EOC (e.g., website users, patients, EOC employees, suppliers, physicians and health care providers, clinics, hospitals, etc.) and is intended to explain how and why we collect, process, and use personal data.

What is described below applies to any processing of personal data collected by the EOC in the course of carrying out its many activities and regardless of how such personal data is collected, i.e. online (e.g., through our website www.eoc.ch, use of EOC applications, e-mail), or physically at our facilities and locations (e.g., by filling out forms or through other means).

Please read this data protection statement carefully and check this page regularly to keep abreast of any changes made under this statement.

Term: Meaning
Personal data: Any information relating to an identified or identifiable natural person.
Personal data worthy of special protection: So-called sensitive data, namely: data relating to health, the intimate sphere or ethnic-cultural origin, religious/political/trade union opinions, genetic and biometric data, data relating to criminal or administrative proceedings or to social assistance measures.
Processing (Italian: "elaborazione" / "trattamento"): The two terms are used as synonyms in data protection matters and include any operation relating to personal data, e.g., collection, recording, storage, use, modification, communication, archiving, deletion or destruction.
Communication: Transmission of data or making it available to third parties.
Data subject(s): The natural person to whom the personal data being processed relate.
Data controller: The party that decides why and how your data are processed. In our case, the EOC.
Data processor / agent: The party that processes data on behalf of the Controller, for example an external service provider.

 

 


Collection and processing of personal data

4. What data do we collect and process?

In the performance of our public law mandates and all our further activities, we collect and process various types of personal data in compliance with applicable data protection regulations. In particular:

A. Personal Data
Upon your admission to the EOC - and whenever you come into contact with the EOC - different types of personal data may be requested.

Some examples, depending on your needs and your relationship with us:

  • form of address (title), first name, last name
  • date and place of birth
  • nationality
  • residential address
  • telephone numbers, email addresses, and other contact information
  • IP address
  • ID numbers of documents (e.g., health insurance and/or insurance card, OASI number or card)
  • any other personal data that falls under the definition in Article 5(a) DPA.


This type of information is also known as "common" personal data because it is commonly used to carry out the operations that are necessary and fundamental to managing the main hospital activities (e.g., the safe and correct identification and registration of the person within the facility, the handling of the requested services, the possibility of communicating with the person to keep him/her informed of updates on the results of the examinations carried out, and so on).

In other cases and circumstances, personal data arising in connection with the conclusion or execution or dissolution of contracts may be used. Such data, in addition to those mentioned above, may include, in particular, the data of legal persons.

B. Health data
The EOC, as part of its activities, may request or become aware of data concerning health (e.g., through various documents such as reports, medical histories, diagnostic results, blood tests, etc.), genetic data, biometric data, and in general information concerning the intimate sphere of patients.

These data are also known as personal data "worthy of special protection" because they are data that must be protected with the utmost care and security.
In the context of the purposes related to the various activities carried out by the EOC, the processing of this type of data is indispensable in order to be able to carry out in the best possible way the health care services required and/or necessary for the patient's medical treatment or course of care.

C. Browsing data, cookies and other tracking tools
By browsing data and cookies we mean all that information that is not collected per se to be associated with identified data subjects, but which by its very nature may include personal data or could, through processing and association, allow us to identify users of the site, our Apps or other digital tools.

Examples include:

  • The type of browser used by the User;
  • The website from which you reached our site (referring website);
  • The operating system of the computer;
  • The type of device used;
  • The referrer URL (Uniform Resource Locator);
  • The IP address;
  • Internet Service Provider (ISP);
  • The country from which access took place and the language settings of the User's browser;
  • The click rate or click-through rate (link tracking);
  • The time and date a page was viewed.


Other tools may also be used on our site, such as "tracking pixels", which are graphical elements (e.g., images) embedded in web page code that serve to document how users navigate the website. In the latter case, the only processing carried out concerns the production of statistics, with anonymized data.

D. Video footage, images, and video surveillance
For security and related evidentiary purposes, we may also take video footage both in the outdoor and indoor spaces of the properties we rent (e.g., of institutions and hospital facilities). We can then obtain information on the behavior in the filmed areas, subject to the recommendations and legal provisions that specifically regulate video surveillance. The use of surveillance cameras is restricted to limited areas and is appropriately reported.

In addition to security needs, the EOC conducts video filming for the purpose of care (e.g., this is the case of intensive care monitoring through CCTV surveillance) or filming of images and/or videos in the care setting (e.g., in the emergency room, imaging of an injury). The use of this type of video surveillance for the purpose of care is limited and restricted to specific areas and services and defined in internal guidelines and regulations in line with the provisions and requirements of the Law.

E. Other data worthy of special protection
In addition to the type of data described in subsection B of this section, the EOC may, under special circumstances and in compliance with applicable legal provisions, also become aware of other types of personal data worthy of special protection, pursuant to Article 5(c) DPA.

For example, in the course of official procedures of authorities or in the execution of procedures or acts resulting from courts, we may become aware of personal data pertaining to the private and intimate sphere, contained in documents, acts or means of evidence. For reasons of security and health protection, we may also collect information, e.g. on who accesses a particular building and when, or who has corresponding access rights (e.g. for access control, based on registration data or visitor lists, etc.), or on who uses our infrastructure and systems and when.

5. Where does the personal data we process come from?

The EOC preferably collects personal data directly from data subjects when they first contact us. Depending on different and specific circumstances, we collect and process personal data from individuals who fall into one of the following categories:

  • patients, family members of patients (e.g., current and former spouses, cohabiting partners, parents and children), and other persons who accompany patients or are reference persons for patients;
  • people who visit our website or other digital services (e.g., our Apps);
  • people who visit our offices or use our other services;
  • EOC employees and contractors and people who apply for our job openings;
  • students, pupils, apprentices, trainees and civil service participants/volunteers;
  • suppliers and partners, employers and their contact persons;
  • social and health insurance companies and their contact persons;
  • physicians and/or private health care providers and/or belonging to other hospitals/health care institutions and their contact persons;
  • freelancers, attorneys (e.g., legal representatives);
  • people who write to us or contact us in various capacities (e.g., tenants and contact persons of residential and commercial property rental companies);
  • members of our bodies and persons belonging to public authorities and/or offices;
  • ...and anyone who falls within the definition in Section 2(E) of this statement.


We would like to clarify that, on these occasions, even if data referring to other persons (such as relatives, friends, the contact of a reference person and/or legal representative or other health care providers) are provided, we assume that the person providing these data has the authorization to do so and that these data are accurate. We also expect that he or she has informed such individuals about this statement, in accordance with the requirements of applicable law.

Data relating to minors or persons incapable of discernment
In the case of patients who are minors under the age of 16 or adults incapable of discernment, consent shall be given by the parents or legal representative.

Processing justified by the consent of the person concerned is in principle lawful where the minor who has given consent is at least 16 years old. Where the minor is under the age of 16, the processing of personal data is lawful only and to the extent that consent is given or authorized by the legal representative. The EOC may make every reasonable effort to verify that the consent given by the legal representative is effective. However, the EOC will not be responsible in any way for any misrepresentation that may be provided by the minor and, in any case, should it be determined that the statement is false, any personal data and any material acquired will be immediately deleted. The data controller will facilitate requests concerning the personal data of minors coming from the legal representative, as per point 10.

A. Data communicated directly by data subjects

It is often you who directly communicate personal data to us, for example when you transmit data to us or communicate with us in person, by going to our facilities or by phone, e-mail, filling out paper forms, or online on our website or via App. The transmission of data to us is basically voluntary, but in some cases it is absolutely necessary to be able to use our services or in fulfillment of legal and/or contractual obligations.

In principle, we specify which personal data are mandatory.
For example, the presence of mandatory fields on the forms you fill out indicates that that particular information is necessary to enable us to ensure the provision of the requested services. On the other hand, the provision of other information not marked as mandatory is optional, i.e. it does not affect the activity, e.g. the use of our website, Apps or other services. By filling out and sending contact forms, you voluntarily provide us with your personal data, and this data is used for the sole purpose of pursuing the related purposes.

Online application submission
This includes, for example, when you submit personal data by completing the online application forms accessible from the dedicated section on our website. Data may be processed according to open positions, which may include either a single, specific position or additional positions. The User is required to enter in the online form the information requested by the system and indicated as mandatory. For example, the presence of mandatory fields on some forms indicates that that particular type of information is necessary to allow us to carry out the EOC recruitment and selection activities. The personal data subject to processing are the information in the Curriculum Vitae transmitted and relating to personal details, educational qualifications, professional and work experience, contractual classification, references, job description, motivations for change, aspirations, preferences, etc. The User is free to attach additional documents to supplement the information provided, such as diplomas, work certificates and other documents pertaining to the position.

The EOC is free to use the candidate's personal data to verify the information provided at any time during the application and selection process. This may include verifications with previous employers, academic and/or professional institutions, and other entities and/or agencies, both public and private. Personal data is used and processed only to the extent strictly necessary and in a manner and procedure appropriate to the purposes related to the recruitment, selection and evaluation of EOC personnel.

Personal data will be kept for the time strictly necessary for the proper fulfillment of the above purposes. Specifically, in the case of recruitment, the personal information transmitted by the User is shared within the EOC Human Resources unit and operational and managerial functions to assess how well the application is in line with the position for which the User has applied or with possible other positions, if the User has consented.
Personnel administration uses this information to create a file (dossier) on the new employee for the purpose of managing the subsequent fulfillments arising from the employment contract. In case of non-employment, personal data are kept in the system as a rule for a maximum period of 12 months after their receipt/last profile update, after which they will be destroyed and deleted. The period could be longer, in case the data subject has consented to the possibility of using and then processing the data also for any different and/or future positions in EOC than those for which the data subject originally applied.

The User has the option to register in order to receive regular automatic notifications about positions posted on the platform. At any time the User can unsubscribe from the list of recipients of such notifications. Non-subscription to the notification service or deletion from the list of recipients does not affect or in any way reduce the use of the platform.
With the deletion of the last application on the User's profile, the profile is also automatically, permanently and completely deleted. The User may at any time request the secure and permanent partial and/or final deletion of personal data. The request shall be followed up without delay, but in any case within 30 days of the exercise of the right to deletion.

In any case, the criteria used to determine the retention period may be related to the express consent of the User/interested party, the duration of recruitment and selection activities, the conduct of statistical studies and research, or are prescribed by Law. The Data Controller, also by means of periodic checks, will regularly verify the strict relevance, non-excessiveness and indispensability of the retained personal data with respect to the stated purposes, also with reference to the additional information provided on its own initiative by the data subjects.

B. Data from third parties

Under certain conditions, it is also possible for the EOC to collect data not from data subjects. In these cases we only collect data useful for the provision of health and care services and for the preparation and execution of contracts also from other service providers, social or private insurances, authorities, other health care providers, your family members and relatives, or other third parties.

We may also collect data from publicly available sources (e.g., debt enforcement registry, land registry, commercial registry, media, or the Internet, including social networks) or receive it from (i) authorities, (ii) your employer or principal who has a business relationship with us or is otherwise in contact with us, and (iii) other third parties (e.g., lending institutions, address providers, associations, contractors, Internet analysis services). This includes, in particular, data that we process in connection with the preparation, conclusion, and execution of contracts, as well as data from correspondence and interviews with third parties, within the limits set by law.

Sharing and Security of Personal Data

8. Who are the recipients of the data?

Often, the relationship between therapist and patient also requires the involvement of third parties such as laboratories, IT services, billing and insurance claims assessment services, and access to specific medical expertise through other professionals working in the health care setting. Communication and information sharing among health professionals and practitioners are essential prerequisites to enable the best interoperability of data in order to provide patients with quality care and treatment and effective and efficient care.

For this reason, the EOC can share information and personal data not only internally, but also with other professionals who work in close coordination with the activities performed at our facilities.
Specifically, the EOC may communicate or share data with the patient's consent or in fulfillment of specific legal obligations with the following categories of recipients:


A. internal EOC recipients (non-exhaustive list):

  • internal specialized operational staff forming part of the patient's circle of care (physicians, nurses, pharmacists, physiotherapists, biologists, chemists, psychologists, speech therapists and any other health care workers, including their auxiliaries, students and trainees);
  • internal administrative staff responsible for carrying out specific management and direction activities (e.g., Quality Services, Medical Secretariats, EOC Medical Officer Service, Human Resources, Finance and Controlling Services, Legal & Compliance Group, Security Services, ICT Services);
  • entities that provide services for the management of information and telecommunications systems used by the data controller for the organization, planning, implementation, and execution of management activities.

B. recipients outside the EOC (non-exhaustive list):

  • external physicians (e.g., family physician, assistant physicians);
  • insurance and social security agencies and collection services;
  • other public and private health and hospital entities;
  • suppliers of products and services (under contract to provide loan staff);
  • pharmaceutical companies and/or medical device companies;
  • freelancers who provide services to the data controller as data processors or who act as independent data controllers;
  • subjects belonging to supervisory and control authorities;
  • all entities covered by a mandate or contract agreement and not included in the categories listed above for which there is a legal obligation of disclosure by the EOC or other entities for which specific authorizations are acquired on the basis of special requests (e.g., on the basis of the law or from data subjects).


In any case, all recipients of personal data have access only to the data necessary for the performance of their activities and tasks and are obliged, by law or under specific confidentiality agreements, to maintain confidentiality regarding any information learned by reason of their job function.


In addition, the EOC processes personal data primarily and preferably on Swiss territory. However, it is possible that personal data may also be processed abroad, in other countries (e.g., Microsoft tools and Cloud systems) provided that they have the appropriate levels of security required by law or provide adequate safeguards to protect personal data.

Any exchange of information or transfer of data is carried out in compliance with the provisions of data protection laws and/or applicable special laws and involves only third parties that adhere to strict security standards designed to protect and guarantee the interests and fundamental rights of data subjects.

Rights of data subjects and contacts

11. What are the rights of affected persons?

Every data subject (see Section 2(E)) has certain rights in relation to the processing of his or her personal data.
In particular, depending on the applicable law, every data subject has the right to:

  • request access to his/her personal data (right of access);
  • request the updating/amendment/correction of his/her personal data that is inaccurate or incomplete (right of rectification);
  • request the deletion or anonymization of his/her personal data (right to erasure);
  • request the restriction of the processing of his/her personal data, if the processing is no longer necessary (right to restriction);
  • request to receive his/her personal data in a structured, commonly used and machine-readable format (right to data portability);
  • withdraw consent with effect for the future, if personal data are processed on the basis of consent (right of revocation);
  • request the interruption of the transmission/communication of his/her personal data, in the permitted cases (right to object).


Please note that the exercise of these rights may be subject to limitations or exclusions depending on the cases provided for by the Law (e.g. if there are doubts about the identity of the Applicant or if the exercise of the right may result in injury to the rights of other persons or to safeguard interests worthy of protection or simply to comply with certain legal obligations).

To exercise these rights, a request must be made in writing. Please be advised that in order to respond to requests regarding the exercise of the aforementioned rights, the EOC is entitled to take appropriate measures to identify the Applicant (e.g., if necessary, by means of a copy of an identity document) and the latter is required to cooperate. In line with the Data Protection Act, information is normally provided free of charge but costs may be considered where disclosure would require a disproportionate burden.

In any case if there are any doubts or questions about the exercise of rights or the content of this document, we invite you to contact us in advance (see item 12). If you are resident in the EEA, you may also have recourse to the relevant data protection authorities in your country. A list of these authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_fr.

Some examples (non-exhaustive list) of legal retention periods for personal data:

  • Purpose: health care and assistance (medical record). Retention period: at least 20 years from the last service, unless longer periods apply for specific types. Legal basis: legal / contractual obligation (LSan, LEOC, LPDP, CO);
  • Purpose: administrative and operational management (invoices, contracts, correspondence). Retention period: 10 years from the end of the relationship. Legal basis: legal / contractual obligation (CO);
  • Purpose: scientific research and continuing education. Retention period: for the duration of the approved project / indefinitely if the data are irreversibly anonymized. Legal basis: explicit consent or overriding interest (LPDP, LPD);
  • Purpose: communication and promotion (e.g., newsletter). Retention period: until consent is withdrawn. Legal basis: explicit consent, revocable at any time.

12. How long do we keep personal data?

As a matter of principle, we retain personal data for no longer than is necessary to fulfill the purposes for which the data were collected (see Section 6). However, in some cases it is the Law itself that tells us what the retention periods for personal data are, or we are entitled to assert our specific legitimate interests that may provide for longer retention periods.

The criteria and legal terms of retention of personal data may vary. Some examples are:

  • in the case of data contained in personnel files, salary certificates or working time records, the statutory retention period is 5 years (Art. 330a CO in conjunction with Art. 128 CO/Art. 46 Labor Law (LLL) and Art. 73 Ordinance 1 concerning Labor Law (OLL 1)), while documents pertaining to occupational medicine must be retained for 40 years (Annex 4 to the FMH Code of Ethics);
  • data contained in business records (such as invoices, tax records or expense slips) may be kept for at least 10 years (Arts. 958 and 958f CO);
  • access log records are kept for at least one year, are accessible only to the bodies and persons charged with verifying the application of data protection provisions or safeguarding or restoring confidentiality, integrity, availability and traceability of data, and shall be used only for that purpose;
  • data worthy of special protection included in the health record shall be kept for at least 20 years (combined Art. 128a CO and Art. 67, para. 4, LSan).

Personal data is processed in accordance with the principles of good faith, proportionality and minimization, for as long as necessary to achieve the purposes.


Given the above, in the absence of legal or contractual obligations or technical and/or security reasons to the contrary, at the end of the storage period personal data will be deleted or completely anonymized.

13. How to get in touch with us?

For general questions related to data protection, the data controller can be contacted via the e-mail address [email protected].

Inquiries regarding the exercise of rights, in particular the right of access (Art. 25 DPA) and the right to data portability (Art. 28 DPA), can be submitted, enclosing a copy of one's ID:

  • in writing by regular mail to the following address:
    Data Protection Compliance Officer (DPCO) c/o General Management EOC, Viale Officina 3 - CP 1437, CH-6501 Bellinzona;
  • or to the following e-mail address: [email protected].


Please note that, for security reasons, when processing requests the EOC may take appropriate measures to verify in advance the identity of the requesting data subject (Art. 16, para. 5, OPDa).

LAST UPDATED AUGUST 31, 2023

The English version of this page was created with the aid of automatic translation tools and may contain errors and omissions.
The original version is the page in Italian.